author | aslanvyos <a.hajiyev@vyos.io> | 2024-10-31 10:04:05 +0400 |
---|---|---|
committer | aslanvyos <a.hajiyev@vyos.io> | 2025-04-10 06:45:48 +0400 |
commit | cb2f5c86fd732a2d10a758bc3a90fc4ee33323de (patch) | |
tree | f27518abd233c3620122a867a5043ff37fd334b4 /Terraform | |
parent | f731eacb91e2b5d9c51b76bae4364ceae5091280 (diff) | |
download | vyos-automation-cb2f5c86fd732a2d10a758bc3a90fc4ee33323de.tar.gz vyos-automation-cb2f5c86fd732a2d10a758bc3a90fc4ee33323de.zip |
Add Terraform project for VyOS instance with basic setup and with network services (VPN, NAT, DNS)
Added CloudFormation templates for VyOS deployment on AWS
Diffstat (limited to 'Terraform')
21 files changed, 1307 insertions, 0 deletions
diff --git a/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl
new file mode 100644
index 0000000..62b2892
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl
@@ -0,0 +1,7 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-for-Lab'
+ - set system login banner pre-login 'Welcome to the VyOS for Lab on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem
new file mode 100644
index 0000000..4c8d388
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null 
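Review bot: A private SSH key is committed to the repository (keys/vyos_demo_private_key.pem here, and the identical file again under Terraform/AWS/instance-with-configs/keys/), and variables.tf points `public_key_path` at its public half by default, so anyone with read access to this repo can log into any instance deployed with the defaults; the readme even documents SSH with this file. Remove both copies from history, treat the key as compromised, add `keys/*.pem` to `.gitignore`, and have users generate their own with the `ssh-keygen` line the readme already gives. The public key's comment `Admin@DESKTOP-R1T9R87` also leaks an operator workstation name; regenerating with `-C` set to a neutral label avoids that.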
+++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87 diff --git a/Terraform/AWS/instance-with-basic-configs/main.tf b/Terraform/AWS/instance-with-basic-configs/main.tf new file mode 100644 index 0000000..ddc27ef --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/main.tf @@ -0,0 +1,84 @@ +# EC2 KEY PAIR
+
+resource "aws_key_pair" "ec2_key" {
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ public_key = file(var.public_key_path)
+
+ tags = {
+ Name = "${var.prefix}-${var.key_pair_name}"
+ }
+}
+
+
+# THE LATEST AMAZON VYOS 1.4 IMAGE
+
+data "aws_ami" "vyos" {
+ most_recent = true
+ owners = ["679593333241"]
+
+ filter {
+ name = "name"
+ values = ["VyOS 1.4*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+}
+
+
+# VYOS INSTANCE
+
+resource "aws_instance" "vyos" {
+ ami = data.aws_ami.vyos.id
+ instance_type = var.vyos_instance_type
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ availability_zone = var.availability_zone
+
+ user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {}))
+
+ depends_on = [
+ aws_network_interface.vyos_public_nic,
+ aws_network_interface.vyos_private_nic
+ ]
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_private_nic.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}"
+ }
+}
+
+# NETWORK INTERFACES
+
+resource "aws_network_interface" "vyos_public_nic" {
+ subnet_id = aws_subnet.public_subnet.id
+ security_groups = [aws_security_group.public_sg.id]
+ private_ips = [var.vyos_pub_nic_ip_address]
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_private_nic" {
+ subnet_id = aws_subnet.private_subnet.id
+ security_groups = [aws_security_group.private_sg.id]
+ private_ips = [var.vyos_priv_nic_address]
+
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
+ }
+}
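Review bot: In the aws_instance block, `key_name` repeats the interpolation `"${var.prefix}-${var.key_pair_name}"` instead of referencing the key pair resource, so Terraform records no dependency between the instance and `aws_key_pair.ec2_key` and the two strings can drift apart; use `key_name = aws_key_pair.ec2_key.key_name`. The instance also sets no `metadata_options`, so IMDSv1 remains enabled on an internet-facing router; adding `metadata_options { http_tokens = "required" }` is the usual hardening. The two NIC address variables are named inconsistently (`vyos_pub_nic_ip_address` vs `vyos_priv_nic_address`), which is worth aligning while the project is new.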
diff --git a/Terraform/AWS/instance-with-basic-configs/network.tf b/Terraform/AWS/instance-with-basic-configs/network.tf
new file mode 100644
index 0000000..4e2ebc0
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/network.tf
@@ -0,0 +1,84 @@
+# VPC
+
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+ instance_tenancy = "default"
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}"
+ }
+}
+
+# PUBLIC SUBNET
+
+resource "aws_subnet" "public_subnet" {
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = var.public_subnet_cidr
+ availability_zone = var.availability_zone
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
+ }
+
+ depends_on = [aws_internet_gateway.igw]
+}
+
+# PRIVATE SUBNET
+
+resource "aws_subnet" "private_subnet" {
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = var.private_subnet_cidr
+ availability_zone = var.availability_zone
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
+ }
+}
+
+# INTERNET GATEWAY
+
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.vpc.id
+
+ tags = {
+ Name = join("-", [var.prefix, var.igw_name])
+ }
+}
+
+# ELASTICS IP FOR VYOS
+
+resource "aws_eip" "vyos_eip" {
+ domain = "vpc"
+ depends_on = [aws_internet_gateway.igw]
+
+ tags = {
+ Name = join("-", [var.prefix, var.vyos_eip_name])
+ }
+}
+
+resource "aws_eip_association" "vyos_eip_association" {
+ allocation_id = aws_eip.vyos_eip.id
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+}
+
+# PUBLIC ROUTE TABLE
+
+resource "aws_route_table" "public_rtb" {
+ vpc_id = aws_vpc.vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.public_rtb_name])
+ }
+}
+
+resource "aws_route_table_association" "public_rtb_assn" {
+ subnet_id = aws_subnet.public_subnet.id
+ route_table_id = aws_route_table.public_rtb.id
+}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/output.tf b/Terraform/AWS/instance-with-basic-configs/output.tf
new file mode 100644
index 0000000..047d9a7
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/output.tf
@@ -0,0 +1,16 @@
+
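Review bot: `aws_subnet.private_subnet` gets no route table association, so it falls back to the VPC main route table with only the local route, and hosts in the private subnet have no path out through the VyOS private NIC even though `source_dest_check = false` in main.tf suggests the instance is meant to forward for them. If that is deliberate for the basic lab, a comment on the private subnet saying so would help; otherwise add an `aws_route_table` with a `0.0.0.0/0` route whose `network_interface_id` is `aws_network_interface.vyos_private_nic.id`, plus an `aws_route_table_association` for the private subnet. The `depends_on = [aws_internet_gateway.igw]` on the public subnet adds nothing, since a subnet does not depend on the gateway; the route table already carries that dependency.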
+output "vyos_public_ip" {
+ value = aws_instance.vyos.public_ip
+}
+
+output "vyos_pub_nic_ip" {
+ value = aws_network_interface.vyos_public_nic.private_ip
+}
+
+output "vyos_priv_nic_01_ip" {
+ value = aws_network_interface.vyos_private_nic.private_ip
+}
+
+output "vyos_key_name" {
+ value = aws_instance.vyos.key_name
+}
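Review bot: `vyos_public_ip` reads `aws_instance.vyos.public_ip`, but the public address is attached through `aws_eip_association` after the instance exists, and the instance attribute is not refreshed when an EIP is attached, so this output can be empty or stale on the first apply; use `value = aws_eip.vyos_eip.public_ip` instead. The readme's SSH step depends on this output being right. `vyos_priv_nic_01_ip` is the only output with an `_01` suffix while the resource is `vyos_private_nic`; naming it `vyos_priv_nic_ip` keeps the outputs parallel.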
diff --git a/Terraform/AWS/instance-with-basic-configs/provider.tf b/Terraform/AWS/instance-with-basic-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ default_tags {
+ tags = {
+ Company = "VyOS Inc"
+ Project = "VyOS-Demo"
+ Environment = "Lab"
+ ManagedBy = "Terraform"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/readme.md b/Terraform/AWS/instance-with-basic-configs/readme.md
new file mode 100644
index 0000000..c070d77
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/readme.md
@@ -0,0 +1,119 @@
+# Terraform Project for deploying VyOS on AWS
+
+This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
+
+## Prerequisites
+
+Before applying this module, ensure you have:
+
+### AWS Requirements
+
+- An active AWS account.
+- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+
+### Set AWS environment variables
+
+- Run the following commands in your terminal to set the AWS environment variables:
+
+```sh
+export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
+export AWS_SECRET_ACCESS_KEY="<WS_SECRET_ACCESS_KEY>"
+export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
+export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
+```
+
+### Fetch AMI ID and Owner ID (Required for main.tf)
+First, you must subscribe to VyOS in the AWS Marketplace.
+Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
+
+```sh
+aws ec2 describe-images \
+ --owners aws-marketplace \
+ --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
+ --query 'Images[*].[ImageId,OwnerId,Name]' \
+ --output table
+```
+Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
+
+### Generate SSH keypair
+
+A demo SSH keypair is included in the `keys/` folder.
+
+To generate a new key (optional):
+
+```sh
+ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
+```
+
+## Project Structure
+
+```
+.
+├── files/ # VyOS user-data
+├── keys/ # Pre-generated SSH keys
+├── network.tf # Network setup
+├── provider.tf # Provider configuration
+├── security_groups.tf # Security group configurations
+├── variables.tf # Input variables for customization
+├── vyos_instance.tf # VyOS virtual machine deployment (AWS)
+└── README.md # Documentation
+```
+
+## Usage
+
+### Setup Variables
+
+All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
+
+## How to Run the Module
+
+Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
+
+1. **Initialize the Module**
+ ```sh
+ terraform init
+ ```
+
+2. **Format the Terraform Code**
+ ```sh
+ terraform fmt
+ ```
+
+3. **Validate Configuration**
+ ```sh
+ terraform validate
+ ```
+
+4. **Preview Infrastructure Changes Before Deployment**
+ ```sh
+ terraform plan
+ ```
+
+5. **Apply the Configuration**
+ ```sh
+ terraform apply
+ ```
+ Confirm the execution when prompted to provision the infrastructure.
+
+6. **View Outputs**
+ ```sh
+ terraform output
+ ```
+ This will display the management IP and test results for the VyOS instance.
+
+## Management
+
+To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
+```sh
+ssh vyos@<vyos_public_ip> -i keys/vyos_demo_private_key.pem
+```
+
+## Destroying Resources
+
+To clean up the deployed infrastructure:
+```sh
+terraform destroy
+```
+Confirm the execution when prompted to remove all provisioned resources.
+
diff --git a/Terraform/AWS/instance-with-basic-configs/security_groups.tf b/Terraform/AWS/instance-with-basic-configs/security_groups.tf
new file mode 100644
index 0000000..d8653ae
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/security_groups.tf
@@ -0,0 +1,111 @@
+# SECURITY GROUP FOR PUBLIC RESOURCES
+
+resource "aws_security_group" "public_sg" {
+ name = join("-", [var.prefix, var.public_sg_name])
+ description = "Security Group for public resources"
+ vpc_id = aws_vpc.vpc.id
+
+ # Allow SSH Traffic
+ ingress {
+ description = "Allow SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow Wireguard Traffic
+ ingress {
+ description = "Allow Wireguard"
+ from_port = 51820
+ to_port = 51820
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow OpenVPN Traffic
+ ingress {
+ description = "Allow OpenVPN"
+ from_port = 1194
+ to_port = 1194
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ESP Traffic
+ ingress {
+ description = "Allow ESP"
+ from_port = 0
+ to_port = 0
+ protocol = "50"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IKE Traffic
+ ingress {
+ description = "Allow IKE"
+ from_port = 500
+ to_port = 500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IPSEC Traffic
+ ingress {
+ description = "Allow IPSEC"
+ from_port = 1701
+ to_port = 1701
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow NAT Traversal
+ ingress {
+ description = "Allow NAT Traversal"
+ from_port = 4500
+ to_port = 4500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.public_sg_name])
+ }
+}
+
+# SECURITY GROUP FOR PRIVATE RESOURCES
+
+resource "aws_security_group" "private_sg" {
+ name = join("-", [var.prefix, var.private_sg_name])
+ description = "Security Group for private resources"
+ vpc_id = aws_vpc.vpc.id
+
+ ingress {
+ description = "Allow all inbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.private_sg_name])
+ }
+}
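Review bot: `public_sg` opens SSH (22/tcp) to `0.0.0.0/0`, and `private_sg` allows all inbound from `0.0.0.0/0` as well, so the "private" NIC is shielded only by the fact that its subnet has no route from the internet. Restrict the SSH rule to an operator address list (a new variable such as `admin_cidr_blocks`, proposed here, with no default) and the private group's ingress to `cidr_blocks = [var.vpc_cidr]`, since nothing outside the VPC should reach that NIC directly. The rule labelled "Allow IPSEC" on 1701/udp is L2TP, which neither of the VyOS configs in this commit uses; ESP, IKE (500/udp) and NAT-T (4500/udp) are the IPsec rules, so either drop the 1701 rule or relabel it `description = "Allow L2TP"`.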
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/variables.tf b/Terraform/AWS/instance-with-basic-configs/variables.tf
new file mode 100644
index 0000000..3493252
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/variables.tf
@@ -0,0 +1,116 @@
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+ default = "us-east-1"
+}
+
+variable "availability_zone" {
+ description = "AWS Availability Zone"
+ type = string
+ default = "us-east-1a"
+}
+
+variable "prefix" {
+ type = string
+ description = "Prefix for the resource names and Name tags"
+ default = "demo"
+}
+
+variable "key_pair_name" {
+ description = "SSH key pair name"
+ type = string
+ default = "vyos-demo-key"
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_demo_private_key.pem"
+}
+
+variable "public_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_demo_public_key.pem"
+}
+
+variable "vpc_name" {
+ description = "Name for VPC"
+ default = "test-vpc"
+}
+
+variable "public_subnet_name" {
+ description = "The name of the public subnet"
+ type = string
+ default = "pub-subnet"
+}
+
+variable "private_subnet_name" {
+ description = "The name of the private subnet 01"
+ type = string
+ default = "priv-subnet"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR block for VPC"
+ type = string
+ default = "172.16.0.0/16"
+}
+
+variable "public_subnet_cidr" {
+ description = "CIDR block for public subnet"
+ default = "172.16.1.0/24"
+}
+
+variable "private_subnet_cidr" {
+ description = "CIDR block for private subnet"
+ type = string
+ default = "172.16.11.0/24"
+}
+
+variable "vyos_pub_nic_ip_address" {
+ description = "VyOS Instance Public address"
+ type = string
+ default = "172.16.1.11"
+}
+
+variable "vyos_priv_nic_address" {
+ description = "VyOS Instance Private NIC address"
+ type = string
+ default = "172.16.11.11"
+}
+
+variable "vyos_instance_type" {
+ description = "The type of the VyOS Instance"
+ type = string
+ default = "c5n.xlarge"
+}
+
+variable "vyos_instance_name" {
+ type = string
+ default = "VyOS"
+}
+
+variable "igw_name" {
+ type = string
+ default = "igw"
+}
+
+variable "vyos_eip_name" {
+ type = string
+ default = "vyos"
+}
+
+variable "public_rtb_name" {
+ type = string
+ default = "public-rtb"
+
+}
+
+variable "public_sg_name" {
+ type = string
+ default = "public-sg"
+}
+
+variable "private_sg_name" {
+ type = string
+ default = "private-sg"
+}
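Review bot: `public_key_path` carries the description "Path to the private key file", copied from `private_key_path`; it should read `description = "Path to the public key file"`. `private_key_path`, `public_key_path`, `vpc_name` and `public_subnet_cidr` omit `type = string` while their siblings declare it, and the last seven variables have no description at all; declaring a type on every variable makes a wrongly typed override fail at plan time rather than at resource creation. `private_key_path` is not referenced by any of the .tf files in this commit as far as I can see, so it may be dead or intended for a later provisioner; a comment saying which would help.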
diff --git a/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt
new file mode 100644
index 0000000..6c52bcb
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt
@@ -0,0 +1,55 @@
+set system host-name 'VyOS-for-DEMO-On-Prem'
+set system login banner pre-login 'Welcome to the VyOS for DEMO on On-Prem'
+set interfaces ethernet eth0 description 'WAN'
+set interfaces ethernet eth1 description 'LAN'
+set interfaces ethernet eth1 dhcp-options no-default-route
+set system name-server '<DNS>'
+set service dns forwarding name-server '<DNS>'
+set service dns forwarding listen-address '<VYOS_PRIV_IP>'
+set service dns forwarding allow-from '<VYOS_CIDR>'
+set service dns forwarding no-serve-rfc1918
+set nat source rule 10 outbound-interface name 'eth0'
+set nat source rule 10 source address '<VYOS_CIDR>'
+set nat source rule 10 translation address 'masquerade'
+set vpn ipsec interface 'eth0'
+set vpn ipsec esp-group AWS lifetime '3600'
+set vpn ipsec esp-group AWS mode 'tunnel'
+set vpn ipsec esp-group AWS pfs 'dh-group2'
+set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
+set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
+set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
+set vpn ipsec ike-group AWS dead-peer-detection interval '15'
+set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
+set vpn ipsec ike-group AWS ikev2-reauth
+set vpn ipsec ike-group AWS key-exchange 'ikev2'
+set vpn ipsec ike-group AWS lifetime '28800'
+set vpn ipsec ike-group AWS proposal 1 dh-group '2'
+set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
+set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
+set vpn ipsec ike-group AWS close-action start
+set vpn ipsec option disable-route-autoinstall
+set interfaces vti vti1 address '10.2.100.11/32'
+set interfaces vti vti1 description 'Tunnel for VyOS in AWS'
+set interfaces vti vti1 ip adjust-mss '1350'
+set protocols static route 10.1.100.11/32 interface vti1
+set vpn ipsec authentication psk VyOS id '<VYOS_AWS_PUB_IP>'
+set vpn ipsec authentication psk VyOS id '<VYOS_PUB_IP>'
+set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+set vpn ipsec site-to-site peer AWS authentication local-id '<VYOS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer AWS authentication remote-id '<VYOS_AWS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS connection-type 'initiate'
+set vpn ipsec site-to-site peer AWS description 'AWS TUNNEL to VyOS on NET 02'
+set vpn ipsec site-to-site peer AWS ike-group 'AWS'
+set vpn ipsec site-to-site peer AWS ikev2-reauth 'inherit'
+set vpn ipsec site-to-site peer AWS local-address '<VYOS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS remote-address '<VYOS_AWS_PUB_IP>'
+set vpn ipsec site-to-site peer AWS vti bind 'vti1'
+set vpn ipsec site-to-site peer AWS vti esp-group 'AWS'
+set protocols bgp system-as '<VYOS_BGP_AS_NUMBER>'
+set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
+set protocols bgp neighbor 10.1.100.11 remote-as '<VYOS_AWS_BGP_AS_NUMBER>'
+set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
+set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
+set protocols bgp neighbor 10.1.100.11 disable-connected-check
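Review bot: The IPsec pre-shared key is shipped as the literal `'ch00s3-4-s3cur3-psk'` in this on-prem config and again in the AWS user-data template in the next hunk, so every deployment built from this project shares one published secret. Use a `<PSK>` placeholder here, consistent with the other `<...>` placeholders in this file, and in the template take the secret from a Terraform variable marked `sensitive = true` (for example `${ipsec_psk}`) instead of hard-coding it. Both peers also negotiate `hash 'sha1'` with `dh-group '2'` and `pfs 'dh-group2'` (1024-bit MODP), which is well below current guidance for a site-to-site tunnel; `hash 'sha256'` with `dh-group '14'` and `pfs 'dh-group14'` (or stronger) on both sides keeps the proposals matching.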
diff --git a/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl
new file mode 100644
index 0000000..7240a2c
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl
@@ -0,0 +1,57 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-for-DEMO-AWS'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '${dns_1}'
+ - set service dns forwarding name-server '${dns_1}'
+ - set service dns forwarding listen-address '${vyos_priv_nic_ip}'
+ - set service dns forwarding allow-from '${private_subnet_cidr}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${private_subnet_cidr}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group ON-PREM lifetime '3600'
+ - set vpn ipsec esp-group ON-PREM mode 'tunnel'
+ - set vpn ipsec esp-group ON-PREM pfs 'dh-group2'
+ - set vpn ipsec esp-group ON-PREM proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group ON-PREM proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group ON-PREM dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group ON-PREM dead-peer-detection interval '15'
+ - set vpn ipsec ike-group ON-PREM dead-peer-detection timeout '30'
+ - set vpn ipsec ike-group ON-PREM ikev2-reauth
+ - set vpn ipsec ike-group ON-PREM key-exchange 'ikev2'
+ - set vpn ipsec ike-group ON-PREM lifetime '28800'
+ - set vpn ipsec ike-group ON-PREM proposal 1 dh-group '2'
+ - set vpn ipsec ike-group ON-PREM proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group ON-PREM proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group ON-PREM close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS in ON-PREM'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.11/32 interface vti1
+ - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer ON-PREM authentication local-id '${vyos_public_ip_address}'
+ - set vpn ipsec site-to-site peer ON-PREM authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer ON-PREM authentication remote-id '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer ON-PREM connection-type 'none'
+ - set vpn ipsec site-to-site peer ON-PREM description 'ON-PREM TUNNEL to VyOS on NET 02'
+ - set vpn ipsec site-to-site peer ON-PREM ike-group 'ON-PREM'
+ - set vpn ipsec site-to-site peer ON-PREM ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer ON-PREM local-address '${vyos_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer ON-PREM remote-address '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer ON-PREM vti bind 'vti1'
+ - set vpn ipsec site-to-site peer ON-PREM vti esp-group 'ON-PREM'
+ - set protocols bgp system-as '${vyos_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${private_subnet_cidr}
+ - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.11 timers keepalive '10'
+ - set protocols bgp neighbor 10.2.100.11 disable-connected-check
diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem
new file mode 100644
index 0000000..4c8d388
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null +++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem 
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87
diff --git a/Terraform/AWS/instance-with-configs/main.tf b/Terraform/AWS/instance-with-configs/main.tf
new file mode 100644
index 0000000..0d58e17
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/main.tf
@@ -0,0 +1,91 @@
+# EC2 KEY PAIR
+
+resource "aws_key_pair" "ec2_key" {
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ public_key = file(var.public_key_path)
+
+ tags = {
+ Name = "${var.prefix}-${var.key_pair_name}"
+ }
+}
+
+# THE LATEST AMAZON VYOS 1.4 IMAGE
+
+data "aws_ami" "vyos" {
+ most_recent = true
+ owners = ["679593333241"]
+
+ filter {
+ name = "name"
+ values = ["VyOS 1.4*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+}
+
+# VYOS INSTANCE
+
+resource "aws_instance" "vyos" {
+ ami = data.aws_ami.vyos.id
+ instance_type = var.vyos_instance_type
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ availability_zone = var.availability_zone
+
+ user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {
+ private_subnet_cidr = var.private_subnet_cidr,
+ vyos_public_ip_address = aws_eip.vyos_eip.public_ip,
+ vyos_pub_nic_ip = aws_network_interface.vyos_public_nic.private_ip,
+ vyos_priv_nic_ip = aws_network_interface.vyos_private_nic.private_ip,
+ vyos_bgp_as_number = var.vyos_bgp_as_number,
+ dns_1 = var.dns,
+ on_prem_public_ip_address = var.on_prem_public_ip_address,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number
+ }))
+
+ depends_on = [
+ aws_network_interface.vyos_public_nic,
+ aws_network_interface.vyos_private_nic
+ ]
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_private_nic.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}"
+ }
+}
+
+# NETWORK INTERFACES
+
+resource "aws_network_interface" "vyos_public_nic" {
+ subnet_id = aws_subnet.public_subnet.id
+ security_groups = [aws_security_group.public_sg.id]
+ private_ips = [var.vyos_pub_nic_ip_address]
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_private_nic" {
+ subnet_id = aws_subnet.private_subnet.id
+ security_groups = [aws_security_group.private_sg.id]
+ private_ips = [var.vyos_priv_nic_address]
+
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
+ }
+}
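Review bot: `key_name = "${var.prefix}-${var.key_pair_name}"` on `aws_instance.vyos` rebuilds the key pair name by hand instead of referencing the resource, so Terraform records no dependency between the instance and `aws_key_pair.ec2_key` and can try to launch the instance before the key pair exists; use `key_name = aws_key_pair.ec2_key.key_name`. The `data "aws_ami" "vyos"` lookup takes the newest image whose name matches `VyOS 1.4*` under the shared Marketplace owner, which makes deployments non-reproducible and means any image with a matching name could be selected; add a `product-code` filter using the code the readme's CLI example already uses (`8wqdkv3u2b9sa0y73xob2yl90`) and expose an optional `vyos_ami_id` override — the readme tells users to set that variable, but `variables.tf` in this commit does not declare it. `source_dest_check = false` is set only on the private NIC; if the instance is meant to NAT private-subnet traffic out through `eth0`, the public NIC presumably needs it disabled as well — please confirm against the intended topology.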
diff --git a/Terraform/AWS/instance-with-configs/network.tf b/Terraform/AWS/instance-with-configs/network.tf
new file mode 100644
index 0000000..b3513f6
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/network.tf
@@ -0,0 +1,86 @@
+# VPC
+
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+ instance_tenancy = "default"
+ # enable_dns_support = true # DNS resolution within VPC
+ # enable_dns_hostnames = true # Public DNS hostnames
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}"
+ }
+}
+
+# PUBLIC SUBNET
+
+resource "aws_subnet" "public_subnet" {
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = var.public_subnet_cidr
+ availability_zone = var.availability_zone
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
+ }
+
+ depends_on = [aws_internet_gateway.igw]
+}
+
+# PRIVATE SUBNET
+
+resource "aws_subnet" "private_subnet" {
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = var.private_subnet_cidr
+ availability_zone = var.availability_zone
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
+ }
+}
+
+# INTERNET GATEWAY
+
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.vpc.id
+
+ tags = {
+ Name = join("-", [var.prefix, var.igw_name])
+ }
+}
+
+# ELASTICS IP FOR VYOS
+
+resource "aws_eip" "vyos_eip" {
+ domain = "vpc"
+ depends_on = [aws_internet_gateway.igw]
+
+ tags = {
+ Name = join("-", [var.prefix, var.vyos_eip_name])
+ }
+}
+
+resource "aws_eip_association" "vyos_eip_association" {
+ allocation_id = aws_eip.vyos_eip.id
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+}
+
+# PUBLIC ROUTE TABLE
+
+resource "aws_route_table" "public_rtb" {
+ vpc_id = aws_vpc.vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.public_rtb_name])
+ }
+}
+
+resource "aws_route_table_association" "public_rtb_assn" {
+ subnet_id = aws_subnet.public_subnet.id
+ route_table_id = aws_route_table.public_rtb.id
+}
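Review bot: The private subnet has no route table association, so it falls back to the VPC main route table with only the local route; together with `source_dest_check = false` on the private NIC in `main.tf` the intent looks like egress via VyOS, but nothing routes `0.0.0.0/0` from that subnet to `aws_network_interface.vyos_private_nic`. If that is the design, add a private route table with a default route through the private NIC and associate it (sketch below, tag name is a literal because `variables.tf` has no variable for it); if the subnet is meant to stay isolated, a comment saying so would save the next reader the same question. The `depends_on = [aws_internet_gateway.igw]` on `aws_subnet.public_subnet` is unnecessary — subnets do not depend on the IGW — whereas the one on `aws_eip` is the documented case and can stay.
```hcl
# … unchanged: VPC, subnets, IGW, EIP, public route table …

# PRIVATE ROUTE TABLE - default route via the VyOS private NIC
resource "aws_route_table" "private_rtb" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.vyos_private_nic.id
  }

  tags = {
    Name = join("-", [var.prefix, "private-rtb"])
  }
}

resource "aws_route_table_association" "private_rtb_assn" {
  subnet_id      = aws_subnet.private_subnet.id
  route_table_id = aws_route_table.private_rtb.id
}
```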
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/output.tf b/Terraform/AWS/instance-with-configs/output.tf
new file mode 100644
index 0000000..047d9a7
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/output.tf
@@ -0,0 +1,16 @@
+
+output "vyos_public_ip" {
+ value = aws_instance.vyos.public_ip
+}
+
+output "vyos_pub_nic_ip" {
+ value = aws_network_interface.vyos_public_nic.private_ip
+}
+
+output "vyos_priv_nic_01_ip" {
+ value = aws_network_interface.vyos_private_nic.private_ip
+}
+
+output "vyos_key_name" {
+ value = aws_instance.vyos.key_name
+}
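Review bot: `aws_instance.vyos.public_ip` in `output "vyos_public_ip"` is likely to be empty after the first apply: the instance is launched with explicit `network_interface` blocks and no public IP, and the Elastic IP is attached afterwards by `aws_eip_association`, which does not update the instance resource's attributes until the next refresh. Output the address from the resource that owns it, `value = aws_eip.vyos_eip.public_ip` — the same value `main.tf` already feeds into the user-data template — so the readme's `ssh vyos@<vyos_public_ip>` step works on the first run.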
diff --git a/Terraform/AWS/instance-with-configs/provider.tf b/Terraform/AWS/instance-with-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ default_tags {
+ tags = {
+ Company = "VyOS Inc"
+ Project = "VyOS-Demo"
+ Environment = "Lab"
+ ManagedBy = "Terraform"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/readme.md b/Terraform/AWS/instance-with-configs/readme.md
new file mode 100644
index 0000000..aca1d58
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/readme.md
@@ -0,0 +1,120 @@
+# Terraform Project for deploying VyOS on AWS
+
+This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
+
+## Prerequisites
+
+Before applying this module, ensure you have:
+
+### AWS Requirements
+
+- An active AWS account.
+- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+
+### Set AWS environment variables
+
+- Run the following commands in your terminal to set the AWS environment variables:
+
+```sh
+export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
+export AWS_SECRET_ACCESS_KEY="<WS_SECRET_ACCESS_KEY>"
+export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
+export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
+```
+
+### Fetch AMI ID and Owner ID (Required for main.tf)
+First, you must subscribe to VyOS in the AWS Marketplace.
+Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
+
+```sh
+aws ec2 describe-images \
+ --owners aws-marketplace \
+ --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
+ --query 'Images[*].[ImageId,OwnerId,Name]' \
+ --output table
+```
+Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
+
+### Generate SSH keypair
+
+A demo SSH keypair is included in the `keys/` folder.
+
+To generate a new key (optional):
+
+```sh
+ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
+```
+
+## Project Structure
+
+```
+.
+├── files/ # VyOS user-data
+├── keys/ # Pre-generated SSH keys
+├── network.tf # Network setup
+├── provider.tf # Provider configuration
+├── security_groups.tf # Security group configurations
+├── variables.tf # Input variables for customization
+├── vyos_instance.tf # VyOS virtual machine deployment (AWS)
+└── README.md # Documentation
+```
+
+## Usage
+
+### Setup Variables
+
+All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
+
+## How to Run the Module
+
+Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
+
+1. **Initialize the Module**
+ ```sh
+ terraform init
+ ```
+
+2. **Format the Terraform Code**
+ ```sh
+ terraform fmt
+ ```
+
+3. **Validate Configuration**
+ ```sh
+ terraform validate
+ ```
+
+4. **Preview Infrastructure Changes Before Deployment**
+ ```sh
+ terraform plan
+ ```
+
+5. **Apply the Configuration**
+ ```sh
+ terraform apply
+ ```
+ Confirm the execution when prompted to provision the infrastructure.
+
+6. **View Outputs**
+ ```sh
+ terraform output
+ ```
+ This will display the management IP and test results for the VyOS instance.
+
+## Management
+
+To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
+```sh
+ssh vyos@<vyos_public_ip> -i keys/vyos_demo_private_key.pem
+```
+You can find op-premise (peer) side VyOS configuration reference from: `files/on-prem-vyos-config.txt`
+
+## Destroying Resources
+
+To clean up the deployed infrastructure:
+```sh
+terraform destroy
+```
+Confirm the execution when prompted to remove all provisioned resources.
+
diff --git a/Terraform/AWS/instance-with-configs/security_groups.tf b/Terraform/AWS/instance-with-configs/security_groups.tf
new file mode 100644
index 0000000..d8653ae
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/security_groups.tf
@@ -0,0 +1,111 @@
+# SECURITY GROUP FOR PUBLIC RESOURCES
+
+resource "aws_security_group" "public_sg" {
+ name = join("-", [var.prefix, var.public_sg_name])
+ description = "Security Group for public resources"
+ vpc_id = aws_vpc.vpc.id
+
+ # Allow SSH Traffic
+ ingress {
+ description = "Allow SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow Wireguard Traffic
+ ingress {
+ description = "Allow Wireguard"
+ from_port = 51820
+ to_port = 51820
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow OpenVPN Traffic
+ ingress {
+ description = "Allow OpenVPN"
+ from_port = 1194
+ to_port = 1194
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ESP Traffic
+ ingress {
+ description = "Allow ESP"
+ from_port = 0
+ to_port = 0
+ protocol = "50"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IKE Traffic
+ ingress {
+ description = "Allow IKE"
+ from_port = 500
+ to_port = 500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IPSEC Traffic
+ ingress {
+ description = "Allow IPSEC"
+ from_port = 1701
+ to_port = 1701
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow NAT Traversal
+ ingress {
+ description = "Allow NAT Traversal"
+ from_port = 4500
+ to_port = 4500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.public_sg_name])
+ }
+}
+
+# SECURITY GROUP FOR PRIVATE RESOURCES
+
+resource "aws_security_group" "private_sg" {
+ name = join("-", [var.prefix, var.private_sg_name])
+ description = "Security Group for private resources"
+ vpc_id = aws_vpc.vpc.id
+
+ ingress {
+ description = "Allow all inbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.private_sg_name])
+ }
+}
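Review bot: SSH on port 22 is opened to `0.0.0.0/0` in `public_sg`, and `private_sg` accepts every protocol from `0.0.0.0/0`, while the readme has users authenticate with a private key that is committed to this repository — together that leaves the management plane reachable from the whole Internet. Scope the SSH rule to an administrator range supplied by the caller, `cidr_blocks = var.admin_cidr_blocks` with a `list(string)` variable and no default (a constructed example value would be `["203.0.113.0/24"]`), and limit the private group's ingress to the VPC with `cidr_blocks = [var.vpc_cidr]`; the VPN ports legitimately stay open to clients, but a comment on the ESP rule saying that is deliberate would help an auditor. The `# Allow IPSEC Traffic` comment and `"Allow IPSEC"` description on the `1701/udp` rule are mislabelled — UDP 1701 is L2TP, and IPsec is already covered by the ESP (protocol 50), IKE (500) and NAT-T (4500) rules — so rename it `# Allow L2TP Traffic` to keep the rule set readable.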
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/variables.tf b/Terraform/AWS/instance-with-configs/variables.tf
new file mode 100644
index 0000000..3ab7d09
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/variables.tf
@@ -0,0 +1,134 @@
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+ default = "us-east-1"
+}
+
+variable "availability_zone" {
+ description = "AWS Availability Zone"
+ type = string
+ default = "us-east-1a"
+}
+
+variable "prefix" {
+ type = string
+ description = "Prefix for the resource names and Name tags"
+ default = "demo"
+}
+
+variable "key_pair_name" {
+ description = "SSH key pair name"
+ type = string
+ default = "vyos-demo-key"
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_demo_private_key.pem"
+}
+
+variable "public_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_demo_public_key.pem"
+}
+
+variable "vpc_name" {
+ description = "Name for VPC"
+ default = "test-vpc"
+}
+
+variable "public_subnet_name" {
+ description = "The name of the public subnet"
+ type = string
+ default = "pub-subnet"
+}
+
+variable "private_subnet_name" {
+ description = "The name of the private subnet 01"
+ type = string
+ default = "priv-subnet"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR block for VPC"
+ type = string
+ default = "172.16.0.0/16"
+}
+
+variable "public_subnet_cidr" {
+ description = "CIDR block for public subnet"
+ default = "172.16.1.0/24"
+}
+
+variable "private_subnet_cidr" {
+ description = "CIDR block for private subnet"
+ type = string
+ default = "172.16.11.0/24"
+}
+
+variable "vyos_pub_nic_ip_address" {
+ description = "VyOS Instance Public address"
+ type = string
+ default = "172.16.1.11"
+}
+
+variable "vyos_priv_nic_address" {
+ description = "VyOS Instance Private NIC address"
+ type = string
+ default = "172.16.11.11"
+}
+
+variable "vyos_instance_type" {
+ description = "The type of the VyOS Instance"
+ type = string
+ default = "c5n.xlarge"
+}
+
+variable "vyos_instance_name" {
+ type = string
+ default = "VyOS"
+}
+
+variable "igw_name" {
+ type = string
+ default = "igw"
+}
+
+variable "vyos_eip_name" {
+ type = string
+ default = "vyos"
+}
+
+variable "public_rtb_name" {
+ type = string
+ default = "public-rtb"
+
+}
+
+variable "public_sg_name" {
+ type = string
+ default = "public-sg"
+}
+
+variable "private_sg_name" {
+ type = string
+ default = "private-sg"
+}
+
+variable "dns" {
+ default = "8.8.8.8"
+}
+
+variable "vyos_bgp_as_number" {
+ default = "65001"
+}
+
+# On Prem Data Center
+
+variable "on_prem_bgp_as_number" {
+ default = "65002"
+}
+
+variable "on_prem_public_ip_address" {
+ default = "192.0.2.1"
+}
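Review bot: The description of `public_key_path` reads `"Path to the private key file"`, a copy-paste error — it should be `description = "Path to the public key file"`. `private_key_path` is not read anywhere in `main.tf` (only `public_key_path` is used, via `file(var.public_key_path)`) and its default points at the private key committed under `keys/`; either remove the variable or document which tooling consumes it, and in any case neither key-path default should name a file that lives in the repository. `dns`, `vyos_bgp_as_number`, `on_prem_bgp_as_number`, `on_prem_public_ip_address`, `vpc_name`, `public_subnet_cidr` and both key-path variables have no `type`, and the two AS numbers are strings where `type = number` would reject bad input at plan time; `validation` blocks using `cidrnetmask()` on the CIDR variables would likewise fail early instead of at the EC2 API. The readme tells users to add a `vyos_ami_id` variable here and refers to a `vyos_instance.tf`, neither of which exists in this commit (the instance lives in `main.tf`), so either add the variable and wire it into the AMI lookup or correct the readme.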