21 files changed, 1307 insertions, 0 deletions
| diff --git a/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl
new file mode 100644
index 0000000..62b2892
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl
@@ -0,0 +1,7 @@
+#cloud-config
 +vyos_config_commands:
 +    - set system host-name 'VyOS-for-Lab'
 +    - set system login banner pre-login 'Welcome to the VyOS for Lab on AWS'
 +    - set interfaces ethernet eth0 description 'WAN'
 +    - set interfaces ethernet eth1 description 'LAN'
 +    - set interfaces ethernet eth1 dhcp-options no-default-route
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem
new file mode 100644
index 0000000..4c8d388
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null 
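Review bot: A private SSH key is committed in clear text as `keys/vyos_demo_private_key.pem`, and variables.tf defaults `public_key_path` to its public half, so every instance built with the defaults is reachable by anyone who can read this repository. Treat the pair as compromised: drop this file and the identical copy under `instance-with-configs/keys/` (same blob 4c8d388) from the commit and from history, add `keys/*.pem` to `.gitignore`, and remove the default from `public_key_path` so each user must supply a key they generated with the readme's `ssh-keygen` step. The matching public key's comment `Admin@DESKTOP-R1T9R87` also discloses a workstation name; regenerate with `ssh-keygen -C <comment>` set to something neutral.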
+++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87 diff --git a/Terraform/AWS/instance-with-basic-configs/main.tf b/Terraform/AWS/instance-with-basic-configs/main.tf new file mode 100644 index 0000000..ddc27ef --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/main.tf @@ -0,0 +1,84 @@ +# EC2 KEY PAIR
 +
 +resource "aws_key_pair" "ec2_key" {
 +  key_name   = "${var.prefix}-${var.key_pair_name}"
 +  public_key = file(var.public_key_path)
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.key_pair_name}"
 +  }
 +}
 +
 +
 +# THE LATEST AMAZON VYOS 1.4 IMAGE
 +
 +data "aws_ami" "vyos" {
 +  most_recent = true
 +  owners      = ["679593333241"]
 +
 +  filter {
 +    name   = "name"
 +    values = ["VyOS 1.4*"]
 +  }
 +
 +  filter {
 +    name   = "virtualization-type"
 +    values = ["hvm"]
 +  }
 +
 +}
 +
 +
 +# VYOS INSTANCE
 +
 +resource "aws_instance" "vyos" {
 +  ami               = data.aws_ami.vyos.id
 +  instance_type     = var.vyos_instance_type
 +  key_name          = "${var.prefix}-${var.key_pair_name}"
 +  availability_zone = var.availability_zone
 +
 +  user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {}))
 +
 +  depends_on = [
 +    aws_network_interface.vyos_public_nic,
 +    aws_network_interface.vyos_private_nic
 +  ]
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_public_nic.id
 +    device_index         = 0
 +  }
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_private_nic.id
 +    device_index         = 1
 +  }
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}"
 +  }
 +}
 +
 +# NETWORK INTERFACES
 +
 +resource "aws_network_interface" "vyos_public_nic" {
 +  subnet_id       = aws_subnet.public_subnet.id
 +  security_groups = [aws_security_group.public_sg.id]
 +  private_ips     = [var.vyos_pub_nic_ip_address]
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
 +  }
 +}
 +
 +resource "aws_network_interface" "vyos_private_nic" {
 +  subnet_id       = aws_subnet.private_subnet.id
 +  security_groups = [aws_security_group.private_sg.id]
 +  private_ips     = [var.vyos_priv_nic_address]
 +
 +  source_dest_check = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
 +  }
 +}
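Review bot: `key_name` on `aws_instance.vyos` re-assembles the key pair name from variables instead of referencing the resource, so Terraform sees no dependency on `aws_key_pair.ec2_key` and may try to launch the instance before the key pair exists; use `key_name = aws_key_pair.ec2_key.key_name`. The same pattern appears in `instance-with-configs/main.tf`. The instance also leaves metadata options at their defaults, and because user data (in the configs variant including the tunnel PSK it carries) is served by the instance metadata service, it is worth requiring IMDSv2 with `metadata_options { http_tokens = "required" }`. `most_recent = true` combined with the wildcard `VyOS 1.4*` lets the AMI change silently between applies; the owner is pinned, which is good, but an optional `vyos_ami_id` override (the readme already refers to one that variables.tf does not define) would make builds reproducible.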
 diff --git a/Terraform/AWS/instance-with-basic-configs/network.tf b/Terraform/AWS/instance-with-basic-configs/network.tf
new file mode 100644
index 0000000..4e2ebc0
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/network.tf
@@ -0,0 +1,84 @@
+# VPC
 +
 +resource "aws_vpc" "vpc" {
 +  cidr_block       = var.vpc_cidr
 +  instance_tenancy = "default"
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}"
 +  }
 +}
 +
 +# PUBLIC SUBNET
 +
 +resource "aws_subnet" "public_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.public_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
 +  }
 +
 +  depends_on = [aws_internet_gateway.igw]
 +}
 +
 +# PRIVATE SUBNET
 +
 +resource "aws_subnet" "private_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.private_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
 +  }
 +}
 +
 +# INTERNET GATEWAY
 +
 +resource "aws_internet_gateway" "igw" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.igw_name])
 +  }
 +}
 +
 +# ELASTICS IP FOR VYOS
 +
 +resource "aws_eip" "vyos_eip" {
 +  domain     = "vpc"
 +  depends_on = [aws_internet_gateway.igw]
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.vyos_eip_name])
 +  }
 +}
 +
 +resource "aws_eip_association" "vyos_eip_association" {
 +  allocation_id        = aws_eip.vyos_eip.id
 +  network_interface_id = aws_network_interface.vyos_public_nic.id
 +}
 +
 +# PUBLIC ROUTE TABLE
 +
 +resource "aws_route_table" "public_rtb" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  route {
 +    cidr_block = "0.0.0.0/0"
 +    gateway_id = aws_internet_gateway.igw.id
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_rtb_name])
 +  }
 +}
 +
 +resource "aws_route_table_association" "public_rtb_assn" {
 +  subnet_id      = aws_subnet.public_subnet.id
 +  route_table_id = aws_route_table.public_rtb.id
 +}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/output.tf b/Terraform/AWS/instance-with-basic-configs/output.tf
new file mode 100644
index 0000000..047d9a7
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/output.tf
@@ -0,0 +1,16 @@
+
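Review bot: Nothing routes the private subnet through VyOS: `private_subnet` has no route table association, so it falls back to the VPC main route table with only the local route. The eth1 'LAN' role in the user data and `source_dest_check = false` on `vyos_private_nic` in main.tf suggest VyOS is meant to be that subnet's gateway, in which case a private route table with a default route to the interface is missing (unless a file outside this diff supplies it). Adding it keeps the "private" subnet isolated from the IGW while letting its hosts reach the router.
```hcl
# … unchanged: VPC, subnets, IGW, EIP, public route table …

resource "aws_route_table" "private_rtb" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.vyos_private_nic.id
  }

  tags = {
    Name = join("-", [var.prefix, "private-rtb"])
  }
}

resource "aws_route_table_association" "private_rtb_assn" {
  subnet_id      = aws_subnet.private_subnet.id
  route_table_id = aws_route_table.private_rtb.id
}
```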
 +output "vyos_public_ip" {
 +  value = aws_instance.vyos.public_ip
 +}
 +
 +output "vyos_pub_nic_ip" {
 +  value = aws_network_interface.vyos_public_nic.private_ip
 +}
 +
 +output "vyos_priv_nic_01_ip" {
 +  value = aws_network_interface.vyos_private_nic.private_ip
 +}
 +
 +output "vyos_key_name" {
 +  value = aws_instance.vyos.key_name
 +}
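Review bot: `vyos_public_ip` reads `aws_instance.vyos.public_ip`, but the instance is launched on pre-created ENIs with `map_public_ip_on_launch = false` and its address comes from `aws_eip_association`, which depends on the NIC rather than the instance, so on the creating apply this output can be empty or stale; output the EIP directly with `value = aws_eip.vyos_eip.public_ip`. None of the outputs has a `description`; a one-line `description = "..."` on each helps readers of `terraform output`, and the readme's statement that output shows "test results" does not match anything defined here.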
 diff --git a/Terraform/AWS/instance-with-basic-configs/provider.tf b/Terraform/AWS/instance-with-basic-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
 +
 +terraform {
 +  required_providers {
 +    aws = {
 +      source  = "hashicorp/aws"
 +      version = "~> 5.0"
 +    }
 +  }
 +}
 +
 +provider "aws" {
 +  region = var.aws_region
 +  default_tags {
 +    tags = {
 +      Company     = "VyOS Inc"
 +      Project     = "VyOS-Demo"
 +      Environment = "Lab"
 +      ManagedBy   = "Terraform"
 +    }
 +  }
 +}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/readme.md b/Terraform/AWS/instance-with-basic-configs/readme.md
new file mode 100644
index 0000000..c070d77
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/readme.md
@@ -0,0 +1,119 @@
+# Terraform Project for deploying VyOS on AWS
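Review bot: The `terraform` block pins the AWS provider to `~> 5.0` but states no minimum Terraform CLI version, so users on an old binary get an opaque parse error instead of a clear message; add `required_version = ">= <MIN_TERRAFORM_VERSION>"` next to `required_providers`, with the version the module was tested on. No backend is configured either, so state (which records the public key, every address and the rendered user data) lands in a local `terraform.tfstate`; that is acceptable for a lab but worth a sentence in the readme.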
 +
 +This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
 +
 +## Prerequisites
 +
 +Before applying this module, ensure you have:
 +
 +### AWS Requirements
 +
 +- An active AWS account.
 +- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
 +- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
 +
 +### Set AWS environment variables
 +
 +- Run the following commands in your terminal to set the AWS environment variables:
 +
 +```sh
 +export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
 +export AWS_SECRET_ACCESS_KEY="<WS_SECRET_ACCESS_KEY>"
 +export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
 +export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
 +```
 +
 +### Fetch AMI ID and Owner ID (Required for main.tf)
 +First, you must subscribe to VyOS in the AWS Marketplace.
 +Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
 +
 +```sh
 +aws ec2 describe-images \
 +  --owners aws-marketplace \
 +  --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
 +  --query 'Images[*].[ImageId,OwnerId,Name]' \
 +  --output table
 +```
 +Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
 +
 +### Generate SSH keypair
 +
 +A demo SSH keypair is included in the `keys/` folder.
 +
 +To generate a new key (optional):
 +
 +```sh
 +ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
 +```
 +
 +## Project Structure
 +
 +```
 +.
 +├── files/                      # VyOS user-data
 +├── keys/                       # Pre-generated SSH keys
 +├── network.tf                  # Network setup
 +├── provider.tf                 # Provider configuration
 +├── security_groups.tf          # Security group configurations
 +├── variables.tf                # Input variables for customization
 +├── vyos_instance.tf            # VyOS virtual machine deployment (AWS)
 +└── README.md                   # Documentation
 +```
 +
 +## Usage
 +
 +### Setup Variables
 +
 +All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
 +
 +## How to Run the Module
 +
 +Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
 +
 +1. **Initialize the Module**
 +   ```sh
 +   terraform init
 +   ```
 +
 +2. **Format the Terraform Code**
 +   ```sh
 +   terraform fmt
 +   ```
 +
 +3. **Validate Configuration**
 +   ```sh
 +   terraform validate
 +   ```
 +
 +4. **Preview Infrastructure Changes Before Deployment**
 +   ```sh
 +   terraform plan
 +   ```
 +
 +5. **Apply the Configuration**
 +   ```sh
 +   terraform apply
 +   ```
 +   Confirm the execution when prompted to provision the infrastructure.
 +
 +6. **View Outputs**
 +   ```sh
 +   terraform output
 +   ```
 +   This will display the management IP and test results for the VyOS instance.
 +
 +## Management
 +
 +To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
 +```sh
 +ssh vyos@<vyos_public_ip> -i keys/vyos_demo_private_key.pem
 +```
 +
 +## Destroying Resources
 +
 +To clean up the deployed infrastructure:
 +```sh
 +terraform destroy
 +```
 +Confirm the execution when prompted to remove all provisioned resources.
 +
 diff --git a/Terraform/AWS/instance-with-basic-configs/security_groups.tf b/Terraform/AWS/instance-with-basic-configs/security_groups.tf
new file mode 100644
index 0000000..d8653ae
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/security_groups.tf
@@ -0,0 +1,111 @@
+# SECURITY GROUP FOR PUBLIC RESOURCES
 +
 +resource "aws_security_group" "public_sg" {
 +  name        = join("-", [var.prefix, var.public_sg_name])
 +  description = "Security Group for public resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  # Allow SSH Traffic
 +  ingress {
 +    description = "Allow SSH"
 +    from_port   = 22
 +    to_port     = 22
 +    protocol    = "tcp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow Wireguard Traffic
 +  ingress {
 +    description = "Allow Wireguard"
 +    from_port   = 51820
 +    to_port     = 51820
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow OpenVPN Traffic
 +  ingress {
 +    description = "Allow OpenVPN"
 +    from_port   = 1194
 +    to_port     = 1194
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow ESP Traffic
 +  ingress {
 +    description = "Allow ESP"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "50"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IKE Traffic
 +  ingress {
 +    description = "Allow IKE"
 +    from_port   = 500
 +    to_port     = 500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IPSEC Traffic
 +  ingress {
 +    description = "Allow IPSEC"
 +    from_port   = 1701
 +    to_port     = 1701
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow NAT Traversal
 +  ingress {
 +    description = "Allow NAT Traversal"
 +    from_port   = 4500
 +    to_port     = 4500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow all outbound traffic
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_sg_name])
 +  }
 +}
 +
 +# SECURITY GROUP FOR PRIVATE RESOURCES
 +
 +resource "aws_security_group" "private_sg" {
 +  name        = join("-", [var.prefix, var.private_sg_name])
 +  description = "Security Group for private resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  ingress {
 +    description = "Allow all inbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.private_sg_name])
 +  }
 +}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/variables.tf b/Terraform/AWS/instance-with-basic-configs/variables.tf
new file mode 100644
index 0000000..3493252
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/variables.tf
@@ -0,0 +1,116 @@
+variable "aws_region" {
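Review bot: `public_sg` admits SSH (22/tcp) from `0.0.0.0/0`, and `private_sg` admits every protocol from `0.0.0.0/0`, which is broader than the lab needs: the VPN listener rules have to be world-reachable, but management does not. Restrict the SSH rule to an operator-supplied list, `cidr_blocks = var.admin_cidr_blocks` (a new `list(string)` variable with no default), and the private ingress to `cidr_blocks = [var.vpc_cidr]`, adding the on-prem prefix only if this group is also attached to hosts that on-prem must initiate connections to. The rule described as "Allow IPSEC" opens 1701/udp, which is L2TP rather than IPsec (ESP, 500/udp and 4500/udp are already covered above it); rename it or drop it if L2TP is not used.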
 +  description = "AWS Region"
 +  type        = string
 +  default     = "us-east-1"
 +}
 +
 +variable "availability_zone" {
 +  description = "AWS Availability Zone"
 +  type        = string
 +  default     = "us-east-1a"
 +}
 +
 +variable "prefix" {
 +  type        = string
 +  description = "Prefix for the resource names and Name tags"
 +  default     = "demo"
 +}
 +
 +variable "key_pair_name" {
 +  description = "SSH key pair name"
 +  type        = string
 +  default     = "vyos-demo-key"
 +}
 +
 +variable "private_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_private_key.pem"
 +}
 +
 +variable "public_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_public_key.pem"
 +}
 +
 +variable "vpc_name" {
 +  description = "Name for VPC"
 +  default     = "test-vpc"
 +}
 +
 +variable "public_subnet_name" {
 +  description = "The name of the public subnet"
 +  type        = string
 +  default     = "pub-subnet"
 +}
 +
 +variable "private_subnet_name" {
 +  description = "The name of the private subnet 01"
 +  type        = string
 +  default     = "priv-subnet"
 +}
 +
 +variable "vpc_cidr" {
 +  description = "CIDR block for VPC"
 +  type        = string
 +  default     = "172.16.0.0/16"
 +}
 +
 +variable "public_subnet_cidr" {
 +  description = "CIDR block for public subnet"
 +  default     = "172.16.1.0/24"
 +}
 +
 +variable "private_subnet_cidr" {
 +  description = "CIDR block for private subnet"
 +  type        = string
 +  default     = "172.16.11.0/24"
 +}
 +
 +variable "vyos_pub_nic_ip_address" {
 +  description = "VyOS Instance Public address"
 +  type        = string
 +  default     = "172.16.1.11"
 +}
 +
 +variable "vyos_priv_nic_address" {
 +  description = "VyOS Instance Private NIC address"
 +  type        = string
 +  default     = "172.16.11.11"
 +}
 +
 +variable "vyos_instance_type" {
 +  description = "The type of the VyOS Instance"
 +  type        = string
 +  default     = "c5n.xlarge"
 +}
 +
 +variable "vyos_instance_name" {
 +  type    = string
 +  default = "VyOS"
 +}
 +
 +variable "igw_name" {
 +  type    = string
 +  default = "igw"
 +}
 +
 +variable "vyos_eip_name" {
 +  type    = string
 +  default = "vyos"
 +}
 +
 +variable "public_rtb_name" {
 +  type    = string
 +  default = "public-rtb"
 +
 +}
 +
 +variable "public_sg_name" {
 +  type    = string
 +  default = "public-sg"
 +}
 +
 +variable "private_sg_name" {
 +  type    = string
 +  default = "private-sg"
 +}
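Review bot: `public_key_path` carries the copy-pasted description "Path to the private key file"; change it to `description = "Path to the public key file"`. `private_key_path`, `vpc_name` and `public_subnet_cidr` have no `type`, unlike their neighbours, and `private_key_path` is not referenced by any resource in this diff, so it only exists to mirror the readme's `ssh` example; either drop it or say so in its description. The readme also tells users to add a `vyos_ami_id` variable that this file does not define.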
 diff --git a/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt
new file mode 100644
index 0000000..6c52bcb
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt
@@ -0,0 +1,55 @@
+set system host-name 'VyOS-for-DEMO-On-Prem'
 +set system login banner pre-login 'Welcome to the VyOS for DEMO on On-Prem'
 +set interfaces ethernet eth0 description 'WAN'
 +set interfaces ethernet eth1 description 'LAN'
 +set interfaces ethernet eth1 dhcp-options no-default-route
 +set system name-server '<DNS>'
 +set service dns forwarding name-server '<DNS>'
 +set service dns forwarding listen-address '<VYOS_PRIV_IP>'
 +set service dns forwarding allow-from '<VYOS_CIDR>'
 +set service dns forwarding no-serve-rfc1918
 +set nat source rule 10 outbound-interface name 'eth0'
 +set nat source rule 10 source address '<VYOS_CIDR>'
 +set nat source rule 10 translation address 'masquerade'
 +set vpn ipsec interface 'eth0'
 +set vpn ipsec esp-group AWS lifetime '3600'
 +set vpn ipsec esp-group AWS mode 'tunnel'
 +set vpn ipsec esp-group AWS pfs 'dh-group2'
 +set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
 +set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
 +set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
 +set vpn ipsec ike-group AWS dead-peer-detection interval '15'
 +set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
 +set vpn ipsec ike-group AWS ikev2-reauth
 +set vpn ipsec ike-group AWS key-exchange 'ikev2'
 +set vpn ipsec ike-group AWS lifetime '28800'
 +set vpn ipsec ike-group AWS proposal 1 dh-group '2'
 +set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
 +set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
 +set vpn ipsec ike-group AWS close-action start
 +set vpn ipsec option disable-route-autoinstall
 +set interfaces vti vti1 address '10.2.100.11/32'
 +set interfaces vti vti1 description 'Tunnel for VyOS in AWS'
 +set interfaces vti vti1 ip adjust-mss '1350'
 +set protocols static route 10.1.100.11/32 interface vti1
 +set vpn ipsec authentication psk VyOS id '<VYOS_AWS_PUB_IP>'
 +set vpn ipsec authentication psk VyOS id '<VYOS_PUB_IP>'
 +set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
 +set vpn ipsec site-to-site peer AWS authentication local-id '<VYOS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS authentication mode 'pre-shared-secret'
 +set vpn ipsec site-to-site peer AWS authentication remote-id '<VYOS_AWS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS connection-type 'initiate'
 +set vpn ipsec site-to-site peer AWS description 'AWS TUNNEL to VyOS on NET 02'
 +set vpn ipsec site-to-site peer AWS ike-group 'AWS'
 +set vpn ipsec site-to-site peer AWS ikev2-reauth 'inherit'
 +set vpn ipsec site-to-site peer AWS local-address '<VYOS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS remote-address '<VYOS_AWS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS vti bind 'vti1'
 +set vpn ipsec site-to-site peer AWS vti esp-group 'AWS'
 +set protocols bgp system-as '<VYOS_BGP_AS_NUMBER>'
 +set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
 +set protocols bgp neighbor 10.1.100.11 remote-as '<VYOS_AWS_BGP_AS_NUMBER>'
 +set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
 +set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
 +set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
 +set protocols bgp neighbor 10.1.100.11 disable-connected-check
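Review bot: The IPsec pre-shared key is committed in clear text as `ch00s3-4-s3cur3-psk` on the `authentication psk VyOS secret` line, and the same literal is baked into `instance-with-configs/files/vyos_user_data.tfpl`, where it is rendered into EC2 user data that is readable by any principal with `ec2:DescribeInstanceAttribute`, by any process on the instance through the metadata service, and in Terraform state. Use a placeholder here like the file's other `<...>` markers, `set vpn ipsec authentication psk VyOS secret '<PSK>'`, and in the template a variable fed from a Terraform input declared `sensitive = true`. Both ends also negotiate `hash 'sha1'` and `dh-group '2'`/`pfs 'dh-group2'` (1024-bit MODP) for IKE and ESP, which is below current guidance; since both peers are under this project's control, move to `sha256` and `dh-group '14'`/`pfs 'dh-group14'` or stronger, in this file and in the template.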
 diff --git a/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl
new file mode 100644
index 0000000..7240a2c
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl
@@ -0,0 +1,57 @@
+#cloud-config
 +vyos_config_commands:
 +    - set system host-name 'VyOS-for-DEMO-AWS'
 +    - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
 +    - set interfaces ethernet eth0 description 'WAN'
 +    - set interfaces ethernet eth1 description 'LAN'
 +    - set interfaces ethernet eth1 dhcp-options no-default-route
 +    - set system name-server '${dns_1}'
 +    - set service dns forwarding name-server '${dns_1}'
 +    - set service dns forwarding listen-address '${vyos_priv_nic_ip}'
 +    - set service dns forwarding allow-from '${private_subnet_cidr}'
 +    - set service dns forwarding no-serve-rfc1918
 +    - set nat source rule 10 outbound-interface name 'eth0'
 +    - set nat source rule 10 source address '${private_subnet_cidr}'
 +    - set nat source rule 10 translation address 'masquerade'
 +    - set vpn ipsec interface 'eth0'
 +    - set vpn ipsec esp-group ON-PREM lifetime '3600'
 +    - set vpn ipsec esp-group ON-PREM mode 'tunnel'
 +    - set vpn ipsec esp-group ON-PREM pfs 'dh-group2'
 +    - set vpn ipsec esp-group ON-PREM proposal 1 encryption 'aes256'
 +    - set vpn ipsec esp-group ON-PREM proposal 1 hash 'sha1'
 +    - set vpn ipsec ike-group ON-PREM dead-peer-detection action 'restart'
 +    - set vpn ipsec ike-group ON-PREM dead-peer-detection interval '15'
 +    - set vpn ipsec ike-group ON-PREM dead-peer-detection timeout '30'
 +    - set vpn ipsec ike-group ON-PREM ikev2-reauth
 +    - set vpn ipsec ike-group ON-PREM key-exchange 'ikev2'
 +    - set vpn ipsec ike-group ON-PREM lifetime '28800'
 +    - set vpn ipsec ike-group ON-PREM proposal 1 dh-group '2'
 +    - set vpn ipsec ike-group ON-PREM proposal 1 encryption 'aes256'
 +    - set vpn ipsec ike-group ON-PREM proposal 1 hash 'sha1'
 +    - set vpn ipsec ike-group ON-PREM close-action start
 +    - set vpn ipsec option disable-route-autoinstall
 +    - set interfaces vti vti1 address '10.1.100.11/32'
 +    - set interfaces vti vti1 description 'Tunnel for VyOS in ON-PREM'
 +    - set interfaces vti vti1 ip adjust-mss '1350'
 +    - set protocols static route 10.2.100.11/32 interface vti1
 +    - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}'
 +    - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
 +    - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
 +    - set vpn ipsec site-to-site peer ON-PREM authentication local-id '${vyos_public_ip_address}'
 +    - set vpn ipsec site-to-site peer ON-PREM authentication mode 'pre-shared-secret'
 +    - set vpn ipsec site-to-site peer ON-PREM authentication remote-id '${on_prem_public_ip_address}'
 +    - set vpn ipsec site-to-site peer ON-PREM connection-type 'none'
 +    - set vpn ipsec site-to-site peer ON-PREM description 'ON-PREM TUNNEL to VyOS on NET 02'
 +    - set vpn ipsec site-to-site peer ON-PREM ike-group 'ON-PREM'
 +    - set vpn ipsec site-to-site peer ON-PREM ikev2-reauth 'inherit'
 +    - set vpn ipsec site-to-site peer ON-PREM local-address '${vyos_pub_nic_ip}'
 +    - set vpn ipsec site-to-site peer ON-PREM remote-address '${on_prem_public_ip_address}'
 +    - set vpn ipsec site-to-site peer ON-PREM vti bind 'vti1'
 +    - set vpn ipsec site-to-site peer ON-PREM vti esp-group 'ON-PREM'
 +    - set protocols bgp system-as '${vyos_bgp_as_number}'
 +    - set protocols bgp address-family ipv4-unicast network ${private_subnet_cidr}
 +    - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
 +    - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
 +    - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
 +    - set protocols bgp neighbor 10.2.100.11 timers keepalive '10'
 +    - set protocols bgp neighbor 10.2.100.11 disable-connected-check
 diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem
new file mode 100644
index 0000000..4c8d388
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null +++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem 
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87
diff --git a/Terraform/AWS/instance-with-configs/main.tf b/Terraform/AWS/instance-with-configs/main.tf
new file mode 100644
index 0000000..0d58e17
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/main.tf
@@ -0,0 +1,91 @@
+# EC2 KEY PAIR
 +
 +resource "aws_key_pair" "ec2_key" {
 +  key_name   = "${var.prefix}-${var.key_pair_name}"
 +  public_key = file(var.public_key_path)
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.key_pair_name}"
 +  }
 +}
 +
 +# THE LATEST AMAZON VYOS 1.4 IMAGE
 +
 +data "aws_ami" "vyos" {
 +  most_recent = true
 +  owners      = ["679593333241"]
 +
 +  filter {
 +    name   = "name"
 +    values = ["VyOS 1.4*"]
 +  }
 +
 +  filter {
 +    name   = "virtualization-type"
 +    values = ["hvm"]
 +  }
 +
 +}
 +
 +# VYOS INSTANCE
 +
 +resource "aws_instance" "vyos" {
 +  ami               = data.aws_ami.vyos.id
 +  instance_type     = var.vyos_instance_type
 +  key_name          = "${var.prefix}-${var.key_pair_name}"
 +  availability_zone = var.availability_zone
 +
 +  user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {
 +    private_subnet_cidr       = var.private_subnet_cidr,
 +    vyos_public_ip_address    = aws_eip.vyos_eip.public_ip,
 +    vyos_pub_nic_ip           = aws_network_interface.vyos_public_nic.private_ip,
 +    vyos_priv_nic_ip          = aws_network_interface.vyos_private_nic.private_ip,
 +    vyos_bgp_as_number        = var.vyos_bgp_as_number,
 +    dns_1                     = var.dns,
 +    on_prem_public_ip_address = var.on_prem_public_ip_address,
 +    on_prem_bgp_as_number     = var.on_prem_bgp_as_number
 +  }))
 +
 +  depends_on = [
 +    aws_network_interface.vyos_public_nic,
 +    aws_network_interface.vyos_private_nic
 +  ]
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_public_nic.id
 +    device_index         = 0
 +  }
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_private_nic.id
 +    device_index         = 1
 +  }
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}"
 +  }
 +}
 +
 +# NETWORK INTERFACES
 +
 +resource "aws_network_interface" "vyos_public_nic" {
 +  subnet_id       = aws_subnet.public_subnet.id
 +  security_groups = [aws_security_group.public_sg.id]
 +  private_ips     = [var.vyos_pub_nic_ip_address]
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
 +  }
 +}
 +
 +resource "aws_network_interface" "vyos_private_nic" {
 +  subnet_id       = aws_subnet.private_subnet.id
 +  security_groups = [aws_security_group.private_sg.id]
 +  private_ips     = [var.vyos_priv_nic_address]
 +
 +  source_dest_check = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
 +  }
 +}
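Review bot: `key_name` on `aws_instance.vyos` re-interpolates `"${var.prefix}-${var.key_pair_name}"` instead of referencing the key pair resource, so Terraform records no dependency between the instance and `aws_key_pair.ec2_key` and can schedule the instance before the key pair exists on a fresh apply; use `key_name = aws_key_pair.ec2_key.key_name`. The `depends_on` block is redundant because the two `network_interface` blocks already reference the ENIs. Since the instance is internet-facing through the EIP, consider adding `metadata_options { http_tokens = "required" }` so the instance metadata service only answers IMDSv2 requests.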
diff --git a/Terraform/AWS/instance-with-configs/network.tf b/Terraform/AWS/instance-with-configs/network.tf
new file mode 100644
index 0000000..b3513f6
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/network.tf
@@ -0,0 +1,86 @@
+# VPC
 +
 +resource "aws_vpc" "vpc" {
 +  cidr_block       = var.vpc_cidr
 +  instance_tenancy = "default"
 +  # enable_dns_support   = true # DNS resolution within VPC
 +  # enable_dns_hostnames = true # Public DNS hostnames
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}"
 +  }
 +}
 +
 +# PUBLIC SUBNET
 +
 +resource "aws_subnet" "public_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.public_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
 +  }
 +
 +  depends_on = [aws_internet_gateway.igw]
 +}
 +
 +# PRIVATE SUBNET
 +
 +resource "aws_subnet" "private_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.private_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
 +  }
 +}
 +
 +# INTERNET GATEWAY
 +
 +resource "aws_internet_gateway" "igw" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.igw_name])
 +  }
 +}
 +
 +# ELASTICS IP FOR VYOS
 +
 +resource "aws_eip" "vyos_eip" {
 +  domain     = "vpc"
 +  depends_on = [aws_internet_gateway.igw]
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.vyos_eip_name])
 +  }
 +}
 +
 +resource "aws_eip_association" "vyos_eip_association" {
 +  allocation_id        = aws_eip.vyos_eip.id
 +  network_interface_id = aws_network_interface.vyos_public_nic.id
 +}
 +
 +# PUBLIC ROUTE TABLE
 +
 +resource "aws_route_table" "public_rtb" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  route {
 +    cidr_block = "0.0.0.0/0"
 +    gateway_id = aws_internet_gateway.igw.id
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_rtb_name])
 +  }
 +}
 +
 +resource "aws_route_table_association" "public_rtb_assn" {
 +  subnet_id      = aws_subnet.public_subnet.id
 +  route_table_id = aws_route_table.public_rtb.id
 +}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/output.tf b/Terraform/AWS/instance-with-configs/output.tf
new file mode 100644
index 0000000..047d9a7
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/output.tf
@@ -0,0 +1,16 @@
+
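Review bot: `aws_subnet.private_subnet` gets no `aws_route_table_association`, so it falls back to the VPC main route table, which carries only the local route; if hosts in that subnet are meant to reach the on-prem side through VyOS (presumably why the private ENI sets `source_dest_check = false`), they need an `aws_route_table` whose route for the on-prem prefix has `network_interface_id = aws_network_interface.vyos_private_nic.id`, plus an association for the private subnet. The `depends_on = [aws_internet_gateway.igw]` on the public subnet adds nothing, since the subnet itself does not use the gateway; the dependency that matters is the one already declared on `aws_eip.vyos_eip`. The section comment reads `ELASTICS IP`; `ELASTIC IP` is meant.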
 +output "vyos_public_ip" {
 +  value = aws_instance.vyos.public_ip
 +}
 +
 +output "vyos_pub_nic_ip" {
 +  value = aws_network_interface.vyos_public_nic.private_ip
 +}
 +
 +output "vyos_priv_nic_01_ip" {
 +  value = aws_network_interface.vyos_private_nic.private_ip
 +}
 +
 +output "vyos_key_name" {
 +  value = aws_instance.vyos.key_name
 +}
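Review bot: `vyos_public_ip` reads `aws_instance.vyos.public_ip`, but the address is attached by a separate `aws_eip_association` after the instance is created and the subnet has `map_public_ip_on_launch = false`, so this output is likely to be empty on the first apply and only refreshed later; `value = aws_eip.vyos_eip.public_ip` returns the address Terraform already knows. Adding a `description` to each output and naming `vyos_priv_nic_01_ip` after its resource (`vyos_priv_nic_ip`, matching `vyos_pub_nic_ip`) would keep the outputs consistent with main.tf.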
diff --git a/Terraform/AWS/instance-with-configs/provider.tf b/Terraform/AWS/instance-with-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
 +
 +terraform {
 +  required_providers {
 +    aws = {
 +      source  = "hashicorp/aws"
 +      version = "~> 5.0"
 +    }
 +  }
 +}
 +
 +provider "aws" {
 +  region = var.aws_region
 +  default_tags {
 +    tags = {
 +      Company     = "VyOS Inc"
 +      Project     = "VyOS-Demo"
 +      Environment = "Lab"
 +      ManagedBy   = "Terraform"
 +    }
 +  }
 +}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/readme.md b/Terraform/AWS/instance-with-configs/readme.md
new file mode 100644
index 0000000..aca1d58
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/readme.md
@@ -0,0 +1,120 @@
+# Terraform Project for deploying VyOS on AWS
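Review bot: The `terraform` block constrains the AWS provider but not the Terraform CLI, so a `required_version` pin (for example `required_version = ">= 1.0"`) would make the supported toolchain explicit next to `~> 5.0`, which the `domain = "vpc"` argument on `aws_eip` in network.tf already depends on. The `default_tags` block means the per-resource `tags` elsewhere only need the `Name` key, which is what the other files do.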
 +
 +This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
 +
 +## Prerequisites
 +
 +Before applying this module, ensure you have:
 +
 +### AWS Requirements
 +
 +- An active AWS account.
 +- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
 +- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
 +
 +### Set AWS environment variables
 +
 +- Run the following commands in your terminal to set the AWS environment variables:
 +
 +```sh
 +export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
 +export AWS_SECRET_ACCESS_KEY="<WS_SECRET_ACCESS_KEY>"
 +export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
 +export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
 +```
 +
 +### Fetch AMI ID and Owner ID (Required for main.tf)
 +First, you must subscribe to VyOS in the AWS Marketplace.
 +Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
 +
 +```sh
 +aws ec2 describe-images \
 +  --owners aws-marketplace \
 +  --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
 +  --query 'Images[*].[ImageId,OwnerId,Name]' \
 +  --output table
 +```
 +Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
 +
 +### Generate SSH keypair
 +
 +A demo SSH keypair is included in the `keys/` folder.
 +
 +To generate a new key (optional):
 +
 +```sh
 +ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
 +```
 +
 +## Project Structure
 +
 +```
 +.
 +├── files/                      # VyOS user-data
 +├── keys/                       # Pre-generated SSH keys
 +├── network.tf                  # Network setup
 +├── provider.tf                 # Provider configuration
 +├── security_groups.tf          # Security group configurations
 +├── variables.tf                # Input variables for customization
 +├── vyos_instance.tf            # VyOS virtual machine deployment (AWS)
 +└── README.md                   # Documentation
 +```
 +
 +## Usage
 +
 +### Setup Variables
 +
 +All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
 +
 +## How to Run the Module
 +
 +Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
 +
 +1. **Initialize the Module**
 +   ```sh
 +   terraform init
 +   ```
 +
 +2. **Format the Terraform Code**
 +   ```sh
 +   terraform fmt
 +   ```
 +
 +3. **Validate Configuration**
 +   ```sh
 +   terraform validate
 +   ```
 +
 +4. **Preview Infrastructure Changes Before Deployment**
 +   ```sh
 +   terraform plan
 +   ```
 +
 +5. **Apply the Configuration**
 +   ```sh
 +   terraform apply
 +   ```
 +   Confirm the execution when prompted to provision the infrastructure.
 +
 +6. **View Outputs**
 +   ```sh
 +   terraform output
 +   ```
 +   This will display the management IP and test results for the VyOS instance.
 +
 +## Management
 +
 +To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
 +```sh
 +ssh vyos@<vyos_public_ip> -i keys/vyos_demo_private_key.pem
 +```
 +You can find op-premise (peer) side VyOS configuration reference from: `files/on-prem-vyos-config.txt`
 +
 +## Destroying Resources
 +
 +To clean up the deployed infrastructure:
 +```sh
 +terraform destroy
 +```
 +Confirm the execution when prompted to remove all provisioned resources.
 +
diff --git a/Terraform/AWS/instance-with-configs/security_groups.tf b/Terraform/AWS/instance-with-configs/security_groups.tf
new file mode 100644
index 0000000..d8653ae
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/security_groups.tf
@@ -0,0 +1,111 @@
+# SECURITY GROUP FOR PUBLIC RESOURCES
 +
 +resource "aws_security_group" "public_sg" {
 +  name        = join("-", [var.prefix, var.public_sg_name])
 +  description = "Security Group for public resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  # Allow SSH Traffic
 +  ingress {
 +    description = "Allow SSH"
 +    from_port   = 22
 +    to_port     = 22
 +    protocol    = "tcp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow Wireguard Traffic
 +  ingress {
 +    description = "Allow Wireguard"
 +    from_port   = 51820
 +    to_port     = 51820
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow OpenVPN Traffic
 +  ingress {
 +    description = "Allow OpenVPN"
 +    from_port   = 1194
 +    to_port     = 1194
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow ESP Traffic
 +  ingress {
 +    description = "Allow ESP"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "50"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IKE Traffic
 +  ingress {
 +    description = "Allow IKE"
 +    from_port   = 500
 +    to_port     = 500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IPSEC Traffic
 +  ingress {
 +    description = "Allow IPSEC"
 +    from_port   = 1701
 +    to_port     = 1701
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow NAT Traversal
 +  ingress {
 +    description = "Allow NAT Traversal"
 +    from_port   = 4500
 +    to_port     = 4500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow all outbound traffic
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_sg_name])
 +  }
 +}
 +
 +# SECURITY GROUP FOR PRIVATE RESOURCES
 +
 +resource "aws_security_group" "private_sg" {
 +  name        = join("-", [var.prefix, var.private_sg_name])
 +  description = "Security Group for private resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  ingress {
 +    description = "Allow all inbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.private_sg_name])
 +  }
 +}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/variables.tf b/Terraform/AWS/instance-with-configs/variables.tf
new file mode 100644
index 0000000..3ab7d09
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/variables.tf
@@ -0,0 +1,134 @@
+variable "aws_region" {
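Review bot: The SSH ingress in `public_sg` accepts 22/tcp from `0.0.0.0/0`, and because the key pair this instance launches with is committed to the repository, that rule admits anyone who has the repo; restrict it to an operator range via a new variable, e.g. `cidr_blocks = var.admin_cidr_blocks`, and leave only the VPN ports world-reachable. `private_sg` allows every protocol from `0.0.0.0/0` on the LAN-side ENI; `cidr_blocks = [var.vpc_cidr]` (or the on-prem prefix once it is routed through VyOS) states the intent instead of relying on the private subnet having no internet route. The rule commented `Allow IPSEC` opens 1701/udp, which is L2TP rather than IPsec — IPsec itself is already covered by the ESP, IKE and NAT-T rules — so relabel it, or drop it if L2TP is not used.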
 +  description = "AWS Region"
 +  type        = string
 +  default     = "us-east-1"
 +}
 +
 +variable "availability_zone" {
 +  description = "AWS Availability Zone"
 +  type        = string
 +  default     = "us-east-1a"
 +}
 +
 +variable "prefix" {
 +  type        = string
 +  description = "Prefix for the resource names and Name tags"
 +  default     = "demo"
 +}
 +
 +variable "key_pair_name" {
 +  description = "SSH key pair name"
 +  type        = string
 +  default     = "vyos-demo-key"
 +}
 +
 +variable "private_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_private_key.pem"
 +}
 +
 +variable "public_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_public_key.pem"
 +}
 +
 +variable "vpc_name" {
 +  description = "Name for VPC"
 +  default     = "test-vpc"
 +}
 +
 +variable "public_subnet_name" {
 +  description = "The name of the public subnet"
 +  type        = string
 +  default     = "pub-subnet"
 +}
 +
 +variable "private_subnet_name" {
 +  description = "The name of the private subnet 01"
 +  type        = string
 +  default     = "priv-subnet"
 +}
 +
 +variable "vpc_cidr" {
 +  description = "CIDR block for VPC"
 +  type        = string
 +  default     = "172.16.0.0/16"
 +}
 +
 +variable "public_subnet_cidr" {
 +  description = "CIDR block for public subnet"
 +  default     = "172.16.1.0/24"
 +}
 +
 +variable "private_subnet_cidr" {
 +  description = "CIDR block for private subnet"
 +  type        = string
 +  default     = "172.16.11.0/24"
 +}
 +
 +variable "vyos_pub_nic_ip_address" {
 +  description = "VyOS Instance Public address"
 +  type        = string
 +  default     = "172.16.1.11"
 +}
 +
 +variable "vyos_priv_nic_address" {
 +  description = "VyOS Instance Private NIC address"
 +  type        = string
 +  default     = "172.16.11.11"
 +}
 +
 +variable "vyos_instance_type" {
 +  description = "The type of the VyOS Instance"
 +  type        = string
 +  default     = "c5n.xlarge"
 +}
 +
 +variable "vyos_instance_name" {
 +  type    = string
 +  default = "VyOS"
 +}
 +
 +variable "igw_name" {
 +  type    = string
 +  default = "igw"
 +}
 +
 +variable "vyos_eip_name" {
 +  type    = string
 +  default = "vyos"
 +}
 +
 +variable "public_rtb_name" {
 +  type    = string
 +  default = "public-rtb"
 +
 +}
 +
 +variable "public_sg_name" {
 +  type    = string
 +  default = "public-sg"
 +}
 +
 +variable "private_sg_name" {
 +  type    = string
 +  default = "private-sg"
 +}
 +
 +variable "dns" {
 +  default = "8.8.8.8"
 +}
 +
 +variable "vyos_bgp_as_number" {
 +  default = "65001"
 +}
 +
 +# On Prem Data Center
 +
 +variable "on_prem_bgp_as_number" {
 +  default = "65002"
 +}
 +
 +variable "on_prem_public_ip_address" {
 +  default = "192.0.2.1"
 +}
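Review bot: `public_key_path` copies the description of `private_key_path` (`Path to the private key file`); it should read `Path to the public key file`. `private_key_path` defaults to the committed `keys/vyos_demo_private_key.pem` and, as far as this diff shows, no `.tf` file references it, so either remove the variable or declare it without a default so the private half never has to live in the tree. The README tells users to set a `vyos_ami_id` variable in this file, but no such variable exists and main.tf selects the AMI through `data.aws_ami.vyos`; either add the variable and honour it in main.tf or correct the README. Several variables (`private_key_path`, `public_key_path`, `vpc_name`, `public_subnet_cidr`, `dns`, the two AS numbers, `on_prem_public_ip_address`) omit `type`; declaring `type = string` on them matches the rest of the file.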
