From cb2f5c86fd732a2d10a758bc3a90fc4ee33323de Mon Sep 17 00:00:00 2001 
From: aslanvyos Date: Thu, 31 Oct 2024 10:04:05 +0400 Subject: Add Terraform project for VyOS instance with basic setup and with network services (VPN, NAT, DNS) Added CloudFormation templates for VyOS deployment on AWS --- .../files/vyos_user_data.tfpl | 7 ++ .../keys/vyos_demo_private_key.pem | 27 +++++ .../keys/vyos_demo_public_key.pem | 1 + Terraform/AWS/instance-with-basic-configs/main.tf | 84 +++++++++++++ .../AWS/instance-with-basic-configs/network.tf | 84 +++++++++++++ .../AWS/instance-with-basic-configs/output.tf | 16 +++ .../AWS/instance-with-basic-configs/provider.tf | 22 ++++ .../AWS/instance-with-basic-configs/readme.md | 119 ++++++++++++++++++ .../instance-with-basic-configs/security_groups.tf | 111 +++++++++++++++++ .../AWS/instance-with-basic-configs/variables.tf | 116 ++++++++++++++++++ .../files/on-prem-vyos-config.txt | 55 +++++++++ .../files/vyos_user_data.tfpl | 57 +++++++++ .../keys/vyos_demo_private_key.pem | 27 +++++ .../keys/vyos_demo_public_key.pem | 1 + Terraform/AWS/instance-with-configs/main.tf | 91 ++++++++++++++ Terraform/AWS/instance-with-configs/network.tf | 86 +++++++++++++ Terraform/AWS/instance-with-configs/output.tf | 16 +++ Terraform/AWS/instance-with-configs/provider.tf | 22 ++++ Terraform/AWS/instance-with-configs/readme.md | 120 ++++++++++++++++++ .../AWS/instance-with-configs/security_groups.tf | 111 +++++++++++++++++ Terraform/AWS/instance-with-configs/variables.tf | 134 +++++++++++++++++++++ 21 files changed, 1307 insertions(+) create mode 100644 Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl create mode 100644 Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem create mode 100644 Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem create mode 100644 Terraform/AWS/instance-with-basic-configs/main.tf create mode 100644 Terraform/AWS/instance-with-basic-configs/network.tf create mode 100644 Terraform/AWS/instance-with-basic-configs/output.tf create mode 100644 
Terraform/AWS/instance-with-basic-configs/provider.tf create mode 100644 Terraform/AWS/instance-with-basic-configs/readme.md create mode 100644 Terraform/AWS/instance-with-basic-configs/security_groups.tf create mode 100644 Terraform/AWS/instance-with-basic-configs/variables.tf create mode 100644 Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt create mode 100644 Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl create mode 100644 Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem create mode 100644 Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem create mode 100644 Terraform/AWS/instance-with-configs/main.tf create mode 100644 Terraform/AWS/instance-with-configs/network.tf create mode 100644 Terraform/AWS/instance-with-configs/output.tf create mode 100644 Terraform/AWS/instance-with-configs/provider.tf create mode 100644 Terraform/AWS/instance-with-configs/readme.md create mode 100644 Terraform/AWS/instance-with-configs/security_groups.tf create mode 100644 Terraform/AWS/instance-with-configs/variables.tf (limited to 'Terraform/AWS') diff --git a/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl new file mode 100644 index 0000000..62b2892 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl @@ -0,0 +1,7 @@ +#cloud-config +vyos_config_commands: + - set system host-name 'VyOS-for-Lab' + - set system login banner pre-login 'Welcome to the VyOS for Lab on AWS' + - set interfaces ethernet eth0 description 'WAN' + - set interfaces ethernet eth1 description 'LAN' + - set interfaces ethernet eth1 dhcp-options no-default-route \ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem new file mode 100644 index 0000000..4c8d388 --- /dev/null 
+++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- 
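Review bot: Committing this unencrypted RSA private key means every instance deployed with the default `public_key_path` from `variables.tf` (which points at its public half) is reachable over SSH — opened to `0.0.0.0/0` in `security_groups.tf` — by anyone who has ever read this repository, and the readme actively tells users to log in with it. Treat the key as compromised: remove it from the tree and from history, add `keys/*.pem` to `.gitignore`, and require users to supply their own key pair (the readme already shows the `ssh-keygen` command) or generate one in Terraform with `tls_private_key` and expose it only through a `sensitive = true` output. The matching public key also carries an `Admin@DESKTOP-...` comment that leaks the author's workstation name; strip the comment when regenerating.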
diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87 diff --git a/Terraform/AWS/instance-with-basic-configs/main.tf b/Terraform/AWS/instance-with-basic-configs/main.tf new file mode 100644 index 0000000..ddc27ef --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/main.tf 
@@ -0,0 +1,84 @@
+# EC2 KEY PAIR
+
+resource "aws_key_pair" "ec2_key" {
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ public_key = file(var.public_key_path)
+
+ tags = {
+ Name = "${var.prefix}-${var.key_pair_name}"
+ }
+}
+
+
+# THE LATEST AMAZON VYOS 1.4 IMAGE
+
+data "aws_ami" "vyos" {
+ most_recent = true
+ owners = ["679593333241"]
+
+ filter {
+ name = "name"
+ values = ["VyOS 1.4*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+}
+
+
+# VYOS INSTANCE
+
+resource "aws_instance" "vyos" {
+ ami = data.aws_ami.vyos.id
+ instance_type = var.vyos_instance_type
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ availability_zone = var.availability_zone
+
+ user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {}))
+
+ depends_on = [
+ aws_network_interface.vyos_public_nic,
+ aws_network_interface.vyos_private_nic
+ ]
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_private_nic.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}"
+ }
+}
+
+# NETWORK INTERFACES
+
+resource "aws_network_interface" "vyos_public_nic" {
+ subnet_id = aws_subnet.public_subnet.id
+ security_groups = [aws_security_group.public_sg.id]
+ private_ips = [var.vyos_pub_nic_ip_address]
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_private_nic" {
+ subnet_id = aws_subnet.private_subnet.id
+ security_groups = [aws_security_group.private_sg.id]
+ private_ips = [var.vyos_priv_nic_address]
+
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
+ }
+}
diff --git a/Terraform/AWS/instance-with-basic-configs/network.tf b/Terraform/AWS/instance-with-basic-configs/network.tf
new file mode 100644
index 0000000..4e2ebc0
--- /dev/null
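Review bot: `key_name = "${var.prefix}-${var.key_pair_name}"` in `aws_instance.vyos` rebuilds the name as a string rather than referencing `aws_key_pair.ec2_key.key_name`, so Terraform sees no dependency between the two resources and can try to launch the instance before the key pair exists; referencing the resource attribute fixes the ordering and removes the duplicated expression. The `aws_ami` lookup filters only on `name = "VyOS 1.4*"` under owner `679593333241`, which appears to be the shared AWS Marketplace publisher account, so `most_recent = true` will pick whatever image with that name prefix was published last; adding a `product-code` filter with the listing code the readme already documents pins the lookup to the actual VyOS listing. Consider also `metadata_options { http_tokens = "required" }` to enforce IMDSv2, after confirming the VyOS image's cloud-init retrieves user data with a session token.
```hcl
data "aws_ami" "vyos" {
  most_recent = true
  owners      = ["679593333241"]

  filter {
    name   = "product-code"
    values = ["8wqdkv3u2b9sa0y73xob2yl90"]
  }

  # … unchanged: name and virtualization-type filters …
}

resource "aws_instance" "vyos" {
  ami           = data.aws_ami.vyos.id
  instance_type = var.vyos_instance_type
  key_name      = aws_key_pair.ec2_key.key_name

  # … unchanged: availability_zone, user_data_base64, depends_on, network_interface blocks, tags …
}
```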
+++ b/Terraform/AWS/instance-with-basic-configs/network.tf @@ -0,0 +1,84 @@ +# VPC + +resource "aws_vpc" "vpc" { + cidr_block = var.vpc_cidr + instance_tenancy = "default" + + tags = { + Name = "${var.prefix}-${var.vpc_name}" + } +} + +# PUBLIC SUBNET + +resource "aws_subnet" "public_subnet" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.public_subnet_cidr + availability_zone = var.availability_zone + map_public_ip_on_launch = false + + tags = { + Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}" + } + + depends_on = [aws_internet_gateway.igw] +} + +# PRIVATE SUBNET + +resource "aws_subnet" "private_subnet" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.private_subnet_cidr + availability_zone = var.availability_zone + map_public_ip_on_launch = false + + tags = { + Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}" + } +} + +# INTERNET GATEWAY + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc.id + + tags = { + Name = join("-", [var.prefix, var.igw_name]) + } +} + +# ELASTICS IP FOR VYOS + +resource "aws_eip" "vyos_eip" { + domain = "vpc" + depends_on = [aws_internet_gateway.igw] + + tags = { + Name = join("-", [var.prefix, var.vyos_eip_name]) + } +} + +resource "aws_eip_association" "vyos_eip_association" { + allocation_id = aws_eip.vyos_eip.id + network_interface_id = aws_network_interface.vyos_public_nic.id +} + +# PUBLIC ROUTE TABLE + +resource "aws_route_table" "public_rtb" { + vpc_id = aws_vpc.vpc.id + + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id + } + + tags = { + Name = join("-", [var.prefix, var.public_rtb_name]) + } +} + +resource "aws_route_table_association" "public_rtb_assn" { + subnet_id = aws_subnet.public_subnet.id + route_table_id = aws_route_table.public_rtb.id +} \ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/output.tf b/Terraform/AWS/instance-with-basic-configs/output.tf new file mode 100644 index 0000000..047d9a7 --- /dev/null 
+++ b/Terraform/AWS/instance-with-basic-configs/output.tf
@@ -0,0 +1,16 @@
+
+output "vyos_public_ip" {
+ value = aws_instance.vyos.public_ip
+}
+
+output "vyos_pub_nic_ip" {
+ value = aws_network_interface.vyos_public_nic.private_ip
+}
+
+output "vyos_priv_nic_01_ip" {
+ value = aws_network_interface.vyos_private_nic.private_ip
+}
+
+output "vyos_key_name" {
+ value = aws_instance.vyos.key_name
+}
diff --git a/Terraform/AWS/instance-with-basic-configs/provider.tf b/Terraform/AWS/instance-with-basic-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ default_tags {
+ tags = {
+ Company = "VyOS Inc"
+ Project = "VyOS-Demo"
+ Environment = "Lab"
+ ManagedBy = "Terraform"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-basic-configs/readme.md b/Terraform/AWS/instance-with-basic-configs/readme.md
new file mode 100644
index 0000000..c070d77
--- /dev/null
+++ b/Terraform/AWS/instance-with-basic-configs/readme.md
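Review bot: `vyos_public_ip` reads `aws_instance.vyos.public_ip`, but the public address in this project comes from `aws_eip.vyos_eip`, which `aws_eip_association` attaches to the ENI after the instance is created, so the instance attribute may be empty or stale on the first apply; `value = aws_eip.vyos_eip.public_ip` reports the address the readme tells users to SSH to. Minor: `vyos_key_name` only echoes an input variable, and `vyos_priv_nic_01_ip` carries an `_01` suffix while the underlying resource is unnumbered — pick one convention.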
@@ -0,0 +1,119 @@ +# Terraform Project for deploying VyOS on AWS + +This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace. + +## Prerequisites + +Before applying this module, ensure you have: + +### AWS Requirements + +- An active AWS account. +- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) +- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) + +### Set AWS environment variables + +- Run the following commands in your terminal to set the AWS environment variables: + +```sh +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +export AWS_SESSION_TOKEN="" +export AWS_DEFAULT_REGION="" # e.g us-east-1 +``` + +### Fetch AMI ID and Owner ID (Required for main.tf) +First, you must subscribe to VyOS in the AWS Marketplace. +Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`): + +```sh +aws ec2 describe-images \ + --owners aws-marketplace \ + --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \ + --query 'Images[*].[ImageId,OwnerId,Name]' \ + --output table +``` +Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable. + +### Generate SSH keypair + +A demo SSH keypair is included in the `keys/` folder. + +To generate a new key (optional): + +```sh +ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem +``` + +## Project Structure + +``` +. 
+├── files/ # VyOS user-data +├── keys/ # Pre-generated SSH keys +├── network.tf # Network setup +├── provider.tf # Provider configuration +├── security_groups.tf # Security group configurations +├── variables.tf # Input variables for customization +├── vyos_instance.tf # VyOS virtual machine deployment (AWS) +└── README.md # Documentation +``` + +## Usage + +### Setup Variables + +All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary. + +## How to Run the Module + +Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform: + +1. **Initialize the Module** + ```sh + terraform init + ``` + +2. **Format the Terraform Code** + ```sh + terraform fmt + ``` + +3. **Validate Configuration** + ```sh + terraform validate + ``` + +4. **Preview Infrastructure Changes Before Deployment** + ```sh + terraform plan + ``` + +5. **Apply the Configuration** + ```sh + terraform apply + ``` + Confirm the execution when prompted to provision the infrastructure. + +6. **View Outputs** + ```sh + terraform output + ``` + This will display the management IP and test results for the VyOS instance. + +## Management + +To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`: +```sh +ssh vyos@ -i keys/vyos_demo_private_key.pem +``` + +## Destroying Resources + +To clean up the deployed infrastructure: +```sh +terraform destroy +``` +Confirm the execution when prompted to remove all provisioned resources. + diff --git a/Terraform/AWS/instance-with-basic-configs/security_groups.tf b/Terraform/AWS/instance-with-basic-configs/security_groups.tf new file mode 100644 index 0000000..d8653ae --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/security_groups.tf 
@@ -0,0 +1,111 @@ +# SECURITY GROUP FOR PUBLIC RESOURCES + +resource "aws_security_group" "public_sg" { + name = join("-", [var.prefix, var.public_sg_name]) + description = "Security Group for public resources" + vpc_id = aws_vpc.vpc.id + + # Allow SSH Traffic + ingress { + description = "Allow SSH" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow Wireguard Traffic + ingress { + description = "Allow Wireguard" + from_port = 51820 + to_port = 51820 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow OpenVPN Traffic + ingress { + description = "Allow OpenVPN" + from_port = 1194 + to_port = 1194 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow ESP Traffic + ingress { + description = "Allow ESP" + from_port = 0 + to_port = 0 + protocol = "50" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow IKE Traffic + ingress { + description = "Allow IKE" + from_port = 500 + to_port = 500 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow IPSEC Traffic + ingress { + description = "Allow IPSEC" + from_port = 1701 + to_port = 1701 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow NAT Traversal + ingress { + description = "Allow NAT Traversal" + from_port = 4500 + to_port = 4500 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + } + + # Allow all outbound traffic + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = join("-", [var.prefix, var.public_sg_name]) + } +} + +# SECURITY GROUP FOR PRIVATE RESOURCES + +resource "aws_security_group" "private_sg" { + name = join("-", [var.prefix, var.private_sg_name]) + description = "Security Group for private resources" + vpc_id = aws_vpc.vpc.id + + ingress { + description = "Allow all inbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + description = "Allow all outbound traffic" 
+ from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = join("-", [var.prefix, var.private_sg_name]) + } +} \ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/variables.tf b/Terraform/AWS/instance-with-basic-configs/variables.tf new file mode 100644 index 0000000..3493252 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/variables.tf 
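Review bot: `public_sg` opens TCP/22 to `0.0.0.0/0`, and `private_sg` admits every protocol from `0.0.0.0/0` on the LAN side; as far as `network.tf` shows the private subnet has no internet route, so the second rule is reachable only from inside the VPC today, but any later routing change would expose the LAN ENI completely. Scope SSH to an operator CIDR, `cidr_blocks = var.admin_cidr_blocks` (declare it in `variables.tf` with no default), and the private SG to `cidr_blocks = [var.vpc_cidr]`. The IKE/ESP/NAT-T rules are expected for a VPN endpoint, though for the site-to-site variant they could be limited to the on-prem peer address; the rule labelled "Allow IPSEC" on UDP/1701 is actually L2TP, and WireGuard, OpenVPN and L2TP are opened although none of the shipped configs enables those services.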
@@ -0,0 +1,116 @@ +variable "aws_region" { + description = "AWS Region" + type = string + default = "us-east-1" +} + +variable "availability_zone" { + description = "AWS Availability Zone" + type = string + default = "us-east-1a" +} + +variable "prefix" { + type = string + description = "Prefix for the resource names and Name tags" + default = "demo" +} + +variable "key_pair_name" { + description = "SSH key pair name" + type = string + default = "vyos-demo-key" +} + +variable "private_key_path" { + description = "Path to the private key file" + default = "keys/vyos_demo_private_key.pem" +} + +variable "public_key_path" { + description = "Path to the private key file" + default = "keys/vyos_demo_public_key.pem" +} + +variable "vpc_name" { + description = "Name for VPC" + default = "test-vpc" +} + +variable "public_subnet_name" { + description = "The name of the public subnet" + type = string + default = "pub-subnet" +} + +variable "private_subnet_name" { + description = "The name of the private subnet 01" + type = string + default = "priv-subnet" +} + +variable "vpc_cidr" { + description = "CIDR block for VPC" + type = string + default = "172.16.0.0/16" +} + +variable "public_subnet_cidr" { + description = "CIDR block for public subnet" + default = "172.16.1.0/24" +} + +variable "private_subnet_cidr" { + description = "CIDR block for private subnet" + type = string + default = "172.16.11.0/24" +} + +variable "vyos_pub_nic_ip_address" { + description = "VyOS Instance Public address" + type = string + default = "172.16.1.11" +} + +variable "vyos_priv_nic_address" { + description = "VyOS Instance Private NIC address" + type = string + default = "172.16.11.11" +} + +variable "vyos_instance_type" { + description = "The type of the VyOS Instance" + type = string + default = "c5n.xlarge" +} + +variable "vyos_instance_name" { + type = string + default = "VyOS" +} + +variable "igw_name" { + type = string + default = "igw" +} + +variable "vyos_eip_name" { + type = string + 
default = "vyos" +} + +variable "public_rtb_name" { + type = string + default = "public-rtb" + +} + +variable "public_sg_name" { + type = string + default = "public-sg" +} + +variable "private_sg_name" { + type = string + default = "private-sg" +} diff --git a/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt new file mode 100644 index 0000000..6c52bcb --- /dev/null +++ b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt 
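Review bot: `public_key_path` is described as "Path to the private key file", a copy-paste of the `private_key_path` description above it, and `private_key_path` itself is not referenced anywhere in `main.tf`, so it exists only to point at the checked-in demo key — drop it or use it. `vpc_name` and `public_subnet_cidr` are the only variables without a `type`; add `type = string` for consistency with the rest of the file. Because the default `public_key_path` is the demo key shipped in `keys/`, the description should tell readers to override it, e.g. `description = "Path to the SSH public key to install; replace the bundled demo key"`.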
@@ -0,0 +1,55 @@ +set system host-name 'VyOS-for-DEMO-On-Prem' +set system login banner pre-login 'Welcome to the VyOS for DEMO on On-Prem' +set interfaces ethernet eth0 description 'WAN' +set interfaces ethernet eth1 description 'LAN' +set interfaces ethernet eth1 dhcp-options no-default-route +set system name-server '' +set service dns forwarding name-server '' +set service dns forwarding listen-address '' +set service dns forwarding allow-from '' +set service dns forwarding no-serve-rfc1918 +set nat source rule 10 outbound-interface name 'eth0' +set nat source rule 10 source address '' +set nat source rule 10 translation address 'masquerade' +set vpn ipsec interface 'eth0' +set vpn ipsec esp-group AWS lifetime '3600' +set vpn ipsec esp-group AWS mode 'tunnel' +set vpn ipsec esp-group AWS pfs 'dh-group2' +set vpn ipsec esp-group AWS proposal 1 encryption 'aes256' +set vpn ipsec esp-group AWS proposal 1 hash 'sha1' +set vpn ipsec ike-group AWS dead-peer-detection action 'restart' +set vpn ipsec ike-group AWS dead-peer-detection interval '15' +set vpn ipsec ike-group AWS dead-peer-detection timeout '30' +set vpn ipsec ike-group AWS ikev2-reauth +set vpn ipsec ike-group AWS key-exchange 'ikev2' +set vpn ipsec ike-group AWS lifetime '28800' +set vpn ipsec ike-group AWS proposal 1 dh-group '2' +set vpn ipsec ike-group AWS proposal 1 encryption 'aes256' +set vpn ipsec ike-group AWS proposal 1 hash 'sha1' +set vpn ipsec ike-group AWS close-action start +set vpn ipsec option disable-route-autoinstall +set interfaces vti vti1 address '10.2.100.11/32' +set interfaces vti vti1 description 'Tunnel for VyOS in AWS' +set interfaces vti vti1 ip adjust-mss '1350' +set protocols static route 10.1.100.11/32 interface vti1 +set vpn ipsec authentication psk VyOS id '' +set vpn ipsec authentication psk VyOS id '' +set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk' +set vpn ipsec site-to-site peer AWS authentication local-id '' +set vpn ipsec site-to-site peer AWS 
authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer AWS authentication remote-id '' +set vpn ipsec site-to-site peer AWS connection-type 'initiate' +set vpn ipsec site-to-site peer AWS description 'AWS TUNNEL to VyOS on NET 02' +set vpn ipsec site-to-site peer AWS ike-group 'AWS' +set vpn ipsec site-to-site peer AWS ikev2-reauth 'inherit' +set vpn ipsec site-to-site peer AWS local-address '' +set vpn ipsec site-to-site peer AWS remote-address '' +set vpn ipsec site-to-site peer AWS vti bind 'vti1' +set vpn ipsec site-to-site peer AWS vti esp-group 'AWS' +set protocols bgp system-as '' +set protocols bgp address-family ipv4-unicast network +set protocols bgp neighbor 10.1.100.11 remote-as '' +set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound +set protocols bgp neighbor 10.1.100.11 timers holdtime '30' +set protocols bgp neighbor 10.1.100.11 timers keepalive '10' +set protocols bgp neighbor 10.1.100.11 disable-connected-check diff --git a/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl new file mode 100644 index 0000000..7240a2c --- /dev/null +++ b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl 
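Review bot: The IPsec proposals use `hash 'sha1'` and `dh-group '2'` / `pfs 'dh-group2'` (1024-bit MODP), which are below what current guidance recommends for new IKEv2 tunnels; both ends of this tunnel are VyOS and both configs are in this commit, so there is no interoperability reason not to use `hash 'sha256'` and `dh-group '14'` / `pfs 'dh-group14'` (or an ECP group) in both the ike-group and the esp-group. The placeholder PSK `ch00s3-4-s3cur3-psk` reads like a real secret; replace it with an obviously fake token such as `<CHANGE-ME>` and note that it must match the AWS-side value. The two `set vpn ipsec authentication psk VyOS id ''` lines are presumably the local and remote public addresses, mirroring the templated AWS side; a comment saying so would save the reader a guess.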
@@ -0,0 +1,57 @@ +#cloud-config +vyos_config_commands: + - set system host-name 'VyOS-for-DEMO-AWS' + - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS' + - set interfaces ethernet eth0 description 'WAN' + - set interfaces ethernet eth1 description 'LAN' + - set interfaces ethernet eth1 dhcp-options no-default-route + - set system name-server '${dns_1}' + - set service dns forwarding name-server '${dns_1}' + - set service dns forwarding listen-address '${vyos_priv_nic_ip}' + - set service dns forwarding allow-from '${private_subnet_cidr}' + - set service dns forwarding no-serve-rfc1918 + - set nat source rule 10 outbound-interface name 'eth0' + - set nat source rule 10 source address '${private_subnet_cidr}' + - set nat source rule 10 translation address 'masquerade' + - set vpn ipsec interface 'eth0' + - set vpn ipsec esp-group ON-PREM lifetime '3600' + - set vpn ipsec esp-group ON-PREM mode 'tunnel' + - set vpn ipsec esp-group ON-PREM pfs 'dh-group2' + - set vpn ipsec esp-group ON-PREM proposal 1 encryption 'aes256' + - set vpn ipsec esp-group ON-PREM proposal 1 hash 'sha1' + - set vpn ipsec ike-group ON-PREM dead-peer-detection action 'restart' + - set vpn ipsec ike-group ON-PREM dead-peer-detection interval '15' + - set vpn ipsec ike-group ON-PREM dead-peer-detection timeout '30' + - set vpn ipsec ike-group ON-PREM ikev2-reauth + - set vpn ipsec ike-group ON-PREM key-exchange 'ikev2' + - set vpn ipsec ike-group ON-PREM lifetime '28800' + - set vpn ipsec ike-group ON-PREM proposal 1 dh-group '2' + - set vpn ipsec ike-group ON-PREM proposal 1 encryption 'aes256' + - set vpn ipsec ike-group ON-PREM proposal 1 hash 'sha1' + - set vpn ipsec ike-group ON-PREM close-action start + - set vpn ipsec option disable-route-autoinstall + - set interfaces vti vti1 address '10.1.100.11/32' + - set interfaces vti vti1 description 'Tunnel for VyOS in ON-PREM' + - set interfaces vti vti1 ip adjust-mss '1350' + - set protocols static route 10.2.100.11/32 
interface vti1 + - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}' + - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}' + - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk' + - set vpn ipsec site-to-site peer ON-PREM authentication local-id '${vyos_public_ip_address}' + - set vpn ipsec site-to-site peer ON-PREM authentication mode 'pre-shared-secret' + - set vpn ipsec site-to-site peer ON-PREM authentication remote-id '${on_prem_public_ip_address}' + - set vpn ipsec site-to-site peer ON-PREM connection-type 'none' + - set vpn ipsec site-to-site peer ON-PREM description 'ON-PREM TUNNEL to VyOS on NET 02' + - set vpn ipsec site-to-site peer ON-PREM ike-group 'ON-PREM' + - set vpn ipsec site-to-site peer ON-PREM ikev2-reauth 'inherit' + - set vpn ipsec site-to-site peer ON-PREM local-address '${vyos_pub_nic_ip}' + - set vpn ipsec site-to-site peer ON-PREM remote-address '${on_prem_public_ip_address}' + - set vpn ipsec site-to-site peer ON-PREM vti bind 'vti1' + - set vpn ipsec site-to-site peer ON-PREM vti esp-group 'ON-PREM' + - set protocols bgp system-as '${vyos_bgp_as_number}' + - set protocols bgp address-family ipv4-unicast network ${private_subnet_cidr} + - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}' + - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound + - set protocols bgp neighbor 10.2.100.11 timers holdtime '30' + - set protocols bgp neighbor 10.2.100.11 timers keepalive '10' + - set protocols bgp neighbor 10.2.100.11 disable-connected-check diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem new file mode 100644 index 0000000..4c8d388 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem 
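Review bot: The pre-shared key `ch00s3-4-s3cur3-psk` is hard-coded in the template, and everything rendered from it lands in EC2 user data, which any principal with `ec2:DescribeInstanceAttribute` and any process on the instance (via IMDS) can read — so user data does not protect the PSK, and a fixed value shared by every deployment of this template is worse still. Take it from a `sensitive = true` variable rendered as `${ipsec_psk}` so each deployment at least gets its own secret, and document the residual exposure in the readme. The proposals also use SHA-1 and DH group 2 (1024-bit MODP) for IKE, ESP and PFS; both peers are VyOS in this commit, so stronger settings can be used on both sides.
```yaml
  - set vpn ipsec esp-group ON-PREM pfs 'dh-group14'
  - set vpn ipsec esp-group ON-PREM proposal 1 hash 'sha256'
  # … unchanged: esp lifetime/mode/encryption, ike-group DPD, reauth, lifetime …
  - set vpn ipsec ike-group ON-PREM proposal 1 dh-group '14'
  - set vpn ipsec ike-group ON-PREM proposal 1 hash 'sha256'
  # … unchanged: vti, static route, psk ids …
  - set vpn ipsec authentication psk VyOS secret '${ipsec_psk}'
```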
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null +++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem 
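Review bot: This is a second copy of the same RSA private key (identical blob `4c8d388`) under `instance-with-configs/keys/`, so both projects ship with one shared, publicly known SSH credential that `variables.tf` selects by default. Remove it together with the basic-config copy, purge both from history, ignore `keys/*.pem`, and make users bring their own key pair — or generate one with `tls_private_key` and expose the private half only as a `sensitive` output.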
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87 diff --git a/Terraform/AWS/instance-with-configs/main.tf b/Terraform/AWS/instance-with-configs/main.tf new file mode 100644 index 0000000..0d58e17 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/main.tf 
@@ -0,0 +1,91 @@
+# EC2 KEY PAIR
+
+resource "aws_key_pair" "ec2_key" {
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ public_key = file(var.public_key_path)
+
+ tags = {
+ Name = "${var.prefix}-${var.key_pair_name}"
+ }
+}
+
+# THE LATEST AMAZON VYOS 1.4 IMAGE
+
+data "aws_ami" "vyos" {
+ most_recent = true
+ owners = ["679593333241"]
+
+ filter {
+ name = "name"
+ values = ["VyOS 1.4*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+}
+
+# VYOS INSTANCE
+
+resource "aws_instance" "vyos" {
+ ami = data.aws_ami.vyos.id
+ instance_type = var.vyos_instance_type
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ availability_zone = var.availability_zone
+
+ user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {
+ private_subnet_cidr = var.private_subnet_cidr,
+ vyos_public_ip_address = aws_eip.vyos_eip.public_ip,
+ vyos_pub_nic_ip = aws_network_interface.vyos_public_nic.private_ip,
+ vyos_priv_nic_ip = aws_network_interface.vyos_private_nic.private_ip,
+ vyos_bgp_as_number = var.vyos_bgp_as_number,
+ dns_1 = var.dns,
+ on_prem_public_ip_address = var.on_prem_public_ip_address,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number
+ }))
+
+ depends_on = [
+ aws_network_interface.vyos_public_nic,
+ aws_network_interface.vyos_private_nic
+ ]
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_private_nic.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}"
+ }
+}
+
+# NETWORK INTERFACES
+
+resource "aws_network_interface" "vyos_public_nic" {
+ subnet_id = aws_subnet.public_subnet.id
+ security_groups = [aws_security_group.public_sg.id]
+ private_ips = [var.vyos_pub_nic_ip_address]
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_private_nic" {
+ subnet_id = aws_subnet.private_subnet.id
+ security_groups = [aws_security_group.private_sg.id]
+ private_ips = [var.vyos_priv_nic_address]
+
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
+ }
+}
diff --git a/Terraform/AWS/instance-with-configs/network.tf b/Terraform/AWS/instance-with-configs/network.tf
new file mode 100644
index 0000000..b3513f6
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/network.tf
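Review bot: `key_name = "${var.prefix}-${var.key_pair_name}"` in aws_instance.vyos rebuilds the key pair name by hand instead of referencing the resource, so Terraform records no dependency on aws_key_pair.ec2_key and may try to launch the instance before the key pair exists; use `key_name = aws_key_pair.ec2_key.key_name`. The explicit `depends_on` on the two network interfaces is redundant, since both are already referenced from the `network_interface` blocks and the templatefile arguments. The AMI owner is hard-coded as `679593333241` while the readme tells the user to look the owner ID up per region; a comment on `owners` naming whose account this is, or a variable for it, would keep the two in step.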
@@ -0,0 +1,86 @@
+# VPC
+
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+ instance_tenancy = "default"
+ # enable_dns_support = true # DNS resolution within VPC
+ # enable_dns_hostnames = true # Public DNS hostnames
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}"
+ }
+}
+
+# PUBLIC SUBNET
+
+resource "aws_subnet" "public_subnet" {
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = var.public_subnet_cidr
+ availability_zone = var.availability_zone
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
+ }
+
+ depends_on = [aws_internet_gateway.igw]
+}
+
+# PRIVATE SUBNET
+
+resource "aws_subnet" "private_subnet" {
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = var.private_subnet_cidr
+ availability_zone = var.availability_zone
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
+ }
+}
+
+# INTERNET GATEWAY
+
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.vpc.id
+
+ tags = {
+ Name = join("-", [var.prefix, var.igw_name])
+ }
+}
+
+# ELASTICS IP FOR VYOS
+
+resource "aws_eip" "vyos_eip" {
+ domain = "vpc"
+ depends_on = [aws_internet_gateway.igw]
+
+ tags = {
+ Name = join("-", [var.prefix, var.vyos_eip_name])
+ }
+}
+
+resource "aws_eip_association" "vyos_eip_association" {
+ allocation_id = aws_eip.vyos_eip.id
+ network_interface_id = aws_network_interface.vyos_public_nic.id
+}
+
+# PUBLIC ROUTE TABLE
+
+resource "aws_route_table" "public_rtb" {
+ vpc_id = aws_vpc.vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.public_rtb_name])
+ }
+}
+
+resource "aws_route_table_association" "public_rtb_assn" {
+ subnet_id = aws_subnet.public_subnet.id
+ route_table_id = aws_route_table.public_rtb.id
+}
\ No newline at end of file
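Review bot: The private subnet gets no route table of its own, so it falls back to the VPC main route table with only the local route; if hosts there are meant to reach the internet or the on-prem side through VyOS (the private NIC in main.tf has `source_dest_check = false`, which suggests exactly that), a private route table whose default route points at `aws_network_interface.vyos_private_nic.id`, plus its association, appears to be missing. `depends_on = [aws_internet_gateway.igw]` on the public subnet is unnecessary, because the gateway dependency already flows through aws_route_table.public_rtb. The heading `# ELASTICS IP FOR VYOS` should read `# ELASTIC IP FOR VYOS`. A sketch of the missing pieces, using a literal name where the file would otherwise add a variable:
```hcl
# PRIVATE ROUTE TABLE (default route via the VyOS private NIC)

resource "aws_route_table" "private_rtb" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.vyos_private_nic.id
  }

  tags = {
    Name = join("-", [var.prefix, "private-rtb"])
  }
}

resource "aws_route_table_association" "private_rtb_assn" {
  subnet_id      = aws_subnet.private_subnet.id
  route_table_id = aws_route_table.private_rtb.id
}
```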
diff --git a/Terraform/AWS/instance-with-configs/output.tf b/Terraform/AWS/instance-with-configs/output.tf
new file mode 100644
index 0000000..047d9a7
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/output.tf
@@ -0,0 +1,16 @@
+
+output "vyos_public_ip" {
+ value = aws_instance.vyos.public_ip
+}
+
+output "vyos_pub_nic_ip" {
+ value = aws_network_interface.vyos_public_nic.private_ip
+}
+
+output "vyos_priv_nic_01_ip" {
+ value = aws_network_interface.vyos_private_nic.private_ip
+}
+
+output "vyos_key_name" {
+ value = aws_instance.vyos.key_name
+}
diff --git a/Terraform/AWS/instance-with-configs/provider.tf b/Terraform/AWS/instance-with-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ default_tags {
+ tags = {
+ Company = "VyOS Inc"
+ Project = "VyOS-Demo"
+ Environment = "Lab"
+ ManagedBy = "Terraform"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/readme.md b/Terraform/AWS/instance-with-configs/readme.md
new file mode 100644
index 0000000..aca1d58
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/readme.md
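Review bot: `output "vyos_public_ip"` reads `aws_instance.vyos.public_ip`, but the public address here is an Elastic IP attached to the NIC by aws_eip_association in network.tf and the public subnet has `map_public_ip_on_launch = false`, so the instance attribute is empty after the first apply and only catches up on a later refresh; since the readme tells users to SSH to this output, it should be `value = aws_eip.vyos_eip.public_ip`. A `description` on each output would also document what `vyos_priv_nic_01_ip` and friends refer to.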
@@ -0,0 +1,120 @@
+# Terraform Project for deploying VyOS on AWS
+
+This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
+
+## Prerequisites
+
+Before applying this module, ensure you have:
+
+### AWS Requirements
+
+- An active AWS account.
+- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+
+### Set AWS environment variables
+
+- Run the following commands in your terminal to set the AWS environment variables:
+
+```sh
+export AWS_ACCESS_KEY_ID=""
+export AWS_SECRET_ACCESS_KEY=""
+export AWS_SESSION_TOKEN=""
+export AWS_DEFAULT_REGION="" # e.g us-east-1
+```
+
+### Fetch AMI ID and Owner ID (Required for main.tf)
+First, you must subscribe to VyOS in the AWS Marketplace.
+Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
+
+```sh
+aws ec2 describe-images \
+ --owners aws-marketplace \
+ --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
+ --query 'Images[*].[ImageId,OwnerId,Name]' \
+ --output table
+```
+Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
+
+### Generate SSH keypair
+
+A demo SSH keypair is included in the `keys/` folder.
+
+To generate a new key (optional):
+
+```sh
+ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
+```
+
+## Project Structure
+
+```
+.
+├── files/ # VyOS user-data
+├── keys/ # Pre-generated SSH keys
+├── network.tf # Network setup
+├── provider.tf # Provider configuration
+├── security_groups.tf # Security group configurations
+├── variables.tf # Input variables for customization
+├── vyos_instance.tf # VyOS virtual machine deployment (AWS)
+└── README.md # Documentation
+```
+
+## Usage
+
+### Setup Variables
+
+All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
+
+## How to Run the Module
+
+Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
+
+1. **Initialize the Module**
+ ```sh
+ terraform init
+ ```
+
+2. **Format the Terraform Code**
+ ```sh
+ terraform fmt
+ ```
+
+3. **Validate Configuration**
+ ```sh
+ terraform validate
+ ```
+
+4. **Preview Infrastructure Changes Before Deployment**
+ ```sh
+ terraform plan
+ ```
+
+5. **Apply the Configuration**
+ ```sh
+ terraform apply
+ ```
+ Confirm the execution when prompted to provision the infrastructure.
+
+6. **View Outputs**
+ ```sh
+ terraform output
+ ```
+ This will display the management IP and test results for the VyOS instance.
+
+## Management
+
+To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
+```sh
+ssh vyos@ -i keys/vyos_demo_private_key.pem
+```
+You can find op-premise (peer) side VyOS configuration reference from: `files/on-prem-vyos-config.txt`
+
+## Destroying Resources
+
+To clean up the deployed infrastructure:
+```sh
+terraform destroy
+```
+Confirm the execution when prompted to remove all provisioned resources.
+
diff --git a/Terraform/AWS/instance-with-configs/security_groups.tf b/Terraform/AWS/instance-with-configs/security_groups.tf
new file mode 100644
index 0000000..d8653ae
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/security_groups.tf 
@@ -0,0 +1,111 @@
+# SECURITY GROUP FOR PUBLIC RESOURCES
+
+resource "aws_security_group" "public_sg" {
+ name = join("-", [var.prefix, var.public_sg_name])
+ description = "Security Group for public resources"
+ vpc_id = aws_vpc.vpc.id
+
+ # Allow SSH Traffic
+ ingress {
+ description = "Allow SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow Wireguard Traffic
+ ingress {
+ description = "Allow Wireguard"
+ from_port = 51820
+ to_port = 51820
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow OpenVPN Traffic
+ ingress {
+ description = "Allow OpenVPN"
+ from_port = 1194
+ to_port = 1194
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ESP Traffic
+ ingress {
+ description = "Allow ESP"
+ from_port = 0
+ to_port = 0
+ protocol = "50"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IKE Traffic
+ ingress {
+ description = "Allow IKE"
+ from_port = 500
+ to_port = 500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IPSEC Traffic
+ ingress {
+ description = "Allow IPSEC"
+ from_port = 1701
+ to_port = 1701
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow NAT Traversal
+ ingress {
+ description = "Allow NAT Traversal"
+ from_port = 4500
+ to_port = 4500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.public_sg_name])
+ }
+}
+
+# SECURITY GROUP FOR PRIVATE RESOURCES
+
+resource "aws_security_group" "private_sg" {
+ name = join("-", [var.prefix, var.private_sg_name])
+ description = "Security Group for private resources"
+ vpc_id = aws_vpc.vpc.id
+
+ ingress {
+ description = "Allow all inbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.private_sg_name])
+ }
+}
\ No newline at end of file
diff --git a/Terraform/AWS/instance-with-configs/variables.tf b/Terraform/AWS/instance-with-configs/variables.tf
new file mode 100644
index 0000000..3ab7d09
--- /dev/null
+++ b/Terraform/AWS/instance-with-configs/variables.tf
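Review bot: `private_sg` admits every protocol and port from `0.0.0.0/0`, which for the group attached to the private NIC should be scoped to the VPC or the private subnet, e.g. `cidr_blocks = [var.vpc_cidr]`; as written the public/private split exists in name only. In `public_sg` the SSH rule is likewise open to `0.0.0.0/0`, and combined with the demo private key committed in this same change that leaves the management port reachable by anyone who has the repository, so the source should come from a restricted input such as a new `var.admin_cidr_blocks` rather than the world. The rule described as `Allow IPSEC` on udp/1701 is L2TP, not IPsec (ESP, IKE and NAT-T are already covered by the neighbouring rules), so its comment and description should say `Allow L2TP`.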
@@ -0,0 +1,134 @@
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+ default = "us-east-1"
+}
+
+variable "availability_zone" {
+ description = "AWS Availability Zone"
+ type = string
+ default = "us-east-1a"
+}
+
+variable "prefix" {
+ type = string
+ description = "Prefix for the resource names and Name tags"
+ default = "demo"
+}
+
+variable "key_pair_name" {
+ description = "SSH key pair name"
+ type = string
+ default = "vyos-demo-key"
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_demo_private_key.pem"
+}
+
+variable "public_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_demo_public_key.pem"
+}
+
+variable "vpc_name" {
+ description = "Name for VPC"
+ default = "test-vpc"
+}
+
+variable "public_subnet_name" {
+ description = "The name of the public subnet"
+ type = string
+ default = "pub-subnet"
+}
+
+variable "private_subnet_name" {
+ description = "The name of the private subnet 01"
+ type = string
+ default = "priv-subnet"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR block for VPC"
+ type = string
+ default = "172.16.0.0/16"
+}
+
+variable "public_subnet_cidr" {
+ description = "CIDR block for public subnet"
+ default = "172.16.1.0/24"
+}
+
+variable "private_subnet_cidr" {
+ description = "CIDR block for private subnet"
+ type = string
+ default = "172.16.11.0/24"
+}
+
+variable "vyos_pub_nic_ip_address" {
+ description = "VyOS Instance Public address"
+ type = string
+ default = "172.16.1.11"
+}
+
+variable "vyos_priv_nic_address" {
+ description = "VyOS Instance Private NIC address"
+ type = string
+ default = "172.16.11.11"
+}
+
+variable "vyos_instance_type" {
+ description = "The type of the VyOS Instance"
+ type = string
+ default = "c5n.xlarge"
+}
+
+variable "vyos_instance_name" {
+ type = string
+ default = "VyOS"
+}
+
+variable "igw_name" {
+ type = string
+ default = "igw"
+}
+
+variable "vyos_eip_name" {
+ type = string
+ default = "vyos"
+}
+
+variable "public_rtb_name" {
+ type = string
+ default = "public-rtb"
+
+}
+
+variable "public_sg_name" {
+ type = string
+ default = "public-sg"
+}
+
+variable "private_sg_name" {
+ type = string
+ default = "private-sg"
+}
+
+variable "dns" {
+ default = "8.8.8.8"
+}
+
+variable "vyos_bgp_as_number" {
+ default = "65001"
+}
+
+# On Prem Data Center
+
+variable "on_prem_bgp_as_number" {
+ default = "65002"
+}
+
+variable "on_prem_public_ip_address" {
+ default = "192.0.2.1"
+}
-- cgit v1.2.3
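Review bot: The `description` of `public_key_path` is a copy-paste of the one on `private_key_path` ("Path to the private key file") and should read `Path to the public key file`; `private_key_path` itself is not referenced by any .tf file in this commit, only by the readme's ssh example, so it is either dead or should be documented as informational. Several variables (`private_key_path`, `public_key_path`, `vpc_name`, `public_subnet_cidr`, `dns`, `vyos_bgp_as_number`, `on_prem_bgp_as_number`, `on_prem_public_ip_address`) omit `type`, and the AS numbers are quoted strings; giving the AS numbers `type = number` (assuming the user-data template only interpolates them) and the rest `type = string` lets `terraform validate` reject bad input early. The name-only variables from `vyos_instance_name` onward also lack a `description`.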