# AWS provider pinned to the Seoul region; every resource in this file is created there.
# NOTE(review): no `terraform { required_providers { aws = { version = "..." } } }`
# constraint is visible here. Confirm one exists elsewhere — unpinned provider
# upgrades (e.g. the aws_eip `vpc` -> `domain` rename in v5) can break an apply.
provider "aws" {
region = "ap-northeast-2"
}
# VPC for the "skills" environment. The /16 holds the four /24 subnets declared
# below with room to add more.
resource "aws_vpc" "skills_vpc" {
  cidr_block = "172.16.0.0/16"

  tags = {
    Name = "skills-vpc"
  }
}
# Internet gateway attached to the VPC; used by the public route table's default
# route and by the NAT gateways for their own outbound path.
resource "aws_internet_gateway" "skills_igw" {
  vpc_id = aws_vpc.skills_vpc.id

  tags = {
    Name = "skills-igw"
  }
}
# Private subnet, AZ a. Instances launched here get no public IPv4 address.
# NOTE(review): no aws_route_table_association for this subnet is visible in this
# file; without one it falls back to the VPC's main route table.
resource "aws_subnet" "skills_private_subnet_a" {
  vpc_id                  = aws_vpc.skills_vpc.id
  cidr_block              = "172.16.0.0/24"
  availability_zone       = "ap-northeast-2a"
  map_public_ip_on_launch = false

  tags = {
    Name = "skills-private-subnet-az-a"
  }
}
# Private subnet, AZ b. Instances launched here get no public IPv4 address.
# NOTE(review): no aws_route_table_association for this subnet is visible in this
# file; without one it falls back to the VPC's main route table.
resource "aws_subnet" "skills_private_subnet_b" {
  vpc_id                  = aws_vpc.skills_vpc.id
  cidr_block              = "172.16.1.0/24"
  availability_zone       = "ap-northeast-2b"
  map_public_ip_on_launch = false

  tags = {
    Name = "skills-private-subnet-az-b"
  }
}
# Public subnet, AZ a. map_public_ip_on_launch = true means every instance
# launched here (the bastion below, for one) gets a public IPv4 address and is
# internet-reachable subject only to its security group.
resource "aws_subnet" "skills_public_subnet_a" {
  vpc_id                  = aws_vpc.skills_vpc.id
  cidr_block              = "172.16.2.0/24"
  availability_zone       = "ap-northeast-2a"
  map_public_ip_on_launch = true

  tags = {
    Name = "skills-public-subnet-az-a"
  }
}
# Public subnet, AZ b. map_public_ip_on_launch = true means every instance
# launched here gets a public IPv4 address and is internet-reachable subject
# only to its security group.
resource "aws_subnet" "skills_public_subnet_b" {
  vpc_id                  = aws_vpc.skills_vpc.id
  cidr_block              = "172.16.3.0/24"
  availability_zone       = "ap-northeast-2b"
  map_public_ip_on_launch = true

  tags = {
    Name = "skills-public-subnet-az-b"
  }
}
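# NAT gateway for AZ a, placed in the AZ-a public subnet and bound to a static EIP.
resource "aws_nat_gateway" "skills_natgw_a" {
  subnet_id     = aws_subnet.skills_public_subnet_a.id
  allocation_id = aws_eip.nat_eip_a.id

  tags = { Name = "skills-natgw-a" }

  # A NAT gateway cannot pass traffic until the VPC has an attached internet
  # gateway, and nothing in its arguments references the IGW, so Terraform has no
  # ordering edge. Make it explicit, as the provider docs recommend.
  depends_on = [aws_internet_gateway.skills_igw]
}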
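# NAT gateway for AZ b, placed in the AZ-b public subnet and bound to a static EIP.
resource "aws_nat_gateway" "skills_natgw_b" {
  subnet_id     = aws_subnet.skills_public_subnet_b.id
  allocation_id = aws_eip.nat_eip_b.id

  tags = { Name = "skills-natgw-b" }

  # A NAT gateway cannot pass traffic until the VPC has an attached internet
  # gateway, and nothing in its arguments references the IGW, so Terraform has no
  # ordering edge. Make it explicit, as the provider docs recommend.
  depends_on = [aws_internet_gateway.skills_igw]
}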
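# Static public IPv4 for the AZ-a NAT gateway. Tagged for consistency with every
# other resource in this file.
# NOTE(review): neither `domain = "vpc"` (provider >= 5) nor `vpc = true` (< 5) is
# set; the default is VPC scope in current accounts, but pin it once the provider
# version constraint is known.
resource "aws_eip" "nat_eip_a" {
  tags = { Name = "skills-nat-eip-a" }
}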
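# Static public IPv4 for the AZ-b NAT gateway. Tagged for consistency with every
# other resource in this file.
# NOTE(review): neither `domain = "vpc"` (provider >= 5) nor `vpc = true` (< 5) is
# set; the default is VPC scope in current accounts, but pin it once the provider
# version constraint is known.
resource "aws_eip" "nat_eip_b" {
  tags = { Name = "skills-nat-eip-b" }
}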
# Route table intended for the AZ-a private subnet.
# NOTE(review): this file declares no default route (0.0.0.0/0 -> skills_natgw_a)
# in this table and no aws_route_table_association binding it to
# skills_private_subnet_a. Unless both exist in another file, the private subnet
# has no internet egress and the AZ-a NAT gateway is paid for but unused.
resource "aws_route_table" "skills_private_rtb_a" {
  vpc_id = aws_vpc.skills_vpc.id

  tags = {
    Name = "skills-private-rtb-a"
  }
}
# Route table intended for the AZ-b private subnet.
# NOTE(review): this file declares no default route (0.0.0.0/0 -> skills_natgw_b)
# in this table and no aws_route_table_association binding it to
# skills_private_subnet_b. Unless both exist in another file, the private subnet
# has no internet egress and the AZ-b NAT gateway is paid for but unused.
resource "aws_route_table" "skills_private_rtb_b" {
  vpc_id = aws_vpc.skills_vpc.id

  tags = {
    Name = "skills-private-rtb-b"
  }
}
# Route table for the two public subnets; its default route to the IGW is added by
# aws_route.public_internet_access below.
# NOTE(review): no aws_route_table_association for skills_public_subnet_a/b is
# visible in this file. Without one the public subnets use the VPC's main route
# table, which has no IGW route, and the bastion would not be reachable.
resource "aws_route_table" "skills_public_rtb" {
  vpc_id = aws_vpc.skills_vpc.id

  tags = {
    Name = "skills-public-rtb"
  }
}
# Default route for the public route table: all non-VPC traffic leaves via the
# internet gateway.
resource "aws_route" "public_internet_access" {
  route_table_id         = aws_route_table.skills_public_rtb.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.skills_igw.id
}
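# Internet-facing bastion host in the AZ-a public subnet (it receives a public IP
# through the subnet's map_public_ip_on_launch).
resource "aws_instance" "skills_bastion" {
  ami           = "ami-062cddb9d94dcf95d"
  instance_type = "t3.small"
  subnet_id     = aws_subnet.skills_public_subnet_a.id

  # `security_groups` takes security-group *names* and is only valid for
  # EC2-Classic / default-VPC launches. For an instance with subnet_id the IDs
  # belong in vpc_security_group_ids; the original combination produces a
  # perpetual diff / forced replacement on every plan.
  vpc_security_group_ids = [aws_security_group.skills_bastion_sg.id]
  iam_instance_profile   = aws_iam_instance_profile.bastion.name

  # Require IMDSv2 so the attached role's credentials cannot be fetched with a
  # plain GET to 169.254.169.254 by anything that gets request-forwarding access
  # through the bastion.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at rest (default EBS KMS key).
  root_block_device {
    encrypted = true
  }

  # Move sshd to 2025 so it matches the security group's single ingress rule.
  # The original sed line had stray Markdown `**` markers baked into the command,
  # so `**sed` would not resolve to a command, sshd would stay on 22 and the host
  # would be unreachable through the SG. The pattern accepts both `#Port 22`
  # (the stock commented default) and an already-active `Port 22`.
  # If SELinux is enforcing on this AMI, the non-standard port also needs
  # `semanage port -a -t ssh_port_t -p tcp 2025` before the restart.
  user_data = <<-EOF
    #!/bin/bash
    yum install -y awscli jq curl
    sed -i 's/^#\?Port 22$/Port 2025/' /etc/ssh/sshd_config
    systemctl restart sshd
  EOF

  tags = { Name = "skills-bastion" }
}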
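# Source ranges allowed to reach the bastion's SSH port. Deliberately no default:
# the original rule admitted 0.0.0.0/0, i.e. password/key brute-forcing from the
# whole internet against a host that carries an IAM role. Supply office/VPN CIDRs.
variable "bastion_ssh_cidr_blocks" {
  description = "CIDR blocks permitted to open TCP/2025 (SSH) to the bastion"
  type        = list(string)
}

# Security group for the bastion host. If the role attached to the bastion has
# SSM instance permissions, Session Manager can replace SSH entirely and this
# ingress rule can be dropped.
resource "aws_security_group" "skills_bastion_sg" {
  vpc_id = aws_vpc.skills_vpc.id

  ingress {
    description = "SSH (sshd is moved to 2025 in user_data)"
    from_port   = 2025
    to_port     = 2025
    protocol    = "tcp"
    cidr_blocks = var.bastion_ssh_cidr_blocks
  }

  # Terraform strips AWS's implicit allow-all egress from any security group it
  # manages. With no egress block the bastion could not reach package repos, the
  # AWS API or SSM endpoints, so the `yum install` in user_data would fail.
  egress {
    description = "Outbound to package repositories and AWS APIs"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "skills-bastion-sg" }
}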
# Trust policy: lets the EC2 service assume the bastion role on behalf of
# instances launched with its instance profile. `effect` is spelled out even
# though "Allow" is the default.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
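# Managed policy granted to the bastion role. This data source is named
# `systems_manager` and its attachment `bastion_ssm`, yet the original ARN was
# AdministratorAccess: full account admin exposed on an internet-facing host,
# usable by anyone who obtains a shell or IMDS access on it. AmazonSSMManagedInstanceCore
# is what Systems Manager / Session Manager actually requires. Anything else the
# bastion's awscli usage needs should be a separate, narrowly scoped policy.
data "aws_iam_policy" "systems_manager" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}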
# IAM role assumed by the bastion instance through the instance profile below.
# `var.name` is not declared in this file; it must come from another file or the
# caller.
resource "aws_iam_role" "bastion" {
  name               = "${var.name}-bastion-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}
# Attaches whatever managed policy data.aws_iam_policy.systems_manager resolves to
# onto the bastion role. The effective permissions of the bastion are therefore
# decided entirely by that data source's `arn` — review it together with this block.
resource "aws_iam_role_policy_attachment" "bastion_ssm" {
role = aws_iam_role.bastion.name
policy_arn = data.aws_iam_policy.systems_manager.arn
}
# Instance profile that delivers the bastion role to aws_instance.skills_bastion.
# It reuses the role's name; IAM roles and instance profiles are separate
# namespaces, so the shared "${var.name}-bastion-role" does not collide.
resource "aws_iam_instance_profile" "bastion" {
name = "${var.name}-bastion-role"
role = aws_iam_role.bastion.name
}