sebolabs/aws-anywhere-tf
AWS Anywhere

Info

This repository contains the Terraform configuration required to set up several integrations between AWS and an on-premises environment. These include:

  • Site-to-Site VPN
  • DNS forwarding for AWS services/resources domain name resolution
  • IAM Roles Anywhere
  • SSM Agent
  • EKS Hybrid Nodes

NOTE: The configuration contained here was used for a Proof of Concept (PoC) and might not work out of the box for everyone. While the versions of the various components used to configure the individual pieces are listed in the corresponding templates/tftpl files, other configuration elements and peripherals may affect the setup and require additional configuration.

Blog

AWS Anywhere - a route to EKS Hybrid Nodes

Features

The features covered by this module can be enabled using the following input variables, all of which default to false:

on_prem_s2s_vpn_enabled             = true
r53_inbound_resolver_enabled        = true
iam_roles_anywhere_enabled          = true
ssm_advanced_instances_tier_enabled = true
eks_hybrid_nodes_enabled            = true

NOTE: Everything has been tested in the order specified above, applied one feature at a time. Enabling or disabling individual features in a different order may lead to unexpected Terraform errors, because the interdependencies between the features have not been tested in every possible scenario.
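As an added example (not a file from the repository), a terraform.tfvars that supplies the required inputs listed in the Inputs table below, enables every feature in the order the note above prescribes, and points flow logs at a dedicated bucket; the account ID, region, CIDRs, addresses, ASN, cluster version and resource IDs are constructed placeholders to be replaced with your own values.

```hcl
# Guardrail: the module refuses to run against any other account.
aws_account_id              = "111111111111"   # placeholder
aws_region                  = "eu-west-1"      # placeholder
environment                 = "poc"
project                     = "aws-anywhere"
component                   = "network"        # module default, shown for clarity
tf_state_bucket_name_prefix = "example-tfstate"

# Transit VPC that hosts the TGW attachment, resolver endpoint and VPC endpoints.
transit_vpc_cidrs = {
  vpc             = "10.100.0.0/16"
  public_subnets  = ["10.100.0.0/24", "10.100.1.0/24"]
  private_subnets = ["10.100.10.0/24", "10.100.11.0/24"]
  intra_subnets   = ["10.100.20.0/24", "10.100.21.0/24"]
}

# On-prem side of the Site-to-Site VPN; vpn_host_ip is the host allowed to
# reach the Route53 inbound resolver (see the security group ingress rules).
on_prem_props = {
  bgp_asn           = 65000            # private ASN, placeholder
  public_ip_address = "203.0.113.10"   # RFC 5737 documentation address, placeholder
  private_cidr      = "192.168.0.0/16"
  vpn_host_ip       = "192.168.0.10"
}

# Existing EKS cluster/VPC that the hybrid nodes will join (all placeholders).
eks_props = {
  cluster_name    = "poc-eks"
  cluster_version = "1.31"
  vpc_name        = "poc-eks-vpc"
  vpc_id          = "vpc-0123456789abcdef0"
  vpc_cidr        = "10.200.0.0/16"
  tgw_subnet_ids  = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
}

# Logging: keep CloudWatch retention explicit and send TGW flow logs to S3
# (omit the ARN to fall back to a CloudWatch log group).
cw_logs_retention_days      = 30
vpc_flow_logs_s3_bucket_arn = "arn:aws:s3:::example-flow-logs-bucket"   # placeholder

# Feature flags, enabled in the tested order. For a first apply set only the
# first flag, then enable the next one and apply again, and so on.
on_prem_s2s_vpn_enabled             = true
r53_inbound_resolver_enabled        = true
iam_roles_anywhere_enabled          = true
ssm_advanced_instances_tier_enabled = true
eks_hybrid_nodes_enabled            = true
```

The `ssm_hybrid_activation_registred` flag is left at its default until the SSM hybrid activation has actually been registered by hand, as its description requires.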

Guides

Guide generation is enabled by default; the guides are generated automatically on terraform apply. Look for the GUIDE_*.md files in this folder.

Terraform

Requirements

| Name | Version |
|------|---------|
| aws | ~> 5 |

Providers

| Name | Version |
|------|---------|
| aws | 5.82.2 |
| local | 2.5.2 |

Modules

| Name | Source | Version |
|------|--------|---------|
| transit_gateway | terraform-aws-modules/transit-gateway/aws | ~> 2.12 |
| transit_vpc | terraform-aws-modules/vpc/aws | ~> 5.16 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.on_prem_vpn | resource |
| aws_cloudwatch_log_group.tgw_flow_logs | resource |
| aws_customer_gateway.on_prem | resource |
| aws_ec2_transit_gateway_route.vpc_to_on_prem_via_vpn | resource |
| aws_ec2_transit_gateway_route_table.vpn | resource |
| aws_ec2_transit_gateway_route_table_association.vpn | resource |
| aws_ec2_transit_gateway_route_table_propagation.eks_vpc_for_vpn | resource |
| aws_ec2_transit_gateway_route_table_propagation.transit_vpc_for_vpn | resource |
| aws_flow_log.transit_gateway | resource |
| aws_iam_policy.eks_hybrid_nodes_descr_cluster | resource |
| aws_iam_role.eks_hybrid_nodes | resource |
| aws_iam_role.rolesanywhere_on_prem | resource |
| aws_iam_role.tgw_flow_logs | resource |
| aws_iam_role_policy.tgw_flow_logs | resource |
| aws_iam_role_policy_attachment.eks_hybrid_nodes_ecr_pull | resource |
| aws_iam_role_policy_attachment.eks_hybrid_nodes_eks_descr_cluster | resource |
| aws_iam_role_policy_attachment.on_prem_ssm_agent | resource |
| aws_iam_role_policy_attachment.on_prem_vpc_full_access | resource |
| aws_rolesanywhere_profile.eks_hybrid_nodes | resource |
| aws_rolesanywhere_profile.on_prem | resource |
| aws_rolesanywhere_trust_anchor.on_prem | resource |
| aws_route.transit_intra_to_on_prem | resource |
| aws_route.transit_private_to_on_prem | resource |
| aws_route53_resolver_endpoint.inbound | resource |
| aws_security_group.common | resource |
| aws_security_group.r53_inbound_resolver | resource |
| aws_security_group.vpc_if_endpoints | resource |
| aws_ssm_activation.on_prem | resource |
| aws_ssm_parameter.on_prem_ca_cert_bundle | resource |
| aws_ssm_service_setting.advanced_instance_tier | resource |
| aws_vpc_endpoint.ddb_gateway | resource |
| aws_vpc_endpoint.interface | resource |
| aws_vpc_endpoint.s3_gateway | resource |
| aws_vpc_endpoint_route_table_association.ddb_gateway | resource |
| aws_vpc_endpoint_route_table_association.s3_gateway | resource |
| aws_vpc_security_group_egress_rule.common_https_to_ddb_gw_ep | resource |
| aws_vpc_security_group_egress_rule.common_https_to_s3_gw_ep | resource |
| aws_vpc_security_group_egress_rule.common_https_to_vpc_if_eps | resource |
| aws_vpc_security_group_ingress_rule.r53_resolver_inbound_dns_tcp_from_on_prem_vpn_host | resource |
| aws_vpc_security_group_ingress_rule.r53_resolver_inbound_dns_udp_from_on_prem_vpn_host | resource |
| aws_vpc_security_group_ingress_rule.vpc_if_eps_https_from_common | resource |
| aws_vpc_security_group_ingress_rule.vpc_if_eps_https_from_on_prem | resource |
| aws_vpn_connection.on_prem | resource |
| local_file.bind_dns_guide | resource |
| local_file.eks_hybrid_nodes_guide | resource |
| local_file.rolesanywhere_ca_guide | resource |
| local_file.ssm_agent_guide | resource |
| local_file.strongswan_vpn_guide | resource |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.eks_hybrid_nodes_descr_cluster | data source |
| aws_iam_policy_document.eks_hybrid_nodes_trust | data source |
| aws_iam_policy_document.rolesanywhere_trust | data source |
| aws_iam_policy_document.tgw_flow_logs | data source |
| aws_iam_policy_document.tgw_flow_logs_trust | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_default_tags | A map with additional default tags to be applied at the AWS provider level | `map(string)` | `{}` | no |
| aws_account_id | The allowed AWS account ID, to prevent you from mistakenly using an incorrect one | `string` | n/a | yes |
| aws_region | The AWS Region | `string` | n/a | yes |
| component | The TF component name | `string` | `"network"` | no |
| cw_logs_retention_days | The number of days any CloudWatch logs should be retained | `number` | `3` | no |
| eks_hybrid_nodes_enabled | Whether EKS Hybrid Nodes should be configured | `bool` | `false` | no |
| eks_props | A map with EKS relevant properties | `object({ cluster_name = optional(string), cluster_version = optional(string), vpc_name = optional(string), vpc_id = optional(string), vpc_cidr = optional(string), tgw_subnet_ids = optional(list(string)) })` | `{}` | no |
| environment | The environment name | `string` | n/a | yes |
| generate_bind_dns_guide_md | Whether to generate the Bind DNS Guide as a local file | `bool` | `true` | no |
| generate_eks_hybrid_nodes_guide_md | Whether to generate the EKS Hybrid Nodes Guide as a local file | `bool` | `true` | no |
| generate_rolesanywhere_ca_guide_md | Whether to generate the CA RolesAnywhere Guide as a local file | `bool` | `true` | no |
| generate_ssm_agent_guide_md | Whether to generate the SSM Agent Guide as a local file | `bool` | `true` | no |
| generate_strongswan_vpn_guide_md | Whether to generate the Strongswan VPN Guide as a local file | `bool` | `true` | no |
| iam_roles_anywhere_enabled | Whether IAM Roles Anywhere should be configured | `bool` | `false` | no |
| on_prem_props | A map with on-prem relevant properties | `object({ bgp_asn = optional(number), public_ip_address = optional(string), private_cidr = optional(string), vpn_host_ip = optional(string) })` | `{}` | no |
| on_prem_s2s_vpn_enabled | Whether the Site-to-Site VPN connection to on-prem is enabled | `bool` | `false` | no |
| project | The Project name | `string` | n/a | yes |
| r53_inbound_resolver_enabled | Whether the Route53 Inbound Resolver for on-prem is enabled | `bool` | `false` | no |
| ssm_advanced_instances_tier_enabled | Whether the SSM advanced-instances tier is enabled | `bool` | `false` | no |
| ssm_hybrid_activation_registred | Whether the SSM hybrid activation has been registered (manually) | `bool` | `false` | no |
| tf_state_bucket_name_prefix | Terraform state bucket name prefix | `string` | n/a | yes |
| transit_vpc_cidrs | A map with Transit VPC and subnet CIDR blocks | `object({ vpc = string, public_subnets = list(string), private_subnets = list(string), intra_subnets = list(string) })` | n/a | yes |
| vpc_flow_logs_s3_bucket_arn | The ARN of a dedicated S3 bucket for storing logs. If not provided, a CloudWatch log group is configured instead | `string` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| __AWS_ACCOUNT_LEVEL_IDENTIFIER__ | n/a |
| aws_ssm_activation | n/a |
| eks_hybrid_nodes_iam_role_arn | n/a |
| guide_bind_dns_path | n/a |
| guide_eks_hybrid_nodes_path | n/a |
| guide_rolesanywhere_ca_path | n/a |
| guide_ssm_agent_path | n/a |
| guide_strongswan_vpn_path | n/a |
| r53_inbound_resolver_ips | n/a |
| rolesanywhere_signing_helper_props | n/a |
| transit_vpc | n/a |
