18790: Merge branch 'main' into 18790-log-client
[arvados.git] / tools / salt-install / terraform / aws / vpc / main.tf
index 4581d5b6f0fade2c84a2d8d9f2c6941c6948f92e..eba48b9f9ed320cfa93ef67060afa3f58f7a44e8 100644 (file)
@@ -24,10 +24,15 @@ resource "aws_vpc" "arvados_vpc" {
   enable_dns_hostnames = true
   enable_dns_support = true
 }
-resource "aws_subnet" "arvados_subnet" {
+resource "aws_subnet" "public_subnet" {
   vpc_id = aws_vpc.arvados_vpc.id
-  availability_zone = "${var.region_name}a"
-  cidr_block = aws_vpc.arvados_vpc.cidr_block
+  availability_zone = local.availability_zone
+  cidr_block = "10.1.1.0/24"
+}
+resource "aws_subnet" "private_subnet" {
+  vpc_id = aws_vpc.arvados_vpc.id
+  availability_zone = local.availability_zone
+  cidr_block = "10.1.2.0/24"
 }
 
 #
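Review bot: The two new subnet CIDRs are hard-coded literals (`"10.1.1.0/24"` and `"10.1.2.0/24"`) where the old subnet derived its range from `aws_vpc.arvados_vpc.cidr_block`; the VPC's cidr_block is declared above this hunk, so if it is anything other than a /16 covering 10.1.0.0 (or is later made a variable) the subnet creation fails with an out-of-range error. Deriving them keeps the two definitions coupled: `cidr_block = cidrsubnet(aws_vpc.arvados_vpc.cidr_block, 8, 1)` for the public subnet and `cidr_block = cidrsubnet(aws_vpc.arvados_vpc.cidr_block, 8, 2)` for the private one. A short comment on each subnet stating which hosts land in it would also help, since the public/private split is the security boundary this change introduces. The `aws_vpc` block whose tail is shown here begins outside the hunk.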
@@ -37,34 +42,60 @@ resource "aws_vpc_endpoint" "s3" {
   vpc_id = aws_vpc.arvados_vpc.id
   service_name = "com.amazonaws.${var.region_name}.s3"
 }
-resource "aws_vpc_endpoint_route_table_association" "s3_route" {
+resource "aws_vpc_endpoint_route_table_association" "compute_s3_route" {
   vpc_endpoint_id = aws_vpc_endpoint.s3.id
-  route_table_id = aws_route_table.arvados_rt.id
+  route_table_id = aws_route_table.private_subnet_rt.id
 }
 
 #
-# VPC Internet access
+# Internet access for Public IP instances
 #
-resource "aws_internet_gateway" "arvados_gw" {
+resource "aws_internet_gateway" "internet_gw" {
   vpc_id = aws_vpc.arvados_vpc.id
 }
 resource "aws_eip" "arvados_eip" {
-  for_each = toset(local.hostnames)
+  for_each = toset(local.public_hosts)
+  depends_on = [
+    aws_internet_gateway.internet_gw
+  ]
+}
+resource "aws_route_table" "public_subnet_rt" {
+  vpc_id = aws_vpc.arvados_vpc.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.internet_gw.id
+  }
+}
+resource "aws_route_table_association" "public_subnet_assoc" {
+  subnet_id = aws_subnet.public_subnet.id
+  route_table_id = aws_route_table.public_subnet_rt.id
+}
+
+#
+# Internet access for Private IP instances
+#
+resource "aws_eip" "nat_gw_eip" {
   depends_on = [
-    aws_internet_gateway.arvados_gw
+    aws_internet_gateway.internet_gw
   ]
 }
-resource "aws_route_table" "arvados_rt" {
+resource "aws_nat_gateway" "nat_gw" {
+  # A NAT gateway should be placed on a subnet with an internet gateway
+  subnet_id = aws_subnet.public_subnet.id
+  allocation_id = aws_eip.nat_gw_eip.id
+}
+resource "aws_route_table" "private_subnet_rt" {
   vpc_id = aws_vpc.arvados_vpc.id
   route {
     cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.arvados_gw.id
+    nat_gateway_id = aws_nat_gateway.nat_gw.id
   }
 }
-resource "aws_route_table_association" "arvados_subnet_assoc" {
-  subnet_id = aws_subnet.arvados_subnet.id
-  route_table_id = aws_route_table.arvados_rt.id
+resource "aws_route_table_association" "private_subnet_assoc" {
+  subnet_id = aws_subnet.private_subnet.id
+  route_table_id = aws_route_table.private_subnet_rt.id
 }
+
 resource "aws_security_group" "arvados_sg" {
   name = "arvados_sg"
   vpc_id = aws_vpc.arvados_vpc.id
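Review bot: The S3 gateway endpoint is now associated only with `private_subnet_rt` (`compute_s3_route`), so anything in `public_subnet` that talks to S3 will go out through the internet gateway instead of the endpoint; before this change the single route table carried both the endpoint and the default route. If any of the `local.public_hosts` use S3 (I cannot tell from this hunk), a second `aws_vpc_endpoint_route_table_association` against `public_subnet_rt` restores the endpoint path and keeps that traffic inside AWS. Separately, `aws_nat_gateway.nat_gw` has no explicit `depends_on` for the internet gateway even though `nat_gw_eip` does; the provider documentation recommends declaring that dependency on the NAT gateway itself so it is not created before the IGW is attached. The `aws_security_group` resource at the end of the hunk continues outside it.
```hcl
resource "aws_vpc_endpoint_route_table_association" "public_s3_route" {
  vpc_endpoint_id = aws_vpc_endpoint.s3.id
  route_table_id = aws_route_table.public_subnet_rt.id
}
# … unchanged: internet gateway, EIPs, public route table and association …
resource "aws_nat_gateway" "nat_gw" {
  # A NAT gateway should be placed on a subnet with an internet gateway
  subnet_id = aws_subnet.public_subnet.id
  allocation_id = aws_eip.nat_gw_eip.id
  depends_on = [
    aws_internet_gateway.internet_gw
  ]
}
```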