}
resource "aws_vpc" "arvados_vpc" {
+ count = var.vpc_id == "" ? 1 : 0
cidr_block = "10.1.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
+
+ lifecycle {
+ precondition {
+ condition = (var.sg_id == "")
+ error_message = "vpc_id should be set if sg_id is also set"
+ }
+ }
}
resource "aws_subnet" "public_subnet" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.public_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
availability_zone = local.availability_zone
cidr_block = "10.1.1.0/24"
+
+ lifecycle {
+ precondition {
+ condition = (var.vpc_id == "")
+ error_message = "public_subnet_id should be set if vpc_id is also set"
+ }
+ }
}
resource "aws_subnet" "private_subnet" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.private_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
availability_zone = local.availability_zone
cidr_block = "10.1.2.0/24"
+
+ lifecycle {
+ precondition {
+ condition = (var.vpc_id == "")
+ error_message = "private_subnet_id should be set if vpc_id is also set"
+ }
+ }
}
#
# VPC S3 access
#
resource "aws_vpc_endpoint" "s3" {
- vpc_id = aws_vpc.arvados_vpc.id
+ vpc_id = local.arvados_vpc_id
service_name = "com.amazonaws.${var.region_name}.s3"
}
resource "aws_vpc_endpoint_route_table_association" "compute_s3_route" {
+ count = var.private_subnet_id == "" ? 1 : 0
vpc_endpoint_id = aws_vpc_endpoint.s3.id
- route_table_id = aws_route_table.private_subnet_rt.id
+ route_table_id = aws_route_table.private_subnet_rt[0].id
}
#
# Internet access for Public IP instances
#
resource "aws_internet_gateway" "internet_gw" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.vpc_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
}
resource "aws_eip" "arvados_eip" {
for_each = toset(local.public_hosts)
]
}
resource "aws_route_table" "public_subnet_rt" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.public_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
route {
cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.internet_gw.id
+ gateway_id = aws_internet_gateway.internet_gw[0].id
}
}
resource "aws_route_table_association" "public_subnet_assoc" {
- subnet_id = aws_subnet.public_subnet.id
- route_table_id = aws_route_table.public_subnet_rt.id
+ count = var.public_subnet_id == "" ? 1 : 0
+ subnet_id = aws_subnet.public_subnet[0].id
+ route_table_id = aws_route_table.public_subnet_rt[0].id
}
#
# Internet access for Private IP instances
#
resource "aws_eip" "nat_gw_eip" {
+ count = var.private_subnet_id == "" ? 1 : 0
depends_on = [
- aws_internet_gateway.internet_gw
+ aws_internet_gateway.internet_gw[0]
]
}
resource "aws_nat_gateway" "nat_gw" {
+ count = var.private_subnet_id == "" ? 1 : 0
# A NAT gateway should be placed on a subnet with an internet gateway
- subnet_id = aws_subnet.public_subnet.id
- allocation_id = aws_eip.nat_gw_eip.id
+ subnet_id = aws_subnet.public_subnet[0].id
+ allocation_id = aws_eip.nat_gw_eip[0].id
}
resource "aws_route_table" "private_subnet_rt" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.private_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
route {
cidr_block = "0.0.0.0/0"
- nat_gateway_id = aws_nat_gateway.nat_gw.id
+ nat_gateway_id = aws_nat_gateway.nat_gw[0].id
}
}
resource "aws_route_table_association" "private_subnet_assoc" {
- subnet_id = aws_subnet.private_subnet.id
- route_table_id = aws_route_table.private_subnet_rt.id
+ count = var.private_subnet_id == "" ? 1 : 0
+ subnet_id = aws_subnet.private_subnet[0].id
+ route_table_id = aws_route_table.private_subnet_rt[0].id
}
resource "aws_security_group" "arvados_sg" {
name = "arvados_sg"
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.sg_id == "" ? 1 : 0
+ vpc_id = aws_vpc.arvados_vpc[0].id
+
+ lifecycle {
+ precondition {
+ condition = (var.vpc_id == "")
+ error_message = "sg_id should be set if vpc_id is set"
+ }
+ }
dynamic "ingress" {
for_each = local.allowed_ports
from_port = 0
to_port = 0
protocol = "-1"
- cidr_blocks = [ aws_vpc.arvados_vpc.cidr_block ]
+ cidr_blocks = [ aws_vpc.arvados_vpc[0].cidr_block ]
}
# Even though AWS auto-creates an "allow all" egress rule,
# Terraform deletes it, so we add it explicitly.
resource "aws_route53_zone" "private_zone" {
name = var.domain_name
vpc {
- vpc_id = aws_vpc.arvados_vpc.id
+ vpc_id = local.arvados_vpc_id
}
}
resource "aws_route53_record" "private_a_record" {
projects / arvados.git / commitdiff