
aws-hub-and-spoke-with-connect-peer-terraform's Introduction

AWS Hub and Spoke Architecture with Shared Services and Transit Gateway Connect VPCs - Terraform Sample

This repository contains Terraform code to deploy a sample AWS Hub and Spoke architecture with a Shared Services VPC and a Transit Gateway Connect VPC. It provides the following:

  • Management of the EC2 instances through AWS Systems Manager, using ssm, ssmmessages and ec2messages VPC endpoints in the Shared Services VPC.
  • A Cisco CSR1000v deployed into the Transit Gateway Connect VPC and configured through a templated user_data bootstrap to:
    • Build a GRE tunnel to the Transit Gateway Connect peer
    • Establish a BGP session with the Transit Gateway Connect peer BGP addresses
  • A Cisco CSR1000v deployed into a Remote Spoke VPC, configured to:
    • Build an IPsec tunnel from the Remote Spoke VPC CSR1000v to the Connect VPC CSR1000v
    • Establish BGP neighbours between the Remote Spoke CSR1000v and the Connect VPC CSR1000v over that IPsec tunnel

The resources deployed and the architectural pattern they follow are purely for demonstration and testing purposes.
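The Transit Gateway Connect side of the first CSR1000v bullets, as an added example that is not the repository's code. It uses the page's default values (TGW ASN 64512, CSR ASN 64515, TGW CIDR 192.168.100.0/24, Connect peer inside CIDR 169.254.200.0/29) and treats var.connect_vpc_attachment_id, var.csr_private_ip and var.csr_route_table_id as placeholders for things the repository's vpc and compute modules would create. The IOS-XE fragment at the end is what the templated bootstrap has to deliver to the CSR; the address arithmetic follows AWS's documented allocation for the inside /29 (first address for the appliance, second and third for the transit gateway).

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 4.4" }
  }
}

# Inputs mirror the page's defaults. The last three are placeholders
# (hypothetical) for resources created elsewhere in the repository.
variable "amazon_side_asn"            { default = 64512 }
variable "local_bgp_asn"              { default = 64515 }
variable "transit_gateway_cidr_block" { default = "192.168.100.0/24" }
variable "connect_peer_cidr_block"    { default = "169.254.200.0/29" }
variable "connect_vpc_attachment_id"  { type = string } # VPC attachment of the Connect VPC
variable "csr_private_ip"             { type = string } # CSR1000v GigabitEthernet1 private IP
variable "csr_route_table_id"         { type = string } # route table of the CSR's subnet

# Connect needs a CIDR block on the transit gateway: the TGW-side outer
# address of the GRE tunnel is taken from it.
resource "aws_ec2_transit_gateway" "this" {
  amazon_side_asn             = var.amazon_side_asn
  transit_gateway_cidr_blocks = [var.transit_gateway_cidr_block]
}

# The Connect attachment uses the ordinary VPC attachment as its transport.
resource "aws_ec2_transit_gateway_connect" "this" {
  transit_gateway_id      = aws_ec2_transit_gateway.this.id
  transport_attachment_id = var.connect_vpc_attachment_id
  protocol                = "gre"
}

locals {
  # Pick the TGW GRE address ourselves so the CSR bootstrap can be rendered
  # from variables alone, with no dependency cycle on the connect peer.
  tgw_gre_address = cidrhost(var.transit_gateway_cidr_block, 1)

  # Inside /29: .1 is the appliance's BGP address, .2 and .3 belong to the TGW.
  peer_bgp_address  = cidrhost(var.connect_peer_cidr_block, 1)
  tgw_bgp_addresses = [cidrhost(var.connect_peer_cidr_block, 2), cidrhost(var.connect_peer_cidr_block, 3)]
  inside_netmask    = cidrnetmask(var.connect_peer_cidr_block)
}

resource "aws_ec2_transit_gateway_connect_peer" "csr" {
  transit_gateway_attachment_id = aws_ec2_transit_gateway_connect.this.id
  peer_address                  = var.csr_private_ip
  transit_gateway_address       = local.tgw_gre_address
  inside_cidr_blocks            = [var.connect_peer_cidr_block]
  bgp_asn                       = var.local_bgp_asn
}

# Without this route the CSR's GRE packets for the TGW CIDR never reach the
# transit gateway attachment.
resource "aws_route" "csr_subnet_to_tgw_cidr" {
  route_table_id         = var.csr_route_table_id
  destination_cidr_block = var.transit_gateway_cidr_block
  transit_gateway_id     = aws_ec2_transit_gateway.this.id
}

# IOS-XE fragment for the CSR: GRE tunnel to the TGW and eBGP to both TGW
# BGP addresses. Prefixes learned from the remote CSR over IPsec/BGP are
# re-advertised to the TGW by normal eBGP behaviour; no network statement
# is needed for them.
locals {
  csr_connect_config = <<-EOT
    interface Tunnel1
     ip address ${local.peer_bgp_address} ${local.inside_netmask}
     tunnel source GigabitEthernet1
     tunnel destination ${local.tgw_gre_address}
     tunnel mode gre ip
    !
    router bgp ${var.local_bgp_asn}
     bgp log-neighbor-changes
     neighbor ${local.tgw_bgp_addresses[0]} remote-as ${var.amazon_side_asn}
     neighbor ${local.tgw_bgp_addresses[1]} remote-as ${var.amazon_side_asn}
     address-family ipv4
      neighbor ${local.tgw_bgp_addresses[0]} activate
      neighbor ${local.tgw_bgp_addresses[1]} activate
     exit-address-family
  EOT
}

output "csr_connect_config" {
  value = local.csr_connect_config
}
```

Two checks worth doing once this is applied: compare the addresses in the rendered output with what AWS actually assigned (aws ec2 describe-transit-gateway-connect-peers shows the peer and transit gateway BGP addresses), and confirm the inside block is a /29 inside 169.254.0.0/16 that does not collide with the ranges AWS reserves for its own use, since the API rejects those.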

Prerequisites

  • An AWS account and IAM credentials with permissions to create the resources in this sample
  • A local RSA key pair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). If none exists, generate one with ssh-keygen
  • An AWS Marketplace subscription for Cisco Cloud Services Router (CSR) 1000v - Transit Network VPC - BYOL
  • Terraform installed

Code Principles:

  • Writing DRY (Don't Repeat Yourself) code using a modular design pattern

Usage

  • Clone the repository
  • Edit the variables.tf file in the project root directory. It contains the variables that define the VPCs to create and the hybrid DNS configuration, which need to match your environment.
  • To change which Security Groups and VPC endpoints are created, edit the locals.tf file in the project root directory
  • Initialize Terraform with terraform init
  • Deploy the template with terraform apply

Terraform Output:

After terraform apply completes, the outputs provide the information required to connect to the CSR1000v instances, together with the AWS CLI command that queries the relevant Transit Gateway route table for propagated routes once the BGP sessions between the Transit Gateway and the Cisco CSR1000v have come up.


Target Architecture

Architecture diagram


Cleanup

Remember to clean up once your work is complete by running terraform destroy.

Note that this command deletes all the resources previously created by Terraform.


Requirements

Name Version
terraform >= 1.1.0
aws ~> 4.4

Providers

Name Version
aws 4.4.0
external 2.2.0
random 3.1.0

Modules

Name Source Version
compute ./modules/compute n/a
connect_vpc ./modules/connect_vpc n/a
iam_kms ./modules/iam_kms n/a
key_pairs ./modules/key_pairs n/a
remote_vpc ./modules/remote_vpc n/a
transit_gateway ./modules/transit_gateway n/a
vpc ./modules/vpc n/a
vpc_endpoints ./modules/vpc_endpoints n/a

Resources

Name Type
aws_eip.csr_public_ip resource
random_password.isakmp_secret resource
external_external.curlip data source

Inputs

All inputs are optional; the defaults are listed with each one.

  • amazon_side_asn (number, default 64512): BGP ASN for the Transit Gateway.
  • aws_region (string, default "eu-west-1"): AWS Region to create the environment in.
  • connect_peer_cidr_blocks (list(string), default ["169.254.200.0/29"]): Inside CIDR block(s) for the Transit Gateway Connect peer. AWS requires a /29 from 169.254.0.0/16 for the GRE inside and BGP addresses.
  • eips (map(any)): Elastic IPs to allocate; no description in the source, the default allocates one per CSR1000v. Default:
    {
      "connect_csr_eip": {
        "tags": { "Name": "connect-csr-eip", "Type": "ConnectCSR" }
      },
      "remote_csr_eip": {
        "tags": { "Name": "remote-csr-eip", "Type": "RemoteSR" }
      }
    }
  • on_premises_cidr (string, default "192.168.0.0/16"): On-premises CIDR block.
  • project_identifier (string, default "hub-spoke-connect"): Project name, used as an identifier when naming resources.
  • transit_gateway_cidr_block (string, default "192.168.100.0/24"): CIDR block assigned to the Transit Gateway; the TGW side of the Connect GRE tunnel takes its address from this range. (The generated description repeats the connect-peer text.)
  • tunnel_cidr_block (string, default "169.254.201.0/29"): CIDR block for the tunnel addressing between the two CSR1000v instances, inferred from the name; the generated description repeats the connect-peer text.
  • vpcs (map(any)): VPCs to create, keyed by name. Default:
    {
      "connect-vpc-1": {
        "cidr_block": "10.132.0.0/16",
        "csr_hostname_prefix": "csr",
        "csr_instance_size": "c5.large",
        "instance_count": 1,
        "local_bgp_asn": 64515,
        "number_azs": 2,
        "remote_bgp_asn": 64512,
        "spoke_type": "connect"
      },
      "remote-vpc-1": {
        "cidr_block": "10.251.0.0/16",
        "csr_hostname_prefix": "csr",
        "csr_instance_size": "c5.large",
        "instance_count": 1,
        "local_bgp_asn": 64516,
        "number_azs": 2,
        "remote_bpg_asn": 64515,
        "spoke_type": "remote"
      },
      "spoke-vpc-1": {
        "cidr_block": "10.11.0.0/16",
        "instance_type": "t2.micro",
        "number_azs": 1,
        "spoke_type": "spoke"
      },
      "spoke-vpc-2": {
        "cidr_block": "10.12.0.0/16",
        "instance_type": "t2.micro",
        "number_azs": 1,
        "spoke_type": "spoke"
      }
    }

The defaults are reproduced as generated from the variable definitions. Note that the remote-vpc-1 key is spelled remote_bpg_asn (the connect-vpc-1 entry uses remote_bgp_asn) and the remote EIP tag reads RemoteSR, not RemoteCSR; anything that looks these keys up by name has to match the spelling actually defined.

Outputs

  • connect_aws_eip_csr_public_ip: Public IP of the Elastic IP attached to the Connect VPC CSR instance
  • connect_csr_instance_id: Instance ID of the Connect VPC CSR instance
  • instances_created: Instances created in each VPC
  • isakmp_secret: ISAKMP (IPsec pre-shared) secret
  • remote_aws_eip_csr_public_ip: Public IP of the Elastic IP attached to the Remote Spoke VPC CSR instance
  • tgw_route_table_id: Transit Gateway route table ID
  • transit_gateway: Transit Gateway ID
  • vpc_endpoints: Regional DNS names of the VPC endpoints created
  • vpcs: List of VPCs created
  • z_output_user_message: AWS CLI command to search the Transit Gateway route table

The isakmp_secret value comes from the random_password resource listed above. Like every random_password result it is stored in the Terraform state in clear text, and terraform output prints it unless the output is marked sensitive, so treat the state backend and the apply logs as holding an IPsec credential.

Security

See CONTRIBUTING for more information.


License

This library is licensed under the MIT-0 License. See the LICENSE file.

Contributors

amazon-auto, ddericco, netdevautomate


Issues

Provider template v2.2.0 unsupported on darwin_arm64

The terraform-provider-template provider has been deprecated and is not supported on M1/Apple ARM CPU architecture: hashicorp/terraform-provider-template#85

Output from terraform init on an M1 Mac:

$ terraform init
Initializing modules...
- compute in modules/compute
- connect_vpc in modules/connect_vpc
- iam_kms in modules/iam_kms
- key_pairs in modules/key_pairs
- remote_vpc in modules/remote_vpc
- transit_gateway in modules/transit_gateway
- transit_gateway.tgw_vpc_route in modules/tgw_vpc_route
- vpc in modules/vpc
- vpc_endpoints in modules/vpc_endpoints

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/random...
- Finding latest version of hashicorp/external...
- Finding latest version of hashicorp/template...
- Finding hashicorp/aws versions matching "~> 4.4"...
- Installing hashicorp/random v3.4.3...
- Installed hashicorp/random v3.4.3 (signed by HashiCorp)
- Installing hashicorp/external v2.2.2...
- Installed hashicorp/external v2.2.2 (signed by HashiCorp)
- Installing hashicorp/aws v4.31.0...
- Installed hashicorp/aws v4.31.0 (signed by HashiCorp)
╷
│ Error: Incompatible provider version
│ 
│ Provider registry.terraform.io/hashicorp/template v2.2.0 does not have a package available for your current
│ platform, darwin_arm64.
│ 
│ Provider releases are separate from Terraform CLI releases, so not all providers are available for all
│ platforms. Other versions of this provider may have different platforms supported.

Looking at the code, the deprecated provider appears to be used to provision the user_data for the CSR instances.

An alternative approach here would be to leverage the built-in templatefile function instead: https://www.terraform.io/language/functions/templatefile
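The replacement the issue points at, shown as an added example that is not the repository's code. The file name csr_bootstrap.tftpl and the two template variables are hypothetical; the point is the shape of the change, with the deprecated data source kept in comments for comparison.

```hcl
# Before (requires the hashicorp/template provider, which has no
# darwin_arm64 build):
#
# data "template_file" "csr_user_data" {
#   template = file("${path.module}/csr_bootstrap.tpl")
#   vars = {
#     hostname        = "csr-connect"
#     tgw_gre_address = "192.168.100.1"
#   }
# }
# ...
# user_data = data.template_file.csr_user_data.rendered

# After: the built-in function, no provider needed. The file keeps the same
# ${hostname} and ${tgw_gre_address} placeholders, and any literal "${" in
# the IOS config must be written as "$${" in both variants.
locals {
  csr_user_data = templatefile("${path.module}/csr_bootstrap.tftpl", {
    hostname        = "csr-connect"
    tgw_gre_address = "192.168.100.1"
  })
}

# resource "aws_instance" "csr" {
#   ...
#   user_data = local.csr_user_data
# }
```

One practical difference: template_file only accepted string values in vars, whereas templatefile takes any Terraform value, so lists such as the two TGW BGP addresses can be passed directly and iterated in the template with a %{ for } directive instead of being joined into a string first.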

Invalid Index Error with us-east-1 and us-west-2

When trying to plan or apply the resources into us-east-1 or us-west-2, Terraform returns an invalid index error:

$ terraform plan -var="aws_region=us-east-1"
... 

│ Error: Invalid index
│ 
│   on modules/connect_vpc/main.tf line 42, in resource "aws_subnet" "vpc_public_subnets":
│   42:   cidr_block              = [for i in range(11, 14) : cidrsubnet(var.vpc_info.cidr_block, 8, i)][count.index]
│     ├────────────────
│     │ count.index is 5
│     │ var.vpc_info.cidr_block is "10.132.0.0/16"
│ 
│ The given key does not identify an element in this collection value.

The issue appears to be due to how subnet CIDR blocks are allocated in the remote_vpc and connect_vpc modules. Currently these subnet values are hard-coded and do not allow for regions with more than three AZs.

You can use aws ec2 describe-availability-zones --query 'AvailabilityZones[*].ZoneId' --region to determine if your region is affected.
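One way to remove the hard-coded index list the issue describes, as an added example that is not the repository's code. It assumes the module receives a var.vpc_info object with cidr_block and number_azs, as the vpcs input on this page does, and it binds the subnet count to the AZs actually used so count.index can never exceed the list of CIDRs.

```hcl
# Hypothetical module input, shaped like one entry of the page's vpcs map.
variable "vpc_info" {
  type = object({
    cidr_block = string
    number_azs = number
  })
  default = {
    cidr_block = "10.132.0.0/16"
    number_azs = 2
  }
}

data "aws_availability_zones" "available" {
  state = "available"
}

locals {
  # Never ask for more AZs than requested, nor more than the region offers.
  az_count = min(var.vpc_info.number_azs, length(data.aws_availability_zones.available.names))
  azs      = slice(data.aws_availability_zones.available.names, 0, local.az_count)

  # Public subnets stay on the original numbering (/24 number 11 upwards),
  # but the list is exactly as long as the number of subnets created, so the
  # lookup below cannot run off the end in a six-AZ region such as us-east-1.
  public_subnet_cidrs = [for i in range(local.az_count) : cidrsubnet(var.vpc_info.cidr_block, 8, 11 + i)]
}

resource "aws_vpc" "this" {
  cidr_block = var.vpc_info.cidr_block
}

resource "aws_subnet" "vpc_public_subnets" {
  count             = local.az_count
  vpc_id            = aws_vpc.this.id
  cidr_block        = local.public_subnet_cidrs[count.index]
  availability_zone = local.azs[count.index]
  tags = {
    Name = "public-${local.azs[count.index]}"
  }
}
```

With the defaults above, terraform plan produces two subnets, 10.132.11.0/24 and 10.132.12.0/24, in the first two available AZs regardless of how many the region has; raising number_azs beyond what the region offers is clamped rather than failing with the invalid index error.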
