# Provider instance for the first region ("alicloud.region-a").
# Credentials are injected through variables; the alicloud provider also
# reads ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY from the environment,
# which keeps the key pair out of committed tfvars files.
provider "alicloud" {
  alias      = "region-a"
  region     = "${var.region-a}"
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
}
# Provider instance for the second region ("alicloud.region-b").
# Same key pair as region-a; see the note on that provider about sourcing
# the credentials from the environment instead of a tfvars file.
provider "alicloud" {
  alias      = "region-b"
  region     = "${var.region-b}"
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
}
# VPC in region-a; its CIDR must not overlap vpc_region-b, because both
# VPCs are joined through the CEN below.
resource "alicloud_vpc" "vpc_region-a" {
  provider   = "alicloud.region-a"
  cidr_block = "${var.vpc_cidr_region-a}"
  name       = "${var.vpc_name_region-a}"
}
# Single vSwitch (subnet) inside vpc_region-a; proxy-a is placed here.
resource "alicloud_vswitch" "vsw_region-a" {
  provider          = "alicloud.region-a"
  availability_zone = "${var.zone_region-a}"
  vpc_id            = "${alicloud_vpc.vpc_region-a.id}"
  cidr_block        = "${var.vsw_cidr_region-a}"
}
# VPC in region-b; hosts the VPN gateway, the SSL VPN server and proxy-b.
# Its CIDR must not overlap vpc_region-a or var.client_ip_pool.
resource "alicloud_vpc" "vpc_region-b" {
  provider   = "alicloud.region-b"
  cidr_block = "${var.vpc_cidr_region-b}"
  name       = "${var.vpc_name_region-b}"
}
# Single vSwitch inside vpc_region-b; proxy-b lives here and this CIDR is
# what the SSL VPN server advertises to clients as local_subnet.
resource "alicloud_vswitch" "vsw_region-b" {
  provider          = "alicloud.region-b"
  availability_zone = "${var.zone_region-b}"
  vpc_id            = "${alicloud_vpc.vpc_region-b.id}"
  cidr_block        = "${var.vsw_cidr_region-b}"
}
# Cloud Enterprise Network instance that interconnects the two VPCs.
# Created through the region-a provider; attachments below add each VPC.
resource "alicloud_cen_instance" "cen" {
  provider    = "alicloud.region-a"
  description = "${var.cen_description}"
  name        = "${var.cen_name}"
}
# Attaches vpc_region-a to the CEN. Once attached, hosts in region-a can
# reach region-b private addresses without any public exposure.
resource "alicloud_cen_instance_attachment" "attachment_region-a" {
  provider                 = "alicloud.region-a"
  child_instance_region_id = "${var.region-a}"
  child_instance_id        = "${alicloud_vpc.vpc_region-a.id}"
  instance_id              = "${alicloud_cen_instance.cen.id}"
}
# Attaches vpc_region-b to the same CEN as attachment_region-a.
resource "alicloud_cen_instance_attachment" "attachment_region-b" {
  provider                 = "alicloud.region-b"
  child_instance_region_id = "${var.region-b}"
  child_instance_id        = "${alicloud_vpc.vpc_region-b.id}"
  instance_id              = "${alicloud_cen_instance.cen.id}"
}
# VPN gateway in region-b with the SSL (client-to-site) feature enabled;
# this is the only intended entry point for remote users.
# bandwidth is a fixed "10" (presumably Mbps -- confirm against the
# provider docs) and the gateway is billed pay-as-you-go.
resource "alicloud_vpn_gateway" "vpn-gateway" {
  provider             = "alicloud.region-b"
  name                 = "${var.vpn_gateway_name}"
  description          = "${var.vpn_gateway_description}"
  vpc_id               = "${alicloud_vpc.vpc_region-b.id}"
  enable_ssl           = true
  instance_charge_type = "PostPaid"
  bandwidth            = "10"
}
# SSL VPN (OpenVPN-style) server on the region-b gateway.
# - clients receive addresses from var.client_ip_pool and are pushed
#   the region-b vSwitch CIDR as the reachable local subnet;
# - UDP/1194 with AES-128-CBC; the provider also accepts AES-192-CBC and
#   AES-256-CBC, which are worth preferring for new deployments;
# - compression stays off, which is the safer choice for TLS-wrapped traffic.
resource "alicloud_ssl_vpn_server" "ssl-vpn-server" {
  provider       = "alicloud.region-b"
  vpn_gateway_id = "${alicloud_vpn_gateway.vpn-gateway.id}"
  name           = "${var.ssl_vpn_server_name}"

  client_ip_pool = "${var.client_ip_pool}"
  local_subnet   = "${alicloud_vswitch.vsw_region-b.cidr_block}"

  protocol = "UDP"
  port     = 1194
  cipher   = "AES-128-CBC"
  compress = "false"
}
# One client certificate for the SSL VPN server. The private key and
# client config this resource exports end up in Terraform state, so the
# state backend must be treated as holding VPN credentials.
resource "alicloud_ssl_vpn_client_cert" "cert1" {
  provider          = "alicloud.region-b"
  name              = "${var.ssl_vpn_client_cert_name}"
  ssl_vpn_server_id = "${alicloud_ssl_vpn_server.ssl-vpn-server.id}"
}
# Security group for proxy-a; ingress rules are declared separately below.
resource "alicloud_security_group" "sg_region-a" {
  provider = "alicloud.region-a"
  vpc_id   = "${alicloud_vpc.vpc_region-a.id}"
  name     = "terraform-sg"
}
# Accept ICMP from any source on sg_region-a. proxy-a carries a public EIP
# (eip-a-ass), so this makes the host pingable from the Internet; restrict
# cidr_ip if that is not wanted.
resource "alicloud_security_group_rule" "allow_icmp_region-a" {
  provider          = "alicloud.region-a"
  security_group_id = "${alicloud_security_group.sg_region-a.id}"

  type        = "ingress"
  policy      = "accept"
  priority    = 1
  nic_type    = "intranet"
  ip_protocol = "icmp"
  port_range  = "-1/-1"
  cidr_ip     = "0.0.0.0/0"
}
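# Source range allowed to reach SSH on proxy-a.
# Defaults to the previously hard-coded 0.0.0.0/0 so existing deployments
# plan with no change. proxy-a is given a public EIP (eip-a-ass), so with
# the default this rule exposes TCP/22 to the whole Internet; set it to an
# admin or bastion range in tfvars.
variable "ssh_allowed_cidr_region-a" {
  default = "0.0.0.0/0"
}

# Accept TCP/22 on sg_region-a from var.ssh_allowed_cidr_region-a.
resource "alicloud_security_group_rule" "allow_ssh_region-a" {
  provider          = "alicloud.region-a"
  security_group_id = "${alicloud_security_group.sg_region-a.id}"

  type        = "ingress"
  policy      = "accept"
  priority    = 1
  nic_type    = "intranet"
  ip_protocol = "tcp"
  port_range  = "22/22"
  cidr_ip     = "${var.ssh_allowed_cidr_region-a}"
}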
# Accept TCP/8080 (squid) on sg_region-a, but only from proxy-b's private
# address, which is reachable across the CEN. Keeping this to a single
# host means the region-a proxy is never an open proxy on its EIP.
resource "alicloud_security_group_rule" "allow_proxy_access_region-a" {
  provider          = "alicloud.region-a"
  security_group_id = "${alicloud_security_group.sg_region-a.id}"

  type        = "ingress"
  policy      = "accept"
  priority    = 1
  nic_type    = "intranet"
  ip_protocol = "tcp"
  port_range  = "8080/8080"
  cidr_ip     = "${alicloud_instance.proxy-b.private_ip}"
}
# Security group for proxy-b; ingress rules are declared separately below.
# Same display name as sg_region-a, which is fine since they are in
# different regions.
resource "alicloud_security_group" "sg_region-b" {
  provider = "alicloud.region-b"
  vpc_id   = "${alicloud_vpc.vpc_region-b.id}"
  name     = "terraform-sg"
}
# Accept ICMP from any source on sg_region-b. proxy-b carries a public EIP
# (eip-b-ass), so the host is pingable from the Internet; narrow cidr_ip
# if that is not wanted.
resource "alicloud_security_group_rule" "allow_icmp_region-b" {
  provider          = "alicloud.region-b"
  security_group_id = "${alicloud_security_group.sg_region-b.id}"

  type        = "ingress"
  policy      = "accept"
  priority    = 1
  nic_type    = "intranet"
  ip_protocol = "icmp"
  port_range  = "-1/-1"
  cidr_ip     = "0.0.0.0/0"
}
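# Source range allowed to reach SSH on proxy-b.
# Defaults to the previously hard-coded 0.0.0.0/0 so existing deployments
# plan with no change. proxy-b is given a public EIP (eip-b-ass), so with
# the default this rule exposes TCP/22 to the whole Internet; set it to an
# admin or bastion range in tfvars (VPN users can instead come in through
# var.client_ip_pool).
variable "ssh_allowed_cidr_region-b" {
  default = "0.0.0.0/0"
}

# Accept TCP/22 on sg_region-b from var.ssh_allowed_cidr_region-b.
resource "alicloud_security_group_rule" "allow_ssh_region-b" {
  provider          = "alicloud.region-b"
  security_group_id = "${alicloud_security_group.sg_region-b.id}"

  type        = "ingress"
  policy      = "accept"
  priority    = 1
  nic_type    = "intranet"
  ip_protocol = "tcp"
  port_range  = "22/22"
  cidr_ip     = "${var.ssh_allowed_cidr_region-b}"
}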
# Accept TCP/8080 (squid) on sg_region-b only from the SSL VPN client pool,
# i.e. from users who have authenticated to the VPN. The pool is read back
# from the server resource so it cannot drift from what the VPN hands out.
resource "alicloud_security_group_rule" "allow_proxy_access_region-b" {
  provider          = "alicloud.region-b"
  security_group_id = "${alicloud_security_group.sg_region-b.id}"

  type        = "ingress"
  policy      = "accept"
  priority    = 1
  nic_type    = "intranet"
  ip_protocol = "tcp"
  port_range  = "8080/8080"
  cidr_ip     = "${alicloud_ssl_vpn_server.ssl-vpn-server.client_ip_pool}"
}
# Publishes the VPN client pool from vpc_region-b's route table into the
# CEN, so that replies from region-a hosts to VPN clients are routed back
# through region-b. depends_on presumably makes sure the VPN server (and
# thus the route it installs) exists before the entry is published --
# the cidr itself comes from var.client_ip_pool, not from the server.
resource "alicloud_cen_route_entry" "vpn" {
  provider       = "alicloud.region-b"
  instance_id    = "${alicloud_cen_instance.cen.id}"
  route_table_id = "${alicloud_vpc.vpc_region-b.route_table_id}"
  cidr_block     = "${var.client_ip_pool}"
  depends_on     = ["alicloud_ssl_vpn_server.ssl-vpn-server"]
}
# Public IP for proxy-a (associated by eip-a-ass below). Everything in
# sg_region-a with cidr_ip 0.0.0.0/0 becomes Internet-reachable through it.
resource "alicloud_eip" "eip-a" {
provider = "alicloud.region-a"
}
# Public IP for proxy-b (associated by eip-b-ass below). Everything in
# sg_region-b with cidr_ip 0.0.0.0/0 becomes Internet-reachable through it.
resource "alicloud_eip" "eip-b" {
provider = "alicloud.region-b"
}
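# Base image for proxy-a. Defaults to the image that was previously pinned
# here (a CentOS 7.3 build from 2017-03) so existing plans do not change;
# CentOS 7 is end-of-life, so override this with a current, patched image.
variable "image_id_region-a" {
  default = "centos_7_3_64_40G_base_20170322.vhd"
}

# Squid proxy host in region-a.
# Bootstrapped entirely through user_data: the Ansible playbook and the
# squid template are written to /tmp, then the rendered provisioning
# template (data.template_file.prv-proxy-a, which carries var.ecs-password
# and var.publickey) runs.
resource "alicloud_instance" "proxy-a" {
  provider             = "alicloud.region-a"
  instance_name        = "terraform-ecs"
  host_name            = "proxy-ecs"
  availability_zone    = "${var.zone_region-a}"
  image_id             = "${var.image_id_region-a}"
  instance_type        = "ecs.n4.small"
  system_disk_category = "cloud_efficiency"
  vswitch_id           = "${alicloud_vswitch.vsw_region-a.id}"
  security_groups      = ["${alicloud_security_group.sg_region-a.id}"]

  # Quoted heredocs write both files byte-for-byte. The previous
  # `echo "${file(...)}" > ...` form let the shell expand `$` and
  # backticks inside the file contents and broke on any embedded
  # double quote. The delimiter is deliberately not a plain EOF so a
  # line of that text inside the playbook cannot end the heredoc early.
  # NOTE: user_data (including the rendered password) is stored in
  # Terraform state and readable from inside the instance -- protect both.
  user_data = "#!/bin/bash\ncat > /tmp/playbook.yml <<'TF_EOF'\n${file("ansible/playbook.yml")}\nTF_EOF\ncat > /tmp/squid.conf.j2 <<'TF_EOF'\n${file("ansible/squid-a.conf.j2")}\nTF_EOF\n${data.template_file.prv-proxy-a.rendered}"
}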
# Binds eip-a to proxy-a, making the region-a proxy reachable from the
# Internet on whatever sg_region-a allows.
resource "alicloud_eip_association" "eip-a-ass" {
  provider      = "alicloud.region-a"
  instance_id   = "${alicloud_instance.proxy-a.id}"
  allocation_id = "${alicloud_eip.eip-a.id}"
}
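# Base image for proxy-b. Defaults to the image that was previously pinned
# here (a CentOS 7.3 build from 2017-03) so existing plans do not change;
# CentOS 7 is end-of-life, so override this with a current, patched image.
variable "image_id_region-b" {
  default = "centos_7_3_64_40G_base_20170322.vhd"
}

# Squid proxy host in region-b, the one VPN clients talk to.
# Bootstrapped entirely through user_data: the Ansible playbook and the
# squid template are written to /tmp, then the rendered provisioning
# template (data.template_file.prv-proxy-b, which carries var.ecs-password,
# var.publickey, proxy-a's private IP and var.dest-domain) runs.
resource "alicloud_instance" "proxy-b" {
  provider             = "alicloud.region-b"
  instance_name        = "terraform-ecs"
  host_name            = "proxy-ecs"
  availability_zone    = "${var.zone_region-b}"
  image_id             = "${var.image_id_region-b}"
  instance_type        = "ecs.n4.small"
  system_disk_category = "cloud_efficiency"
  vswitch_id           = "${alicloud_vswitch.vsw_region-b.id}"
  security_groups      = ["${alicloud_security_group.sg_region-b.id}"]

  # Quoted heredocs write both files byte-for-byte. The previous
  # `echo "${file(...)}" > ...` form let the shell expand `$` and
  # backticks inside the file contents and broke on any embedded
  # double quote. The delimiter is deliberately not a plain EOF so a
  # line of that text inside the playbook cannot end the heredoc early.
  # NOTE: user_data (including the rendered password) is stored in
  # Terraform state and readable from inside the instance -- protect both.
  user_data = "#!/bin/bash\ncat > /tmp/playbook.yml <<'TF_EOF'\n${file("ansible/playbook.yml")}\nTF_EOF\ncat > /tmp/squid.conf.j2 <<'TF_EOF'\n${file("ansible/squid-b.conf.j2")}\nTF_EOF\n${data.template_file.prv-proxy-b.rendered}"
}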
# Binds eip-b to proxy-b, making the region-b proxy reachable from the
# Internet on whatever sg_region-b allows.
resource "alicloud_eip_association" "eip-b-ass" {
  provider      = "alicloud.region-b"
  instance_id   = "${alicloud_instance.proxy-b.id}"
  allocation_id = "${alicloud_eip.eip-b.id}"
}
# Renders templates/provisioning-proxy-a.tpl into the shell fragment that
# proxy-a's user_data ends with. The template receives the ECS login
# password and an SSH public key in clear text; the rendered output is
# kept in Terraform state, so the state must be protected like a secret.
data "template_file" "prv-proxy-a" {
  template = "${file("templates/provisioning-proxy-a.tpl")}"

  vars = {
    publickey = "${var.publickey}"
    password  = "${var.ecs-password}"
  }
}
# Renders templates/provisioning-proxy-b.tpl into the shell fragment that
# proxy-b's user_data ends with. Besides the same password/public key as
# prv-proxy-a, it gets proxy-a's private address (presumably the upstream
# peer for the region-b squid) and the destination domain to forward.
# The rendered output, password included, lands in Terraform state.
data "template_file" "prv-proxy-b" {
  template = "${file("templates/provisioning-proxy-b.tpl")}"

  vars = {
    publickey   = "${var.publickey}"
    password    = "${var.ecs-password}"
    dest-domain = "${var.dest-domain}"
    proxy-a-ip  = "${alicloud_instance.proxy-a.private_ip}"
  }
}