
PoC Guide: Deploying Citrix DaaS and Amazon WorkSpaces Core using Terraform

  • Contributed By: Gerhard Krenn. Special Thanks To: Camilo Marino.


Overview

Amazon WorkSpaces Core is managed virtual desktop infrastructure designed to be used with third-party VDI solutions such as Citrix DaaS. It provides the compute layer, which the Citrix DaaS control plane orchestrates and manages to deliver HDX-optimized apps and desktops to users anywhere. Combining Amazon WorkSpaces Core with Citrix aims to reduce cost, simplify cloud management, and improve the user experience.

Citrix DaaS treats Amazon WorkSpaces Core as one more Resource Location option within your deployment. IT teams manage and provision WorkSpaces Core desktops directly from the Citrix platform, which reduces application delivery complexity and simplifies operations. Citrix security features such as Zero Trust Network Access (ZTNA), contextual access policies, and secure browser redirection help reduce exposure to threats and data leakage.

Citrix improves the WorkSpaces Core experience with advanced HDX graphics, Unified Communications optimizations, USB redirection, and support for 3D workloads, for consistent performance across devices and networks. Centralized management, automated patching, and streamlined updates reduce IT cost and complexity.

This Proof of Concept guide will help you deploy Citrix DaaS and Amazon WorkSpaces Core using Terraform.

 Note: 

Installing Terraform and the initial configuration are described in our Tech Zone Deployment Guide: Installing Terraform and Configuring the Citrix Terraform Provider.
 

The following is covered in this guide:

  1. Deploying all needed entities for Citrix DaaS:
    1. Deploying a Resource Location and its Cloud Connectors
  2. Deploying all needed entities for Amazon WorkSpaces Core:
    1. Deploying a VPC
    2. Deploying the Subnets and Gateways
    3. Setting the IAM permissions
    4. Deploying all needed instances like the Jumphost and a Domain Controller
  3. Creating the Deployment of Citrix DaaS on Amazon WorkSpaces Core
     

Note: 

To deploy Citrix DaaS on Amazon WorkSpaces Core using the GUI, please review our PoC Guide: Deploying Citrix DaaS and Amazon Workspaces Core.
 

 

Deploying Citrix DaaS and Amazon WorkSpaces Core

Before deploying Citrix DaaS and Amazon WorkSpaces Core, we must create and configure all necessary prerequisites.

We assume you already have a Citrix Cloud tenant with an active trial or a paid subscription to the Citrix DaaS service, and an active AWS account whose credentials are permitted to create the VPC, IAM, and EC2 resources described in this guide.
 

Installing AWS Tools for PowerShell and AWS CLI

This guide uses the AWS CLI and the AWS Tools for PowerShell cmdlets to gather information needed in later steps.

[Figures: prereq-awscli1.png, prereq-awscli2.png]

Install the AWS Tools modules that this guide needs. The following example shows three Install-AWSToolsModule calls; AWS.Tools.Common is always installed as a dependency, and the output of each call lists the modules it installed:

PS C:\_TERRAFORM\_AWSCore> Install-AWSToolsModule AWS.Tools.EC2 -Force
Installing module AWS.Tools.Common version 4.1.693.0
Installing module AWS.Tools.EC2 version 4.1.693.0
Installing module AWS.Tools.IdentityManagement version 4.1.693.0
Installing module AWS.Tools.ServiceQuotas version 4.1.693.0
Installing module AWS.Tools.SimpleSystemsManagement version 4.1.693.0
Installing module AWS.Tools.WorkSpaces version 4.1.693.0
PS C:\_TERRAFORM\_AWSCore>

PS C:\_TERRAFORM\_AWSCore> Install-AWSToolsModule AWS.Tools.S3 -Force
Installing module AWS.Tools.S3 version 4.1.693.0
PS C:\_TERRAFORM\_AWSCore>

PS C:\_TERRAFORM\_AWSCore> Install-AWSToolsModule AWS.Tools.Workspaces -Force
PS C:\_TERRAFORM\_AWSCore>
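The install and verification steps above, combined into one script as an added example (this is not code from the original guide). The module names are the ones installed in the guide; the Install-AWSToolsModule -CleanUp flag, the Get-Module based inventory check, and the AWS CLI identity check are additions that assume the AWS CLI is installed and that AWS credentials are already configured on the machine.

```powershell
# Added example (not from the original guide): install the AWS.Tools modules this PoC
# uses, verify that they are present and at one common version, and confirm which AWS
# identity the tools will act as before any Terraform runs are started.

# Install-AWSToolsModule ships in the AWS.Tools.Installer module; install it first if missing.
if (-not (Get-Module -ListAvailable -Name AWS.Tools.Installer)) {
    Install-Module -Name AWS.Tools.Installer -Scope CurrentUser -Force
}

# Modules installed in the guide (AWS.Tools.Common is a dependency of every service module).
$required = @(
    'AWS.Tools.Common',
    'AWS.Tools.EC2',
    'AWS.Tools.IdentityManagement',
    'AWS.Tools.ServiceQuotas',
    'AWS.Tools.SimpleSystemsManagement',
    'AWS.Tools.WorkSpaces',
    'AWS.Tools.S3'
)

# Install only what is missing. -CleanUp removes older module versions so that all
# AWS.Tools modules end up at the same version (mixed versions cause load errors).
$missing = $required | Where-Object { -not (Get-Module -ListAvailable -Name $_) }
if ($missing) {
    Install-AWSToolsModule -Name $missing -CleanUp -Force
}

# Inventory check. Get-AWSPowerShellVersion -ListServiceVersionInfo lists every service the
# toolset supports, not only the modules you installed, so use Get-Module for the inventory.
$installed = Get-Module -ListAvailable -Name 'AWS.Tools.*' |
    Select-Object Name, Version |
    Sort-Object Name, Version -Unique
$installed | Format-Table -AutoSize

$stillMissing = $required | Where-Object { $installed.Name -notcontains $_ }
if ($stillMissing) {
    throw "Required AWS.Tools modules are missing: $($stillMissing -join ', ')"
}

$versions = ($installed | Where-Object { $required -contains $_.Name }).Version | Sort-Object -Unique
if (@($versions).Count -ne 1) {
    Write-Warning "Mixed AWS.Tools versions installed ($($versions -join ', ')). Run Install-AWSToolsModule with -CleanUp to align them."
}

# Toolset version summary (this is what the guide's Get-AWSPowerShellVersion output shows).
Get-AWSPowerShellVersion

# Confirm the AWS CLI is available and which account and principal the configured
# credentials resolve to. Everything Terraform creates later runs as this principal,
# so make sure it is the intended (least-privileged) PoC identity, not a personal admin user.
aws --version
aws sts get-caller-identity --output table
```

Run the script from the same PowerShell session you will later run Terraform from, so that the module versions and the AWS credentials it reports are the ones Terraform and the cmdlets in this guide actually use.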

You can check the installed toolset version. Note that the -ListServiceVersionInfo output lists every service the toolset supports, together with its noun prefix and module name, so it confirms the toolset and SDK versions rather than which modules you have installed:

PS C:\_TERRAFORM\_AWSCore> Get-AWSPowerShellVersion -ListServiceVersionInfo

AWS Tools for PowerShell
Version 4.1.693
Copyright 2012-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Amazon Web Services SDK for .NET
Core Runtime Version 3.7.400.46
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Release notes: https://github.com/aws/aws-tools-for-powershell/blob/master/CHANGELOG.md

This software includes third party software subject to the following copyrights:
- Logging from log4net, Apache License
[http://logging.apache.org/log4net/license.html]


Service                                               Noun Prefix   Module Name                                   SDK Assembly Version
-------                                               -----------   -----------                                   --------------------
AWS IAM Access Analyzer                               IAMAA         AWS.Tools.AccessAnalyzer                      3.7.400.46
AWS Account                                           ACCT          AWS.Tools.Account                             3.7.400.46
AWS Certificate Manager Private Certificate Authority PCA           AWS.Tools.ACMPCA                              3.7.400.47
AWS Amplify                                           AMP           AWS.Tools.Amplify                             3.7.402.11
Amplify Backend                                       AMPB          AWS.Tools.AmplifyBackend                      3.7.400.46
AWS Amplify UI Builder                                AMPUI         AWS.Tools.AmplifyUIBuilder                    3.7.400.46
Amazon API Gateway                                    AG            AWS.Tools.APIGateway                          3.7.400.47
Amazon API Gateway Management API                     AGM           AWS.Tools.ApiGatewayManagementApi             3.7.400.46
Amazon API Gateway V2                                 AG2           AWS.Tools.ApiGatewayV2                        3.7.400.46
AWS AppConfig                                         APPC          AWS.Tools.AppConfig                           3.7.402.7
AWS AppConfig Data                                    ACD           AWS.Tools.AppConfigData                       3.7.400.46
Amazon Web Services AppFabric                         AFAB          AWS.Tools.AppFabric                           3.7.400.46
Amazon Appflow                                        AF            AWS.Tools.Appflow                             3.7.400.47
Amazon AppIntegrations Service                        AIS           AWS.Tools.AppIntegrationsService              3.7.401.43
Application Auto Scaling                              AAS           AWS.Tools.ApplicationAutoScaling              3.7.401.46
Amazon ApplicationCostProfiler                        ACP           AWS.Tools.ApplicationCostProfiler             3.7.400.46
AWS Application Discovery Service                     ADS           AWS.Tools.ApplicationDiscoveryService         3.7.400.46
Amazon CloudWatch Application Insights                CWAI          AWS.Tools.ApplicationInsights                 3.7.401.10
Amazon CloudWatch Application Signals                 CWAS          AWS.Tools.ApplicationSignals                  3.7.402.31
AWS App Mesh                                          AMSH          AWS.Tools.AppMesh                             3.7.400.46
AWS Service Catalog App Registry                      SCAR          AWS.Tools.AppRegistry                         3.7.400.46
AWS App Runner                                        AAR           AWS.Tools.AppRunner                           3.7.400.46
Amazon AppStream                                      APS           AWS.Tools.AppStream                           3.7.403.18
AWS AppSync                                           ASYN          AWS.Tools.AppSync                             3.7.402.3
AWS Mainframe Modernization Application Testing       AT            AWS.Tools.AppTest                             3.7.400.46
AWS ARC - Zonal Shift                                 AZS           AWS.Tools.ARCZonalShift                       3.7.400.46
AWS Artifact                                          ART           AWS.Tools.Artifact                            3.7.400.46
Amazon Athena                                         ATH           AWS.Tools.Athena                              3.7.402.10
AWS Audit Manager                                     AUDM          AWS.Tools.AuditManager                        3.7.400.46
Amazon Augmented AI (A2I) Runtime                     A2IR          AWS.Tools.AugmentedAIRuntime                  3.7.400.46
AWS Auto Scaling                                      AS            AWS.Tools.AutoScaling                         3.7.404.0
AWS Auto Scaling Plans                                ASP           AWS.Tools.AutoScalingPlans                    3.7.400.46
AWS Health                                            HLTH          AWS.Tools.AWSHealth                           3.7.400.46
AWS Marketplace Commerce Analytics                    MCA           AWS.Tools.AWSMarketplaceCommerceAnalytics     3.7.400.46
AWS Marketplace Metering                              MM            AWS.Tools.AWSMarketplaceMetering              3.7.400.46
AWS Support                                           ASA           AWS.Tools.AWSSupport                          3.7.400.47
AWS B2B Data Interchange                              B2BI          AWS.Tools.B2bi                                3.7.401.18
AWS Backup                                            BAK           AWS.Tools.Backup                              3.7.401.33
AWS Backup Gateway                                    BUGW          AWS.Tools.BackupGateway                       3.7.400.46
AWS Batch                                             BAT           AWS.Tools.Batch                               3.7.402.2
AWSBillingAndCostManagementDataExports                BCMDE         AWS.Tools.BCMDataExports                      3.7.400.46
Amazon Bedrock                                        BDR           AWS.Tools.Bedrock                             3.7.409.4
Agents for Amazon Bedrock                             AAB           AWS.Tools.BedrockAgent                        3.7.409.0
Amazon Bedrock Agent Runtime                          BAR           AWS.Tools.BedrockAgentRuntime                 3.7.406.10
Amazon Bedrock Runtime                                BDRR          AWS.Tools.BedrockRuntime                      3.7.408.0
AWSBillingConductor                                   ABC           AWS.Tools.BillingConductor                    3.7.400.46
Amazon Braket                                         BRKT          AWS.Tools.Braket                              3.7.400.46
AWS Budgets                                           BGT           AWS.Tools.Budgets                             3.7.401.23
AWS Certificate Manager                               ACM           AWS.Tools.CertificateManager                  3.7.400.46
AWS Chatbot                                           CHAT          AWS.Tools.Chatbot                             3.7.402.21
Amazon Chime                                          CHM           AWS.Tools.Chime                               3.7.400.46
Amazon Chime SDK Identity                             CHMID         AWS.Tools.ChimeSDKIdentity                    3.7.400.46
Amazon Chime SDK Media Pipelines                      CHMMP         AWS.Tools.ChimeSDKMediaPipelines              3.7.400.46
Amazon Chime SDK Meetings                             CHMTG         AWS.Tools.ChimeSDKMeetings                    3.7.400.46
Amazon Chime SDK Messaging                            CHMMG         AWS.Tools.ChimeSDKMessaging                   3.7.400.46
Amazon Chime SDK Voice                                CHMVO         AWS.Tools.ChimeSDKVoice                       3.7.400.46
AWS Clean Rooms Service                               CRS           AWS.Tools.CleanRooms                          3.7.402.0
CleanRoomsML                                          CRML          AWS.Tools.CleanRoomsML                        3.7.401.0
AWS Cloud9                                            C9            AWS.Tools.Cloud9                              3.7.400.46
AWS Cloud Control API                                 CCA           AWS.Tools.CloudControlApi                     3.7.400.46
Amazon Cloud Directory                                CDIR          AWS.Tools.CloudDirectory                      3.7.400.47
AWS CloudFormation                                    CFN           AWS.Tools.CloudFormation                      3.7.400.46
Amazon CloudFront                                     CF            AWS.Tools.CloudFront                          3.7.400.46
Amazon CloudFront KeyValueStore                       CFKV          AWS.Tools.CloudFrontKeyValueStore             3.7.400.46
AWS CloudHSM V2                                       HSM2          AWS.Tools.CloudHSMV2                          3.7.400.46
Amazon CloudSearch                                    CS            AWS.Tools.CloudSearch                         3.7.400.47
Amazon CloudSearch Domain                             CSD           AWS.Tools.CloudSearchDomain                   3.7.400.46
AWS CloudTrail                                        CT            AWS.Tools.CloudTrail                          3.7.400.46
AWS CloudTrail Data Service                           CTD           AWS.Tools.CloudTrailData                      3.7.400.46
Amazon CloudWatch                                     CW            AWS.Tools.CloudWatch                          3.7.401.44
Amazon CloudWatch Evidently                           CWEVD         AWS.Tools.CloudWatchEvidently                 3.7.400.46
Amazon CloudWatch Logs                                CWL           AWS.Tools.CloudWatchLogs                      3.7.406.1
CloudWatch RUM                                        CWRUM         AWS.Tools.CloudWatchRUM                       3.7.400.46
AWS CodeArtifact                                      CA            AWS.Tools.CodeArtifact                        3.7.401.19
AWS CodeBuild                                         CB            AWS.Tools.CodeBuild                           3.7.406.1
AWS CodeCatalyst                                      CCAT          AWS.Tools.CodeCatalyst                        3.7.400.46
AWS CodeCommit                                        CC            AWS.Tools.CodeCommit                          3.7.401.46
AWS CodeConnections                                   CCON          AWS.Tools.CodeConnections                     3.7.401.25
AWS CodeDeploy                                        CD            AWS.Tools.CodeDeploy                          3.7.400.46
Amazon CodeGuru Profiler                              CGP           AWS.Tools.CodeGuruProfiler                    3.7.400.46
Amazon CodeGuru Reviewer                              CGR           AWS.Tools.CodeGuruReviewer                    3.7.400.46
Amazon CodeGuru Security                              CGS           AWS.Tools.CodeGuruSecurity                    3.7.400.46
AWS CodePipeline                                      CP            AWS.Tools.CodePipeline                        3.7.404.12
AWS CodeStar Connections                              CSTC          AWS.Tools.CodeStarconnections                 3.7.400.46
AWS CodeStar Notifications                            CSTN          AWS.Tools.CodeStarNotifications               3.7.400.46
Amazon Cognito Identity                               CGI           AWS.Tools.CognitoIdentity                     3.7.401.28
Amazon Cognito Identity Provider                      CGIP          AWS.Tools.CognitoIdentityProvider             3.7.403.27
Amazon Cognito Sync                                   CGIS          AWS.Tools.CognitoSync                         3.7.400.46
Amazon Comprehend                                     COMP          AWS.Tools.Comprehend                          3.7.400.46
AWS Comprehend Medical                                CMPM          AWS.Tools.ComprehendMedical                   3.7.400.46
AWS Compute Optimizer                                 CO            AWS.Tools.ComputeOptimizer                    3.7.400.47
AWS Config                                            CFG           AWS.Tools.ConfigService                       3.7.401.42
Amazon Connect Service                                CONN          AWS.Tools.Connect                             3.7.408.3
Amazon Connect Campaign Service                       CCS           AWS.Tools.ConnectCampaignService              3.7.400.46
Amazon Connect Cases                                  CCAS          AWS.Tools.ConnectCases                        3.7.400.46
Amazon Connect Contact Lens                           CCL           AWS.Tools.ConnectContactLens                  3.7.400.46
Amazon Connect Participant Service                    CONNP         AWS.Tools.ConnectParticipant                  3.7.400.46
Amazon Connect Wisdom Service                         WSDM          AWS.Tools.ConnectWisdomService                3.7.400.46
AWS Control Catalog                                   CLCAT         AWS.Tools.ControlCatalog                      3.7.401.44
AWS Control Tower                                     ACT           AWS.Tools.ControlTower                        3.7.400.47
AWS Cost and Usage Report                             CUR           AWS.Tools.CostAndUsageReport                  3.7.400.46
AWS Cost Explorer                                     CE            AWS.Tools.CostExplorer                        3.7.401.25
Cost Optimization Hub                                 COH           AWS.Tools.CostOptimizationHub                 3.7.401.43
Amazon Connect Customer Profiles                      CPF           AWS.Tools.CustomerProfiles                    3.7.401.20
AWS Database Migration Service                        DMS           AWS.Tools.DatabaseMigrationService            3.7.402.10
AWS Data Exchange                                     DTEX          AWS.Tools.DataExchange                        3.7.401.10
AWS Data Pipeline                                     DP            AWS.Tools.DataPipeline                        3.7.400.46
AWS DataSync                                          DSYN          AWS.Tools.DataSync                            3.7.401.3
Amazon DataZone                                       DZ            AWS.Tools.DataZone                            3.7.406.10
Amazon DynamoDB Accelerator (DAX)                     DAX           AWS.Tools.DAX                                 3.7.400.46
AWSDeadlineCloud                                      ADC           AWS.Tools.Deadline                            3.7.402.15
Amazon Detective                                      DTCT          AWS.Tools.Detective                           3.7.400.46
AWS Device Farm                                       DF            AWS.Tools.DeviceFarm                          3.7.401.34
Amazon DevOps Guru                                    DGURU         AWS.Tools.DevOpsGuru                          3.7.400.46
AWS Direct Connect                                    DC            AWS.Tools.DirectConnect                       3.7.400.46
AWS Directory Service                                 DS            AWS.Tools.DirectoryService                    3.7.401.25
AWS Directory Service Data                            DSD           AWS.Tools.DirectoryServiceData                3.7.400.25
Amazon Data Lifecycle Manager                         DLM           AWS.Tools.DLM                                 3.7.400.46
Amazon DocumentDB (with MongoDB compatibility)        DOC           AWS.Tools.DocDB                               3.7.401.40
Amazon DocumentDB Elastic Clusters                    DOCE          AWS.Tools.DocDBElastic                        3.7.401.1
Elastic Disaster Recovery Service                     EDRS          AWS.Tools.Drs                                 3.7.400.46
Amazon DynamoDB                                       DDB           AWS.Tools.DynamoDBv2                          3.7.402.10
Amazon EBS                                            EBS           AWS.Tools.EBS                                 3.7.400.46
Amazon Elastic Compute Cloud (EC2)                    EC2           AWS.Tools.EC2                                 3.7.414.3
AWS EC2 Instance Connect                              EC2IC         AWS.Tools.EC2InstanceConnect                  3.7.400.46
Amazon EC2 Container Registry                         ECR           AWS.Tools.ECR                                 3.7.404.25
Amazon Elastic Container Registry Public              ECRP          AWS.Tools.ECRPublic                           3.7.400.46
Amazon EC2 Container Service                          ECS           AWS.Tools.ECS                                 3.7.404.3
Amazon Elastic Container Service for Kubernetes       EKS           AWS.Tools.EKS                                 3.7.403.10
Amazon EKS Auth                                       EKSAU         AWS.Tools.EKSAuth                             3.7.400.46
Amazon ElastiCache                                    EC            AWS.Tools.ElastiCache                         3.7.401.14
AWS Elastic Beanstalk                                 EB            AWS.Tools.ElasticBeanstalk                    3.7.400.46
Amazon Elastic File System                            EFS           AWS.Tools.ElasticFileSystem                   3.7.400.46
Amazon Elastic Inference                              EI            AWS.Tools.ElasticInference                    3.7.400.47
Elastic Load Balancing                                ELB           AWS.Tools.ElasticLoadBalancing                3.7.401.44
Elastic Load Balancing V2                             ELB2          AWS.Tools.ElasticLoadBalancingV2              3.7.406.2
Amazon Elastic MapReduce                              EMR           AWS.Tools.ElasticMapReduce                    3.7.402.13
Amazon Elasticsearch                                  ES            AWS.Tools.Elasticsearch                       3.7.400.46
Amazon Elastic Transcoder                             ETS           AWS.Tools.ElasticTranscoder                   3.7.400.46
Amazon EMR Containers                                 EMRC          AWS.Tools.EMRContainers                       3.7.401.35
EMR Serverless                                        EMRServerless AWS.Tools.EMRServerless                       3.7.401.24
AWS EntityResolution                                  ERES          AWS.Tools.EntityResolution                    3.7.401.36
Amazon EventBridge                                    EVB           AWS.Tools.EventBridge                         3.7.401.44
FinSpace User Environment Management Service          FINSP         AWS.Tools.Finspace                            3.7.400.46
FinSpace Public API                                   FNSP          AWS.Tools.FinSpaceData                        3.7.400.46
AWS Fault Injection Simulator                         FIS           AWS.Tools.FIS                                 3.7.402.32
Firewall Management Service                           FMS           AWS.Tools.FMS                                 3.7.401.10
Amazon Forecast Query Service                         FRCQ          AWS.Tools.ForecastQueryService                3.7.400.46
Amazon Forecast Service                               FRC           AWS.Tools.ForecastService                     3.7.400.46
Amazon Fraud Detector                                 FD            AWS.Tools.FraudDetector                       3.7.400.46
AWS Free Tier                                         FT            AWS.Tools.FreeTier                            3.7.400.46
Amazon FSx                                            FSX           AWS.Tools.FSx                                 3.7.400.46
Amazon GameLift Service                               GML           AWS.Tools.GameLift                            3.7.401.31
Amazon Location Service Maps V2                       GEOM          AWS.Tools.GeoMaps                             3.7.400.3
Amazon Location Service Places V2                     GEOP          AWS.Tools.GeoPlaces                           3.7.400.3
Amazon Location Service Routes V2                     GEOR          AWS.Tools.GeoRoutes                           3.7.400.3
Amazon Glacier                                        GLC           AWS.Tools.Glacier                             3.7.400.46
AWS Global Accelerator                                GACL          AWS.Tools.GlobalAccelerator                   3.7.400.46
AWS Glue                                              GLUE          AWS.Tools.Glue                                3.7.409.2
AWS Glue DataBrew                                     GDB           AWS.Tools.GlueDataBrew                        3.7.400.46
AWS Greengrass                                        GG            AWS.Tools.Greengrass                          3.7.400.46
AWS GreengrassV2                                      GGV2          AWS.Tools.GreengrassV2                        3.7.400.46
AWS Ground Station                                    GS            AWS.Tools.GroundStation                       3.7.400.47
Amazon GuardDuty                                      GD            AWS.Tools.GuardDuty                           3.7.404.1
Amazon HealthLake                                     AHL           AWS.Tools.HealthLake                          3.7.400.46
IAM Roles Anywhere                                    IAMRA         AWS.Tools.IAMRolesAnywhere                    3.7.401.44
AWS Identity and Access Management                    IAM           AWS.Tools.IdentityManagement                  3.7.402.40
AWS Identity Store                                    IDS           AWS.Tools.IdentityStore                       3.7.400.46
EC2 Image Builder                                     EC2IB         AWS.Tools.Imagebuilder                        3.7.401.9
AWS Import/Export                                     IE            AWS.Tools.ImportExport                        3.7.400.46
Amazon Inspector                                      INS           AWS.Tools.Inspector                           3.7.400.46
Inspector2                                            INS2          AWS.Tools.Inspector2                          3.7.402.35
Inspector Scan                                        ISCAN         AWS.Tools.InspectorScan                       3.7.400.46
Amazon CloudWatch Internet Monitor                    CWIM          AWS.Tools.InternetMonitor                     3.7.401.34
AWS IoT                                               IOT           AWS.Tools.IoT                                 3.7.402.17
AWS IoT Core Device Advisor                           IOTDA         AWS.Tools.IoTDeviceAdvisor                    3.7.401.18
AWS IoT Events                                        IOTE          AWS.Tools.IoTEvents                           3.7.400.46
AWS IoT Events Data                                   IOTED         AWS.Tools.IoTEventsData                       3.7.400.46
AWS IoT Fleet Hub                                     IOTFH         AWS.Tools.IoTFleetHub                         3.7.400.46
AWS IoT FleetWise                                     IFW           AWS.Tools.IoTFleetWise                        3.7.402.4
AWS IoT Jobs Data Plane                               IOTJ          AWS.Tools.IoTJobsDataPlane                    3.7.400.46
AWS IoT Secure Tunneling                              IOTST         AWS.Tools.IoTSecureTunneling                  3.7.400.46
AWS IoT SiteWise                                      IOTSW         AWS.Tools.IoTSiteWise                         3.7.401.35
AWS IoT Things Graph                                  IOTTG         AWS.Tools.IoTThingsGraph                      3.7.400.46
AWS IoT TwinMaker                                     IOTTM         AWS.Tools.IoTTwinMaker                        3.7.400.46
AWS IoT Wireless                                      IOTW          AWS.Tools.IoTWireless                         3.7.400.46
Amazon Interactive Video Service                      IVS           AWS.Tools.IVS                                 3.7.401.11
Amazon Interactive Video Service Chat                 IVSC          AWS.Tools.Ivschat                             3.7.400.46
Amazon Interactive Video Service RealTime             IVSRT         AWS.Tools.IVSRealTime                         3.7.402.18
Amazon Managed Streaming for Apache Kafka (MSK)       MSK           AWS.Tools.Kafka                               3.7.401.29
Managed Streaming for Kafka Connect                   MSKC          AWS.Tools.KafkaConnect                        3.7.400.46
Amazon Kendra                                         KNDR          AWS.Tools.Kendra                              3.7.400.46
Amazon Kendra Intelligent Ranking                     KNRK          AWS.Tools.KendraRanking                       3.7.400.46
AWS Key Management Service                            KMS           AWS.Tools.KeyManagementService                3.7.400.46
Amazon Keyspaces                                      KS            AWS.Tools.Keyspaces                           3.7.401.3
Amazon Kinesis                                        KIN           AWS.Tools.Kinesis                             3.7.402.23
Amazon Kinesis Analytics V2                           KINA2         AWS.Tools.KinesisAnalyticsV2                  3.7.401.31
Amazon Kinesis Firehose                               KINF          AWS.Tools.KinesisFirehose                     3.7.400.46
Amazon Kinesis Video Streams                          KV            AWS.Tools.KinesisVideo                        3.7.400.46
Amazon Kinesis Video Streams Media                    KVM           AWS.Tools.KinesisVideoMedia                   3.7.400.46
Amazon Kinesis Video Signaling Channels               KVSC          AWS.Tools.KinesisVideoSignalingChannels       3.7.400.46
Amazon Kinesis Video WebRTC Storage                   KVWS          AWS.Tools.KinesisVideoWebRTCStorage           3.7.401.43
AWS Lake Formation                                    LKF           AWS.Tools.LakeFormation                       3.7.401.1
AWS Lambda                                            LM            AWS.Tools.Lambda                              3.7.406.6
AWS Launch Wizard                                     LWIZ          AWS.Tools.LaunchWizard                        3.7.400.46
Amazon Lex                                            LEX           AWS.Tools.Lex                                 3.7.400.46
Amazon Lex Model Building Service                     LMB           AWS.Tools.LexModelBuildingService             3.7.400.46
Amazon Lex Model Building V2                          LMBV2         AWS.Tools.LexModelsV2                         3.7.402.27
Amazon Lex Runtime V2                                 LRSV2         AWS.Tools.LexRuntimeV2                        3.7.400.46
AWS License Manager                                   LICM          AWS.Tools.LicenseManager                      3.7.400.46
AWS License Manager - Linux Subscriptions             LLMS          AWS.Tools.LicenseManagerLinuxSubscriptions    3.7.400.46
AWS License Manager User Subscription                 LMUS          AWS.Tools.LicenseManagerUserSubscriptions     3.7.400.46
Amazon Lightsail                                      LS            AWS.Tools.Lightsail                           3.7.400.46
Amazon Location Service                               LOC           AWS.Tools.LocationService                     3.7.400.46
Amazon Lookout for Equipment                          L4E           AWS.Tools.LookoutEquipment                    3.7.400.46
Amazon Lookout for Vision                             LFV           AWS.Tools.LookoutforVision                    3.7.400.46
Amazon Lookout for Metrics                            LOM           AWS.Tools.LookoutMetrics                      3.7.400.46
Amazon Machine Learning                               ML            AWS.Tools.MachineLearning                     3.7.400.46
Amazon Macie 2                                        MAC2          AWS.Tools.Macie2                              3.7.400.46
Amazon SES Mail Manager                               MMGR          AWS.Tools.MailManager                         3.7.402.12
M2                                                    AMM           AWS.Tools.MainframeModernization              3.7.401.9
Amazon Managed Blockchain                             MBC           AWS.Tools.ManagedBlockchain                   3.7.400.46
Amazon Managed Blockchain Query                       MBCQ          AWS.Tools.ManagedBlockchainQuery              3.7.400.46
Amazon Managed Grafana                                MGRF          AWS.Tools.ManagedGrafana                      3.7.400.46
AWS Marketplace Agreement Service                     MAS           AWS.Tools.MarketplaceAgreement                3.7.400.46
AWS Marketplace Catalog Service                       MCAT          AWS.Tools.MarketplaceCatalog                  3.7.400.46
AWS Marketplace Deployment Service                    MD            AWS.Tools.MarketplaceDeployment               3.7.400.46
AWS Marketplace Entitlement Service                   MES           AWS.Tools.MarketplaceEntitlementService       3.7.400.46
AWS Marketplace Reporting Service                     MR            AWS.Tools.MarketplaceReporting                3.7.400.17
AWS Elemental MediaConnect                            EMCN          AWS.Tools.MediaConnect                        3.7.401.33
AWS Elemental MediaConvert                            EMC           AWS.Tools.MediaConvert                        3.7.402.25
AWS Elemental MediaLive                               EML           AWS.Tools.MediaLive                           3.7.405.25
AWS Elemental MediaPackage                            EMP           AWS.Tools.MediaPackage                        3.7.400.46
AWS Elemental MediaPackage v2                         MPV2          AWS.Tools.MediaPackageV2                      3.7.402.5
AWS Elemental MediaPackage VOD                        EMPV          AWS.Tools.MediaPackageVod                     3.7.400.46
AWS Elemental MediaStore                              EMS           AWS.Tools.MediaStore                          3.7.400.46
AWS Elemental MediaStore Data Plane                   EMSD          AWS.Tools.MediaStoreData                      3.7.400.46
AWS Elemental MediaTailor                             EMT           AWS.Tools.MediaTailor                         3.7.400.46
Amazon Medical Imaging Service                        MIS           AWS.Tools.MedicalImaging                      3.7.400.46
Amazon MemoryDB                                       MDB           AWS.Tools.MemoryDB                            3.7.401.14
Application Migration Service                         MGN           AWS.Tools.Mgn                                 3.7.400.46
AWS Migration Hub                                     MH            AWS.Tools.MigrationHub                        3.7.400.46
AWS Migration Hub Config                              MHC           AWS.Tools.MigrationHubConfig                  3.7.400.46
AWS Migration Hub Orchestrator                        MHO           AWS.Tools.MigrationHubOrchestrator            3.7.400.46
AWS Migration Hub Refactor Spaces                     MHRS          AWS.Tools.MigrationHubRefactorSpaces          3.7.400.46
Migration Hub Strategy Recommendations                MHS           AWS.Tools.MigrationHubStrategyRecommendations 3.7.400.46
Amazon MQ                                             MQ            AWS.Tools.MQ                                  3.7.400.46
Amazon MTurk Service                                  MTR           AWS.Tools.MTurk                               3.7.400.46
AmazonMWAA                                            MWAA          AWS.Tools.MWAA                                3.7.401.8
Amazon Neptune                                        NPT           AWS.Tools.Neptune                             3.7.401.24
Amazon NeptuneData                                    NEPT          AWS.Tools.Neptunedata                         3.7.400.46
Amazon Neptune Graph                                  NEPTG         AWS.Tools.NeptuneGraph                        3.7.402.13
AWS Network Firewall                                  NWFW          AWS.Tools.NetworkFirewall                     3.7.402.3
AWS Network Manager                                   NMGR          AWS.Tools.NetworkManager                      3.7.400.46
Amazon CloudWatch Network Monitor                     CWNM          AWS.Tools.NetworkMonitor                      3.7.400.46
CloudWatch Observability Access Manager               CWOAM         AWS.Tools.OAM                                 3.7.400.46
Amazon Omics                                          OMICS         AWS.Tools.Omics                               3.7.401.35
OpenSearch Serverless                                 OSS           AWS.Tools.OpenSearchServerless                3.7.402.3
Amazon OpenSearch Service                             OS            AWS.Tools.OpenSearchService                   3.7.402.3
AWS OpsWorks                                          OPS           AWS.Tools.OpsWorks                            3.7.400.46
AWS OpsWorksCM                                        OWCM          AWS.Tools.OpsWorksCM                          3.7.400.46
AWS Organizations                                     ORG           AWS.Tools.Organizations                       3.7.402.21
Amazon OpenSearch Ingestion                           OSIS          AWS.Tools.OSIS                                3.7.400.46
AWS Outposts                                          OUTP          AWS.Tools.Outposts                            3.7.402.13
AWS Panorama                                          PAN           AWS.Tools.Panorama                            3.7.400.46
Payment Cryptography Control Plane                    PAYCC         AWS.Tools.PaymentCryptography                 3.7.401.8
Payment Cryptography Data                             PAYCD         AWS.Tools.PaymentCryptographyData             3.7.402.8
Pca Connector Ad                                      PCAAD         AWS.Tools.PcaConnectorAd                      3.7.400.46
Private CA Connector for SCEP                         PCASCEP       AWS.Tools.PcaConnectorScep                    3.7.400.46
AWS Parallel Computing Service                        PCS           AWS.Tools.PCS                                 3.7.400.34
AWS Personalize                                       PERS          AWS.Tools.Personalize                         3.7.401.34
Amazon Personalize Events                             PERSE         AWS.Tools.PersonalizeEvents                   3.7.400.46
Amazon Personalize Runtime                            PERSR         AWS.Tools.PersonalizeRuntime                  3.7.400.46
AWS Performance Insights                              PI            AWS.Tools.PI                                  3.7.400.46
Amazon Pinpoint                                       PIN           AWS.Tools.Pinpoint                            3.7.400.46
Amazon Pinpoint Email                                 PINE          AWS.Tools.PinpointEmail                       3.7.400.46
Amazon Pinpoint SMS Voice V2                          SMSV          AWS.Tools.PinpointSMSVoiceV2                  3.7.402.10
Amazon EventBridge Pipes                              PIPES         AWS.Tools.Pipes                               3.7.402.10
Amazon Polly                                          POL           AWS.Tools.Polly                               3.7.401.35
AWS Price List Service                                PLS           AWS.Tools.Pricing                             3.7.400.47
AWS Private 5G                                        PV5G          AWS.Tools.Private5G                           3.7.400.46
Amazon Prometheus Service                             PROM          AWS.Tools.PrometheusService                   3.7.401.2
AWS Proton                                            PRO           AWS.Tools.Proton                              3.7.400.46
Amazon Q Apps                                         qapps         AWS.Tools.QApps                               3.7.402.1
Amazon QBusiness                                      QBUS          AWS.Tools.QBusiness                           3.7.403.7
Amazon Q Connect                                      QC            AWS.Tools.QConnect                            3.7.401.15
Amazon QLDB                                           QLDB          AWS.Tools.QLDB                                3.7.400.46
Amazon QLDB Session                                   QLDBS         AWS.Tools.QLDBSession                         3.7.400.46
Amazon QuickSight                                     QS            AWS.Tools.QuickSight                          3.7.408.0
AWS Resource Access Manager (RAM)                     RAM           AWS.Tools.RAM                                 3.7.400.46
Amazon Relational Database Service                    RDS           AWS.Tools.RDS                                 3.7.406.5
AWS RDS DataService                                   RDSD          AWS.Tools.RDSDataService                      3.7.400.46
Amazon Recycle Bin                                    RBIN          AWS.Tools.RecycleBin                          3.7.400.46
Amazon Redshift                                       RS            AWS.Tools.Redshift                            3.7.403.3
Redshift Data API Service                             RSD           AWS.Tools.RedshiftDataAPIService              3.7.402.4
Redshift Serverless                                   RSS           AWS.Tools.RedshiftServerless                  3.7.401.3
Amazon Rekognition                                    REK           AWS.Tools.Rekognition                         3.7.400.46
AWS re:Post Private                                   RESP          AWS.Tools.Repostspace                         3.7.401.9
AWS Resilience Hub                                    RESH          AWS.Tools.ResilienceHub                       3.7.402.11
AWS Resource Explorer                                 AREX          AWS.Tools.ResourceExplorer2                   3.7.402.0
AWS Resource Groups                                   RG            AWS.Tools.ResourceGroups                      3.7.401.20
AWS Resource Groups Tagging API                       RGT           AWS.Tools.ResourceGroupsTaggingAPI            3.7.400.46
AWS RoboMaker                                         ROBO          AWS.Tools.RoboMaker                           3.7.400.47
Amazon Route 53                                       R53           AWS.Tools.Route53                             3.7.403.3
Amazon Route 53 Domains                               R53D          AWS.Tools.Route53Domains                      3.7.400.46
Amazon Route 53 Profiles                              R53P          AWS.Tools.Route53Profiles                     3.7.400.46
Route53 Recovery Cluster                              RRC           AWS.Tools.Route53RecoveryCluster              3.7.400.46
AWS Route53 Recovery Control Config                   R53RC         AWS.Tools.Route53RecoveryControlConfig        3.7.400.46
AWS Route53 Recovery Readiness                        PD            AWS.Tools.Route53RecoveryReadiness            3.7.400.46
Amazon Route 53 Resolver                              R53R          AWS.Tools.Route53Resolver                     3.7.401.13
Amazon Simple Storage Service (S3)                    S3            AWS.Tools.S3                                  3.7.405.10
Amazon S3 Control                                     S3C           AWS.Tools.S3Control                           3.7.402.1
Amazon S3 Outposts                                    S3O           AWS.Tools.S3Outposts                          3.7.400.46
Amazon SageMaker Service                              SM            AWS.Tools.SageMaker                           3.7.414.2
Amazon Sagemaker Edge Manager                         SME           AWS.Tools.SagemakerEdgeManager                3.7.400.46
Amazon SageMaker Feature Store Runtime                SMFS          AWS.Tools.SageMakerFeatureStoreRuntime        3.7.400.46
SageMaker Geospatial                                  SMGS          AWS.Tools.SageMakerGeospatial                 3.7.400.46
Amazon SageMaker Metrics Service                      SMM           AWS.Tools.SageMakerMetrics                    3.7.401.24
Amazon SageMaker Runtime                              SMR           AWS.Tools.SageMakerRuntime                    3.7.401.29
AWS Savings Plans                                     SP            AWS.Tools.SavingsPlans                        3.7.400.46
Amazon EventBridge Scheduler                          SCH           AWS.Tools.Scheduler                           3.7.400.46
Amazon EventBridge Schema Registry                    SCHM          AWS.Tools.Schemas                             3.7.400.46
AWS Secrets Manager                                   SEC           AWS.Tools.SecretsManager                      3.7.400.46
AWS Security Hub                                      SHUB          AWS.Tools.SecurityHub                         3.7.401.36
Amazon Security Lake                                  SLK           AWS.Tools.SecurityLake                        3.7.401.12
AWS Security Token Service (STS)                      STS           AWS.Tools.SecurityToken                       3.7.400.46
AWS Serverless Application Repository                 SAR           AWS.Tools.ServerlessApplicationRepository     3.7.400.46
AWS Server Migration Service                          SMS           AWS.Tools.ServerMigrationService              3.7.400.46
AWS Service Catalog                                   SC            AWS.Tools.ServiceCatalog                      3.7.400.46
AWS Cloud Map                                         SD            AWS.Tools.ServiceDiscovery                    3.7.400.46
AWS Service Quotas                                    SQ            AWS.Tools.ServiceQuotas                       3.7.400.46
AWS Shield                                            SHLD          AWS.Tools.Shield                              3.7.400.46
Amazon Simple Email Service (SES)                     SES           AWS.Tools.SimpleEmail                         3.7.401.36
Amazon Simple Email Service V2 (SES V2)               SES2          AWS.Tools.SimpleEmailV2                       3.7.404.2
Amazon Simple Notification Service (SNS)              SNS           AWS.Tools.SimpleNotificationService           3.7.400.46
AWS Systems Manager                                   SSM           AWS.Tools.SimpleSystemsManagement             3.7.402.25
AWS Simple Workflow Service (SWF)                     SWF           AWS.Tools.SimpleWorkflow                      3.7.400.46
AWS SimSpace Weaver                                   SSW           AWS.Tools.SimSpaceWeaver                      3.7.400.46
AWS Import/Export Snowball                            SNOW          AWS.Tools.Snowball                            3.7.400.46
AWS Snow Device Management                            SDMS          AWS.Tools.SnowDeviceManagement                3.7.400.46
AWS End User Messaging Social                         SOCIAL        AWS.Tools.SocialMessaging                     3.7.400.13
Amazon Simple Queue Service (SQS)                     SQS           AWS.Tools.SQS                                 3.7.400.46
AWS Systems Manager Incident Manager Contacts         SMC           AWS.Tools.SSMContacts                         3.7.400.46
AWS Systems Manager Incident Manager                  SSMI          AWS.Tools.SSMIncidents                        3.7.400.46
AWS Systems Manager QuickSetup                        SSMQS         AWS.Tools.SSMQuickSetup                       3.7.400.44
AWS Systems Manager for SAP                           SMSAP         AWS.Tools.SsmSap                              3.7.401.38
AWS Single Sign-On                                    SSO           AWS.Tools.SSO                                 3.7.400.46
AWS Single Sign-On Admin                              SSOADMN       AWS.Tools.SSOAdmin                            3.7.400.46
AWS Single Sign-On OIDC                               SSOOIDC       AWS.Tools.SSOOIDC                             3.7.400.46
AWS Step Functions                                    SFN           AWS.Tools.StepFunctions                       3.7.402.34
AWS Storage Gateway                                   SG            AWS.Tools.StorageGateway                      3.7.401.27
AWS Supply Chain                                      SUPCH         AWS.Tools.SupplyChain                         3.7.403.6
AWS Support App                                       SUP           AWS.Tools.SupportApp                          3.7.400.46
Amazon CloudWatch Synthetics                          CWSYN         AWS.Tools.Synthetics                          3.7.402.0
AWS Tax Settings                                      TSA           AWS.Tools.TaxSettings                         3.7.401.1
Amazon Textract                                       TXT           AWS.Tools.Textract                            3.7.400.46
Amazon Timestream InfluxDB                            TIDB          AWS.Tools.TimestreamInfluxDB                  3.7.403.13
Amazon Timestream Query                               TSQ           AWS.Tools.TimestreamQuery                     3.7.401.9
Amazon Timestream Write                               TSW           AWS.Tools.TimestreamWrite                     3.7.400.46
AWS Telco Network Builder                             TNB           AWS.Tools.Tnb                                 3.7.401.44
Amazon Transcribe Service                             TRS           AWS.Tools.TranscribeService                   3.7.400.46
AWS Transfer for SFTP                                 TFR           AWS.Tools.Transfer                            3.7.401.12
Amazon Translate                                      TRN           AWS.Tools.Translate                           3.7.400.46
Trusted Advisor                                       TA            AWS.Tools.TrustedAdvisor                      3.7.400.46
Amazon Verified Permissions                           AVP           AWS.Tools.VerifiedPermissions                 3.7.401.1
Amazon Voice ID                                       VID           AWS.Tools.VoiceID                             3.7.400.46
VPC Lattice                                           VPCL          AWS.Tools.VPCLattice                          3.7.400.46
AWS WAF                                               WAF           AWS.Tools.WAF                                 3.7.400.46
AWS WAF Regional                                      WAFR          AWS.Tools.WAFRegional                         3.7.401.44
AWS WAF V2                                            WAF2          AWS.Tools.WAFV2                               3.7.402.10
AWS Well-Architected Tool                             WAT           AWS.Tools.WellArchitected                     3.7.400.46
Amazon WorkDocs                                       WD            AWS.Tools.WorkDocs                            3.7.400.46
Amazon WorkMail                                       WM            AWS.Tools.WorkMail                            3.7.401.3
Amazon WorkMail Message Flow                          WMMF          AWS.Tools.WorkMailMessageFlow                 3.7.400.46
Amazon WorkSpaces                                     WKS           AWS.Tools.WorkSpaces                          3.7.404.10
Amazon WorkSpaces Thin Client                         WSTC          AWS.Tools.WorkSpacesThinClient                3.7.400.46
Amazon WorkSpaces Web                                 WSW           AWS.Tools.WorkSpacesWeb                       3.7.401.25
AWS X-Ray                                             XR            AWS.Tools.XRay                                3.7.400.46

PS C:\_TERRAFORM\_AWSCore>

Store your AWS credentials in a credential store on your machine instead of typing them into commands. It is a best practice to avoid exposing your credentials: do not put literal credentials in the PowerShell commands you run or script.
To store your credentials as a named profile, use the Set-AWSCredential cmdlet:

PS C:\_TERRAFORM\_AWSCore> Set-AWSCredential -AccessKey AK...Q -SecretKey lR...J -StoreAs AWC

PS C:\_TERRAFORM\_AWSCore> Get-AWSCredential -ListProfileDetail

ProfileName StoreTypeName         ProfileLocation
----------- -------------         ---------------
default     NetSDKCredentialsFile
AWC         NetSDKCredentialsFile
default     SharedCredentialsFile C:\Users\Gerhard\.aws\credentials

PS C:\_TERRAFORM\_AWSCore>

 

Caution:

AWS credentials stored in the AWS SDK store are encrypted with the logged-in Windows user identity. They cannot be decrypted by using another account or on a device other than the one on which they were originally created.
 

To load a stored profile into the current PowerShell session, call Set-AWSCredential with the profile name:

PS C:\_TERRAFORM\_AWSCore> Set-AWSCredential -ProfileName AWC
PS C:\_TERRAFORM\_AWSCore>

 

Deploy an Amazon VPC

An Amazon Virtual Private Cloud (VPC) enables you to launch AWS resources into a virtual network that you have defined.
 

Important: 

Your AWS tenant can hold multiple VPCs. Create a dedicated VPC for your Citrix DaaS deployment and tag all resources for easier management. The default VPC uses the IP address range 172.31.0.0/16.
 

You can list the existing VPCs with the Get-EC2Vpc cmdlet:

PS C:\_TERRAFORM\_AWSCore>Get-EC2Vpc


CidrBlock                   : 172.31.0.0/16
CidrBlockAssociationSet     : {vpc-cidr-assoc-09e0d958d1c0af892}
DhcpOptionsId               : dopt-0a71f0bb911106c5f
InstanceTenancy             : default
Ipv6CidrBlockAssociationSet : {}
IsDefault                   : False
OwnerId                     : 968334184707
State                       : available
Tags                        : {Name}
VpcId                       : vpc-0a0c4e01213dca45a


PS C:\_TERRAFORM\_AWSCore>

A VPC already exists, but that does not matter: in this guide we deploy a new VPC with all needed entities to show that it can coexist with an existing environment.

Use Terraform to create a new VPC and the required DHCP options:

## Create a VPC
resource "aws_vpc" "AWC-VPC" {
  cidr_block           = var.AWC-VPC-CIDR   # IPv4 range of the new VPC (172.31.0.0/16 in this guide)
  instance_tenancy     = "default"          # shared-tenancy hardware
  enable_dns_support   = true               # Amazon-provided DNS resolution inside the VPC
  enable_dns_hostnames = true               # instances receive DNS hostnames
  tags = {
    Name = "AWC-TF-VPC"
  }
}

### Create the DHCP options
resource "aws_vpc_dhcp_options" "AWC-DHCP" {
  domain_name                       = var.AWC-DHCP-DomainName   # DNS search domain handed to instances
  domain_name_servers               = var.AWC-DHCP-DNS1         # list of DNS server addresses
  ipv6_address_preferred_lease_time = 1440                      # DHCPv6 lease renewal interval in seconds
  ntp_servers                       = var.AWC-DHCP-DNS1         # the same hosts serve NTP in this lab
  netbios_name_servers              = var.AWC-DHCP-DNS1         # and NetBIOS name resolution
  netbios_node_type                 = 1                         # 1 = broadcast (B-node); AWS recommends 2 (P-node), as broadcast is not supported in a VPC
  tags = {
    Name = "AWC-TF-DHCP"
  }
  # An option set only takes effect once it is associated with the VPC
  # (resource aws_vpc_dhcp_options_association).
}
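The guide does not show the variable declarations that the two resources above reference. The following variables.tf is an added example (not part of the original guide or of any Citrix or AWS project code) that declares them with explicit types and validation rules, so that a malformed VPC CIDR or DNS address is rejected at `terraform plan` time instead of failing part-way through `terraform apply`. The variable names are the guide's own; the descriptions, the validation rules and the sample values in the trailing comment are assumptions made for this example (the sample values mirror the plan output shown above).

```hcl
# variables.tf (added example, not from the guide): typed and validated inputs
# for aws_vpc.AWC-VPC and aws_vpc_dhcp_options.AWC-DHCP. The variable names
# are the guide's; descriptions, rules and sample values are assumptions.

variable "AWC-VPC-CIDR" {
  type        = string
  description = "IPv4 CIDR block of the dedicated VPC, for example 172.31.0.0/16."

  validation {
    # cidrnetmask() fails on anything that is not a well-formed IPv4 CIDR;
    # can() turns that failure into a plain false.
    condition     = can(cidrnetmask(var.AWC-VPC-CIDR))
    error_message = "AWC-VPC-CIDR must be a valid IPv4 CIDR block such as 172.31.0.0/16."
  }

  validation {
    # AWS only accepts VPC prefix lengths from /16 to /28.
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.AWC-VPC-CIDR))
    error_message = "AWS requires a VPC prefix length between /16 and /28."
  }
}

variable "AWC-DHCP-DomainName" {
  type        = string
  description = "DNS search domain pushed to instances by DHCP, for example pseaws.lab."
}

variable "AWC-DHCP-DNS1" {
  type        = list(string)
  description = "DNS server addresses handed out by DHCP; the guide reuses them as NTP and NetBIOS name servers."

  validation {
    # AWS accepts at most four DNS / NetBIOS name servers, and every entry
    # must be a plain IPv4 address (cidrhost() rejects anything else).
    condition = length(var.AWC-DHCP-DNS1) >= 1 && length(var.AWC-DHCP-DNS1) <= 4 && alltrue([
      for ip in var.AWC-DHCP-DNS1 : can(cidrhost("${ip}/32", 0))
    ])
    error_message = "AWC-DHCP-DNS1 must hold one to four IPv4 addresses, for example [\"172.31.20.19\"]."
  }
}

# terraform.tfvars (constructed sample; the values mirror the plan output
# shown in this guide):
# AWC-VPC-CIDR        = "172.31.0.0/16"
# AWC-DHCP-DomainName = "pseaws.lab"
# AWC-DHCP-DNS1       = ["172.31.20.19"]
```

Variable validation blocks need Terraform 0.13 or later; the conditions are evaluated during `terraform plan`, so a typo in terraform.tfvars is reported before any AWS API call is made. Declaring AWC-DHCP-DNS1 as list(string) also documents why the DHCP options resource can pass it straight to domain_name_servers, ntp_servers and netbios_name_servers.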


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform init
Initializing the backend...
Initializing provider plugins...
- Finding citrix/citrix versions matching "1.0.6"...
- Finding hashicorp/aws versions matching ">= 5.4.0"...
- Finding latest version of hashicorp/local...
- Installing citrix/citrix v1.0.6...
- Installed citrix/citrix v1.0.6 (self-signed, key ID BD4BD0E690CB7D88)
- Installing hashicorp/aws v5.73.0...
- Installed hashicorp/aws v5.73.0 (signed by HashiCorp)
- Installing hashicorp/local v2.5.2...
- Installed hashicorp/local v2.5.2 (signed by HashiCorp)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

 

# aws_vpc.AWC-VPC will be created
  + resource "aws_vpc" "AWC-VPC" {
      + arn                                  = (known after apply)
      + cidr_block                           = "172.31.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name" = "AWC-TF-VPC"
        }
      + tags_all                             = {
          + "Name" = "AWC-TF-VPC"
        }
    }

  # aws_vpc_dhcp_options.AWC-DHCP will be created
  + resource "aws_vpc_dhcp_options" "AWC-DHCP" {
      + arn                               = (known after apply)
      + domain_name                       = "pseaws.lab"
      + domain_name_servers               = [
          + "172.31.20.19",
        ]
      + id                                = (known after apply)
      + ipv6_address_preferred_lease_time = "1440"
      + netbios_name_servers              = [
          + "172.31.20.19",
        ]
      + netbios_node_type                 = "1"
      + ntp_servers                       = [
          + "172.31.20.19",
        ]
      + owner_id                          = (known after apply)
      + tags                              = {
          + "Name" = "AWC-TF-DHCP"
        }
      + tags_all                          = {
          + "Name" = "AWC-TF-DHCP"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:


# aws_vpc.AWC-VPC will be created
  + resource "aws_vpc" "AWC-VPC" {
      + arn                                  = (known after apply)
      + cidr_block                           = "172.31.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name" = "AWC-TF-VPC"
        }
      + tags_all                             = {
          + "Name" = "AWC-TF-VPC"
        }
    }

  # aws_vpc_dhcp_options.AWC-DHCP will be created
  + resource "aws_vpc_dhcp_options" "AWC-DHCP" {
      + arn                               = (known after apply)
      + domain_name                       = "pseaws.lab"
      + domain_name_servers               = [
          + "172.31.20.19",
        ]
      + id                                = (known after apply)
      + ipv6_address_preferred_lease_time = "1440"
      + netbios_name_servers              = [
          + "172.31.20.19",
        ]
      + netbios_node_type                 = "1"
      + ntp_servers                       = [
          + "172.31.20.19",
        ]
      + owner_id                          = (known after apply)
      + tags                              = {
          + "Name" = "AWC-TF-DHCP"
        }
      + tags_all                          = {
          + "Name" = "AWC-TF-DHCP"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

 

aws_vpc.AWC-VPC: Creating...
aws_vpc_dhcp_options.AWC-DHCP: Creation complete after 1s [id=dopt-0c26e5d5880c8b208]
aws_vpc.AWC-VPC: Still creating... [10s elapsed]
aws_vpc.AWC-VPC: Creation complete after 11s [id=vpc-0a0c4e01213dca45a]


Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>
 

Terraform successfully created the new VPC and its DHCP options.

Note: 

For more information about VPCs and DHCP options, please visit Amazon's product documentation pages.
 

 

Deploy Subnets, Internet Gateways, NAT Gateways, Route Tables and Security Groups

After creating the VPC, we deploy all needed network components: Subnets, Internet Gateways, NAT Gateways, Route Tables and Security Groups.
 

Deploying the Subnets

A Subnet is a range of IP addresses in your VPC. You create AWS resources, such as EC2 instances, in specific Subnets.

The Subnet type is determined by how you configure routing for it:

  • Public Subnet: The Subnet has a direct route to an Internet Gateway. Resources in a Public Subnet can access the Internet directly.
  • Private Subnet: The Subnet has no direct route to an Internet Gateway. Resources in a Private Subnet need a NAT device to reach the Internet.
     

Important: 

Each Subnet must be associated with a Route Table, which specifies the allowed outbound routes. By default, every Subnet is associated with the main Route Table of its VPC.
Disable the Auto-assign public IPv4 address setting; otherwise, a public IPv4 address is automatically requested for every new Network Interface in the Subnet.

 

Use Terraform to create the Subnets:

### Create a Public Subnet #1
resource "aws_subnet" "AWC-Subnet-Pub-1" {
  vpc_id                  = aws_vpc.AWC-VPC.id             # place the subnet in the VPC created above
  cidr_block              = var.AWC-Subnet-Pub-CIDR-1      # must lie inside the VPC CIDR
  availability_zone       = var.AWC-AvailibilityRegion-1   # first Availability Zone
  map_public_ip_on_launch = false                          # no automatic public IPv4 on new Network Interfaces
  tags = {
    Name = "AWC-TF-PubSubnet1"
  }
}

### Create a Public Subnet #2
resource "aws_subnet" "AWC-Subnet-Pub-2" {
  vpc_id                  = aws_vpc.AWC-VPC.id
  cidr_block              = var.AWC-Subnet-Pub-CIDR-2
  availability_zone       = var.AWC-AvailibilityRegion-2   # second Availability Zone
  map_public_ip_on_launch = false
  tags = {
    Name = "AWC-TF-PubSubnet2"
  }
}

### Create a Private Subnet #1
resource "aws_subnet" "AWC-Subnet-Priv-1" {
  vpc_id                  = aws_vpc.AWC-VPC.id
  cidr_block              = var.AWC-Subnet-Priv-CIDR-1
  availability_zone       = var.AWC-AvailibilityRegion-1   # same AZ as Public Subnet #1
  map_public_ip_on_launch = false
  tags = {
    Name = "AWC-TF-PrivSubnet1"
  }
}

### Create a Private Subnet #2
resource "aws_subnet" "AWC-Subnet-Priv-2" {
  vpc_id                  = aws_vpc.AWC-VPC.id
  cidr_block              = var.AWC-Subnet-Priv-CIDR-2
  availability_zone       = var.AWC-AvailibilityRegion-2   # same AZ as Public Subnet #2
  map_public_ip_on_launch = false
  tags = {
    Name = "AWC-TF-PrivSubnet2"
  }
}


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

# aws_subnet.AWC-Subnet-Priv-1 will be created
  + resource "aws_subnet" "AWC-Subnet-Priv-1" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.5.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PrivSubnet1"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PrivSubnet1"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.AWC-Subnet-Priv-2 will be created
  + resource "aws_subnet" "AWC-Subnet-Priv-2" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.6.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PrivSubnet2"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PrivSubnet2"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.AWC-Subnet-Pub-1 will be created
  + resource "aws_subnet" "AWC-Subnet-Pub-1" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.1.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PubSubnet1"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PubSubnet1"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.AWC-Subnet-Pub-2 will be created
  + resource "aws_subnet" "AWC-Subnet-Pub-2" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.2.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PubSubnet2"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PubSubnet2"
        }
      + vpc_id                                         = (known after apply)
    }

 

Plan: 4 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

# aws_subnet.AWC-Subnet-Priv-1 will be created
  + resource "aws_subnet" "AWC-Subnet-Priv-1" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.5.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PrivSubnet1"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PrivSubnet1"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.AWC-Subnet-Priv-2 will be created
  + resource "aws_subnet" "AWC-Subnet-Priv-2" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.6.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PrivSubnet2"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PrivSubnet2"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.AWC-Subnet-Pub-1 will be created
  + resource "aws_subnet" "AWC-Subnet-Pub-1" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.1.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PubSubnet1"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PubSubnet1"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.AWC-Subnet-Pub-2 will be created
  + resource "aws_subnet" "AWC-Subnet-Pub-2" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (sensitive value)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.31.2.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "AWC-TF-PubSubnet2"
        }
      + tags_all                                       = {
          + "Name" = "AWC-TF-PubSubnet2"
        }
      + vpc_id                                         = (known after apply)
    }

 

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_subnet.AWC-Subnet-Pub-1: Creating...
aws_subnet.AWC-Subnet-Pub-2: Creating...
aws_subnet.AWC-Subnet-Priv-2: Creating...
aws_subnet.AWC-Subnet-Priv-1: Creating...
aws_subnet.AWC-Subnet-Pub-1: Creation complete after 1s [id=subnet-0c66b831b007a95dc]
aws_subnet.AWC-Subnet-Pub-2: Creation complete after 1s [id=subnet-0218607b747ebabe1]
aws_subnet.AWC-Subnet-Priv-1: Creation complete after 1s [id=subnet-0ebd5082675ce4b86]
aws_subnet.AWC-Subnet-Priv-2: Creation complete after 1s [id=subnet-0aedb284d0a518375]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the four new Subnets.

Note: 

For more information about Subnets, please visit Amazon's Product Documentation pages.

After creating the Subnets, you must create an Internet Gateway to enable the Public Subnet and the Jumphost-VM to connect to the Internet.
 

Deploying an Internet Gateway

An Internet Gateway allows communication between your VPC and the Internet. It supports IPv4 and IPv6 traffic and provides a target in your VPC Route Tables.
Resources in your Public Subnets can connect to the Internet if they have a public IPv4 or IPv6 address. The communication flow is two-way—the resources can also be contacted from the Internet.
For communication using IPv4, the Internet Gateway also performs Network Address Translation (NAT).

Use Terraform to create the Internet Gateway:

### Create a Public Internet Gateway
resource "aws_internet_gateway" "AWC-InetGW" {
  vpc_id = aws_vpc.AWC-VPC.id
  tags = {
    Name = "AWC-TF-InetGW-Pub"
  }
}


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:


  # aws_internet_gateway.AWC-InetGW will be created
  + resource "aws_internet_gateway" "AWC-InetGW" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name" = "AWC-TF-InetGW-Pub"
        }
      + tags_all = {
          + "Name" = "AWC-TF-InetGW-Pub"
        }
      + vpc_id   = (known after apply)
    }


Plan: 1 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_internet_gateway.AWC-InetGW will be created
  + resource "aws_internet_gateway" "AWC-InetGW" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name" = "AWC-TF-InetGW-Pub"
        }
      + tags_all = {
          + "Name" = "AWC-TF-InetGW-Pub"
        }
      + vpc_id   = (known after apply)
    }


Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

 

aws_internet_gateway.AWC-InetGW: Creating...
aws_internet_gateway.AWC-InetGW: Creation complete after 1s [id=igw-07459e74a135ab85f]


Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the new Internet Gateway.

To connect the Public Subnets to the Internet, you need to create a Route Table and associate it with those Subnets. A Route Table contains a set of routes directing network traffic from your Subnet or Gateway.
Use 0.0.0.0/0 as the Destination and the Internet Gateway you created as the Target. The Public Subnets then have a connection to the Internet.

Use Terraform to create the Route Table and the needed Routes and Associations:

### Create the Public Route Table
resource "aws_route_table" "AWC-RouteTable-Pub" {
  vpc_id = aws_vpc.AWC-VPC.id
  tags = {
    Name = "AWC-TF-RouteTable-Pub"
  }
}

#### Create Routes in the Public Route Table
resource "aws_route" "AWC-Route-Public" {
  depends_on = [aws_vpc.AWC-VPC, aws_internet_gateway.AWC-InetGW, aws_route_table.AWC-RouteTable-Pub]

  route_table_id         = aws_route_table.AWC-RouteTable-Pub.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.AWC-InetGW.id
}

#### Create Subnet Association for Public Subnet #1
resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-1" {
  subnet_id      = aws_subnet.AWC-Subnet-Pub-1.id
  route_table_id = aws_route_table.AWC-RouteTable-Pub.id
}

#### Create Subnet Association for Public Subnet #2
resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-2" {
  subnet_id      = aws_subnet.AWC-Subnet-Pub-2.id
  route_table_id = aws_route_table.AWC-RouteTable-Pub.id
}


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:


  # aws_route_table.AWC-RouteTable-Pub will be created
  + resource "aws_route_table" "AWC-RouteTable-Pub" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "AWC-TF-RouteTable-Pub"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route.AWC-Route-Public will be created
  + resource "aws_route" "AWC-Route-Public" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }

  # aws_route_table_association.AWC-RT-SN-Association-Pub-1 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-1" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.AWC-RT-SN-Association-Pub-2 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-2" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:


  # aws_route_table.AWC-RouteTable-Pub will be created
  + resource "aws_route_table" "AWC-RouteTable-Pub" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "AWC-TF-RouteTable-Pub"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route.AWC-Route-Public will be created
  + resource "aws_route" "AWC-Route-Public" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }

  # aws_route_table_association.AWC-RT-SN-Association-Pub-1 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-1" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.AWC-RT-SN-Association-Pub-2 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-2" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_route_table.AWC-RouteTable-Pub: Creating...
aws_route_table.AWC-RouteTable-Pub: Creation complete after 1s [id=rtb-03e180326b1e9e342]
aws_route_table_association.AWC-RT-SN-Association-Pub-1: Creating...

aws_route_table_association.AWC-RT-SN-Association-Pub-2: Creating...
aws_route.AWC-Route-Public: Creating...
aws_route_table_association.AWC-RT-SN-Association-Pub-1: Creation complete after 0s [id=rtbassoc-0fa2d0b5fe04866de]

aws_route_table_association.AWC-RT-SN-Association-Pub-2: Creation complete after 0s [id=rtbassoc-021578912696a90c3]
aws_route.AWC-Route-Public: Creation complete after 0s [id=r-rtb-03e180326b1e9e3421080289494]


Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the new Route Table, Routes, and Associations for the Public Subnets and the Internet Gateway.

Note: 

For more information about Gateways, please visit Amazon's Product Documentation pages.

Deploying a NAT Gateway

After creating the Internet Gateway, you need to create a NAT Gateway in the Private Subnet(s) to enable the Private Subnet(s) to connect to the Internet.
A NAT Gateway is a Network Address Translation (NAT) device. It needs a mapped Elastic IP.

Important: 

You can use a NAT Gateway to enable instances in a Private Subnet to connect to services outside your VPC. External services cannot initiate a connection with those instances.
A NAT Gateway is for use with IPv4 traffic only.

 

When you create a NAT Gateway, you specify one of the following connectivity types:

  • Public – (Default) Instances in Private Subnets can connect to the Internet.
  • Private – Instances in Private Subnets can connect to other VPCs or your on-premises network but not to the Internet.

Use Terraform to create the Elastic IPs and the NAT Gateways:

### Create an Elastic IP for NATGW #1
resource "aws_eip" "AWC-EIP-NATGW-AZ1" {
  tags = {
    Name = "AWC-TF-EIP1"
  }
}

### Create an Elastic IP for NATGW #2
resource "aws_eip" "AWC-EIP-NATGW-AZ2" {
  tags = {
    Name = "AWC-TF-EIP2"
  }
}

### Create a NAT Gateway for Private Subnet #1
resource "aws_nat_gateway" "AWC-NATGW-SN1" {
  allocation_id = aws_eip.AWC-EIP-NATGW-AZ1.id
  subnet_id     = aws_subnet.AWC-Subnet-Priv-1.id
  tags = {
    Name = "AWC-TF-NATGW-SN1"
  }
}

### Create a NAT Gateway for Private Subnet #2
resource "aws_nat_gateway" "AWC-NATGW-SN2" {
  allocation_id = aws_eip.AWC-EIP-NATGW-AZ2.id
  subnet_id     = aws_subnet.AWC-Subnet-Priv-2.id
  tags = {
    Name = "AWC-TF-NATGW-SN2"
  }
}

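The Subnet, Route Table and NAT Gateway sections above all rely on the same three properties: no Subnet auto-assigns public IPv4 addresses, the Public Route Table sends 0.0.0.0/0 to the Internet Gateway, and each NAT Gateway sits where it can actually reach the Internet. AWS documents that a public NAT Gateway (connectivity_type "public", the default shown in the plan output) must be created in a public Subnet, because the gateway's own outbound traffic follows its Subnet's Route Table; a NAT Gateway placed in a Subnet whose Route Table has no Internet Gateway route cannot forward traffic to the Internet. The following script is an added example, not part of this guide or of Terraform: it reviews the configuration graph that `terraform show -json <planfile>` emits (the `configuration.root_module.resources[].expressions` structure, with `constant_value` and `references` entries) before `terraform apply` is approved. The embedded sample plan is constructed here and only reuses the guide's resource names; with the NAT Gateways in the Private Subnets, as the HCL above places them, the check reports them.

```python
"""Constructed example (not from the guide): review the configuration graph that
`terraform show -json <planfile>` emits for the network properties this guide
depends on. The sample data below only reuses the guide's resource names."""
import json

# Reference prefixes that are not managed resources (skipped when resolving refs).
_NON_RESOURCE = {"var", "local", "module", "data", "each", "count", "path", "terraform"}


def _ref_addr(expr):
    """Return the 'type.name' address a plan expression references, or None."""
    for ref in expr.get("references", []):
        parts = ref.split(".")
        if len(parts) >= 2 and parts[0] not in _NON_RESOURCE:
            return ".".join(parts[:2])
    return None


def review_network_config(plan):
    """Return a list of findings (empty when the configuration passes all checks)."""
    by_type = {}
    for res in plan["configuration"]["root_module"]["resources"]:
        by_type.setdefault(res["type"], []).append(res)
    findings = []

    # 1. No Subnet may hand out public IPv4 addresses automatically (provider default is false).
    for sn in by_type.get("aws_subnet", []):
        if sn["expressions"].get("map_public_ip_on_launch", {}).get("constant_value", False):
            findings.append(f"{sn['address']}: map_public_ip_on_launch is true")

    # 2. A Route Table is "public" when an aws_route sends 0.0.0.0/0 to an Internet Gateway.
    #    (Assumption: routes are separate aws_route resources, as in this guide.)
    public_tables = set()
    for route in by_type.get("aws_route", []):
        ex = route["expressions"]
        dest = ex.get("destination_cidr_block", {}).get("constant_value")
        target = _ref_addr(ex.get("gateway_id", {}))
        table = _ref_addr(ex.get("route_table_id", {}))
        if dest == "0.0.0.0/0" and table and target and target.startswith("aws_internet_gateway."):
            public_tables.add(table)

    # 3. Subnets without an explicit association use the VPC main Route Table, which
    #    only carries the local route unless changed, so they count as private here.
    subnet_table = {}
    for assoc in by_type.get("aws_route_table_association", []):
        ex = assoc["expressions"]
        sn, table = _ref_addr(ex.get("subnet_id", {})), _ref_addr(ex.get("route_table_id", {}))
        if sn and table:
            subnet_table[sn] = table
    public_subnets = {sn for sn, table in subnet_table.items() if table in public_tables}

    # 4. A public NAT Gateway (the default connectivity_type) must sit in a public Subnet.
    for ngw in by_type.get("aws_nat_gateway", []):
        ex = ngw["expressions"]
        ctype = ex.get("connectivity_type", {}).get("constant_value", "public")
        sn = _ref_addr(ex.get("subnet_id", {}))
        if ctype == "public" and sn not in public_subnets:
            findings.append(f"{ngw['address']}: public NAT Gateway placed in non-public subnet {sn}")
    return findings


# Helpers that build a constructed plan in the `terraform show -json` configuration shape.
def _res(addr, **exprs):
    rtype, name = addr.split(".", 1)
    return {"address": addr, "mode": "managed", "type": rtype, "name": name, "expressions": exprs}

def _ref(addr, attr="id"):
    return {"references": [f"{addr}.{attr}", addr]}

def _const(value):
    return {"constant_value": value}


def sample_plan(nat_subnets=("aws_subnet.AWC-Subnet-Priv-1", "aws_subnet.AWC-Subnet-Priv-2")):
    """Constructed configuration graph using the guide's resource names; by default the
    NAT Gateways are placed in the Private Subnets, exactly as the guide's HCL does."""
    vpc, rt_pub, igw = "aws_vpc.AWC-VPC", "aws_route_table.AWC-RouteTable-Pub", "aws_internet_gateway.AWC-InetGW"
    resources = [
        _res(vpc),
        _res(igw, vpc_id=_ref(vpc)),
        _res(rt_pub, vpc_id=_ref(vpc)),
        _res("aws_route.AWC-Route-Public", route_table_id=_ref(rt_pub),
             destination_cidr_block=_const("0.0.0.0/0"), gateway_id=_ref(igw)),
    ]
    for kind in ("Pub", "Priv"):
        for i in (1, 2):
            resources.append(_res(f"aws_subnet.AWC-Subnet-{kind}-{i}", vpc_id=_ref(vpc),
                                  map_public_ip_on_launch=_const(False)))
    for i in (1, 2):
        resources.append(_res(f"aws_route_table_association.AWC-RT-SN-Association-Pub-{i}",
                              subnet_id=_ref(f"aws_subnet.AWC-Subnet-Pub-{i}"), route_table_id=_ref(rt_pub)))
    for i, sn in enumerate(nat_subnets, start=1):
        resources.append(_res(f"aws_nat_gateway.AWC-NATGW-SN{i}",
                              allocation_id=_ref(f"aws_eip.AWC-EIP-NATGW-AZ{i}"), subnet_id=_ref(sn)))
    return {"format_version": "1.2", "configuration": {"root_module": {"resources": resources}}}


def load_plan(path):
    """Load a real plan exported with: terraform plan -out tfplan; terraform show -json tfplan > plan.json"""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for line in review_network_config(sample_plan()) or ["no findings"]:
        print(line)
```

Run it against a real export with `review_network_config(load_plan("plan.json"))`. The check reads only the configuration graph, not `planned_values`, because attribute values such as `subnet_id` are "(known after apply)" in the plan and are therefore absent there; the `references` entries are what survive. Passing `sample_plan(("aws_subnet.AWC-Subnet-Pub-1", "aws_subnet.AWC-Subnet-Pub-2"))` shows the clean result for NAT Gateways placed in the Public Subnets.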

Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:


  # aws_eip.AWC-EIP-NATGW-AZ1 will be created
  + resource "aws_eip" "AWC-EIP-NATGW-AZ1" {
      + allocation_id        = (known after apply)
      + arn                  = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = (known after apply)
      + id                   = (known after apply)
      + instance             = (known after apply)
      + ipam_pool_id         = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + ptr_record           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name" = "AWC-TF-EIP1"
        }
      + tags_all             = {
          + "Name" = "AWC-TF-EIP1"
        }
      + vpc                  = (known after apply)
    }

  # aws_eip.AWC-EIP-NATGW-AZ2 will be created
  + resource "aws_eip" "AWC-EIP-NATGW-AZ2" {
      + allocation_id        = (known after apply)
      + arn                  = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = (known after apply)
      + id                   = (known after apply)
      + instance             = (known after apply)
      + ipam_pool_id         = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + ptr_record           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name" = "AWC-TF-EIP2"
        }
      + tags_all             = {
          + "Name" = "AWC-TF-EIP2"
        }
      + vpc                  = (known after apply)
    }

# aws_nat_gateway.AWC-NATGW-SN1 will be created
  + resource "aws_nat_gateway" "AWC-NATGW-SN1" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "Name" = "AWC-TF-NATGW-SN1"
        }
      + tags_all                           = {
          + "Name" = "AWC-TF-NATGW-SN1"
        }
    }

  # aws_nat_gateway.AWC-NATGW-SN2 will be created
  + resource "aws_nat_gateway" "AWC-NATGW-SN2" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "Name" = "AWC-TF-NATGW-SN2"
        }
      + tags_all                           = {
          + "Name" = "AWC-TF-NATGW-SN2"
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_eip.AWC-EIP-NATGW-AZ1 will be created
  + resource "aws_eip" "AWC-EIP-NATGW-AZ1" {
      + allocation_id        = (known after apply)
      + arn                  = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = (known after apply)
      + id                   = (known after apply)
      + instance             = (known after apply)
      + ipam_pool_id         = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + ptr_record           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name" = "AWC-TF-EIP1"
        }
      + tags_all             = {
          + "Name" = "AWC-TF-EIP1"
        }
      + vpc                  = (known after apply)
    }

  # aws_eip.AWC-EIP-NATGW-AZ2 will be created
  + resource "aws_eip" "AWC-EIP-NATGW-AZ2" {
      + allocation_id        = (known after apply)
      + arn                  = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = (known after apply)
      + id                   = (known after apply)
      + instance             = (known after apply)
      + ipam_pool_id         = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + ptr_record           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name" = "AWC-TF-EIP2"
        }
      + tags_all             = {
          + "Name" = "AWC-TF-EIP2"
        }
      + vpc                  = (known after apply)
    }

  # aws_nat_gateway.AWC-NATGW-SN1 will be created
  + resource "aws_nat_gateway" "AWC-NATGW-SN1" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "Name" = "AWC-TF-NATGW-SN1"
        }
      + tags_all                           = {
          + "Name" = "AWC-TF-NATGW-SN1"
        }
    }

  # aws_nat_gateway.AWC-NATGW-SN2 will be created
  + resource "aws_nat_gateway" "AWC-NATGW-SN2" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "Name" = "AWC-TF-NATGW-SN2"
        }
      + tags_all                           = {
          + "Name" = "AWC-TF-NATGW-SN2"
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_eip.AWC-EIP-NATGW-AZ2: Creating...
aws_eip.AWC-EIP-NATGW-AZ1: Creating...
aws_eip.AWC-EIP-NATGW-AZ2: Creation complete after 1s [id=eipalloc-0d2c0d41ca785a357]
aws_eip.AWC-EIP-NATGW-AZ1: Creation complete after 1s [id=eipalloc-00184109cbc0ed1c3]
aws_nat_gateway.AWC-NATGW-SN1: Creating...
aws_nat_gateway.AWC-NATGW-SN2: Creating...
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [10s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [10s elapsed]
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [20s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [20s elapsed]
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [30s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [30s elapsed]
...
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [1m40s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [1m40s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Creation complete after 1m44s [id=nat-0b05e87d8b775ad17]
aws_nat_gateway.AWC-NATGW-SN1: Creation complete after 1m44s [id=nat-064b88196cc1199a4]


Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the new NAT Gateways and their Elastic IPs.
A NAT Gateway only forwards traffic that is routed to it, so the Private Subnets still need Route Tables of their own: one per Private Subnet, with a default route (0.0.0.0/0) to the NAT Gateway in the same Availability Zone and an association with that subnet, just as you did with the Internet Gateway for the Public Subnets.

Use Terraform to create the Route Tables and the needed Routes and Associations:

### Create the Private Route Table for Subnet #1

resource "aws_route_table" "AWC-RouteTable-Priv-SN1" {
  vpc_id = aws_vpc.AWC-VPC.id

  tags = {
    Name = "AWC-TF-RouteTable-Priv-SN1"
  }
}

### Create the Private Route Table for Subnet #2

resource "aws_route_table" "AWC-RouteTable-Priv-SN2" {
  vpc_id = aws_vpc.AWC-VPC.id

  tags = {
    Name = "AWC-TF-RouteTable-Priv-SN2"
  }
}

#### Create Routes in the Private Route Table for Subnet #1
# A NAT Gateway is referenced with nat_gateway_id; gateway_id is reserved for
# Internet Gateways and Virtual Private Gateways. Point each Private Subnet at
# the NAT Gateway in its own Availability Zone so egress survives an AZ outage.

resource "aws_route" "AWC-Route-Private-SN1" {
  route_table_id         = aws_route_table.AWC-RouteTable-Priv-SN1.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.AWC-NATGW-SN1.id
}

#### Create Routes in the Private Route Table for Subnet #2

resource "aws_route" "AWC-Route-Private-SN2" {
  route_table_id         = aws_route_table.AWC-RouteTable-Priv-SN2.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.AWC-NATGW-SN2.id
}

#### Create Subnet Association for Private Subnet #1

resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-1" {
  subnet_id      = aws_subnet.AWC-Subnet-Priv-1.id
  route_table_id = aws_route_table.AWC-RouteTable-Priv-SN1.id
}

#### Create Subnet Association for Private Subnet #2

resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-2" {
  subnet_id      = aws_subnet.AWC-Subnet-Priv-2.id
  route_table_id = aws_route_table.AWC-RouteTable-Priv-SN2.id
}


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_route_table.AWC-RouteTable-Priv-SN1 will be created
  + resource "aws_route_table" "AWC-RouteTable-Priv-SN1" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN1"
        }
      + tags_all         = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN1"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route_table.AWC-RouteTable-Priv-SN2 will be created
  + resource "aws_route_table" "AWC-RouteTable-Priv-SN2" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN2"
        }
      + tags_all         = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN2"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route.AWC-Route-Private-SN1 will be created
  + resource "aws_route" "AWC-Route-Private-SN1" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }

  # aws_route.AWC-Route-Private-SN2 will be created
  + resource "aws_route" "AWC-Route-Private-SN2" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }
  # aws_route_table_association.AWC-RT-SN-Association-Priv-1 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-1" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.AWC-RT-SN-Association-Priv-2 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-2" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }


Plan: 6 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_route_table.AWC-RouteTable-Priv-SN1 will be created
  + resource "aws_route_table" "AWC-RouteTable-Priv-SN1" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN1"
        }
      + tags_all         = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN1"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route_table.AWC-RouteTable-Priv-SN2 will be created
  + resource "aws_route_table" "AWC-RouteTable-Priv-SN2" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN2"
        }
      + tags_all         = {
          + "Name" = "AWC-TF-RouteTable-Priv-SN2"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route.AWC-Route-Private-SN1 will be created
  + resource "aws_route" "AWC-Route-Private-SN1" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }

  # aws_route.AWC-Route-Private-SN2 will be created
  + resource "aws_route" "AWC-Route-Private-SN2" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }
  # aws_route_table_association.AWC-RT-SN-Association-Priv-1 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-1" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.AWC-RT-SN-Association-Priv-2 will be created
  + resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-2" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }


Plan: 6 to add, 0 to change, 0 to destroy.


Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_route_table.AWC-RouteTable-Priv-SN2: Creating...
aws_route_table.AWC-RouteTable-Priv-SN1: Creating...
aws_route.AWC-Route-Private-SN2: Creating...
aws_route.AWC-Route-Private-SN1: Creating...
aws_route_table.AWC-RouteTable-Priv-SN2: Creation complete after 1s [id=rtb-04d3927d25865adcf]
aws_route_table.AWC-RouteTable-Priv-SN1: Creation complete after 1s [id=rtb-0c9cb8b3a967e3481]
aws_route.AWC-Route-Private-SN2: Creation complete after 0s [id=r-rtb-04d3927d25865adcf1080289494]
aws_route.AWC-Route-Private-SN1: Creation complete after 0s [id=r-rtb-0c9cb8b3a967e34811080289494]
aws_route_table_association.AWC-RT-SN-Association-Priv-1: Creating...
aws_route_table_association.AWC-RT-SN-Association-Priv-2: Creating...
aws_route_table_association.AWC-RT-SN-Association-Priv-1: Creation complete after 0s [id=rtbassoc-090c9d66718c2a158]
aws_route_table_association.AWC-RT-SN-Association-Priv-2: Creation complete after 0s [id=rtbassoc-038405332aa4c4384]



Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the new Route Tables, Routes, and Associations for the Private Subnets.

Note: 

For more information about Gateways, please visit Amazon´s Product Documentation pages.
 

Now, all instances in the Private Subnets can reach the Internet outbound through the NAT Gateways. A NAT Gateway does not accept connections initiated from the Internet, so the Private Subnets remain unreachable from outside even though they have Internet egress.
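The following Python script is an added check, not part of this guide's Terraform code. It takes route tables in the JSON shape that `aws ec2 describe-route-tables` returns and verifies that every Private Subnet's default route targets a NAT Gateway (never the Internet Gateway) and that every Public Subnet's default route targets the Internet Gateway. The route tables, subnet IDs and gateway IDs embedded below are constructed sample data; in practice, feed it the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<your VPC>`.

```python
"""Check that Private Subnets egress only through a NAT Gateway.

The input has the shape of `aws ec2 describe-route-tables` output
(RouteTables[].Routes[] and RouteTables[].Associations[]). All IDs below are
constructed placeholders for this example, not values from a real account.
"""
import json

# Constructed sample: a public table (default route via IGW), a correct private
# table (default route via NAT Gateway), a private table that was wired to the
# IGW by mistake, and the VPC main table.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {"RouteTableId": "rtb-pub",
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa"}],
         "Associations": [{"SubnetId": "subnet-pub-1"}, {"SubnetId": "subnet-pub-2"}]},
        {"RouteTableId": "rtb-priv-1",
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1111"}],
         "Associations": [{"SubnetId": "subnet-priv-1"}]},
        {"RouteTableId": "rtb-priv-2",
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa"}],
         "Associations": [{"SubnetId": "subnet-priv-2"}]},
        {"RouteTableId": "rtb-main",
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
         "Associations": [{"Main": True}]},
    ]
})


def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route (IGW, NAT Gateway, ENI, TGW ...) or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("NatGatewayId") or route.get("GatewayId")
                    or route.get("NetworkInterfaceId") or route.get("TransitGatewayId"))
    return None


def audit_route_tables(describe_output, private_subnets, public_subnets):
    """Return (subnet_id, problem) findings; an empty list means routing is as intended."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    subnet_to_table = {}
    for table in data["RouteTables"]:
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:            # the main-table association carries no SubnetId
                subnet_to_table[assoc["SubnetId"]] = table

    findings = []
    for subnet in private_subnets:
        table = subnet_to_table.get(subnet)
        if table is None:
            findings.append((subnet, "no explicit route table association, falls back to the VPC main table"))
            continue
        target = default_route_target(table)
        if target is None:
            findings.append((subnet, "no default route, instances have no Internet egress"))
        elif target.startswith("igw-"):
            findings.append((subnet, f"default route via Internet Gateway {target}, subnet is effectively public"))
        elif not target.startswith("nat-"):
            findings.append((subnet, f"default route via unexpected target {target}"))

    for subnet in public_subnets:
        table = subnet_to_table.get(subnet)
        target = default_route_target(table) if table else None
        if target is None or not target.startswith("igw-"):
            findings.append((subnet, f"default route target is {target!r}, expected an Internet Gateway"))
    return findings


if __name__ == "__main__":
    for subnet, problem in audit_route_tables(SAMPLE_DESCRIBE_ROUTE_TABLES,
                                              ["subnet-priv-1", "subnet-priv-2"],
                                              ["subnet-pub-1", "subnet-pub-2"]):
        print(f"{subnet}: {problem}")
```

On the sample data the script reports only `subnet-priv-2`, whose default route points at the Internet Gateway; a subnet without an explicit association is reported too, because it silently inherits the VPC main route table rather than the private table you intended.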
 

Set the IAM permissions

After creating all needed Network components, we must set the required IAM permissions.
AWS Identity and Access Management (IAM) controls access to AWS resources: it determines who can be authenticated (signed in) and what they are authorized (have permissions) to do with Amazon VPC and other AWS resources.

Deploying an IAM Policy

You control access by creating policies and attaching them to identities (users, groups, roles) or to resources.
A Policy defines the permissions associated with it. Policies are evaluated when a principal, for example an IAM user, a role, or the account root user, requests access to a resource, and the permissions in the Policies determine whether the request is allowed or denied.
Most Policies are stored in AWS as JSON documents.

As an example, we deploy an IAM role with an inline IAM policy that sets the permissions needed for deploying DaaS and its entities. The role's trust policy (assume_role_policy) allows the EC2 service to assume it, so the role is meant to be attached to instances through an instance profile. The inline policy is a PoC policy: "ds:*" and "workspaces:*" on Resource "*" grant every Directory Service and every WorkSpaces action on every resource in the account, so scope it down to the specific actions and resource ARNs you need before using it outside a PoC.

### Create the needed IAM Roles and Policies

resource "aws_iam_role" "AWC-IAM-Main-Role" {
  name = "AWC-IAM-Main-Role"

  # Trust policy: only the EC2 service may assume this role, i.e. it is meant
  # to be attached to instances through an instance profile.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
}

resource "aws_iam_role_policy" "AWC-IAM-Main" {
  name = "AWC-IAM-Role-Main"
  role = aws_iam_role.AWC-IAM-Main-Role.id

  # PoC permissions. "ds:*" and "workspaces:*" on Resource "*" are broad;
  # replace them with the specific actions and resource ARNs you need before
  # using this role outside a PoC.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "workdocs:DeregisterDirectory",
        "workdocs:RegisterDirectory",
        "workdocs:AddUserToGroup",
        "ec2:ImportInstance",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:CreateKeyPair",
        "ec2:DescribeKeyPairs",
        "ec2:ModifyImageAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:RunInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateTags",
        "ec2:DescribeRouteTables",
        "ec2:DescribeInternetGateways",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeInstanceTypes",
        "servicequotas:ListServices",
        "servicequotas:GetRequestedServiceQuotaChange",
        "servicequotas:ListTagsForResource",
        "servicequotas:GetServiceQuota",
        "servicequotas:GetAssociationForServiceQuotaTemplate",
        "servicequotas:ListAWSDefaultServiceQuotas",
        "servicequotas:ListServiceQuotas",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
        "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
        "servicequotas:ListRequestedServiceQuotaChangeHistory",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
        "sts:DecodeAuthorizationMessage",
        "ds:*",
        "workspaces:*",
        "iam:GetRole",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role.AWC-IAM-Main-Role will be created
  + resource "aws_iam_role" "AWC-IAM-Main-Role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "AWC-IAM-Main-Role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role_policy.AWC-IAM-Main will be created
  + resource "aws_iam_role_policy" "AWC-IAM-Main" {
      + id          = (known after apply)
      + name        = "AWC-IAM-Role-Main"
      + name_prefix = (known after apply)
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "workdocs:DeregisterDirectory",
                          + "workdocs:RegisterDirectory",
                          + "workdocs:AddUserToGroup",
                          + "ec2:ImportInstance",
                          + "ec2:DescribeImages",
                          + "ec2:DescribeImageAttribute",
                          + "ec2:CreateKeyPair",
                          + "ec2:DescribeKeyPairs",
                          + "ec2:ModifyImageAttribute",
                          + "ec2:DescribeVpcs",
                          + "ec2:DescribeSubnets",
                          + "ec2:RunInstances",
                          + "ec2:DescribeSecurityGroups",
                          + "ec2:CreateTags",
                          + "ec2:DescribeRouteTables",
                          + "ec2:DescribeInternetGateways",
                          + "ec2:CreateSecurityGroup",
                          + "ec2:DescribeInstanceTypes",
                          + "servicequotas:ListServices",
                          + "servicequotas:GetRequestedServiceQuotaChange",
                          + "servicequotas:ListTagsForResource",
                          + "servicequotas:GetServiceQuota",
                          + "servicequotas:GetAssociationForServiceQuotaTemplate",
                          + "servicequotas:ListAWSDefaultServiceQuotas",
                          + "servicequotas:ListServiceQuotas",
                          + "servicequotas:GetAWSDefaultServiceQuota",
                          + "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                          + "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
                          + "servicequotas:ListRequestedServiceQuotaChangeHistory",
                          + "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                          + "sts:DecodeAuthorizationMessage",
                          + "ds:*",
                          + "workspaces:*",
                          + "iam:GetRole",
                          + "iam:GetContextKeysForPrincipalPolicy",
                          + "iam:SimulatePrincipalPolicy",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "VisualEditor0"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role        = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role.AWC-IAM-Main-Role will be created
  + resource "aws_iam_role" "AWC-IAM-Main-Role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "AWC-IAM-Main-Role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role_policy.AWC-IAM-Main will be created
  + resource "aws_iam_role_policy" "AWC-IAM-Main" {
      + id          = (known after apply)
      + name        = "AWC-IAM-Role-Main"
      + name_prefix = (known after apply)
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "workdocs:DeregisterDirectory",
                          + "workdocs:RegisterDirectory",
                          + "workdocs:AddUserToGroup",
                          + "ec2:ImportInstance",
                          + "ec2:DescribeImages",
                          + "ec2:DescribeImageAttribute",
                          + "ec2:CreateKeyPair",
                          + "ec2:DescribeKeyPairs",
                          + "ec2:ModifyImageAttribute",
                          + "ec2:DescribeVpcs",
                          + "ec2:DescribeSubnets",
                          + "ec2:RunInstances",
                          + "ec2:DescribeSecurityGroups",
                          + "ec2:CreateTags",
                          + "ec2:DescribeRouteTables",
                          + "ec2:DescribeInternetGateways",
                          + "ec2:CreateSecurityGroup",
                          + "ec2:DescribeInstanceTypes",
                          + "servicequotas:ListServices",
                          + "servicequotas:GetRequestedServiceQuotaChange",
                          + "servicequotas:ListTagsForResource",
                          + "servicequotas:GetServiceQuota",
                          + "servicequotas:GetAssociationForServiceQuotaTemplate",
                          + "servicequotas:ListAWSDefaultServiceQuotas",
                          + "servicequotas:ListServiceQuotas",
                          + "servicequotas:GetAWSDefaultServiceQuota",
                          + "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                          + "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
                          + "servicequotas:ListRequestedServiceQuotaChangeHistory",
                          + "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                          + "sts:DecodeAuthorizationMessage",
                          + "ds:*",
                          + "workspaces:*",
                          + "iam:GetRole",
                          + "iam:GetContextKeysForPrincipalPolicy",
                          + "iam:SimulatePrincipalPolicy",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "VisualEditor0"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role        = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_iam_role.AWC-IAM-Main-Role: Creating...
aws_iam_role.AWC-IAM-Main-Role: Creation complete after 1s [id=AWC-IAM-Main-Role]
aws_iam_role_policy.AWC-IAM-Main: Creating...
aws_iam_role_policy.AWC-IAM-Main: Creation complete after 0s [id=AWC-IAM-Main-Role:AWC-IAM-Role-Main]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the initial IAM role and its inline policy.

As the needs for IAM Policies differ widely between deployments, a detailed description of further IAM policies is out of scope for this guide. Whatever policy you end up with, review it for wildcard actions and Resource "*" grants before applying it, and prefer specific actions, resource ARNs and Conditions.
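As an added example of that review (this is not code from the guide or from Citrix), the following Python script walks an IAM policy document and flags Allow statements that grant wildcard actions or mutating actions on Resource "*" without a Condition. The embedded policy is this guide's inline policy with its action list shortened to the entries that matter for the review; the severity levels are the script's own heuristics, not an AWS classification. It accepts either a JSON string (for example the output of `aws iam get-role-policy`) or an already parsed dict.

```python
"""Least-privilege review of an IAM policy document before `terraform apply`.

Flags Allow statements that grant wildcard actions (e.g. "ds:*") or mutating
actions on Resource "*" without a Condition. The severity levels are this
example's heuristics, not an AWS classification.
"""
import json

# The guide's AWC-IAM-Role-Main policy, with the action list shortened for
# this example (the complete list is in the Terraform above).
GUIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["ec2:DescribeImages", "ec2:RunInstances", "ec2:CreateSecurityGroup",
                   "ds:*", "workspaces:*", "iam:GetRole", "iam:SimulatePrincipalPolicy"],
        "Resource": "*",
    }],
}

# Action-name prefixes that create or change resources; on Resource "*" they
# deserve a second look even when they are not wildcards.
MUTATING_PREFIXES = ("Create", "Run", "Modify", "Delete", "Put", "Attach",
                     "Import", "Register", "Deregister", "Add")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings as dicts {sid, level, action, reason} for every risky Allow grant."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements never widen access
        sid = stmt.get("Sid", "")
        any_resource = "*" in _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append({"sid": sid, "level": "critical", "action": action,
                                 "reason": "full administrative access"})
            elif action.endswith(":*"):
                findings.append({"sid": sid, "level": "high", "action": action,
                                 "reason": f"all actions of the {action[:-2]} service"
                                           + (" on any resource" if any_resource else "")})
            elif (any_resource and not has_condition
                  and action.split(":", 1)[-1].startswith(MUTATING_PREFIXES)):
                findings.append({"sid": sid, "level": "medium", "action": action,
                                 "reason": 'mutating action on Resource "*" without a Condition'})
    return findings


def summarize(findings):
    """Count findings per level, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for finding in findings:
        counts[finding["level"]] = counts.get(finding["level"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_policy(GUIDE_POLICY):
        print(f"[{f['level']:8}] {f['sid']}: {f['action']} - {f['reason']}")
```

Run against the guide's policy it reports `ds:*` and `workspaces:*` as high and `ec2:RunInstances` and `ec2:CreateSecurityGroup` as medium; narrowing the Resource of the EC2 actions to the ARNs of your VPC and subnets makes the medium findings disappear.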

Note: 

For more information about IAM, please visit Amazon´s Product Documentation pages.
 

 

Deploying Security Groups on the Network Entities

A Security Group associated with an EC2 instance (more precisely, with its network interface) controls the instance's inbound and outbound traffic. Security Groups are stateful: the return traffic of an allowed connection is permitted automatically, so you only write rules for the direction in which connections are initiated.

Note: 

Security Groups enable you to increase security for the resources in your VPC as they act like virtual firewalls at the instance level.
 

When you create a VPC, it comes with a default Security Group. You can create additional Security Groups for a VPC, each with its own inbound and outbound rules:

You can specify each inbound rule's source, port range, and protocol.
You can specify each outbound rule's destination, port range, and protocol.

Security Group rules only allow traffic; there are no deny rules, and traffic that matches no rule is dropped.

The following diagram shows a VPC with a Subnet, an Internet Gateway, and a Security Group.
The Subnet contains an EC2 instance. The Security Group is assigned to the instance and acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the Security Group rules.

[Figure: aws-security-group-overview.png]

For the Security Group bound to the Instances in the Public Subnets, use the following rules:

Type: HTTP
Protocol: TCP
Port range: 80
Source: Custom 0.0.0.0/0

Type: HTTPS
Protocol: TCP
Port range: 443
Source: Custom 0.0.0.0/0

Type: RDP
Protocol: TCP
Port range: 3389
Source: My IP (your current external IP as a /32; the AWS console fills this in automatically, in Terraform you enter it yourself)

Create more Inbound Rules according to your needs.
 

For the Security Group bound to the Instances in the Private Subnets, use the following rules:

Type: HTTP
Protocol: TCP
Port range: 80
Source: Custom 0.0.0.0/0

Type: HTTPS
Protocol: TCP
Port range: 443
Source: Custom 0.0.0.0/0

Type: RDP
Protocol: TCP
Port range: 3389
Source: Custom 0.0.0.0/0

Type: Custom TCP
Protocol: TCP
Port range: 1494
Source: Custom 0.0.0.0/0

Type: Custom UDP
Protocol: UDP
Port range: 1494
Source: Custom 0.0.0.0/0

Type: Custom TCP
Protocol: TCP
Port range: 2598
Source: Custom 0.0.0.0/0

Type: Custom UDP
Protocol: UDP
Port range: 2598
Source: Custom 0.0.0.0/0

Create more Inbound Rules according to your needs.

Note that 0.0.0.0/0 as the source of the Private Subnets' rules is a PoC shortcut: instances in the Private Subnets have no public IP and the NAT Gateway accepts no inbound connections, so these rules are reachable only from inside the VPC and from networks connected to it. Outside a PoC, set the source to the VPC CIDR or to the Security Group of the Cloud Connectors, and never expose RDP (3389) to 0.0.0.0/0 on an instance that has a public IP.
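The following Python script is an added review aid, not code from this guide. It takes ingress rules written with the attributes of `aws_vpc_security_group_ingress_rule` (ip_protocol, from_port, to_port, cidr_ipv4) and flags the two mistakes that are easiest to make with the rules above: a from_port/to_port pair that opens a whole port range instead of the single port in the table (from_port 0 with to_port 443 opens TCP 0 through 443), and administrative ports reachable from 0.0.0.0/0. Both rule sets below are constructed for the example, the second one using a documentation address as the "My IP" source.

```python
"""Review Security Group ingress rules expressed with the attributes of
aws_vpc_security_group_ingress_rule (ip_protocol, from_port, to_port, cidr_ipv4).

Catches from_port/to_port pairs that open a range instead of one port, admin
ports (SSH, RDP, WinRM) open to 0.0.0.0/0, and all-protocol rules open to the
world. The rule sets below are constructed for this example.
"""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: "Port range: 443, Source: 0.0.0.0/0" with from_port left
# at 0 (opens 0-443), and the same for RDP.
RANGE_BY_MISTAKE = [
    {"name": "Int-IR-HTTPS", "ip_protocol": "tcp", "from_port": 0, "to_port": 443, "cidr_ipv4": "0.0.0.0/0"},
    {"name": "Int-IR-RDP",   "ip_protocol": "tcp", "from_port": 0, "to_port": 3389, "cidr_ipv4": "0.0.0.0/0"},
]
# The intended single-port form; 203.0.113.10/32 stands in for "My IP".
INTENDED = [
    {"name": "Int-IR-HTTPS", "ip_protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_ipv4": "0.0.0.0/0"},
    {"name": "Pub-IR-RDP",   "ip_protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr_ipv4": "203.0.113.10/32"},
    {"name": "Int-IR-ICA",   "ip_protocol": "udp", "from_port": 1494, "to_port": 1494, "cidr_ipv4": "10.0.0.0/16"},
]


def rule_port_span(rule):
    """Number of ports a tcp/udp rule opens (1 for a single port); None for other protocols."""
    if rule["ip_protocol"] not in ("tcp", "udp"):
        return None
    return rule["to_port"] - rule["from_port"] + 1


def audit_ingress_rules(rules):
    """Return (rule name, problem) pairs for rules a reviewer should question."""
    findings = []
    for rule in rules:
        name, proto = rule["name"], rule["ip_protocol"]
        open_to_world = ipaddress.ip_network(rule["cidr_ipv4"], strict=False) == ANYWHERE
        if proto == "-1":
            if open_to_world:
                findings.append((name, "all protocols and ports open to 0.0.0.0/0"))
            continue
        span = rule_port_span(rule)
        if span is None:                      # icmp and friends: no port semantics
            continue
        if span > 1:
            findings.append((name, f"opens {span} ports ({rule['from_port']}-{rule['to_port']}), "
                                   f"probably meant from_port = to_port = {rule['to_port']}"))
        if open_to_world:
            for port, service in ADMIN_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append((name, f"{service} ({port}/{proto}) reachable from 0.0.0.0/0; "
                                           "restrict the source to a /32 or the VPC CIDR"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_ingress_rules(RANGE_BY_MISTAKE) + audit_ingress_rules(INTENDED):
        print(f"{name}: {problem}")
```

The mistaken rule set produces five findings (two range warnings, plus SSH and RDP falling inside the opened ranges), while the intended set produces none, because the RDP rule is limited to one source address and the ICA rule to the VPC CIDR.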

Use Terraform to create the Security Groups and their Rules:

### Create Internal-bound Security Group

resource "aws_security_group" "AWC-SG-Internal" {
  name   = "SG-Internal"
  vpc_id = aws_vpc.AWC-VPC.id

  tags = {
    Name = "AWC-TF-SecurityGroup-Internal"
  }
}

### Create Public-Security Group

resource "aws_security_group" "AWC-SG-Public" {
  name   = "SG-External"
  vpc_id = aws_vpc.AWC-VPC.id

  tags = {
    Name = "AWC-TF-SecurityGroup-Public"
  }
}

#### Create the Security Group Rules
# from_port and to_port define a range: set both to the same value to open a
# single port (from_port = 0 with to_port = 443 would open TCP 0 through 443).
# 0.0.0.0/0 as source on the internal group is a PoC shortcut; restrict it to
# the VPC CIDR (aws_vpc.AWC-VPC.cidr_block) or to the Cloud Connector security
# group outside a PoC.

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTPS" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Public-IR-HTTPS" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Public-IR-HTTP" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
}

# RDP on the public group only from your own address (the console's "My IP"):
# replace the placeholder with your current public IP as a /32.
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-RDP" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "XXXXXXXXXX/32"
  ip_protocol       = "tcp"
  from_port         = 3389
  to_port           = 3389
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-RDP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 3389
  to_port           = 3389
}

# ICA (1494) and Session Reliability / CGP (2598), each over TCP and over UDP (EDT)
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICATCP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 1494
  to_port           = 1494
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICAUDP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "udp"
  from_port         = 1494
  to_port           = 1494
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPTCP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 2598
  to_port           = 2598
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPUDP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "udp"
  from_port         = 2598
  to_port           = 2598
}

resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICMP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "icmp"
  from_port         = -1   # for ICMP, from_port is the type and to_port the code; -1/-1 allows all types
  to_port           = -1
}

resource "aws_vpc_security_group_egress_rule" "AWC-SG-Int-ER-All" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"   # all protocols and ports; from_port/to_port are not set for "-1"
}

 

resource "aws_vpc_security_group_egress_rule" "AWC-SG-Ext-ER-All" {

  security_group_id = aws_security_group.AWC-SG-External.id

  cidr_ipv4         = "0.0.0.0/0"

  from_port         = 0

  ip_protocol       = "-1"

  to_port           = 0

}

 


Terraform will now create these entities:

PS C:\_TERRAFORM\_AWSCore> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.AWC-SG-Internal will be created
  + resource "aws_security_group" "AWC-SG-Internal" {
      + arn                    = (known after apply)
      + description            = "Managed by Terraform"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "SG-Internal"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Name" = "AWC-TF-SecurityGroup-Internal"
        }
      + tags_all               = {
          + "Name" = "AWC-TF-SecurityGroup-Internal"
        }
      + vpc_id                 = "vpc-0a0c4e01213dca45a"
    }

  # aws_security_group.AWC-SG-Public will be created
  + resource "aws_security_group" "AWC-SG-Public" {
      + arn                    = (known after apply)
      + description            = "Managed by Terraform"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "SG-Public"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Name" = "AWC-TF-SecurityGroup-Public"
        }
      + tags_all               = {
          + "Name" = "AWC-TF-SecurityGroup-Public"
        }
      + vpc_id                 = "vpc-0a0c4e01213dca45a"
    }

  # aws_vpc_security_group_egress_rule.AWC-SG-Int-ER-All will be created
  + resource "aws_vpc_security_group_egress_rule" "AWC-SG-Int-ER-All" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 0
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 0
    }

  # aws_vpc_security_group_egress_rule.AWC-SG-Pub-ER-All will be created
  + resource "aws_vpc_security_group_egress_rule" "AWC-SG-Pub-ER-All" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 0
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 0
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPTCP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPTCP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 2598
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 2598
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPUDP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 2598
      + id                     = (known after apply)
      + ip_protocol            = "udp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 2598
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 80
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 80
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTPS will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTPS" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 443
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 443
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICATCP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICATCP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 1494
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 1494
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICAUDP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICAUDP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 1494
      + id                     = (known after apply)
      + ip_protocol            = "udp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 1494
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICMP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICMP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = -1
      + id                     = (known after apply)
      + ip_protocol            = "icmp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = -1
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-RDP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-RDP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 3389
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 3389
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-HTTP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 80
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 80
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-HTTPS will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTPS" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + from_port              = 443
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 443
    }

  # aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-RDP will be created
  + resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-RDP" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "XXXXXXXXXXXXX"
      + from_port              = 3389
      + id                     = (known after apply)
      + ip_protocol            = "tcp"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
      + to_port                = 3389
    }

Plan: 15 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PS C:\_TERRAFORM\_AWSCore> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

...

Plan: 15 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_security_group.AWC-SG-Internal: Creation complete after 1s [id=sg-0633dbccc6f7debdc]
aws_security_group.AWC-SG-Public: Creation complete after 1s [id=sg-06a8ab84b0a692170]

aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICATCP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICMP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICAUDP: Creating...
...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICATCP: Creation complete after 0s [id=sgr-01067ddbb01b277fa]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP: Creation complete after 0s [id=sgr-0c276bd82c1893367]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-RDP: Creation complete after 0s [id=sgr-036882befc2d63329]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTPS: Creation complete after 0s [id=sgr-0f83b2b1e904eaf12]
aws_vpc_security_group_egress_rule.AWC-SG-Int-ER-All: Creation complete after 0s [id=sgr-0742921e3eee9d06b]

Apply complete! Resources: 15 added, 0 changed, 0 destroyed.

PS C:\_TERRAFORM\_AWSCore>

Terraform successfully created the Security Groups and their Rules.
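Before moving on, it pays to verify what the apply actually produced rather than trusting the plan. The following PowerShell script is an added example and is not part of the original guide or of the Citrix or AWS tooling. Its Test-SgRules function flags two mistakes that are easy to make with these rule resources: a rule that became a port range because from_port was left at 0, and an administrative port (RDP 3389, ICA 1494, CGP 2598) open to 0.0.0.0/0. The function reads the same property names as the Amazon.EC2.Model.SecurityGroupRule objects returned by Get-EC2SecurityGroupRule (AWS.Tools.EC2), so it is first exercised here on constructed sample rules and can then be pointed at the real Security Groups; the sample rule IDs and the 10.0.0.0/16 source are assumptions for the demonstration.

```powershell
# Added example (not from the original guide): audit inbound Security Group rules for
#   1. a port range where a single port was intended (from_port 0 .. to_port N)
#   2. an administrative port open to the whole Internet (0.0.0.0/0)
# Works on any objects exposing SecurityGroupRuleId, IsEgress, IpProtocol,
# FromPort, ToPort and CidrIpv4, i.e. the objects Get-EC2SecurityGroupRule returns.

$AdminPorts = @(3389, 1494, 2598)   # RDP, ICA, Common Gateway Protocol

function Test-SgRules {
    param([Parameter(Mandatory)] [object[]] $Rules)

    foreach ($r in $Rules) {
        if ($r.IsEgress) { continue }            # outbound "all" rules are expected here

        if ($r.IpProtocol -eq '-1') {
            [pscustomobject]@{ RuleId = $r.SecurityGroupRuleId
                               Finding = 'all protocols and ports allowed inbound'
                               Source  = $r.CidrIpv4 }
            continue
        }

        # ICMP uses FromPort/ToPort as type/code, so the range check applies to TCP/UDP only
        if ($r.IpProtocol -in @('tcp', 'udp')) {
            if ($r.FromPort -ne $r.ToPort) {
                [pscustomobject]@{ RuleId = $r.SecurityGroupRuleId
                                   Finding = "port range $($r.FromPort)-$($r.ToPort)/$($r.IpProtocol) instead of a single port"
                                   Source  = $r.CidrIpv4 }
            }
            if ($r.CidrIpv4 -eq '0.0.0.0/0' -and $r.ToPort -in $AdminPorts) {
                [pscustomobject]@{ RuleId = $r.SecurityGroupRuleId
                                   Finding = "admin port $($r.ToPort)/$($r.IpProtocol) open to the Internet"
                                   Source  = $r.CidrIpv4 }
            }
        }
    }
}

# Constructed sample input (not real rules): an RDP rule with from_port left at 0,
# a correct single-port HTTPS rule, an ICA rule open to the world, and an egress rule.
$SampleRules = @(
    [pscustomobject]@{ SecurityGroupRuleId = 'sgr-sample-1'; IsEgress = $false; IpProtocol = 'tcp'; FromPort = 0;    ToPort = 3389; CidrIpv4 = '10.0.0.0/16' }
    [pscustomobject]@{ SecurityGroupRuleId = 'sgr-sample-2'; IsEgress = $false; IpProtocol = 'tcp'; FromPort = 443;  ToPort = 443;  CidrIpv4 = '0.0.0.0/0' }
    [pscustomobject]@{ SecurityGroupRuleId = 'sgr-sample-3'; IsEgress = $false; IpProtocol = 'tcp'; FromPort = 1494; ToPort = 1494; CidrIpv4 = '0.0.0.0/0' }
    [pscustomobject]@{ SecurityGroupRuleId = 'sgr-sample-4'; IsEgress = $true;  IpProtocol = '-1';  FromPort = 0;    ToPort = 0;    CidrIpv4 = '0.0.0.0/0' }
)

# Expected: two findings, for sgr-sample-1 (range 0-3389) and sgr-sample-3 (1494 open to the Internet)
Test-SgRules -Rules $SampleRules | Format-Table -AutoSize

# Against the deployed groups (needs AWS.Tools.EC2 and credentials), for example the internal group created above:
# $Live = Get-EC2SecurityGroupRule -Filter @{ Name = 'group-id'; Values = 'sg-0633dbccc6f7debdc' }
# Test-SgRules -Rules $Live | Format-Table -AutoSize
```

Running the check against both groups after every apply, and failing the pipeline on any finding, is the cheapest way to keep a later edit to the Terraform code from silently widening a rule.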

 

Deploy all needed Instances in your VPC

An Amazon EC2 Instance is a Virtual Machine in the AWS Cloud environment.
Amazon EC2 provides a wide range of Instance types. You can choose an Instance type that provides the compute resources, memory, storage, and network configurations according to your needs.

In this guide, we will initially deploy the following Instances:

  • 1 Jump Host for accessing the environment over the Internet using RDP
  • 1 Domain Controller for providing all needed Active Directory functionalities
  • 2 Cloud Connectors

Further Instances will be created automatically during the Machine Catalog creation.

Important: 

You need an EC2 Key Pair to decrypt the administrator password to access a non-domain-joined Windows-based Instance. A Key Pair, consisting of a public key and a private key, is a set of security credentials you use to prove your identity.
After joining the Instance to a Domain, you can log on using the Domain credentials.
The Key Pair is used only for local Admin access!

 

Creating the EC2 Key Pair using the GUI

Before deploying Windows Instances, you must create a Key Pair to gain access to the Instance after it is created.

  1. Log on to your AWS console, enter EC2 in the Search bar at the top of the page, and choose the Network & Security option. Click on Key Pairs on the Dashboard.
    If no Key Pair was already created, click Create key pair.

    kp1.png
  2. Choose the needed settings and click Create key pair.
    kp2.png

Important: 

After successful creation, download and store the Key Pair in a safe place.
You will need it each time you access the Windows Instance with local administrator credentials.

 

 

Creating the EC2 Key Pair using PowerShell

The AWS Terraform provider cannot have EC2 generate a Key Pair for you: its aws_key_pair resource only registers a public key that you supply, and generating the key within Terraform (tls_private_key) would store the private key in the state file.
To automate this step, use PowerShell (AWS Tools for PowerShell):

PS C:\_TERRAFORM\_AWSCore> $GetKeyPair = New-EC2KeyPair -KeyName AWC-KeyPair
PS C:\_TERRAFORM\_AWSCore> $GetKeyPair


KeyFingerprint : c1:2b:01:8d:ba:4a:50:ed:41:d1:94:f7:d6:39:df:04:b3:f9:cb:dd
KeyMaterial    : -----BEGIN RSA PRIVATE KEY-----
                 MIIEpQIBAAKCAQEAskyHNFpSh+k+K+7ccyjEguX/VEcQKiYkf3ebAJ1VZSZJ0FnX
...                 +7IB7HL42zIt7oG29n35XycvXI6tg/mT7pEtnAehuolwtapdCFKUGjo=
                 -----END RSA PRIVATE KEY-----
KeyName        : AWC-KeyPair
KeyPairId      : key-00cb83cebc992e403
Tags           : {}


PS C:\_TERRAFORM\_AWSCore> $GetKeyPair.KeyMaterial | Out-File -Encoding ascii "C:\_TERRAFORM\_AWSCore\WC-KeyPair.pem"
PS C:\_TERRAFORM\_AWSCore>
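The transcript above prints the private key to the console, which leaves it in the session history and in any transcript file. The following script is an added example, not part of the original guide or of the AWS tooling; it performs the same step in a form suitable for automation: it skips creation when the Key Pair already exists (EC2 can never re-export a private key), writes the key material only to the .pem file, restricts that file to the current user, and returns only the non-secret attributes. It assumes AWS.Tools.EC2 with working credentials; the function name, the key name and the file path are this example's own choices, and $InstanceId in the closing comment is a placeholder.

```powershell
# Added example (not from the original guide): create an EC2 Key Pair for the
# Windows Instances without exposing the private key on the console.
# Requires AWS.Tools.EC2 (Get-EC2KeyPair, New-EC2KeyPair, Get-EC2PasswordData).

$KeyName = 'AWC-KeyPair'                                   # example name
$PemPath = 'C:\_TERRAFORM\_AWSCore\AWC-KeyPair.pem'        # example path

function New-AwcKeyPairFile {
    param(
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $PemPath
    )

    # A name filter returns nothing (no error) when the Key Pair does not exist yet.
    $existing = Get-EC2KeyPair -Filter @{ Name = 'key-name'; Values = $KeyName }
    if ($existing) {
        Write-Warning "Key pair '$KeyName' already exists ($($existing.KeyPairId)); EC2 cannot export its private key again."
        return $existing | Select-Object KeyName, KeyPairId, KeyFingerprint
    }

    # The default key type is RSA, which is what decrypting the Windows
    # Administrator password requires.
    $kp = New-EC2KeyPair -KeyName $KeyName

    # Key material goes to the file only; it is never written to the pipeline or console.
    $kp.KeyMaterial | Out-File -Encoding ascii -FilePath $PemPath

    # Drop inherited ACLs and grant read access to the current user only,
    # the same restriction OpenSSH enforces on private key files.
    icacls $PemPath /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

    # Return only the non-secret attributes for logging.
    $kp | Select-Object KeyName, KeyPairId, KeyFingerprint
}

New-AwcKeyPairFile -KeyName $KeyName -PemPath $PemPath

# Later, once the Jump Host exists and before it is domain-joined, the local
# Administrator password is decrypted with the same file ($InstanceId is a placeholder):
# Get-EC2PasswordData -InstanceId $InstanceId -PemFile $PemPath -Decrypt
```

Keep the .pem out of the Terraform working directory if that directory is committed to source control, and remember that the password retrieved with Get-EC2PasswordData stays retrievable by anyone holding both the .pem file and ec2:GetPasswordData on the Instance.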