PoC Guide: Deploying Citrix DaaS and Amazon WorkSpaces Core using Terraform
Overview
AWS WorkSpaces Core is a managed virtual desktop infrastructure designed to work with third-party VDI solutions such as Citrix DaaS. It is the compute layer of AWS workloads that the Citrix DaaS control plane can help orchestrate and manage to deliver HDX-optimized apps anywhere. AWS WorkSpaces Core and Citrix improve cost savings, simplify cloud management, and provide a superior user experience.
Citrix DaaS treats AWS WorkSpaces Core as another Resource Location option to leverage within your deployment. It helps your IT teams manage and provision WorkSpace Core desktops directly from the Citrix platform, reducing application delivery complexity and simplifying operations. With security features like Zero Trust Network Access (ZTNA), contextual access policies, and secure browser redirection, Citrix protects your business from cyber threats and data leaks.
Citrix improves the WorkSpaces Core experience with advanced HDX graphics, Unified Communication optimizations, USB redirection, and support for 3D workloads, ensuring smooth performance on any device or network. With centralized management, automated patching, and streamlined updates, Citrix optimizes your budget by reducing IT costs and complexity.
This Proof of Concept guide will help you deploy Citrix DaaS and Amazon WorkSpaces Core using Terraform.
The following is covered in this guide:
- Deploying all needed entities for Citrix DaaS:
  - Deploying a Resource Location and its Cloud Connectors
- Deploying all needed entities for Amazon WorkSpaces Core:
  - Deploying a VPC
  - Deploying the Subnets and Gateways
  - Setting the IAM permissions
  - Deploying all needed instances like the Jumphost and a Domain Controller
- Creating the Deployment of Citrix DaaS on Amazon WorkSpaces Core
Deploying Citrix DaaS and Amazon WorkSpaces Core
Before deploying Citrix DaaS and Amazon WorkSpaces Core, we must create and configure all necessary prerequisites.
We assume you already have a Citrix Cloud tenant with an active trial or a paid subscription to the Citrix DaaS service and an active AWS account.
Installing AWS Tools for PowerShell and AWS CLI
This guide uses AWS CLI and PowerShell cmdlets to determine further needed information.
Install the AWS Tools modules you need. In this example, we install three different modules:
PS C:\_TERRAFORM\_AWSCore> Install-AWSToolsModule AWS.Tools.EC2 -Force
Installing module AWS.Tools.Common version 4.1.693.0
Installing module AWS.Tools.EC2 version 4.1.693.0
Installing module AWS.Tools.IdentityManagement version 4.1.693.0
Installing module AWS.Tools.ServiceQuotas version 4.1.693.0
Installing module AWS.Tools.SimpleSystemsManagement version 4.1.693.0
Installing module AWS.Tools.WorkSpaces version 4.1.693.0
PS C:\_TERRAFORM\_AWSCore>
PS C:\_TERRAFORM\_AWSCore> Install-AWSToolsModule AWS.Tools.S3 -Force
Installing module AWS.Tools.S3 version 4.1.693.0
PS C:\_TERRAFORM\_AWSCore>
PS C:\_TERRAFORM\_AWSCore> Install-AWSToolsModule AWS.Tools.Workspaces -Force
PS C:\_TERRAFORM\_AWSCore>
You can check if all needed modules are installed:
PS C:\_TERRAFORM\_AWSCore> Get-AWSPowerShellVersion -ListServiceVersionInfo
AWS Tools for PowerShell
Version 4.1.693
Copyright 2012-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Amazon Web Services SDK for .NET
Core Runtime Version 3.7.400.46
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Release notes: https://github.com/aws/aws-tools-for-powershell/blob/master/CHANGELOG.md
This software includes third party software subject to the following copyrights:
- Logging from log4net, Apache License
[http://logging.apache.org/log4net/license.html]
Service Noun Prefix Module Name SDK Assembly Version
------- ----------- ----------- --------------------
AWS IAM Access Analyzer IAMAA AWS.Tools.AccessAnalyzer 3.7.400.46
AWS Account ACCT AWS.Tools.Account 3.7.400.46
AWS Certificate Manager Private Certificate Authority PCA AWS.Tools.ACMPCA 3.7.400.47
AWS Amplify AMP AWS.Tools.Amplify 3.7.402.11
Amplify Backend AMPB AWS.Tools.AmplifyBackend 3.7.400.46
AWS Amplify UI Builder AMPUI AWS.Tools.AmplifyUIBuilder 3.7.400.46
Amazon API Gateway AG AWS.Tools.APIGateway 3.7.400.47
Amazon API Gateway Management API AGM AWS.Tools.ApiGatewayManagementApi 3.7.400.46
Amazon API Gateway V2 AG2 AWS.Tools.ApiGatewayV2 3.7.400.46
AWS AppConfig APPC AWS.Tools.AppConfig 3.7.402.7
AWS AppConfig Data ACD AWS.Tools.AppConfigData 3.7.400.46
Amazon Web Services AppFabric AFAB AWS.Tools.AppFabric 3.7.400.46
Amazon Appflow AF AWS.Tools.Appflow 3.7.400.47
Amazon AppIntegrations Service AIS AWS.Tools.AppIntegrationsService 3.7.401.43
Application Auto Scaling AAS AWS.Tools.ApplicationAutoScaling 3.7.401.46
Amazon ApplicationCostProfiler ACP AWS.Tools.ApplicationCostProfiler 3.7.400.46
AWS Application Discovery Service ADS AWS.Tools.ApplicationDiscoveryService 3.7.400.46
Amazon CloudWatch Application Insights CWAI AWS.Tools.ApplicationInsights 3.7.401.10
Amazon CloudWatch Application Signals CWAS AWS.Tools.ApplicationSignals 3.7.402.31
AWS App Mesh AMSH AWS.Tools.AppMesh 3.7.400.46
AWS Service Catalog App Registry SCAR AWS.Tools.AppRegistry 3.7.400.46
AWS App Runner AAR AWS.Tools.AppRunner 3.7.400.46
Amazon AppStream APS AWS.Tools.AppStream 3.7.403.18
AWS AppSync ASYN AWS.Tools.AppSync 3.7.402.3
AWS Mainframe Modernization Application Testing AT AWS.Tools.AppTest 3.7.400.46
AWS ARC - Zonal Shift AZS AWS.Tools.ARCZonalShift 3.7.400.46
AWS Artifact ART AWS.Tools.Artifact 3.7.400.46
Amazon Athena ATH AWS.Tools.Athena 3.7.402.10
AWS Audit Manager AUDM AWS.Tools.AuditManager 3.7.400.46
Amazon Augmented AI (A2I) Runtime A2IR AWS.Tools.AugmentedAIRuntime 3.7.400.46
AWS Auto Scaling AS AWS.Tools.AutoScaling 3.7.404.0
AWS Auto Scaling Plans ASP AWS.Tools.AutoScalingPlans 3.7.400.46
AWS Health HLTH AWS.Tools.AWSHealth 3.7.400.46
AWS Marketplace Commerce Analytics MCA AWS.Tools.AWSMarketplaceCommerceAnalytics 3.7.400.46
AWS Marketplace Metering MM AWS.Tools.AWSMarketplaceMetering 3.7.400.46
AWS Support ASA AWS.Tools.AWSSupport 3.7.400.47
AWS B2B Data Interchange B2BI AWS.Tools.B2bi 3.7.401.18
AWS Backup BAK AWS.Tools.Backup 3.7.401.33
AWS Backup Gateway BUGW AWS.Tools.BackupGateway 3.7.400.46
AWS Batch BAT AWS.Tools.Batch 3.7.402.2
AWSBillingAndCostManagementDataExports BCMDE AWS.Tools.BCMDataExports 3.7.400.46
Amazon Bedrock BDR AWS.Tools.Bedrock 3.7.409.4
Agents for Amazon Bedrock AAB AWS.Tools.BedrockAgent 3.7.409.0
Amazon Bedrock Agent Runtime BAR AWS.Tools.BedrockAgentRuntime 3.7.406.10
Amazon Bedrock Runtime BDRR AWS.Tools.BedrockRuntime 3.7.408.0
AWSBillingConductor ABC AWS.Tools.BillingConductor 3.7.400.46
Amazon Braket BRKT AWS.Tools.Braket 3.7.400.46
AWS Budgets BGT AWS.Tools.Budgets 3.7.401.23
AWS Certificate Manager ACM AWS.Tools.CertificateManager 3.7.400.46
AWS Chatbot CHAT AWS.Tools.Chatbot 3.7.402.21
Amazon Chime CHM AWS.Tools.Chime 3.7.400.46
Amazon Chime SDK Identity CHMID AWS.Tools.ChimeSDKIdentity 3.7.400.46
Amazon Chime SDK Media Pipelines CHMMP AWS.Tools.ChimeSDKMediaPipelines 3.7.400.46
Amazon Chime SDK Meetings CHMTG AWS.Tools.ChimeSDKMeetings 3.7.400.46
Amazon Chime SDK Messaging CHMMG AWS.Tools.ChimeSDKMessaging 3.7.400.46
Amazon Chime SDK Voice CHMVO AWS.Tools.ChimeSDKVoice 3.7.400.46
AWS Clean Rooms Service CRS AWS.Tools.CleanRooms 3.7.402.0
CleanRoomsML CRML AWS.Tools.CleanRoomsML 3.7.401.0
AWS Cloud9 C9 AWS.Tools.Cloud9 3.7.400.46
AWS Cloud Control API CCA AWS.Tools.CloudControlApi 3.7.400.46
Amazon Cloud Directory CDIR AWS.Tools.CloudDirectory 3.7.400.47
AWS CloudFormation CFN AWS.Tools.CloudFormation 3.7.400.46
Amazon CloudFront CF AWS.Tools.CloudFront 3.7.400.46
Amazon CloudFront KeyValueStore CFKV AWS.Tools.CloudFrontKeyValueStore 3.7.400.46
AWS CloudHSM V2 HSM2 AWS.Tools.CloudHSMV2 3.7.400.46
Amazon CloudSearch CS AWS.Tools.CloudSearch 3.7.400.47
Amazon CloudSearch Domain CSD AWS.Tools.CloudSearchDomain 3.7.400.46
AWS CloudTrail CT AWS.Tools.CloudTrail 3.7.400.46
AWS CloudTrail Data Service CTD AWS.Tools.CloudTrailData 3.7.400.46
Amazon CloudWatch CW AWS.Tools.CloudWatch 3.7.401.44
Amazon CloudWatch Evidently CWEVD AWS.Tools.CloudWatchEvidently 3.7.400.46
Amazon CloudWatch Logs CWL AWS.Tools.CloudWatchLogs 3.7.406.1
CloudWatch RUM CWRUM AWS.Tools.CloudWatchRUM 3.7.400.46
AWS CodeArtifact CA AWS.Tools.CodeArtifact 3.7.401.19
AWS CodeBuild CB AWS.Tools.CodeBuild 3.7.406.1
AWS CodeCatalyst CCAT AWS.Tools.CodeCatalyst 3.7.400.46
AWS CodeCommit CC AWS.Tools.CodeCommit 3.7.401.46
AWS CodeConnections CCON AWS.Tools.CodeConnections 3.7.401.25
AWS CodeDeploy CD AWS.Tools.CodeDeploy 3.7.400.46
Amazon CodeGuru Profiler CGP AWS.Tools.CodeGuruProfiler 3.7.400.46
Amazon CodeGuru Reviewer CGR AWS.Tools.CodeGuruReviewer 3.7.400.46
Amazon CodeGuru Security CGS AWS.Tools.CodeGuruSecurity 3.7.400.46
AWS CodePipeline CP AWS.Tools.CodePipeline 3.7.404.12
AWS CodeStar Connections CSTC AWS.Tools.CodeStarconnections 3.7.400.46
AWS CodeStar Notifications CSTN AWS.Tools.CodeStarNotifications 3.7.400.46
Amazon Cognito Identity CGI AWS.Tools.CognitoIdentity 3.7.401.28
Amazon Cognito Identity Provider CGIP AWS.Tools.CognitoIdentityProvider 3.7.403.27
Amazon Cognito Sync CGIS AWS.Tools.CognitoSync 3.7.400.46
Amazon Comprehend COMP AWS.Tools.Comprehend 3.7.400.46
AWS Comprehend Medical CMPM AWS.Tools.ComprehendMedical 3.7.400.46
AWS Compute Optimizer CO AWS.Tools.ComputeOptimizer 3.7.400.47
AWS Config CFG AWS.Tools.ConfigService 3.7.401.42
Amazon Connect Service CONN AWS.Tools.Connect 3.7.408.3
Amazon Connect Campaign Service CCS AWS.Tools.ConnectCampaignService 3.7.400.46
Amazon Connect Cases CCAS AWS.Tools.ConnectCases 3.7.400.46
Amazon Connect Contact Lens CCL AWS.Tools.ConnectContactLens 3.7.400.46
Amazon Connect Participant Service CONNP AWS.Tools.ConnectParticipant 3.7.400.46
Amazon Connect Wisdom Service WSDM AWS.Tools.ConnectWisdomService 3.7.400.46
AWS Control Catalog CLCAT AWS.Tools.ControlCatalog 3.7.401.44
AWS Control Tower ACT AWS.Tools.ControlTower 3.7.400.47
AWS Cost and Usage Report CUR AWS.Tools.CostAndUsageReport 3.7.400.46
AWS Cost Explorer CE AWS.Tools.CostExplorer 3.7.401.25
Cost Optimization Hub COH AWS.Tools.CostOptimizationHub 3.7.401.43
Amazon Connect Customer Profiles CPF AWS.Tools.CustomerProfiles 3.7.401.20
AWS Database Migration Service DMS AWS.Tools.DatabaseMigrationService 3.7.402.10
AWS Data Exchange DTEX AWS.Tools.DataExchange 3.7.401.10
AWS Data Pipeline DP AWS.Tools.DataPipeline 3.7.400.46
AWS DataSync DSYN AWS.Tools.DataSync 3.7.401.3
Amazon DataZone DZ AWS.Tools.DataZone 3.7.406.10
Amazon DynamoDB Accelerator (DAX) DAX AWS.Tools.DAX 3.7.400.46
AWSDeadlineCloud ADC AWS.Tools.Deadline 3.7.402.15
Amazon Detective DTCT AWS.Tools.Detective 3.7.400.46
AWS Device Farm DF AWS.Tools.DeviceFarm 3.7.401.34
Amazon DevOps Guru DGURU AWS.Tools.DevOpsGuru 3.7.400.46
AWS Direct Connect DC AWS.Tools.DirectConnect 3.7.400.46
AWS Directory Service DS AWS.Tools.DirectoryService 3.7.401.25
AWS Directory Service Data DSD AWS.Tools.DirectoryServiceData 3.7.400.25
Amazon Data Lifecycle Manager DLM AWS.Tools.DLM 3.7.400.46
Amazon DocumentDB (with MongoDB compatibility) DOC AWS.Tools.DocDB 3.7.401.40
Amazon DocumentDB Elastic Clusters DOCE AWS.Tools.DocDBElastic 3.7.401.1
Elastic Disaster Recovery Service EDRS AWS.Tools.Drs 3.7.400.46
Amazon DynamoDB DDB AWS.Tools.DynamoDBv2 3.7.402.10
Amazon EBS EBS AWS.Tools.EBS 3.7.400.46
Amazon Elastic Compute Cloud (EC2) EC2 AWS.Tools.EC2 3.7.414.3
AWS EC2 Instance Connect EC2IC AWS.Tools.EC2InstanceConnect 3.7.400.46
Amazon EC2 Container Registry ECR AWS.Tools.ECR 3.7.404.25
Amazon Elastic Container Registry Public ECRP AWS.Tools.ECRPublic 3.7.400.46
Amazon EC2 Container Service ECS AWS.Tools.ECS 3.7.404.3
Amazon Elastic Container Service for Kubernetes EKS AWS.Tools.EKS 3.7.403.10
Amazon EKS Auth EKSAU AWS.Tools.EKSAuth 3.7.400.46
Amazon ElastiCache EC AWS.Tools.ElastiCache 3.7.401.14
AWS Elastic Beanstalk EB AWS.Tools.ElasticBeanstalk 3.7.400.46
Amazon Elastic File System EFS AWS.Tools.ElasticFileSystem 3.7.400.46
Amazon Elastic Inference EI AWS.Tools.ElasticInference 3.7.400.47
Elastic Load Balancing ELB AWS.Tools.ElasticLoadBalancing 3.7.401.44
Elastic Load Balancing V2 ELB2 AWS.Tools.ElasticLoadBalancingV2 3.7.406.2
Amazon Elastic MapReduce EMR AWS.Tools.ElasticMapReduce 3.7.402.13
Amazon Elasticsearch ES AWS.Tools.Elasticsearch 3.7.400.46
Amazon Elastic Transcoder ETS AWS.Tools.ElasticTranscoder 3.7.400.46
Amazon EMR Containers EMRC AWS.Tools.EMRContainers 3.7.401.35
EMR Serverless EMRServerless AWS.Tools.EMRServerless 3.7.401.24
AWS EntityResolution ERES AWS.Tools.EntityResolution 3.7.401.36
Amazon EventBridge EVB AWS.Tools.EventBridge 3.7.401.44
FinSpace User Environment Management Service FINSP AWS.Tools.Finspace 3.7.400.46
FinSpace Public API FNSP AWS.Tools.FinSpaceData 3.7.400.46
AWS Fault Injection Simulator FIS AWS.Tools.FIS 3.7.402.32
Firewall Management Service FMS AWS.Tools.FMS 3.7.401.10
Amazon Forecast Query Service FRCQ AWS.Tools.ForecastQueryService 3.7.400.46
Amazon Forecast Service FRC AWS.Tools.ForecastService 3.7.400.46
Amazon Fraud Detector FD AWS.Tools.FraudDetector 3.7.400.46
AWS Free Tier FT AWS.Tools.FreeTier 3.7.400.46
Amazon FSx FSX AWS.Tools.FSx 3.7.400.46
Amazon GameLift Service GML AWS.Tools.GameLift 3.7.401.31
Amazon Location Service Maps V2 GEOM AWS.Tools.GeoMaps 3.7.400.3
Amazon Location Service Places V2 GEOP AWS.Tools.GeoPlaces 3.7.400.3
Amazon Location Service Routes V2 GEOR AWS.Tools.GeoRoutes 3.7.400.3
Amazon Glacier GLC AWS.Tools.Glacier 3.7.400.46
AWS Global Accelerator GACL AWS.Tools.GlobalAccelerator 3.7.400.46
AWS Glue GLUE AWS.Tools.Glue 3.7.409.2
AWS Glue DataBrew GDB AWS.Tools.GlueDataBrew 3.7.400.46
AWS Greengrass GG AWS.Tools.Greengrass 3.7.400.46
AWS GreengrassV2 GGV2 AWS.Tools.GreengrassV2 3.7.400.46
AWS Ground Station GS AWS.Tools.GroundStation 3.7.400.47
Amazon GuardDuty GD AWS.Tools.GuardDuty 3.7.404.1
Amazon HealthLake AHL AWS.Tools.HealthLake 3.7.400.46
IAM Roles Anywhere IAMRA AWS.Tools.IAMRolesAnywhere 3.7.401.44
AWS Identity and Access Management IAM AWS.Tools.IdentityManagement 3.7.402.40
AWS Identity Store IDS AWS.Tools.IdentityStore 3.7.400.46
EC2 Image Builder EC2IB AWS.Tools.Imagebuilder 3.7.401.9
AWS Import/Export IE AWS.Tools.ImportExport 3.7.400.46
Amazon Inspector INS AWS.Tools.Inspector 3.7.400.46
Inspector2 INS2 AWS.Tools.Inspector2 3.7.402.35
Inspector Scan ISCAN AWS.Tools.InspectorScan 3.7.400.46
Amazon CloudWatch Internet Monitor CWIM AWS.Tools.InternetMonitor 3.7.401.34
AWS IoT IOT AWS.Tools.IoT 3.7.402.17
AWS IoT Core Device Advisor IOTDA AWS.Tools.IoTDeviceAdvisor 3.7.401.18
AWS IoT Events IOTE AWS.Tools.IoTEvents 3.7.400.46
AWS IoT Events Data IOTED AWS.Tools.IoTEventsData 3.7.400.46
AWS IoT Fleet Hub IOTFH AWS.Tools.IoTFleetHub 3.7.400.46
AWS IoT FleetWise IFW AWS.Tools.IoTFleetWise 3.7.402.4
AWS IoT Jobs Data Plane IOTJ AWS.Tools.IoTJobsDataPlane 3.7.400.46
AWS IoT Secure Tunneling IOTST AWS.Tools.IoTSecureTunneling 3.7.400.46
AWS IoT SiteWise IOTSW AWS.Tools.IoTSiteWise 3.7.401.35
AWS IoT Things Graph IOTTG AWS.Tools.IoTThingsGraph 3.7.400.46
AWS IoT TwinMaker IOTTM AWS.Tools.IoTTwinMaker 3.7.400.46
AWS IoT Wireless IOTW AWS.Tools.IoTWireless 3.7.400.46
Amazon Interactive Video Service IVS AWS.Tools.IVS 3.7.401.11
Amazon Interactive Video Service Chat IVSC AWS.Tools.Ivschat 3.7.400.46
Amazon Interactive Video Service RealTime IVSRT AWS.Tools.IVSRealTime 3.7.402.18
Amazon Managed Streaming for Apache Kafka (MSK) MSK AWS.Tools.Kafka 3.7.401.29
Managed Streaming for Kafka Connect MSKC AWS.Tools.KafkaConnect 3.7.400.46
Amazon Kendra KNDR AWS.Tools.Kendra 3.7.400.46
Amazon Kendra Intelligent Ranking KNRK AWS.Tools.KendraRanking 3.7.400.46
AWS Key Management Service KMS AWS.Tools.KeyManagementService 3.7.400.46
Amazon Keyspaces KS AWS.Tools.Keyspaces 3.7.401.3
Amazon Kinesis KIN AWS.Tools.Kinesis 3.7.402.23
Amazon Kinesis Analytics V2 KINA2 AWS.Tools.KinesisAnalyticsV2 3.7.401.31
Amazon Kinesis Firehose KINF AWS.Tools.KinesisFirehose 3.7.400.46
Amazon Kinesis Video Streams KV AWS.Tools.KinesisVideo 3.7.400.46
Amazon Kinesis Video Streams Media KVM AWS.Tools.KinesisVideoMedia 3.7.400.46
Amazon Kinesis Video Signaling Channels KVSC AWS.Tools.KinesisVideoSignalingChannels 3.7.400.46
Amazon Kinesis Video WebRTC Storage KVWS AWS.Tools.KinesisVideoWebRTCStorage 3.7.401.43
AWS Lake Formation LKF AWS.Tools.LakeFormation 3.7.401.1
AWS Lambda LM AWS.Tools.Lambda 3.7.406.6
AWS Launch Wizard LWIZ AWS.Tools.LaunchWizard 3.7.400.46
Amazon Lex LEX AWS.Tools.Lex 3.7.400.46
Amazon Lex Model Building Service LMB AWS.Tools.LexModelBuildingService 3.7.400.46
Amazon Lex Model Building V2 LMBV2 AWS.Tools.LexModelsV2 3.7.402.27
Amazon Lex Runtime V2 LRSV2 AWS.Tools.LexRuntimeV2 3.7.400.46
AWS License Manager LICM AWS.Tools.LicenseManager 3.7.400.46
AWS License Manager - Linux Subscriptions LLMS AWS.Tools.LicenseManagerLinuxSubscriptions 3.7.400.46
AWS License Manager User Subscription LMUS AWS.Tools.LicenseManagerUserSubscriptions 3.7.400.46
Amazon Lightsail LS AWS.Tools.Lightsail 3.7.400.46
Amazon Location Service LOC AWS.Tools.LocationService 3.7.400.46
Amazon Lookout for Equipment L4E AWS.Tools.LookoutEquipment 3.7.400.46
Amazon Lookout for Vision LFV AWS.Tools.LookoutforVision 3.7.400.46
Amazon Lookout for Metrics LOM AWS.Tools.LookoutMetrics 3.7.400.46
Amazon Machine Learning ML AWS.Tools.MachineLearning 3.7.400.46
Amazon Macie 2 MAC2 AWS.Tools.Macie2 3.7.400.46
Amazon SES Mail Manager MMGR AWS.Tools.MailManager 3.7.402.12
M2 AMM AWS.Tools.MainframeModernization 3.7.401.9
Amazon Managed Blockchain MBC AWS.Tools.ManagedBlockchain 3.7.400.46
Amazon Managed Blockchain Query MBCQ AWS.Tools.ManagedBlockchainQuery 3.7.400.46
Amazon Managed Grafana MGRF AWS.Tools.ManagedGrafana 3.7.400.46
AWS Marketplace Agreement Service MAS AWS.Tools.MarketplaceAgreement 3.7.400.46
AWS Marketplace Catalog Service MCAT AWS.Tools.MarketplaceCatalog 3.7.400.46
AWS Marketplace Deployment Service MD AWS.Tools.MarketplaceDeployment 3.7.400.46
AWS Marketplace Entitlement Service MES AWS.Tools.MarketplaceEntitlementService 3.7.400.46
AWS Marketplace Reporting Service MR AWS.Tools.MarketplaceReporting 3.7.400.17
AWS Elemental MediaConnect EMCN AWS.Tools.MediaConnect 3.7.401.33
AWS Elemental MediaConvert EMC AWS.Tools.MediaConvert 3.7.402.25
AWS Elemental MediaLive EML AWS.Tools.MediaLive 3.7.405.25
AWS Elemental MediaPackage EMP AWS.Tools.MediaPackage 3.7.400.46
AWS Elemental MediaPackage v2 MPV2 AWS.Tools.MediaPackageV2 3.7.402.5
AWS Elemental MediaPackage VOD EMPV AWS.Tools.MediaPackageVod 3.7.400.46
AWS Elemental MediaStore EMS AWS.Tools.MediaStore 3.7.400.46
AWS Elemental MediaStore Data Plane EMSD AWS.Tools.MediaStoreData 3.7.400.46
AWS Elemental MediaTailor EMT AWS.Tools.MediaTailor 3.7.400.46
Amazon Medical Imaging Service MIS AWS.Tools.MedicalImaging 3.7.400.46
Amazon MemoryDB MDB AWS.Tools.MemoryDB 3.7.401.14
Application Migration Service MGN AWS.Tools.Mgn 3.7.400.46
AWS Migration Hub MH AWS.Tools.MigrationHub 3.7.400.46
AWS Migration Hub Config MHC AWS.Tools.MigrationHubConfig 3.7.400.46
AWS Migration Hub Orchestrator MHO AWS.Tools.MigrationHubOrchestrator 3.7.400.46
AWS Migration Hub Refactor Spaces MHRS AWS.Tools.MigrationHubRefactorSpaces 3.7.400.46
Migration Hub Strategy Recommendations MHS AWS.Tools.MigrationHubStrategyRecommendations 3.7.400.46
Amazon MQ MQ AWS.Tools.MQ 3.7.400.46
Amazon MTurk Service MTR AWS.Tools.MTurk 3.7.400.46
AmazonMWAA MWAA AWS.Tools.MWAA 3.7.401.8
Amazon Neptune NPT AWS.Tools.Neptune 3.7.401.24
Amazon NeptuneData NEPT AWS.Tools.Neptunedata 3.7.400.46
Amazon Neptune Graph NEPTG AWS.Tools.NeptuneGraph 3.7.402.13
AWS Network Firewall NWFW AWS.Tools.NetworkFirewall 3.7.402.3
AWS Network Manager NMGR AWS.Tools.NetworkManager 3.7.400.46
Amazon CloudWatch Network Monitor CWNM AWS.Tools.NetworkMonitor 3.7.400.46
CloudWatch Observability Access Manager CWOAM AWS.Tools.OAM 3.7.400.46
Amazon Omics OMICS AWS.Tools.Omics 3.7.401.35
OpenSearch Serverless OSS AWS.Tools.OpenSearchServerless 3.7.402.3
Amazon OpenSearch Service OS AWS.Tools.OpenSearchService 3.7.402.3
AWS OpsWorks OPS AWS.Tools.OpsWorks 3.7.400.46
AWS OpsWorksCM OWCM AWS.Tools.OpsWorksCM 3.7.400.46
AWS Organizations ORG AWS.Tools.Organizations 3.7.402.21
Amazon OpenSearch Ingestion OSIS AWS.Tools.OSIS 3.7.400.46
AWS Outposts OUTP AWS.Tools.Outposts 3.7.402.13
AWS Panorama PAN AWS.Tools.Panorama 3.7.400.46
Payment Cryptography Control Plane PAYCC AWS.Tools.PaymentCryptography 3.7.401.8
Payment Cryptography Data PAYCD AWS.Tools.PaymentCryptographyData 3.7.402.8
Pca Connector Ad PCAAD AWS.Tools.PcaConnectorAd 3.7.400.46
Private CA Connector for SCEP PCASCEP AWS.Tools.PcaConnectorScep 3.7.400.46
AWS Parallel Computing Service PCS AWS.Tools.PCS 3.7.400.34
AWS Personalize PERS AWS.Tools.Personalize 3.7.401.34
Amazon Personalize Events PERSE AWS.Tools.PersonalizeEvents 3.7.400.46
Amazon Personalize Runtime PERSR AWS.Tools.PersonalizeRuntime 3.7.400.46
AWS Performance Insights PI AWS.Tools.PI 3.7.400.46
Amazon Pinpoint PIN AWS.Tools.Pinpoint 3.7.400.46
Amazon Pinpoint Email PINE AWS.Tools.PinpointEmail 3.7.400.46
Amazon Pinpoint SMS Voice V2 SMSV AWS.Tools.PinpointSMSVoiceV2 3.7.402.10
Amazon EventBridge Pipes PIPES AWS.Tools.Pipes 3.7.402.10
Amazon Polly POL AWS.Tools.Polly 3.7.401.35
AWS Price List Service PLS AWS.Tools.Pricing 3.7.400.47
AWS Private 5G PV5G AWS.Tools.Private5G 3.7.400.46
Amazon Prometheus Service PROM AWS.Tools.PrometheusService 3.7.401.2
AWS Proton PRO AWS.Tools.Proton 3.7.400.46
Amazon Q Apps qapps AWS.Tools.QApps 3.7.402.1
Amazon QBusiness QBUS AWS.Tools.QBusiness 3.7.403.7
Amazon Q Connect QC AWS.Tools.QConnect 3.7.401.15
Amazon QLDB QLDB AWS.Tools.QLDB 3.7.400.46
Amazon QLDB Session QLDBS AWS.Tools.QLDBSession 3.7.400.46
Amazon QuickSight QS AWS.Tools.QuickSight 3.7.408.0
AWS Resource Access Manager (RAM) RAM AWS.Tools.RAM 3.7.400.46
Amazon Relational Database Service RDS AWS.Tools.RDS 3.7.406.5
AWS RDS DataService RDSD AWS.Tools.RDSDataService 3.7.400.46
Amazon Recycle Bin RBIN AWS.Tools.RecycleBin 3.7.400.46
Amazon Redshift RS AWS.Tools.Redshift 3.7.403.3
Redshift Data API Service RSD AWS.Tools.RedshiftDataAPIService 3.7.402.4
Redshift Serverless RSS AWS.Tools.RedshiftServerless 3.7.401.3
Amazon Rekognition REK AWS.Tools.Rekognition 3.7.400.46
AWS re:Post Private RESP AWS.Tools.Repostspace 3.7.401.9
AWS Resilience Hub RESH AWS.Tools.ResilienceHub 3.7.402.11
AWS Resource Explorer AREX AWS.Tools.ResourceExplorer2 3.7.402.0
AWS Resource Groups RG AWS.Tools.ResourceGroups 3.7.401.20
AWS Resource Groups Tagging API RGT AWS.Tools.ResourceGroupsTaggingAPI 3.7.400.46
AWS RoboMaker ROBO AWS.Tools.RoboMaker 3.7.400.47
Amazon Route 53 R53 AWS.Tools.Route53 3.7.403.3
Amazon Route 53 Domains R53D AWS.Tools.Route53Domains 3.7.400.46
Amazon Route 53 Profiles R53P AWS.Tools.Route53Profiles 3.7.400.46
Route53 Recovery Cluster RRC AWS.Tools.Route53RecoveryCluster 3.7.400.46
AWS Route53 Recovery Control Config R53RC AWS.Tools.Route53RecoveryControlConfig 3.7.400.46
AWS Route53 Recovery Readiness PD AWS.Tools.Route53RecoveryReadiness 3.7.400.46
Amazon Route 53 Resolver R53R AWS.Tools.Route53Resolver 3.7.401.13
Amazon Simple Storage Service (S3) S3 AWS.Tools.S3 3.7.405.10
Amazon S3 Control S3C AWS.Tools.S3Control 3.7.402.1
Amazon S3 Outposts S3O AWS.Tools.S3Outposts 3.7.400.46
Amazon SageMaker Service SM AWS.Tools.SageMaker 3.7.414.2
Amazon Sagemaker Edge Manager SME AWS.Tools.SagemakerEdgeManager 3.7.400.46
Amazon SageMaker Feature Store Runtime SMFS AWS.Tools.SageMakerFeatureStoreRuntime 3.7.400.46
SageMaker Geospatial SMGS AWS.Tools.SageMakerGeospatial 3.7.400.46
Amazon SageMaker Metrics Service SMM AWS.Tools.SageMakerMetrics 3.7.401.24
Amazon SageMaker Runtime SMR AWS.Tools.SageMakerRuntime 3.7.401.29
AWS Savings Plans SP AWS.Tools.SavingsPlans 3.7.400.46
Amazon EventBridge Scheduler SCH AWS.Tools.Scheduler 3.7.400.46
Amazon EventBridge Schema Registry SCHM AWS.Tools.Schemas 3.7.400.46
AWS Secrets Manager SEC AWS.Tools.SecretsManager 3.7.400.46
AWS Security Hub SHUB AWS.Tools.SecurityHub 3.7.401.36
Amazon Security Lake SLK AWS.Tools.SecurityLake 3.7.401.12
AWS Security Token Service (STS) STS AWS.Tools.SecurityToken 3.7.400.46
AWS Serverless Application Repository SAR AWS.Tools.ServerlessApplicationRepository 3.7.400.46
AWS Server Migration Service SMS AWS.Tools.ServerMigrationService 3.7.400.46
AWS Service Catalog SC AWS.Tools.ServiceCatalog 3.7.400.46
AWS Cloud Map SD AWS.Tools.ServiceDiscovery 3.7.400.46
AWS Service Quotas SQ AWS.Tools.ServiceQuotas 3.7.400.46
AWS Shield SHLD AWS.Tools.Shield 3.7.400.46
Amazon Simple Email Service (SES) SES AWS.Tools.SimpleEmail 3.7.401.36
Amazon Simple Email Service V2 (SES V2) SES2 AWS.Tools.SimpleEmailV2 3.7.404.2
Amazon Simple Notification Service (SNS) SNS AWS.Tools.SimpleNotificationService 3.7.400.46
AWS Systems Manager SSM AWS.Tools.SimpleSystemsManagement 3.7.402.25
AWS Simple Workflow Service (SWF) SWF AWS.Tools.SimpleWorkflow 3.7.400.46
AWS SimSpace Weaver SSW AWS.Tools.SimSpaceWeaver 3.7.400.46
AWS Import/Export Snowball SNOW AWS.Tools.Snowball 3.7.400.46
AWS Snow Device Management SDMS AWS.Tools.SnowDeviceManagement 3.7.400.46
AWS End User Messaging Social SOCIAL AWS.Tools.SocialMessaging 3.7.400.13
Amazon Simple Queue Service (SQS) SQS AWS.Tools.SQS 3.7.400.46
AWS Systems Manager Incident Manager Contacts SMC AWS.Tools.SSMContacts 3.7.400.46
AWS Systems Manager Incident Manager SSMI AWS.Tools.SSMIncidents 3.7.400.46
AWS Systems Manager QuickSetup SSMQS AWS.Tools.SSMQuickSetup 3.7.400.44
AWS Systems Manager for SAP SMSAP AWS.Tools.SsmSap 3.7.401.38
AWS Single Sign-On SSO AWS.Tools.SSO 3.7.400.46
AWS Single Sign-On Admin SSOADMN AWS.Tools.SSOAdmin 3.7.400.46
AWS Single Sign-On OIDC SSOOIDC AWS.Tools.SSOOIDC 3.7.400.46
AWS Step Functions SFN AWS.Tools.StepFunctions 3.7.402.34
AWS Storage Gateway SG AWS.Tools.StorageGateway 3.7.401.27
AWS Supply Chain SUPCH AWS.Tools.SupplyChain 3.7.403.6
AWS Support App SUP AWS.Tools.SupportApp 3.7.400.46
Amazon CloudWatch Synthetics CWSYN AWS.Tools.Synthetics 3.7.402.0
AWS Tax Settings TSA AWS.Tools.TaxSettings 3.7.401.1
Amazon Textract TXT AWS.Tools.Textract 3.7.400.46
Amazon Timestream InfluxDB TIDB AWS.Tools.TimestreamInfluxDB 3.7.403.13
Amazon Timestream Query TSQ AWS.Tools.TimestreamQuery 3.7.401.9
Amazon Timestream Write TSW AWS.Tools.TimestreamWrite 3.7.400.46
AWS Telco Network Builder TNB AWS.Tools.Tnb 3.7.401.44
Amazon Transcribe Service TRS AWS.Tools.TranscribeService 3.7.400.46
AWS Transfer for SFTP TFR AWS.Tools.Transfer 3.7.401.12
Amazon Translate TRN AWS.Tools.Translate 3.7.400.46
Trusted Advisor TA AWS.Tools.TrustedAdvisor 3.7.400.46
Amazon Verified Permissions AVP AWS.Tools.VerifiedPermissions 3.7.401.1
Amazon Voice ID VID AWS.Tools.VoiceID 3.7.400.46
VPC Lattice VPCL AWS.Tools.VPCLattice 3.7.400.46
AWS WAF WAF AWS.Tools.WAF 3.7.400.46
AWS WAF Regional WAFR AWS.Tools.WAFRegional 3.7.401.44
AWS WAF V2 WAF2 AWS.Tools.WAFV2 3.7.402.10
AWS Well-Architected Tool WAT AWS.Tools.WellArchitected 3.7.400.46
Amazon WorkDocs WD AWS.Tools.WorkDocs 3.7.400.46
Amazon WorkMail WM AWS.Tools.WorkMail 3.7.401.3
Amazon WorkMail Message Flow WMMF AWS.Tools.WorkMailMessageFlow 3.7.400.46
Amazon WorkSpaces WKS AWS.Tools.WorkSpaces 3.7.404.10
Amazon WorkSpaces Thin Client WSTC AWS.Tools.WorkSpacesThinClient 3.7.400.46
Amazon WorkSpaces Web WSW AWS.Tools.WorkSpacesWeb 3.7.401.25
AWS X-Ray XR AWS.Tools.XRay 3.7.400.46
PS C:\_TERRAFORM\_AWSCore>
Store your AWS credentials in a credential store on your machine. As a best practice, do not expose your credentials by putting literal access keys in PowerShell commands.
To store your credentials, use the Set-AWSCredential cmdlet with the -StoreAs parameter:
PS C:\_TERRAFORM\_AWSCore> Set-AWSCredential -AccessKey AK...Q -SecretKey lR...J -StoreAs AWC
PS C:\_TERRAFORM\_AWSCore> Get-AWSCredential -ListProfileDetail
ProfileName StoreTypeName ProfileLocation
----------- ------------- ---------------
default NetSDKCredentialsFile
AWC NetSDKCredentialsFile
default SharedCredentialsFile C:\Users\Gerhard\.aws\credentials
PS C:\_TERRAFORM\_AWSCore>
Caution:
AWS credentials stored in the AWS SDK store are encrypted with the logged-in Windows user identity. They cannot be decrypted by using another account or on a device other than the one on which they were originally created.
To select the stored profile for the current PowerShell session, use the Set-AWSCredential cmdlet with the -ProfileName parameter:
PS C:\_TERRAFORM\_AWSCore> Set-AWSCredential -ProfileName AWC
PS C:\_TERRAFORM\_AWSCore>
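The snippet below is an added example and not part of the original guide. It stores an access key pair in the SDK credential store without the secret appearing on the command line (and therefore in the console or PSReadLine history), and then confirms which AWS identity the stored profile resolves to before any Terraform run. It assumes AWS.Tools.Common is installed and, for Get-STSCallerIdentity, AWS.Tools.SecurityToken, which is not in the install list above. The profile name "AWC" follows the guide; the function names are assumptions.

```powershell
# Added example (not from the original guide): store AWS keys in the SDK
# credential store without the secret on the command line, then verify
# which identity the profile resolves to.
# Requires AWS.Tools.Common and AWS.Tools.SecurityToken (assumed installed).

function Save-AwsAccessKeyProfile {
    param([Parameter(Mandatory)][string]$ProfileName)
    $accessKeyId = Read-Host -Prompt 'AWS access key ID'
    # -AsSecureString keeps the secret out of the console transcript and the PSReadLine history file
    $secureSecret = Read-Host -Prompt 'AWS secret access key' -AsSecureString
    # Set-AWSCredential needs the plain string; hold it only as long as the call takes
    $secret = [System.Net.NetworkCredential]::new('', $secureSecret).Password
    try {
        # Without -ProfileLocation, Windows writes the profile to the encrypted per-user .NET SDK store
        Set-AWSCredential -AccessKey $accessKeyId -SecretKey $secret -StoreAs $ProfileName
    }
    finally {
        $secret = $null
    }
}

function Test-AwsProfile {
    param([Parameter(Mandatory)][string]$ProfileName)
    $entries = @(Get-AWSCredential -ListProfileDetail | Where-Object ProfileName -eq $ProfileName)
    if ($entries.Count -eq 0) {
        throw "Profile '$ProfileName' was not found in any credential store"
    }
    foreach ($entry in $entries) {
        if ($entry.StoreTypeName -ne 'NetSDKCredentialsFile') {
            # The shared credentials file (~\.aws\credentials) is plain text, unlike the SDK store
            Write-Warning "Profile '$ProfileName' is stored in plain text in $($entry.StoreTypeName) at $($entry.ProfileLocation)"
        }
    }
    # STS GetCallerIdentity needs no IAM permission, so it is a safe check that the keys
    # are valid and that you are about to deploy into the account you expect.
    $identity = Get-STSCallerIdentity -ProfileName $ProfileName
    [pscustomobject]@{
        Profile = $ProfileName
        Account = $identity.Account
        Arn     = $identity.Arn
        UserId  = $identity.UserId
    }
}

# Usage (assumed profile name from the guide):
# Save-AwsAccessKeyProfile -ProfileName 'AWC'
# Test-AwsProfile -ProfileName 'AWC'
```

Run Test-AwsProfile once after storing the keys and again in any new session after Set-AWSCredential -ProfileName: the Account and Arn it returns tell you which account Terraform's AWS provider will act in.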
Deploy an Amazon VPC
An Amazon Virtual Private Cloud (VPC) enables you to launch AWS resources into a virtual network that you have defined.
Important:
It is possible to have multiple VPCs in your AWS account. Create a dedicated VPC for your Citrix DaaS deployment and tag all resources for easier management. The default VPC uses the IP address range 172.31.0.0/16.
Using the Get-EC2Vpc cmdlet, you can check for existing VPCs:
PS C:\_TERRAFORM\_AWSCore> Get-EC2Vpc
CidrBlock : 172.31.0.0/16
CidrBlockAssociationSet : {vpc-cidr-assoc-09e0d958d1c0af892}
DhcpOptionsId : dopt-0a71f0bb911106c5f
InstanceTenancy : default
Ipv6CidrBlockAssociationSet : {}
IsDefault : False
OwnerId : 968334184707
State : available
Tags : {Name}
VpcId : vpc-0a0c4e01213dca45a
PS C:\_TERRAFORM\_AWSCore>
There is already an existing VPC, but that does not matter.
In this guide, we will deploy a new VPC with all needed entities to show the possible coexistence with an existing environment.
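AWS lets you create a second VPC whose CIDR overlaps an existing one (the plan output in this guide creates the new VPC with 172.31.0.0/16, the same range as the VPC listed above), but overlapping VPCs can never be peered or routed to each other later. The following added example, which is not part of the original guide, checks a planned CIDR against every CIDR already associated with your VPCs before you run terraform apply. The function names and the second, made-up VPC in the sample data are assumptions; the first sample entry is the VPC shown by Get-EC2Vpc above.

```powershell
# Added example, not part of the original guide: detect overlap between the
# CIDR planned for the new VPC and CIDRs already in use in the account.
# Function names are assumptions.

function ConvertTo-AddressInteger {
    # IPv4 dotted-quad -> 32-bit value, held in a uint64 so all bit operations stay unsigned.
    param([Parameter(Mandatory)][string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are supported: $Ip"
    }
    $value = [uint64]0
    foreach ($byte in $addr.GetAddressBytes()) {   # network (big-endian) byte order
        $value = ($value -shl 8) -bor [uint64]$byte
    }
    return $value
}

function Get-CidrRange {
    # First and last address of a CIDR block as integers.
    param([Parameter(Mandatory)][string]$Cidr)
    $network, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    $allOnes = [uint64]([uint32]::MaxValue)
    $mask    = ($allOnes -shl (32 - $prefix)) -band $allOnes
    $start   = (ConvertTo-AddressInteger $network) -band $mask
    $end     = $start -bor ($allOnes -bxor $mask)
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $end }
}

function Test-CidrOverlap {
    param([Parameter(Mandatory)][string]$CidrA, [Parameter(Mandatory)][string]$CidrB)
    $a = Get-CidrRange $CidrA
    $b = Get-CidrRange $CidrB
    # Two ranges overlap when each one starts before the other one ends.
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

function Find-OverlappingVpc {
    # $ExistingBlocks: objects with VpcId and CidrBlock properties, one per CIDR association.
    param(
        [Parameter(Mandatory)][string]$PlannedCidr,
        [Parameter(Mandatory)][object[]]$ExistingBlocks
    )
    $ExistingBlocks | Where-Object { Test-CidrOverlap $PlannedCidr $_.CidrBlock }
}

# Constructed sample data: the VPC shown by Get-EC2Vpc in this guide plus one made-up VPC.
$sampleBlocks = @(
    [pscustomobject]@{ VpcId = 'vpc-0a0c4e01213dca45a';   CidrBlock = '172.31.0.0/16' },
    [pscustomobject]@{ VpcId = 'vpc-constructed-example'; CidrBlock = '10.0.0.0/16' }
)

# Against a live account, build the same list from Get-EC2Vpc, taking every CIDR
# association rather than only the primary CidrBlock:
# $sampleBlocks = Get-EC2Vpc | ForEach-Object {
#     $id = $_.VpcId
#     $_.CidrBlockAssociationSet | ForEach-Object {
#         [pscustomobject]@{ VpcId = $id; CidrBlock = $_.CidrBlock }
#     }
# }

foreach ($planned in '172.31.0.0/16', '172.31.48.0/20', '10.1.0.0/16') {
    $hits = @(Find-OverlappingVpc -PlannedCidr $planned -ExistingBlocks $sampleBlocks)
    if ($hits.Count -gt 0) {
        $list = ($hits | ForEach-Object { "$($_.VpcId) $($_.CidrBlock)" }) -join ', '
        Write-Warning ("{0} overlaps existing VPC CIDR(s): {1}" -f $planned, $list)
    }
    else {
        Write-Output "$planned does not overlap any existing VPC CIDR"
    }
}
```

With the sample data, both 172.31.0.0/16 and the smaller 172.31.48.0/20 are reported against vpc-0a0c4e01213dca45a, while 10.1.0.0/16 is clean. Feed the value you intend to set in var.AWC-VPC-CIDR through this check if you expect to peer the new VPC with existing ones later.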
Use Terraform to create a new VPC and the required DHCP options:
## Create a VPC
resource "aws_vpc" "AWC-VPC" {
  cidr_block           = var.AWC-VPC-CIDR   # string, e.g. "172.31.0.0/16" as in the plan output that follows
  instance_tenancy     = "default"
  enable_dns_support   = true               # booleans, not the string "true"
  enable_dns_hostnames = true               # gives instances DNS hostnames, needed for domain-joined machines
  tags = {
    Name = "AWC-TF-VPC"
  }
}

### Create the DHCP options
resource "aws_vpc_dhcp_options" "AWC-DHCP" {
  domain_name = var.AWC-DHCP-DomainName     # string, e.g. "pseaws.lab"
  # The three *_servers arguments take a list of strings, so var.AWC-DHCP-DNS1
  # must be declared as list(string), e.g. ["172.31.20.19"]; the legacy
  # "${var.x}" wrapping is unnecessary and only emits a deprecation warning.
  domain_name_servers  = var.AWC-DHCP-DNS1
  ntp_servers          = var.AWC-DHCP-DNS1
  netbios_name_servers = var.AWC-DHCP-DNS1
  ipv6_address_preferred_lease_time = 1440
  netbios_node_type    = 1
  tags = {
    Name = "AWC-TF-DHCP"
  }
}
# Note: creating the options set does not attach it to the VPC; an
# aws_vpc_dhcp_options_association resource is needed for that. The plan
# below creates only the two resources shown here.
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform init
Initializing the backend...
Initializing provider plugins...
- Finding citrix/citrix versions matching "1.0.6"...
- Finding hashicorp/aws versions matching ">= 5.4.0"...
- Finding latest version of hashicorp/local...
- Installing citrix/citrix v1.0.6...
- Installed citrix/citrix v1.0.6 (self-signed, key ID BD4BD0E690CB7D88)
- Installing hashicorp/aws v5.73.0...
- Installed hashicorp/aws v5.73.0 (signed by HashiCorp)
- Installing hashicorp/local v2.5.2...
- Installed hashicorp/local v2.5.2 (signed by HashiCorp)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_vpc.AWC-VPC will be created
+ resource "aws_vpc" "AWC-VPC" {
+ arn = (known after apply)
+ cidr_block = "172.31.0.0/16"
+ default_network_acl_id = (known after apply)
+ default_route_table_id = (known after apply)
+ default_security_group_id = (known after apply)
+ dhcp_options_id = (known after apply)
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_network_address_usage_metrics = (known after apply)
+ id = (known after apply)
+ instance_tenancy = "default"
+ ipv6_association_id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ ipv6_cidr_block_network_border_group = (known after apply)
+ main_route_table_id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-VPC"
}
+ tags_all = {
+ "Name" = "AWC-TF-VPC"
}
}
# aws_vpc_dhcp_options.AWC-DHCP will be created
+ resource "aws_vpc_dhcp_options" "AWC-DHCP" {
+ arn = (known after apply)
+ domain_name = "pseaws.lab"
+ domain_name_servers = [
+ "172.31.20.19",
]
+ id = (known after apply)
+ ipv6_address_preferred_lease_time = "1440"
+ netbios_name_servers = [
+ "172.31.20.19",
]
+ netbios_node_type = "1"
+ ntp_servers = [
+ "172.31.20.19",
]
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-DHCP"
}
+ tags_all = {
+ "Name" = "AWC-TF-DHCP"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_vpc.AWC-VPC will be created
+ resource "aws_vpc" "AWC-VPC" {
+ arn = (known after apply)
+ cidr_block = "172.31.0.0/16"
+ default_network_acl_id = (known after apply)
+ default_route_table_id = (known after apply)
+ default_security_group_id = (known after apply)
+ dhcp_options_id = (known after apply)
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_network_address_usage_metrics = (known after apply)
+ id = (known after apply)
+ instance_tenancy = "default"
+ ipv6_association_id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ ipv6_cidr_block_network_border_group = (known after apply)
+ main_route_table_id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-VPC"
}
+ tags_all = {
+ "Name" = "AWC-TF-VPC"
}
}
# aws_vpc_dhcp_options.AWC-DHCP will be created
+ resource "aws_vpc_dhcp_options" "AWC-DHCP" {
+ arn = (known after apply)
+ domain_name = "pseaws.lab"
+ domain_name_servers = [
+ "172.31.20.19",
]
+ id = (known after apply)
+ ipv6_address_preferred_lease_time = "1440"
+ netbios_name_servers = [
+ "172.31.20.19",
]
+ netbios_node_type = "1"
+ ntp_servers = [
+ "172.31.20.19",
]
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-DHCP"
}
+ tags_all = {
+ "Name" = "AWC-TF-DHCP"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_vpc.AWC-VPC: Creating...
aws_vpc_dhcp_options.AWC-DHCP: Creation complete after 1s [id=dopt-0c26e5d5880c8b208]
aws_vpc.AWC-VPC: Still creating... [10s elapsed]
aws_vpc.AWC-VPC: Creation complete after 11s [id=vpc-0a0c4e01213dca45a]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the new VPC and its DHCP options.
Deploy Subnets, Internet Gateways, NAT Gateways, Route Tables and Security Groups
After creating the VPC, we deploy all needed network components, such as Subnets, Internet Gateways, NAT Gateways, and Route Tables.
Deploying the Subnets
A Subnet is a range of IP addresses in your VPC.
You can create AWS resources in specific subnets, such as EC2 instances.
The Subnet type is determined by how you configure routing for your Subnets:
- Public Subnet: The Subnet has a direct route to an Internet Gateway. Resources in a Public Subnet can directly access the Internet.
- Private Subnet: The Subnet does not have a direct route to an Internet Gateway. Resources in a Private Subnet require a NAT device to access the Internet.
Important:
Each Subnet must be associated with a Route Table, specifying all allowed outbound traffic routes. Every Subnet is automatically associated with the main Route Table for the VPC.
Disable the Auto-assign IP setting; otherwise, a public IPv4 address is automatically requested for each new Network Interface in this Subnet.
Use Terraform to create the Subnets:
### Create a Public Subnet #1
resource "aws_subnet" "AWC-Subnet-Pub-1" {
vpc_id = aws_vpc.AWC-VPC.id
cidr_block = "${var.AWC-Subnet-Pub-CIDR-1}"
availability_zone = "${var.AWC-AvailibilityRegion-1}"
map_public_ip_on_launch = false
tags = {
Name = "AWC-TF-PubSubnet1"
}
}
### Create a Public Subnet #2
resource "aws_subnet" "AWC-Subnet-Pub-2" {
vpc_id = aws_vpc.AWC-VPC.id
cidr_block = "${var.AWC-Subnet-Pub-CIDR-2}"
availability_zone = "${var.AWC-AvailibilityRegion-2}"
map_public_ip_on_launch = false
tags = {
Name = "AWC-TF-PubSubnet2"
}
}
### Create a Private Subnet #1
resource "aws_subnet" "AWC-Subnet-Priv-1" {
vpc_id = aws_vpc.AWC-VPC.id
cidr_block = "${var.AWC-Subnet-Priv-CIDR-1}"
availability_zone = "${var.AWC-AvailibilityRegion-1}"
map_public_ip_on_launch = false
tags = {
Name = "AWC-TF-PrivSubnet1"
}
}
### Create a Private Subnet #2
resource "aws_subnet" "AWC-Subnet-Priv-2" {
vpc_id = aws_vpc.AWC-VPC.id
cidr_block = "${var.AWC-Subnet-Priv-CIDR-2}"
availability_zone = "${var.AWC-AvailibilityRegion-2}"
map_public_ip_on_launch = false
tags = {
Name = "AWC-TF-PrivSubnet2"
}
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_subnet.AWC-Subnet-Priv-1 will be created
+ resource "aws_subnet" "AWC-Subnet-Priv-1" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.5.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PrivSubnet1"
}
+ tags_all = {
+ "Name" = "AWC-TF-PrivSubnet1"
}
+ vpc_id = (known after apply)
}
# aws_subnet.AWC-Subnet-Priv-2 will be created
+ resource "aws_subnet" "AWC-Subnet-Priv-2" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.6.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PrivSubnet2"
}
+ tags_all = {
+ "Name" = "AWC-TF-PrivSubnet2"
}
+ vpc_id = (known after apply)
}
# aws_subnet.AWC-Subnet-Pub-1 will be created
+ resource "aws_subnet" "AWC-Subnet-Pub-1" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.1.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PubSubnet1"
}
+ tags_all = {
+ "Name" = "AWC-TF-PubSubnet1"
}
+ vpc_id = (known after apply)
}
# aws_subnet.AWC-Subnet-Pub-2 will be created
+ resource "aws_subnet" "AWC-Subnet-Pub-2" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.2.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PubSubnet2"
}
+ tags_all = {
+ "Name" = "AWC-TF-PubSubnet2"
}
+ vpc_id = (known after apply)
}
Plan: 4 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_subnet.AWC-Subnet-Priv-1 will be created
+ resource "aws_subnet" "AWC-Subnet-Priv-1" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.5.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PrivSubnet1"
}
+ tags_all = {
+ "Name" = "AWC-TF-PrivSubnet1"
}
+ vpc_id = (known after apply)
}
# aws_subnet.AWC-Subnet-Priv-2 will be created
+ resource "aws_subnet" "AWC-Subnet-Priv-2" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.6.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PrivSubnet2"
}
+ tags_all = {
+ "Name" = "AWC-TF-PrivSubnet2"
}
+ vpc_id = (known after apply)
}
# aws_subnet.AWC-Subnet-Pub-1 will be created
+ resource "aws_subnet" "AWC-Subnet-Pub-1" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.1.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PubSubnet1"
}
+ tags_all = {
+ "Name" = "AWC-TF-PubSubnet1"
}
+ vpc_id = (known after apply)
}
# aws_subnet.AWC-Subnet-Pub-2 will be created
+ resource "aws_subnet" "AWC-Subnet-Pub-2" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = (sensitive value)
+ availability_zone_id = (known after apply)
+ cidr_block = "172.31.2.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-PubSubnet2"
}
+ tags_all = {
+ "Name" = "AWC-TF-PubSubnet2"
}
+ vpc_id = (known after apply)
}
Plan: 4 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_subnet.AWC-Subnet-Pub-1: Creating...
aws_subnet.AWC-Subnet-Pub-2: Creating...
aws_subnet.AWC-Subnet-Priv-2: Creating...
aws_subnet.AWC-Subnet-Priv-1: Creating...
aws_subnet.AWC-Subnet-Pub-1: Creation complete after 1s [id=subnet-0c66b831b007a95dc]
aws_subnet.AWC-Subnet-Pub-2: Creation complete after 1s [id=subnet-0218607b747ebabe1]
aws_subnet.AWC-Subnet-Priv-1: Creation complete after 1s [id=subnet-0ebd5082675ce4b86]
aws_subnet.AWC-Subnet-Priv-2: Creation complete after 1s [id=subnet-0aedb284d0a518375]
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
|
Terraform successfully created the four new Subnets.
After creating the Subnets, you must create an Internet Gateway to enable the Public Subnet and the Jumphost-VM to connect to the Internet.
Deploying an Internet Gateway
An Internet Gateway allows communication between your VPC and the Internet. It supports IPv4 and IPv6 traffic and provides a target in your VPC Route Tables.
Resources in your Public Subnets can connect to the Internet if they have a public IPv4 or IPv6 address. The communication flow is two-way—the resources can also be contacted from the Internet.
For communication using IPv4, the Internet Gateway also performs Network Address Translation (NAT).
Use Terraform to create the Internet Gateway:
### Create a Public Internet Gateway
resource "aws_internet_gateway" "AWC-InetGW" {
vpc_id = aws_vpc.AWC-VPC.id
tags = {
Name = "AWC-TF-InetGW-Pub"
}
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_internet_gateway.AWC-InetGW will be created
+ resource "aws_internet_gateway" "AWC-InetGW" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-InetGW-Pub"
}
+ tags_all = {
+ "Name" = "AWC-TF-InetGW-Pub"
}
+ vpc_id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_internet_gateway.AWC-InetGW will be created
+ resource "aws_internet_gateway" "AWC-InetGW" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-InetGW-Pub"
}
+ tags_all = {
+ "Name" = "AWC-TF-InetGW-Pub"
}
+ vpc_id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_internet_gateway.AWC-InetGW: Creating...
aws_internet_gateway.AWC-InetGW: Creation complete after 1s [id=igw-07459e74a135ab85f]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the new Internet Gateway.
To connect the Public Subnets to the Internet, you need to create a Route Table for them and associate it with each Public Subnet. A Route Table contains a set of routes that direct network traffic from your Subnet or Gateway.
Use 0.0.0.0/0 as the Destination and the Internet Gateway you created as the Target. The Public Subnets then have a connection to the Internet.
Use Terraform to create the Route Table and the needed Routes and Associations:
### Create the Public Route Table
resource "aws_route_table" "AWC-RouteTable-Pub" {
vpc_id = aws_vpc.AWC-VPC.id
tags = {
Name = "AWC-TF-RouteTable-Pub"
}
}
#### Create Routes in the Public Route Table
resource "aws_route" "AWC-Route-Public" {
depends_on = [ aws_vpc.AWC-VPC, aws_internet_gateway.AWC-InetGW, aws_route_table.AWC-RouteTable-Pub ]
route_table_id = aws_route_table.AWC-RouteTable-Pub.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.AWC-InetGW.id
}
#### Create Subnet Association for Public Subnet #1
resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-1" {
subnet_id = aws_subnet.AWC-Subnet-Pub-1.id
route_table_id = aws_route_table.AWC-RouteTable-Pub.id
}
#### Create Subnet Association for Public Subnet #2
resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-2" {
subnet_id = aws_subnet.AWC-Subnet-Pub-2.id
route_table_id = aws_route_table.AWC-RouteTable-Pub.id
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_route_table.AWC-RouteTable-Pub will be created
+ resource "aws_route_table" "AWC-RouteTable-Pub" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-RouteTable-Pub"
}
+ vpc_id = (known after apply)
}
# aws_route.AWC-Route-Public will be created
+ resource "aws_route" "AWC-Route-Public" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Pub-1 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-1" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Pub-2 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-2" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
Plan: 4 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_route_table.AWC-RouteTable-Pub will be created
+ resource "aws_route_table" "AWC-RouteTable-Pub" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-RouteTable-Pub"
}
+ vpc_id = (known after apply)
}
# aws_route.AWC-Route-Public will be created
+ resource "aws_route" "AWC-Route-Public" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Pub-1 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-1" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Pub-2 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Pub-2" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
Plan: 4 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_route_table.AWC-RouteTable-Pub: Creating...
aws_route_table.AWC-RouteTable-Pub: Creation complete after 1s [id=rtb-03e180326b1e9e342]
aws_route_table_association.AWC-RT-SN-Association-Pub-1: Creating...
aws_route_table_association.AWC-RT-SN-Association-Pub-2: Creating...
aws_route.AWC-Route-Public: Creating...
aws_route_table_association.AWC-RT-SN-Association-Pub-1: Creation complete after 0s [id=rtbassoc-0fa2d0b5fe04866de]
aws_route_table_association.AWC-RT-SN-Association-Pub-2: Creation complete after 0s [id=rtbassoc-021578912696a90c3]
aws_route.AWC-Route-Public: Creation complete after 0s [id=r-rtb-03e180326b1e9e3421080289494]
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the new Route Table, Routes, and Associations for the Public Subnets and the Internet Gateway.
Deploying a NAT Gateway
After creating the Internet Gateway, you need to create a NAT Gateway in the Private Subnet(s) to enable the Private Subnet(s) to connect to the Internet.
A NAT Gateway is a Network Address Translation (NAT) device. It needs a mapped Elastic IP.
Important:
You can use a NAT Gateway to enable instances in a Private Subnet to connect to services outside your VPC. External services cannot initiate a connection with those instances.
A NAT Gateway is for use with IPv4 traffic only.
When you create a NAT Gateway, you specify one of the following connectivity types:
- Public – (Default) Instances in Private Subnets can connect to the Internet.
- Private – Instances in Private Subnets can connect to other VPCs or your on-premises network but not to the Internet.
Use Terraform to create the Elastic IPs and the NAT Gateways:
### Create an Elastic IP for NATGW #1
resource "aws_eip" "AWC-EIP-NATGW-AZ1" {
tags = {
Name = "AWC-TF-EIP1"
}
}
### Create an Elastic IP for NATGW #2
resource "aws_eip" "AWC-EIP-NATGW-AZ2" {
tags = {
Name = "AWC-TF-EIP2"
}
}
### Create a NAT Gateway for Private Subnet #1
resource "aws_nat_gateway" "AWC-NATGW-SN1" {
allocation_id = aws_eip.AWC-EIP-NATGW-AZ1.id
subnet_id = aws_subnet.AWC-Subnet-Priv-1.id
tags = {
Name = "AWC-TF-NATGW-SN1"
}
}
### Create a NAT Gateway for Private Subnet #2
resource "aws_nat_gateway" "AWC-NATGW-SN2" {
allocation_id = aws_eip.AWC-EIP-NATGW-AZ2.id
subnet_id = aws_subnet.AWC-Subnet-Priv-2.id
tags = {
Name = "AWC-TF-NATGW-SN2"
}
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_eip.AWC-EIP-NATGW-AZ1 will be created
+ resource "aws_eip" "AWC-EIP-NATGW-AZ1" {
+ allocation_id = (known after apply)
+ arn = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = (known after apply)
+ id = (known after apply)
+ instance = (known after apply)
+ ipam_pool_id = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ ptr_record = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-EIP1"
}
+ tags_all = {
+ "Name" = "AWC-TF-EIP1"
}
+ vpc = (known after apply)
}
# aws_eip.AWC-EIP-NATGW-AZ2 will be created
+ resource "aws_eip" "AWC-EIP-NATGW-AZ2" {
+ allocation_id = (known after apply)
+ arn = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = (known after apply)
+ id = (known after apply)
+ instance = (known after apply)
+ ipam_pool_id = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ ptr_record = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-EIP2"
}
+ tags_all = {
+ "Name" = "AWC-TF-EIP2"
}
+ vpc = (known after apply)
}
# aws_nat_gateway.AWC-NATGW-SN1 will be created
+ resource "aws_nat_gateway" "AWC-NATGW-SN1" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ connectivity_type = "public"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-NATGW-SN1"
}
+ tags_all = {
+ "Name" = "AWC-TF-NATGW-SN1"
}
}
# aws_nat_gateway.AWC-NATGW-SN2 will be created
+ resource "aws_nat_gateway" "AWC-NATGW-SN2" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ connectivity_type = "public"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-NATGW-SN2"
}
+ tags_all = {
+ "Name" = "AWC-TF-NATGW-SN2"
}
}
Plan: 4 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_eip.AWC-EIP-NATGW-AZ1 will be created
+ resource "aws_eip" "AWC-EIP-NATGW-AZ1" {
+ allocation_id = (known after apply)
+ arn = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = (known after apply)
+ id = (known after apply)
+ instance = (known after apply)
+ ipam_pool_id = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ ptr_record = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-EIP1"
}
+ tags_all = {
+ "Name" = "AWC-TF-EIP1"
}
+ vpc = (known after apply)
}
# aws_eip.AWC-EIP-NATGW-AZ2 will be created
+ resource "aws_eip" "AWC-EIP-NATGW-AZ2" {
+ allocation_id = (known after apply)
+ arn = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = (known after apply)
+ id = (known after apply)
+ instance = (known after apply)
+ ipam_pool_id = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ ptr_record = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-EIP2"
}
+ tags_all = {
+ "Name" = "AWC-TF-EIP2"
}
+ vpc = (known after apply)
}
# aws_nat_gateway.AWC-NATGW-SN1 will be created
+ resource "aws_nat_gateway" "AWC-NATGW-SN1" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ connectivity_type = "public"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-NATGW-SN1"
}
+ tags_all = {
+ "Name" = "AWC-TF-NATGW-SN1"
}
}
# aws_nat_gateway.AWC-NATGW-SN2 will be created
+ resource "aws_nat_gateway" "AWC-NATGW-SN2" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ connectivity_type = "public"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-NATGW-SN2"
}
+ tags_all = {
+ "Name" = "AWC-TF-NATGW-SN2"
}
}
Plan: 4 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_eip.AWC-EIP-NATGW-AZ2: Creating...
aws_eip.AWC-EIP-NATGW-AZ1: Creating...
aws_eip.AWC-EIP-NATGW-AZ2: Creation complete after 1s [id=eipalloc-0d2c0d41ca785a357]
aws_eip.AWC-EIP-NATGW-AZ1: Creation complete after 1s [id=eipalloc-00184109cbc0ed1c3]
aws_nat_gateway.AWC-NATGW-SN1: Creating...
aws_nat_gateway.AWC-NATGW-SN2: Creating...
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [10s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [10s elapsed]
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [20s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [20s elapsed]
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [30s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [30s elapsed]
...
aws_nat_gateway.AWC-NATGW-SN1: Still creating... [1m40s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Still creating... [1m40s elapsed]
aws_nat_gateway.AWC-NATGW-SN2: Creation complete after 1m44s [id=nat-0b05e87d8b775ad17]
aws_nat_gateway.AWC-NATGW-SN1: Creation complete after 1m44s [id=nat-064b88196cc1199a4]
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the new NAT Gateways and their Elastic IPs.
After creation, you need to create a Route Table for each Private Subnet whose default route points to its NAT Gateway, as you did with the Internet Gateway for the Public Subnets.
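The routing model built in this section (Public Subnets with a default route to the Internet Gateway, Private Subnets with a default route to a NAT Gateway, one Route Table association per Subnet, auto-assign public IP disabled) is a combination of individually valid resources, so `terraform plan` will not catch a wrong combination. The Python below is an added example, not part of this guide or of any Citrix or AWS code; it validates a hand-written model of the guide's resources keyed by Terraform address (an assumption, not Terraform plan JSON) and also flags a NAT Gateway placed in the very Subnet that routes through it, since a public NAT Gateway can only reach the Internet if its own Subnet routes to the Internet Gateway.

```python
"""Routing-model check for the VPC this guide builds (added example, not
part of the guide or of the Citrix/AWS Terraform code).

The model below is a constructed summary of the guide's resources keyed
by Terraform address; it is not Terraform plan JSON. Subnets are
classified the way AWS defines them: public if the associated route
table sends 0.0.0.0/0 to an Internet Gateway, private if it sends it to
a NAT Gateway, isolated otherwise (no association means the VPC main
route table, which has no Internet route in this guide)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VpcModel:
    subnets: dict[str, bool]             # subnet address -> map_public_ip_on_launch
    route_tables: dict[str, str | None]  # route table address -> 0.0.0.0/0 target
    associations: dict[str, str]         # subnet address -> route table address
    nat_gateways: dict[str, str]         # NAT GW address -> subnet it is placed in
    internet_gateways: set[str] = field(default_factory=set)


def default_target(net: VpcModel, subnet: str) -> str | None:
    """Return the 0.0.0.0/0 target of the subnet's route table, or None."""
    table = net.associations.get(subnet)
    return net.route_tables.get(table) if table else None


def classify(net: VpcModel, subnet: str) -> str:
    """'public', 'private' or 'isolated', judged by the default route target."""
    target = default_target(net, subnet)
    if target in net.internet_gateways:
        return "public"
    if target in net.nat_gateways:
        return "private"
    return "isolated"


def check_routing(net: VpcModel) -> list[str]:
    """Report combinations that are wrong even though every resource is valid."""
    findings: list[str] = []
    for subnet, auto_public_ip in net.subnets.items():
        if subnet not in net.associations:
            findings.append(f"{subnet}: no route table association, "
                            "falls back to the VPC main route table")
        if auto_public_ip:
            findings.append(f"{subnet}: map_public_ip_on_launch is enabled")
        if classify(net, subnet) != "private":
            continue
        nat = default_target(net, subnet)
        nat_subnet = net.nat_gateways[nat]
        if nat_subnet == subnet:
            findings.append(f"{nat}: placed in {subnet}, the subnet that "
                            "routes through it (default route loops back)")
        elif classify(net, nat_subnet) != "public":
            findings.append(f"{nat}: placed in {nat_subnet}, which has no "
                            "Internet Gateway route, so NAT traffic cannot leave")
    return findings


def guide_model(nat_in_public_subnets: bool) -> VpcModel:
    """Constructed model of the guide's subnets, tables, routes and gateways.

    nat_in_public_subnets=False mirrors the guide as written (NAT Gateways
    placed in the Private Subnets); True places each NAT Gateway in the
    Public Subnet of the same Availability Zone instead."""
    igw = "aws_internet_gateway.AWC-InetGW"
    pub = ["aws_subnet.AWC-Subnet-Pub-1", "aws_subnet.AWC-Subnet-Pub-2"]
    priv = ["aws_subnet.AWC-Subnet-Priv-1", "aws_subnet.AWC-Subnet-Priv-2"]
    nat = ["aws_nat_gateway.AWC-NATGW-SN1", "aws_nat_gateway.AWC-NATGW-SN2"]
    rt_pub = "aws_route_table.AWC-RouteTable-Pub"
    rt_priv = ["aws_route_table.AWC-RouteTable-Priv-SN1",
               "aws_route_table.AWC-RouteTable-Priv-SN2"]
    nat_home = pub if nat_in_public_subnets else priv
    return VpcModel(
        subnets={s: False for s in pub + priv},  # auto-assign disabled, as the guide says
        route_tables={rt_pub: igw, rt_priv[0]: nat[0], rt_priv[1]: nat[1]},
        associations={pub[0]: rt_pub, pub[1]: rt_pub,
                      priv[0]: rt_priv[0], priv[1]: rt_priv[1]},
        nat_gateways={nat[0]: nat_home[0], nat[1]: nat_home[1]},
        internet_gateways={igw},
    )


if __name__ == "__main__":
    for label, model in (("as written", guide_model(False)),
                         ("NAT in public subnets", guide_model(True))):
        print(f"== {label} ==")
        for finding in check_routing(model) or ["no findings"]:
            print(" ", finding)
```

Running it prints two loop findings for the model as written and none once each NAT Gateway sits in the Public Subnet of its Availability Zone.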
Use Terraform to create the Route Table and the needed Routes and Associations:
### Create the Private Route Table for Subnet #1
resource "aws_route_table" "AWC-RouteTable-Priv-SN1" {
vpc_id = aws_vpc.AWC-VPC.id
tags = {
Name = "AWC-TF-RouteTable-Priv-SN1"
}
}
### Create the Private Route Table for Subnet #2
resource "aws_route_table" "AWC-RouteTable-Priv-SN2" {
vpc_id = aws_vpc.AWC-VPC.id
tags = {
Name = "AWC-TF-RouteTable-Priv-SN2"
}
}
#### Create Routes in the Private Route Table for Subnet #1
resource "aws_route" "AWC-Route-Private-SN1" {
route_table_id = aws_route_table.AWC-RouteTable-Priv-SN1.id
destination_cidr_block = "0.0.0.0/0"
### A NAT Gateway is referenced with nat_gateway_id; gateway_id is only for Internet Gateways and Virtual Private Gateways
nat_gateway_id = aws_nat_gateway.AWC-NATGW-SN1.id
}
#### Create Routes in the Private Route Table for Subnet #2
resource "aws_route" "AWC-Route-Private-SN2" {
route_table_id = aws_route_table.AWC-RouteTable-Priv-SN2.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.AWC-NATGW-SN2.id
}
#### Create Subnet Association for Private Subnet #1
resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-1" {
subnet_id = aws_subnet.AWC-Subnet-Priv-1.id
route_table_id = aws_route_table.AWC-RouteTable-Priv-SN1.id
}
#### Create Subnet Association for Private Subnet #2
resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-2" {
subnet_id = aws_subnet.AWC-Subnet-Priv-2.id
route_table_id = aws_route_table.AWC-RouteTable-Priv-SN2.id
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_route_table.AWC-RouteTable-Priv-SN1 will be created
+ resource "aws_route_table" "AWC-RouteTable-Priv-SN1" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN1"
}
+ tags_all = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN1"
}
+ vpc_id = (known after apply)
}
# aws_route_table.AWC-RouteTable-Priv-SN2 will be created
+ resource "aws_route_table" "AWC-RouteTable-Priv-SN2" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN2"
}
+ tags_all = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN2"
}
+ vpc_id = (known after apply)
}
# aws_route.AWC-Route-Private-SN1 will be created
+ resource "aws_route" "AWC-Route-Private-SN1" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
}
# aws_route.AWC-Route-Private-SN2 will be created
+ resource "aws_route" "AWC-Route-Private-SN2" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Priv-1 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-1" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Priv-2 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-2" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
Plan: 6 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_route_table.AWC-RouteTable-Priv-SN1 will be created
+ resource "aws_route_table" "AWC-RouteTable-Priv-SN1" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN1"
}
+ tags_all = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN1"
}
+ vpc_id = (known after apply)
}
# aws_route_table.AWC-RouteTable-Priv-SN2 will be created
+ resource "aws_route_table" "AWC-RouteTable-Priv-SN2" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN2"
}
+ tags_all = {
+ "Name" = "AWC-TF-RouteTable-Priv-SN2"
}
+ vpc_id = (known after apply)
}
# aws_route.AWC-Route-Private-SN1 will be created
+ resource "aws_route" "AWC-Route-Private-SN1" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
}
# aws_route.AWC-Route-Private-SN2 will be created
+ resource "aws_route" "AWC-Route-Private-SN2" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Priv-1 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-1" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.AWC-RT-SN-Association-Priv-2 will be created
+ resource "aws_route_table_association" "AWC-RT-SN-Association-Priv-2" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
Plan: 6 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_route_table.AWC-RouteTable-Priv-SN2: Creating...
aws_route_table.AWC-RouteTable-Priv-SN1: Creating...
aws_route.AWC-Route-Private-SN2: Creating...
aws_route.AWC-Route-Private-SN1: Creating...
aws_route_table.AWC-RouteTable-Priv-SN2: Creation complete after 1s [id=rtb-04d3927d25865adcf]
aws_route_table.AWC-RouteTable-Priv-SN1: Creation complete after 1s [id=rtb-0c9cb8b3a967e3481]
aws_route.AWC-Route-Private-SN2: Creation complete after 0s [id=r-rtb-04d3927d25865adcf1080289494]
aws_route.AWC-Route-Private-SN1: Creation complete after 0s [id=r-rtb-0c9cb8b3a967e34811080289494]
aws_route_table_association.AWC-RT-SN-Association-Priv-1: Creating...
aws_route_table_association.AWC-RT-SN-Association-Priv-2: Creating...
aws_route_table_association.AWC-RT-SN-Association-Priv-1: Creation complete after 0s [id=rtbassoc-090c9d66718c2a158]
aws_route_table_association.AWC-RT-SN-Association-Priv-2: Creation complete after 0s [id=rtbassoc-038405332aa4c4384]
Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the new Route Tables, Routes, and Associations for the Private Subnets.
All instances in the Private Subnets should now be able to reach the Internet through the NAT Gateways.
Set the IAM permissions
After creating all needed network components, we must set the required IAM permissions.
AWS Identity and Access Management (IAM) controls access to AWS resources.
IAM determines who can be authenticated (signed in) and authorized (granted permissions) to use Amazon VPC resources.
Deploying an IAM Policy
You control access by creating policies and attaching them to identities or resources.
A policy defines the permissions it grants. Policies are evaluated whenever a principal, for example an IAM user, a role, or the root user, requests access to a resource.
The permissions in the policies determine whether the request is allowed or denied.
Most policies are stored in AWS as JSON documents.
As an example, we deploy an IAM role and an inline IAM policy that grants the permissions needed for deploying DaaS and its entities:
### Create the needed IAM Roles and Policies
resource "aws_iam_role" "AWC-IAM-Main-Role" {
name = "AWC-IAM-Main-Role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy" "AWC-IAM-Main" {
name = "AWC-IAM-Role-Main"
role = aws_iam_role.AWC-IAM-Main-Role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"workdocs:DeregisterDirectory",
"workdocs:RegisterDirectory",
"workdocs:AddUserToGroup",
"ec2:ImportInstance",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:CreateKeyPair",
"ec2:DescribeKeyPairs",
"ec2:ModifyImageAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:RunInstances",
"ec2:DescribeSecurityGroups",
"ec2:CreateTags",
"ec2:DescribeRouteTables",
"ec2:DescribeInternetGateways",
"ec2:CreateSecurityGroup",
"ec2:DescribeInstanceTypes",
"servicequotas:ListServices",
"servicequotas:GetRequestedServiceQuotaChange",
"servicequotas:ListTagsForResource",
"servicequotas:GetServiceQuota",
"servicequotas:GetAssociationForServiceQuotaTemplate",
"servicequotas:ListAWSDefaultServiceQuotas",
"servicequotas:ListServiceQuotas",
"servicequotas:GetAWSDefaultServiceQuota",
"servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
"servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
"servicequotas:ListRequestedServiceQuotaChangeHistory",
"servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
"sts:DecodeAuthorizationMessage",
"ds:*",
"workspaces:*",
"iam:GetRole",
"iam:GetContextKeysForPrincipalPolicy",
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}
]
}
EOF
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_iam_role.AWC-IAM-Main-Role will be created
+ resource "aws_iam_role" "AWC-IAM-Main-Role" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "AWC-IAM-Main-Role"
+ name_prefix = (known after apply)
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role_policy.AWC-IAM-Main will be created
+ resource "aws_iam_role_policy" "AWC-IAM-Main" {
+ id = (known after apply)
+ name = "AWC-IAM-Role-Main"
+ name_prefix = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "workdocs:DeregisterDirectory",
+ "workdocs:RegisterDirectory",
+ "workdocs:AddUserToGroup",
+ "ec2:ImportInstance",
+ "ec2:DescribeImages",
+ "ec2:DescribeImageAttribute",
+ "ec2:CreateKeyPair",
+ "ec2:DescribeKeyPairs",
+ "ec2:ModifyImageAttribute",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:RunInstances",
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateTags",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeInternetGateways",
+ "ec2:CreateSecurityGroup",
+ "ec2:DescribeInstanceTypes",
+ "servicequotas:ListServices",
+ "servicequotas:GetRequestedServiceQuotaChange",
+ "servicequotas:ListTagsForResource",
+ "servicequotas:GetServiceQuota",
+ "servicequotas:GetAssociationForServiceQuotaTemplate",
+ "servicequotas:ListAWSDefaultServiceQuotas",
+ "servicequotas:ListServiceQuotas",
+ "servicequotas:GetAWSDefaultServiceQuota",
+ "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
+ "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
+ "servicequotas:ListRequestedServiceQuotaChangeHistory",
+ "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
+ "sts:DecodeAuthorizationMessage",
+ "ds:*",
+ "workspaces:*",
+ "iam:GetRole",
+ "iam:GetContextKeysForPrincipalPolicy",
+ "iam:SimulatePrincipalPolicy",
]
+ Effect = "Allow"
+ Resource = "*"
+ Sid = "VisualEditor0"
},
]
+ Version = "2012-10-17"
}
)
+ role = (known after apply)
}
Plan: 2 to add, 0 to change, 0 to destroy.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_iam_role.AWC-IAM-Main-Role will be created
+ resource "aws_iam_role" "AWC-IAM-Main-Role" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "AWC-IAM-Main-Role"
+ name_prefix = (known after apply)
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role_policy.AWC-IAM-Main will be created
+ resource "aws_iam_role_policy" "AWC-IAM-Main" {
+ id = (known after apply)
+ name = "AWC-IAM-Role-Main"
+ name_prefix = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "workdocs:DeregisterDirectory",
+ "workdocs:RegisterDirectory",
+ "workdocs:AddUserToGroup",
+ "ec2:ImportInstance",
+ "ec2:DescribeImages",
+ "ec2:DescribeImageAttribute",
+ "ec2:CreateKeyPair",
+ "ec2:DescribeKeyPairs",
+ "ec2:ModifyImageAttribute",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:RunInstances",
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateTags",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeInternetGateways",
+ "ec2:CreateSecurityGroup",
+ "ec2:DescribeInstanceTypes",
+ "servicequotas:ListServices",
+ "servicequotas:GetRequestedServiceQuotaChange",
+ "servicequotas:ListTagsForResource",
+ "servicequotas:GetServiceQuota",
+ "servicequotas:GetAssociationForServiceQuotaTemplate",
+ "servicequotas:ListAWSDefaultServiceQuotas",
+ "servicequotas:ListServiceQuotas",
+ "servicequotas:GetAWSDefaultServiceQuota",
+ "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
+ "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
+ "servicequotas:ListRequestedServiceQuotaChangeHistory",
+ "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
+ "sts:DecodeAuthorizationMessage",
+ "ds:*",
+ "workspaces:*",
+ "iam:GetRole",
+ "iam:GetContextKeysForPrincipalPolicy",
+ "iam:SimulatePrincipalPolicy",
]
+ Effect = "Allow"
+ Resource = "*"
+ Sid = "VisualEditor0"
},
]
+ Version = "2012-10-17"
}
)
+ role = (known after apply)
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_iam_role.AWC-IAM-Main-Role: Creating...
aws_iam_role.AWC-IAM-Main-Role: Creation complete after 1s [id=AWC-IAM-Main-Role]
aws_iam_role_policy.AWC-IAM-Main: Creating...
aws_iam_role_policy.AWC-IAM-Main: Creation complete after 0s [id=AWC-IAM-Main-Role:AWC-IAM-Role-Main]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the initial IAM role and policy.
As the requirements for further IAM policies vary too much between deployments, a detailed description of them is out of scope for this guide.
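As an added example (not part of this guide or of the AWS/Citrix tooling), the following Python script parses the inline policy document attached to AWC-IAM-Main-Role above and reports the Allow grants a least-privilege review would question first: wildcard actions such as ds:* and workspaces:*, and mutating actions granted on "Resource": "*". The action list is the one from the policy above; the read-only prefix list and the finding categories are the script's own assumptions.

```python
"""Audit an IAM policy document for over-broad Allow statements.

Added example; it is not part of this guide or of the Citrix/AWS tooling.
It parses the policy JSON (the format described above) and reports Allow
statements that grant wildcard actions ("ds:*"), or mutating actions with
"Resource": "*", which is where a least-privilege review usually starts.
"""
import json

# Constructed input: the inline policy document attached to AWC-IAM-Main-Role above.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "workdocs:DeregisterDirectory", "workdocs:RegisterDirectory",
        "workdocs:AddUserToGroup", "ec2:ImportInstance", "ec2:DescribeImages",
        "ec2:DescribeImageAttribute", "ec2:CreateKeyPair", "ec2:DescribeKeyPairs",
        "ec2:ModifyImageAttribute", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:RunInstances", "ec2:DescribeSecurityGroups", "ec2:CreateTags",
        "ec2:DescribeRouteTables", "ec2:DescribeInternetGateways",
        "ec2:CreateSecurityGroup", "ec2:DescribeInstanceTypes",
        "servicequotas:ListServices", "servicequotas:GetRequestedServiceQuotaChange",
        "servicequotas:ListTagsForResource", "servicequotas:GetServiceQuota",
        "servicequotas:GetAssociationForServiceQuotaTemplate",
        "servicequotas:ListAWSDefaultServiceQuotas", "servicequotas:ListServiceQuotas",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
        "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
        "servicequotas:ListRequestedServiceQuotaChangeHistory",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
        "sts:DecodeAuthorizationMessage", "ds:*", "workspaces:*", "iam:GetRole",
        "iam:GetContextKeysForPrincipalPolicy", "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Assumed heuristic: operation names with these prefixes only read state and are
# low risk even with Resource "*"; everything else is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Simulate", "Decode")


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True when the action's operation name looks like a read (Describe*, Get*, ...)."""
    if ":" not in action or action.endswith("*"):
        return False
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def audit_policy(policy_text):
    """Return a list of findings, one dict per problem, for each Allow statement."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action"))
        wildcard_actions = [a for a in actions if a.endswith("*")]
        mutating = [a for a in actions if not a.endswith("*") and not is_read_only(a)]
        any_resource = "*" in as_list(stmt.get("Resource"))
        if wildcard_actions:
            findings.append({"sid": sid, "kind": "wildcard_action", "actions": wildcard_actions})
        if any_resource and mutating:
            findings.append({"sid": sid, "kind": "mutating_on_any_resource", "actions": mutating})
        if any_resource and wildcard_actions:
            # service-wide admin: every action of the service on every resource
            findings.append({"sid": sid, "kind": "service_admin", "actions": wildcard_actions})
    return findings


if __name__ == "__main__":
    for f in audit_policy(POLICY_JSON):
        print(f"{f['sid']}: {f['kind']} -> {', '.join(f['actions'])}")
```

Running it lists the two wildcard grants and the nine mutating EC2 and WorkDocs actions that the single statement allows on every resource.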
Deploying Security Groups on the Network Entities
If you associate a Security Group with an EC2 instance, it controls the instance's inbound and outbound traffic.
Note:
Security Groups enable you to increase security for the resources in your VPC as they act like virtual firewalls.
When you create a VPC, it comes with a default Security Group. You can create additional Security Groups for a VPC, each with their own inbound and outbound rules:
You can specify each inbound rule's source, port range, and protocol.
You can specify each outbound rule's destination, port range, and protocol.
The following diagram shows a VPC with a Subnet, an Internet Gateway, and a Security Group.
The Subnet contains an EC2 instance. The Security Group is assigned to the instance and acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the Security Group rules.
For the Security Group bound to the Instances in the Public Subnets, use the following rules:
Type: HTTP, Protocol: TCP, Port range: 80, Source: Custom 0.0.0.0/0
Type: HTTPS, Protocol: TCP, Port range: 443, Source: Custom 0.0.0.0/0
Type: RDP, Protocol: TCP, Port range: 3389, Source: My IP (your current external IP should be entered automatically)
Create more Inbound Rules according to your needs.
For the Security Group bound to the Instances in the Private Subnets, use the following rules:
Type: HTTP, Protocol: TCP, Port range: 80, Source: Custom 0.0.0.0/0
Type: HTTPS, Protocol: TCP, Port range: 443, Source: Custom 0.0.0.0/0
Type: RDP, Protocol: TCP, Port range: 3389, Source: Custom 0.0.0.0/0
Type: Custom TCP (ICA), Protocol: TCP, Port range: 1494, Source: Custom 0.0.0.0/0
Type: Custom UDP (ICA), Protocol: UDP, Port range: 1494, Source: Custom 0.0.0.0/0
Type: Custom TCP (CGP), Protocol: TCP, Port range: 2598, Source: Custom 0.0.0.0/0
Type: Custom UDP (CGP), Protocol: UDP, Port range: 2598, Source: Custom 0.0.0.0/0
Create more Inbound Rules according to your needs.
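Before turning these rules into Terraform, the following added Python example (not code from this guide) models ingress rules with the same fields the aws_vpc_security_group_ingress_rule resource takes and evaluates sample flows against them; the source IPs and the 203.0.113.7/32 standing in for "My IP" are constructed. It shows why a single-port rule must set from_port and to_port to the same value: a rule written with from_port = 0 and to_port = 443, an easy slip when copying rule blocks, admits every TCP port up to 443 from the Internet, not just HTTPS.

```python
"""Evaluate Security Group ingress rules the way EC2 does: a flow is admitted
when at least one rule matches its protocol, destination port and source IP.

Added example, not code from this guide. Rules are dicts with the same fields the
aws_vpc_security_group_ingress_rule resource takes (ip_protocol, from_port,
to_port, cidr_ipv4); ICMP type/code semantics are not modelled.
"""
import ipaddress

# Constructed rule sets modelled on the public Security Group rules above.
# 203.0.113.7/32 stands in for the "My IP" source of the RDP rule.
AS_WRITTEN = [  # from_port = 0: each rule is really the range 0..to_port
    {"ip_protocol": "tcp", "from_port": 0, "to_port": 443, "cidr_ipv4": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 0, "to_port": 80, "cidr_ipv4": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 0, "to_port": 3389, "cidr_ipv4": "203.0.113.7/32"},
]
CORRECTED = [  # from_port = to_port: exactly the one port the rule list names
    {"ip_protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_ipv4": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_ipv4": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr_ipv4": "203.0.113.7/32"},
]


def rule_matches(rule, proto, port, src_ip):
    """True when one ingress rule admits a flow of `proto` to `port` from `src_ip`."""
    if rule["ip_protocol"] not in ("-1", proto):
        return False
    # "-1" means all traffic and carries no port range
    if rule["ip_protocol"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr_ipv4"], strict=False)


def admitted(rules, proto, port, src_ip):
    """Security Groups are allow-lists with no deny rules: any match admits the flow."""
    return any(rule_matches(r, proto, port, src_ip) for r in rules)


def exposed_ports(rules, proto="tcp", src_ip="198.51.100.9", limit=1024):
    """Ports 1..limit reachable from an arbitrary Internet source (src_ip)."""
    return [p for p in range(1, limit + 1) if admitted(rules, proto, p, src_ip)]


if __name__ == "__main__":
    print("as written:", len(exposed_ports(AS_WRITTEN)), "TCP ports open to the Internet")
    print("corrected: ", exposed_ports(CORRECTED))
```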
Use Terraform to create the Security Groups and their Rules:
### Create Internal-bound Security Group
resource "aws_security_group" "AWC-SG-Internal" {
  name   = "SG-Internal"
  vpc_id = aws_vpc.AWC-VPC.id
  tags = {
    Name = "AWC-TF-SecurityGroup-Internal"
  }
}
### Create Public-bound Security Group
resource "aws_security_group" "AWC-SG-Public" {
  name   = "SG-Public"
  vpc_id = aws_vpc.AWC-VPC.id
  tags = {
    Name = "AWC-TF-SecurityGroup-Public"
  }
}
#### Create the Security Group Rules
# from_port and to_port are the two ends of the allowed port range, so a single-port
# rule sets both to the same value; from_port = 0 would open every port up to to_port.
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTPS" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  ip_protocol       = "tcp"
  to_port           = 443
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 80
  ip_protocol       = "tcp"
  to_port           = 80
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTPS" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  ip_protocol       = "tcp"
  to_port           = 443
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTP" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 80
  ip_protocol       = "tcp"
  to_port           = 80
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-RDP" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "XXXXXXXXXX" # replace with your current external IP as a /32 CIDR
  from_port         = 3389
  ip_protocol       = "tcp"
  to_port           = 3389
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-RDP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 3389
  ip_protocol       = "tcp"
  to_port           = 3389
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICATCP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 1494
  ip_protocol       = "tcp"
  to_port           = 1494
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICAUDP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 1494
  ip_protocol       = "udp"
  to_port           = 1494
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPTCP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 2598
  ip_protocol       = "tcp"
  to_port           = 2598
}
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPUDP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 2598
  ip_protocol       = "udp"
  to_port           = 2598
}
# For ICMP, from_port is the ICMP type and to_port the code (-1 = any):
# type 8 is Echo Request, which is what inbound ping needs.
resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICMP" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 8
  ip_protocol       = "icmp"
  to_port           = -1
}
# ip_protocol "-1" means all traffic; no port range is given with it.
resource "aws_vpc_security_group_egress_rule" "AWC-SG-Int-ER-All" {
  security_group_id = aws_security_group.AWC-SG-Internal.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
resource "aws_vpc_security_group_egress_rule" "AWC-SG-Pub-ER-All" {
  security_group_id = aws_security_group.AWC-SG-Public.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
Terraform will now create these entities:
PS C:\_TERRAFORM\_AWSCore> terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_security_group.AWS-SG-Internal will be created
+ resource "aws_security_group" "AWS-SG-Internal" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "SG-Internal"
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "Name" = "AWC-TF-SecurityGroup-Internal"
}
+ tags_all = {
+ "Name" = "AWC-TF-SecurityGroup-Internal"
}
+ vpc_id = "vpc-0a0c4e01213dca45a"
}
# aws_security_group.AWS-SG-Public will be created
+ resource "aws_security_group" "AWS-SG-Public" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "SG-Public"
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "Name" = "AWC-TF-SecurityGroup-Public"
}
+ tags_all = {
+ "Name" = "AWC-TF-SecurityGroup-Public"
}
+ vpc_id = "vpc-0a0c4e01213dca45a"
}
# aws_vpc_security_group_egress_rule.AWC-SG-Int-ER-All will be created
+ resource "aws_vpc_security_group_egress_rule" "AWC-SG-Int-ER-All" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "-1"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 0
}
# aws_vpc_security_group_egress_rule.AWC-SG-Pub-ER-All will be created
+ resource "aws_vpc_security_group_egress_rule" "AWC-SG-Pub-ER-All" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "-1"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 0
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPTCP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPTCP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 2598
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPUDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "udp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 2598
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 80
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTPS will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTPS" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 443
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-HTTP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 80
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-HTTPS will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTPS" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 443
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICATCP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICATCP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 1494
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICAUDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICAUDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "udp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 1494
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICMP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICMP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "icmp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 0
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-RDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-RDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 3389
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-RDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-RDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "XXXXXXXXXXXXX"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 3389
}
Plan: 15 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\_TERRAFORM\_AWSCore> terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_security_group.AWS-SG-Internal will be created
+ resource "aws_security_group" "AWS-SG-Internal" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "SG-Internal"
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "Name" = "AWC-TF-SecurityGroup-Internal"
}
+ tags_all = {
+ "Name" = "AWC-TF-SecurityGroup-Internal"
}
+ vpc_id = "vpc-0a0c4e01213dca45a"
}
# aws_security_group.AWS-SG-Public will be created
+ resource "aws_security_group" "AWS-SG-Public" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = "SG-Public"
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "Name" = "AWC-TF-SecurityGroup-Public"
}
+ tags_all = {
+ "Name" = "AWC-TF-SecurityGroup-Public"
}
+ vpc_id = "vpc-0a0c4e01213dca45a"
}
# aws_vpc_security_group_egress_rule.AWC-SG-Int-ER-All will be created
+ resource "aws_vpc_security_group_egress_rule" "AWC-SG-Int-ER-All" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "-1"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 0
}
# aws_vpc_security_group_egress_rule.AWC-SG-Pub-ER-All will be created
+ resource "aws_vpc_security_group_egress_rule" "AWC-SG-Pub-ER-All" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "-1"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 0
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPTCP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPTCP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 2598
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-CGPUDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "udp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 2598
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 80
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTPS will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-HTTPS" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 443
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-HTTP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 80
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-HTTPS will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-HTTPS" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 443
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICATCP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICATCP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 1494
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICAUDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICAUDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "udp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 1494
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICMP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-ICMP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "icmp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 0
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-RDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Int-IR-RDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 3389
}
# aws_vpc_security_group_ingress_rule.AWC-SG-Pub-IR-RDP will be created
+ resource "aws_vpc_security_group_ingress_rule" "AWC-SG-Pub-IR-RDP" {
+ arn = (known after apply)
+ cidr_ipv4 = "XXXXXXXXXXXXX"
+ from_port = 0
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 3389
}
Plan: 15 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_security_group.AWS-SG-Internal: Creation complete after 1s [id=sg-0633dbccc6f7debdc]
aws_security_group.AWS-SG-Public: Creation complete after 1s [id=sg-06a8ab84b0a692170]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICATCP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICMP: Creating...
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-ICAUDP: Creating...
...
aws_vpc_security_group_ingress_rule.AWC-SG-IR-ICATCP: Creation complete after 0s [id=sgr-01067ddbb01b277fa]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-CGPUDP: Creation complete after 0s [id=sgr-0c276bd82c1893367]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-RDP: Creation complete after 0s [id=sgr-036882befc2d63329]
aws_vpc_security_group_ingress_rule.AWC-SG-Int-IR-HTTPS: Creation complete after 0s [id=sgr-0f83b2b1e904eaf12]
aws_vpc_security_group_egress_rule.AWC-SG-Int-ER-All: Creation complete after 0s [id=sgr-0742921e3eee9d06b]
Apply complete! Resources: 15 added, 0 changed, 0 destroyed.
PS C:\_TERRAFORM\_AWSCore>
Terraform successfully created the Security Groups and their required rules.
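Before answering `yes` to a plan like the one above, it is worth checking that no ingress rule opens more than intended: the plan shows, for example, TCP ports 0 to 2598 from 0.0.0.0/0 on the internal group, where a single port and a narrower source would do. The following Python script is an added example, not part of this guide or of the Terraform providers; it reads a plan in the `terraform show -json` form and flags such rules. The embedded sample plan is constructed, and the 203.0.113.10/32 source is a placeholder.

```python
import json

def _rule(kind, name, cidr, proto, frm, to):
    """Build one resource_changes entry in `terraform show -json` shape (constructed sample)."""
    return {"address": f"aws_vpc_security_group_{kind}_rule.{name}",
            "type": f"aws_vpc_security_group_{kind}_rule",
            "change": {"actions": ["create"], "after": {
                "cidr_ipv4": cidr, "ip_protocol": proto,
                "from_port": frm, "to_port": to}}}

# Constructed sample plan: one rule in the shape of the plan above, a tightened
# RDP rule (placeholder source CIDR), an ICMP rule and an egress rule.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rule("ingress", "AWC-SG-Int-IR-CGPTCP", "0.0.0.0/0", "tcp", 0, 2598),
    _rule("ingress", "AWC-SG-Pub-IR-RDP", "203.0.113.10/32", "tcp", 3389, 3389),
    _rule("ingress", "AWC-SG-Int-IR-ICMP", "0.0.0.0/0", "icmp", 0, 0),
    _rule("egress", "AWC-SG-Int-ER-All", "0.0.0.0/0", "-1", 0, 0),
]})

def find_risky_ingress(plan_json: str) -> list[dict]:
    """Flag ingress rules about to be created or updated that are reachable from
    0.0.0.0/0, span a TCP/UDP port range, or allow every protocol."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_vpc_security_group_ingress_rule":
            continue                      # egress rules are out of scope here
        change = rc["change"]
        if not {"create", "update"} & set(change["actions"]):
            continue                      # no-op or delete: nothing new is opened
        after = change.get("after") or {}
        reasons = []
        if after.get("cidr_ipv4") == "0.0.0.0/0":
            reasons.append("source is 0.0.0.0/0")
        if after.get("ip_protocol") in ("tcp", "udp") and after.get("from_port") != after.get("to_port"):
            reasons.append(f"port range {after['from_port']}-{after['to_port']}")
        if after.get("ip_protocol") == "-1":
            reasons.append("all protocols")
        if reasons:
            findings.append({"address": rc["address"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Typical use: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    for f in find_risky_ingress(SAMPLE_PLAN):
        print(f["address"], "->", "; ".join(f["reasons"]))
```

The ICMP rule is reported only for its source, since `from_port`/`to_port` carry the ICMP type and code rather than a port range.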
Deploy all needed Instances in your VPC
An Amazon EC2 Instance is a Virtual Machine in the AWS Cloud environment.
Amazon EC2 provides a wide range of Instance types. You can choose an Instance type that provides the compute resources, memory, storage, and network configurations according to your needs.
In this guide, we will initially deploy the following Instances:
- 1 Jump Host for accessing the environment over the Internet using RDP
- 1 Domain Controller for providing all needed Active Directory functionalities
- 2 Cloud Connectors
Further Instances will be created automatically during the Machine Catalog creation.
Important:
You need an EC2 Key Pair to decrypt the administrator password to access a non-domain-joined Windows-based Instance. A Key Pair, consisting of a public key and a private key, is a set of security credentials you use to prove your identity.
After joining the Instance to a Domain, you can log on using the Domain credentials.
The Key Pair is used only for local Admin access!
Creating the EC2 Key Pair using the GUI
Before deploying Windows Instances, you must create a Key Pair to gain access to the Instance after it is created.
- Log on to your AWS console, enter EC2 in the Search bar at the top of the page, and choose the Network & Security option. Click on Key Pairs on the Dashboard. If no Key Pair has been created yet, click Create key pair.
- Choose the needed settings and click Create key pair.
Important:
After successful creation, download and store the Key Pair in a safe place.
You will need it each time you access the Windows Instance with local administrator credentials.
Creating the EC2 Key Pair using PowerShell
The AWS Terraform provider currently does not support creating a Key Pair.
To automate this step, use PowerShell:
PS C:\_TERRAFORM\_AWSCore> $GetKeyPair = New-EC2KeyPair -KeyName AWC-KeyPair
PS C:\_TERRAFORM\_AWSCore> $GetKeyPair
KeyFingerprint : c1:2b:01:8d:ba:4a:50:ed:41:d1:94:f7:d6:39:df:04:b3:f9:cb:dd
KeyMaterial : -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAskyHNFpSh+k+K+7ccyjEguX/VEcQKiYkf3ebAJ1VZSZJ0FnX
... +7IB7HL42zIt7oG29n35XycvXI6tg/mT7pEtnAehuolwtapdCFKUGjo=
-----END RSA PRIVATE KEY-----
KeyName : AWC-KeyPair
KeyPairId : key-00cb83cebc992e403
Tags : {}
PS C:\_TERRAFORM\_AWSCore> $GetKeyPair.KeyMaterial | Out-File -Encoding ascii "C:\_TERRAFORM\_AWSCore\WC-KeyPair.pem"
PS C:\_TERRAFORM\_AWSCore>