examples: modernize aws-two-tier

* Set up a VPC instead of assuming EC2 classic * Set up a keypair instead of requiring one be created beforehand; this fixes #1567 * Use SSH Agent for authentication instead of explicit private key.
2015-12-02 17:39:24 -06:00 · 2015-12-02 17:39:24 -06:00 · 3f5997a6c1
parent 81f7fb1e6f
commit 3f5997a6c1
2 changed files with 92 additions and 39 deletions
--- a/examples/aws-two-tier/main.tf
+++ b/examples/aws-two-tier/main.tf
@ -3,33 +3,81 @@ provider "aws" {
  region = "${var.aws_region}"
 }

-# Our default security group to access
-# the instances over SSH and HTTP
-resource "aws_security_group" "default" {
-  name = "terraform_example"
-  description = "Used in the terraform"
+# Create a VPC to launch our instances into
+resource "aws_vpc" "default" {
+  cidr_block = "10.0.0.0/16"
+}

-  # SSH access from anywhere
-  ingress {
-    from_port = 22
-    to_port = 22
-    protocol = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "default" {
+  vpc_id = "${aws_vpc.default.id}"
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "internet_access" {
+  route_table_id         = "${aws_vpc.default.main_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.default.id}"
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "default" {
+  vpc_id                  = "${aws_vpc.default.id}"
+  cidr_block              = "10.0.1.0/24"
+  map_public_ip_on_launch = true
+}
+
+# A security group for the ELB so it is accessible via the web
+resource "aws_security_group" "elb" {
+  name        = "terraform_example_elb"
+  description = "Used in the terraform"
+  vpc_id      = "${aws_vpc.default.id}"

  # HTTP access from anywhere
  ingress {
-    from_port = 80
-    to_port = 80
-    protocol = "tcp"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # outbound internet access
  egress {
-    from_port = 0
-    to_port = 0
-    protocol = "-1"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# Our default security group to access
+# the instances over SSH and HTTP
+resource "aws_security_group" "default" {
+  name        = "terraform_example"
+  description = "Used in the terraform"
+  vpc_id      = "${aws_vpc.default.id}"
+
+  # SSH access from anywhere
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTP access from the VPC
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/16"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
 }
@ -38,20 +86,23 @@ resource "aws_security_group" "default" {
 resource "aws_elb" "web" {
  name = "terraform-example-elb"

-  # The same availability zone as our instance
-  availability_zones = ["${aws_instance.web.availability_zone}"]
+  subnets         = ["${aws_subnet.default.id}"]
+  security_groups = ["${aws_security_group.elb.id}"]
+  instances       = ["${aws_instance.web.id}"]

  listener {
-    instance_port = 80
+    instance_port     = 80
    instance_protocol = "http"
-    lb_port = 80
-    lb_protocol = "http"
+    lb_port           = 80
+    lb_protocol       = "http"
  }

-  # The instance is registered automatically
-  instances = ["${aws_instance.web.id}"]
 }

+resource "aws_key_pair" "auth" {
+  key_name   = "tf-aws-two-tier-example"
+  public_key = "${file(var.public_key_path)}"
+}

 resource "aws_instance" "web" {
  # The connection block tells our provisioner how to
@ -60,8 +111,7 @@ resource "aws_instance" "web" {
    # The default username for our AMI
    user = "ubuntu"

-    # The path to your keyfile
-    key_file = "${var.key_path}"
+    # The connection will use the local SSH agent for authentication.
  }

  instance_type = "m1.small"
@ -70,15 +120,16 @@ resource "aws_instance" "web" {
  # we specified
  ami = "${lookup(var.aws_amis, var.aws_region)}"

-  # The name of our SSH keypair you've created and downloaded
-  # from the AWS console.
-  #
-  # https://console.aws.amazon.com/ec2/v2/home?region=us-west-2#KeyPairs:
-  #
-  key_name = "${var.key_name}"
+  # The name of our SSH keypair we created above.
+  key_name = "${aws_key_pair.auth.id}"

  # Our Security group to allow HTTP and SSH access
-  security_groups = ["${aws_security_group.default.name}"]
+  vpc_security_group_ids = ["${aws_security_group.default.id}"]
+
+  # We're going to launch into the same subnet as our ELB. In a production
+  # environment it's more common to have a separate private subnet for
+  # backend instances.
+  subnet_id = "${aws_subnet.default.id}"

  # We run a remote provisioner on the instance after creating it.
  # In this case, we just install nginx and start it. By default,
--- a/examples/aws-two-tier/variables.tf
+++ b/examples/aws-two-tier/variables.tf
@ -1,9 +1,11 @@
-variable "key_name" {
-  description = "Name of the SSH keypair to use in AWS."
-}
+variable "public_key_path" {
+  description = <<DESCRIPTION
+Path to the SSH public key to be used for authentication.
+Ensure this keypair is added to your local SSH agent so provisioners can
+connect.

-variable "key_path" {
-  description = "Path to the private portion of the SSH key specified."
+Example: ~/.ssh/id_rsa.pub
+DESCRIPTION
 }

 variable "aws_region" {