# Resolve the fck-nat AMI only when the caller did not pin one through var.ami_id.
data "aws_ami" "main" {
  count = var.ami_id == null ? 1 : 0

  # Pinning the publisher account is the control that matters here: with
  # most_recent = true and a wildcard name, an unowned lookup could match a
  # look-alike AMI published under the same name pattern by another account.
  owners      = ["568608671756"]
  most_recent = true

  filter {
    name   = "name"
    values = ["fck-nat-al2023-hvm-*"]
  }

  # Architecture follows the instance type; local.is_arm is not defined in this file.
  filter {
    name   = "architecture"
    values = [local.is_arm ? "arm64" : "x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }
}
# Parse the CloudWatch agent configuration parameter ARN into its components;
# presumably this feeds local.cwagent_param_name, which is not defined in this file.
data "aws_arn" "ssm_param" {
  # Only created when the agent is enabled AND a configuration parameter was supplied.
  count = (var.use_cloudwatch_agent && var.cloudwatch_agent_configuration_param_arn != null) ? 1 : 0
  arn   = var.cloudwatch_agent_configuration_param_arn
}
# Launch template shared by the single-instance path (aws_instance.main) and,
# presumably, an HA path defined elsewhere in the module.
resource "aws_launch_template" "main" {
  #checkov:skip=CKV_AWS_88:NAT instances must have a public IP.
  name          = var.name
  image_id      = local.ami_id
  instance_type = var.instance_type
  key_name      = var.ssh_key_name
  tags          = var.tags

  # The instance role is attached here, not on aws_instance.main.
  iam_instance_profile {
    name = aws_iam_instance_profile.main.name
  }

  # Root volume: gp3, encryption and key both driven by module inputs. Which key
  # applies when encryption is on and kms_key_id is null is not decided in this file.
  block_device_mappings {
    device_name = "/dev/xvda"

    ebs {
      volume_type = "gp3"
      volume_size = var.ebs_root_volume_size
      encrypted   = var.encryption
      kms_key_id  = var.kms_key_id
    }
  }

  # A NAT instance needs a public address. This primary ENI is ephemeral; the
  # persistent ENI (aws_network_interface.main) is presumably attached by
  # user_data, which receives its id below — confirm against templates/user_data.sh.
  network_interfaces {
    description                 = "${var.name} ephemeral public ENI"
    subnet_id                   = var.subnet_id
    associate_public_ip_address = true
    security_groups             = local.security_groups
  }

  # Require IMDSv2 so that role credentials cannot be read through the plain
  # IMDSv1 GET path by a request-forgery running on the instance.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  dynamic "instance_market_options" {
    for_each = var.use_spot_instances ? ["x"] : []

    content {
      market_type = "spot"
    }
  }

  # Propagate the module tags (plus Name) to the instance, its ENI and its volume.
  dynamic "tag_specifications" {
    for_each = ["instance", "network-interface", "volume"]

    content {
      resource_type = tag_specifications.value
      tags          = merge({ Name = var.name }, var.tags)
    }
  }

  # user_data is not a secret store: it is readable by anyone who can describe
  # the launch template and by any process on the instance. Only resource ids
  # and feature flags are rendered here.
  user_data = base64encode(templatefile("${path.module}/templates/user_data.sh", {
    TERRAFORM_ENI_ID                 = aws_network_interface.main.id
    TERRAFORM_EIP_ID                 = length(var.eip_allocation_ids) != 0 ? var.eip_allocation_ids[0] : ""
    TERRAFORM_CWAGENT_ENABLED        = var.use_cloudwatch_agent ? "true" : ""
    TERRAFORM_CWAGENT_CFG_PARAM_NAME = local.cwagent_param_name != null ? local.cwagent_param_name : ""
  }))
}
# Single-instance (non-HA) deployment. With ha_mode the instance is presumably
# managed by an autoscaling group defined elsewhere in the module.
resource "aws_instance" "main" {
  #checkov:skip=CKV2_AWS_41:False positive, IAM role is attached via the launch template.
  count = var.ha_mode ? 0 : 1
  tags  = var.tags

  launch_template {
    id = aws_launch_template.main.id
    # NOTE(review): "$Latest" resolves at apply time; if edits to the template are
    # meant to roll this instance, pin aws_launch_template.main.latest_version instead — confirm intent.
    version = "$Latest"
  }

  # These attributes are expected to drift from what Terraform set —
  # source_dest_check presumably being disabled out-of-band, since a NAT
  # instance must forward traffic — so drift on them is ignored, not reverted.
  lifecycle {
    ignore_changes = [
      tags,
      user_data,
      source_dest_check
    ]
  }
}