# Pull Request: https://github.com/hashicorp/terraform/pull/7319
# Test Case: AWS VPC Endpoint with Terraform
# This was successfully tested when the master branch was at de0a34fc3517893a5078f6358ca9523cd4c63490
# Steps:
# 1. Edit the code below, replacing MY_SSH_KEY_NAME, MY_BUCKET_NAME, My_ACCESS_KEY and My_SECRET_KEY with your values.
# 2. Run `terraform apply`
# 3. SSH to the EC2 instance
# 4. Create a new file, e.g. `touch /home/ec2-user/testfile.txt`
# 5. Copy the file from the EC2 instance to the S3 bucket, e.g. `aws s3 cp --region eu-west-1 /home/ec2-user/testfile.txt s3://<MY_BUCKET_NAME>/`
# 6. Verify that the file has been copied to S3, even though outbound traffic is permitted only towards the VPC endpoint
# 7. Destroy this test environment with `terraform destroy`
# AWS provider for the test environment. The two placeholder keys are the
# ones step 1 asks you to replace. The provider also reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY and the shared credentials
# file, so real keys need not be written into this file at all.
provider "aws" {
  region     = "eu-west-1"
  access_key = "My_ACCESS_KEY"
  secret_key = "My_SECRET_KEY"
}
# Dedicated VPC that holds every resource of this test case; all other
# resources reference its id.
resource "aws_vpc" "tf_sg_prefix_list_egress_test" {
  cidr_block = "10.0.0.0/16"

  tags {
    Name = "tf_sg_prefix_list_egress_test_vpc"
  }
}
# Internet gateway used as the default route of the public subnet's route
# table; it is what makes SSH from outside (step 3) reachable.
resource "aws_internet_gateway" "igate" {
  vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}"

  tags {
    Name = "tf_sg_prefix_list_egress_test_gateway"
  }
}
# Route table the S3 endpoint is attached to (see aws_vpc_endpoint below).
# It defines no routes of its own and nothing in this file associates it
# with a subnet, so its only role here is to give the endpoint a route
# table to attach to.
resource "aws_route_table" "default" {
  vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}"
}
# Gateway endpoint for S3 in eu-west-1. The security group below uses its
# prefix_list_id as the only permitted egress destination.
#
# The endpoint policy is a blanket allow (Principal, Action and Resource
# are all "*"); that is acceptable for a throwaway test but should be
# scoped to the test bucket in any real deployment.
#
# NOTE(review): the endpoint is attached to aws_route_table.default, which
# no subnet in this file uses, while the instance's subnet routes
# 0.0.0.0/0 through the internet gateway. As written, instance traffic to
# S3 appears to leave through the gateway rather than the endpoint (the
# security group still limits it to the S3 prefix list). Attaching the
# endpoint to aws_route_table.public-subnet instead would make the test
# exercise the endpoint path; confirm that table's inline route block
# tolerates the route the endpoint manages before changing it.
resource "aws_vpc_endpoint" "s3-eu-west-1" {
  vpc_id          = "${aws_vpc.tf_sg_prefix_list_egress_test.id}"
  service_name    = "com.amazonaws.eu-west-1.s3"
  route_table_ids = ["${aws_route_table.default.id}"]

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid":"AllowAll",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"*",
      "Resource":"*"
    }
  ]
}
POLICY
}
# Security group under test. Ingress admits SSH from anywhere so step 3
# works; narrow cidr_blocks to your own address when you run this.
# Egress is the subject of PR 7319: instead of a CIDR it allows every
# protocol and port, but only towards the S3 endpoint's prefix list, so
# the instance can reach S3 and nothing else.
resource "aws_security_group" "endpointtest" {
  name        = "terraform_acceptance_test_prefix_list_egress"
  description = "Used in the terraform acceptance tests"
  vpc_id      = "${aws_vpc.tf_sg_prefix_list_egress_test.id}"

  # SSH in from any address.
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All traffic out, but only to the S3 prefix list ("-1" = any protocol).
  egress {
    protocol        = "-1"
    from_port       = 0
    to_port         = 0
    prefix_list_ids = ["${aws_vpc_endpoint.s3-eu-west-1.prefix_list_id}"]
  }
}
# Single EC2 instance placed in the public subnet, attached to the security
# group under test and carrying the S3 instance profile, so the `aws s3 cp`
# in step 5 needs no credentials on the box.
#
# The AMI id is region specific (eu-west-1) and will need updating if the
# image is retired. With delete_on_termination = false the root volume is
# kept when the instance is terminated, so it outlives `terraform destroy`
# (step 7) and has to be deleted by hand; set it to true if that is not
# wanted.
resource "aws_instance" "instance_one" {
  count = 1

  ami           = "ami-f9dd458a"
  instance_type = "t2.nano"
  key_name      = "MY_SSH_KEY_NAME"

  subnet_id                   = "${aws_subnet.public-subnet.id}"
  associate_public_ip_address = true
  vpc_security_group_ids      = ["${aws_security_group.endpointtest.id}"]
  iam_instance_profile        = "${aws_iam_instance_profile.profile.id}"

  root_block_device {
    volume_size           = 10
    delete_on_termination = false
  }
}
/*
  Public Subnet
*/

# Subnet the instance lives in, carved out of the VPC's /16.
resource "aws_subnet" "public-subnet" {
  vpc_id     = "${aws_vpc.tf_sg_prefix_list_egress_test.id}"
  cidr_block = "10.0.0.0/24"

  tags {
    Name = "tf_sg_prefix_list_egress_test_vpc_subnet"
  }
}
# Route table for the public subnet: everything not local goes to the
# internet gateway. Note that the S3 endpoint is not attached to this
# table (it is attached to aws_route_table.default).
resource "aws_route_table" "public-subnet" {
  vpc_id = "${aws_vpc.tf_sg_prefix_list_egress_test.id}"

  tags {
    Name = "tf_sg_prefix_list_egress_test_vpc_subnet_route"
  }

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.igate.id}"
  }
}
# Binds the public subnet to its internet-gateway route table.
resource "aws_route_table_association" "public-subnet" {
  route_table_id = "${aws_route_table.public-subnet.id}"
  subnet_id      = "${aws_subnet.public-subnet.id}"
}
/*
  Instance Profile
*/

# Instance profile that hands the S3 role below to the EC2 instance.
resource "aws_iam_instance_profile" "profile" {
  name  = "tf_sg_prefix_list_egress_test_profile"
  path  = "/"
  roles = ["${aws_iam_role.role.name}"]
}
# Role assumed by the EC2 service on behalf of the instance. The trust
# policy allows only ec2.amazonaws.com to assume it; the permissions
# themselves are attached separately in aws_iam_role_policy._policy.
resource "aws_iam_role" "role" {
  path = "/"
  name = "tf_sg_prefix_list_egress_test_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
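# Permissions the instance gets through its role: S3 access limited to the
# test bucket named in step 1.
#
# The original single statement granted every action on
# "arn:aws:s3:::MY_BUCKET_NAME*", a pattern that also matches any other
# bucket whose name merely starts with MY_BUCKET_NAME. The statements are
# now split so bucket-level actions are granted on the bucket ARN and
# object-level actions on the bucket's objects only. s3:ListAllMyBuckets
# was dropped: it only takes effect against "arn:aws:s3:::*", so it was
# inert under the bucket-scoped resource anyway.
resource "aws_iam_role_policy" "_policy" {
  name = "tf_sg_prefix_list_egress_test_role"
  role = "${aws_iam_role.role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::MY_BUCKET_NAME"
    },
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*"
    }
  ]
}
EOF
}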