aws-ec2-instance-dual-stack-ipv4-ipv6

clstokes · clstokes · commit ebed1adab214 · 2024-09-16T12:49:54.000-07:00
diff --git a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
@@ -1,16 +1,40 @@
 locals {
   name = "example-${basename(path.cwd)}"
 
-  tags = {
+  aws_tags = {
     Name = local.name
   }
+
+  tailscale_acl_tags = [
+    "tag:example-infra",
+    "tag:example-exitnode",
+    "tag:example-subnetrouter",
+    "tag:example-appconnector",
+  ]
+  tailscale_set_preferences = [
+    "--auto-update",
+    "--ssh",
+    "--advertise-connector",
+    "--advertise-exit-node",
+    "--advertise-routes=${join(",", [
+      local.vpc_cidr_block,
+    ])}",
+  ]
+
+  // Modify these to use your own VPC
+  vpc_cidr_block     = module.vpc.vpc_cidr_block
+  vpc_id             = module.vpc.vpc_id
+  subnet_id          = module.vpc.public_subnets[0]
+  security_group_ids = [aws_security_group.tailscale.id]
+  instance_type      = "t4g.micro"
 }
 
+// Remove this to use your own VPC.
 module "vpc" {
   source = "../internal-modules/aws-vpc"
 
   name = local.name
-  tags = local.tags
+  tags = local.aws_tags
 
   cidr = "10.0.80.0/22"
 
@@ -25,41 +49,59 @@ resource "tailscale_tailnet_key" "main" {
   preauthorized       = true
   reusable            = true
   recreate_if_invalid = "always"
-  tags = [
-    "tag:example-infra",
-    "tag:example-exitnode",
-    "tag:example-subnetrouter",
-    "tag:example-appconnector",
-  ]
+  tags                = local.tailscale_acl_tags
 }
 
 module "tailscale_aws_ec2" {
   source = "../internal-modules/aws-ec2-instance"
 
-  instance_type = "t4g.micro"
-  instance_tags = local.tags
+  instance_type = local.instance_type
+  instance_tags = local.aws_tags
 
-  subnet_id = module.vpc.private_subnets[0]
-  vpc_security_group_ids = [
-    module.vpc.tailscale_security_group_id,
-  ]
-  ipv6_address_count = 1
+  subnet_id              = local.subnet_id
+  vpc_security_group_ids = local.security_group_ids
+  ipv6_address_count     = 1
 
   # Variables for Tailscale resources
-  tailscale_hostname = local.name
-  tailscale_auth_key = tailscale_tailnet_key.main.key
-  tailscale_set_preferences = [
-    "--auto-update",
-    "--ssh",
-    "--advertise-connector",
-    "--advertise-exit-node",
-    "--advertise-routes=${join(",", [
-      module.vpc.vpc_cidr_block,
-      module.vpc.vpc_ipv6_cidr_block,
-    ])}",
-  ]
+  tailscale_hostname        = local.name
+  tailscale_auth_key        = tailscale_tailnet_key.main.key
+  tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
+
+resource "aws_security_group" "tailscale" {
+  vpc_id = local.vpc_id
+  name   = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 41641
+  to_port           = 41641
+  protocol          = "udp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [local.vpc_cidr_block]
+}
