# Provider requirements. "~> 5.25.0" permits patch releases of 5.25 only
# (>= 5.25.0, < 5.26.0), so a minor-version bump of the AWS provider is an
# explicit, reviewable change rather than something `terraform init -upgrade`
# pulls in silently.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.25.0"
    }
  }
}
# AWS provider; the target region is supplied by the caller through
# var.aws_region (declared outside this file). Credentials are not set here,
# so the provider falls back to the standard AWS credential chain
# (environment, shared config/credentials files, instance/role metadata).
provider "aws" {
  region = var.aws_region
}
# Registers the operator's SSH public key with EC2 so the instance below can
# be reached over SSH (both interactively and by the file provisioners).
# Only the public half is sent to AWS; the matching private key is read
# locally from var.own_path_ssh_private_key at apply time.
#
# NOTE(review): the key-pair name is a fixed literal. EC2 key-pair names are
# unique per account and region, so a second deployment of this config into
# the same account/region will fail on the name collision.
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = var.own_ssh_key
}
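# Single internet-facing web server. The first-boot script installs Apache +
# mod_ssl, a host firewall (firewalld, HTTP/HTTPS only), unattended security
# updates (dnf-automatic) and certbot in a venv, then wires up a systemd
# timer (letencrypt.timer) that renews the Let's Encrypt certificate for
# var.aws_web_site_name.
#
# Inputs (all declared outside this file): var.aws_instance_ami,
# var.aws_instance_type, var.aws_web_site_name, var.own_email,
# var.own_timezone, var.own_path_ssh_private_key.
#
# Change from the previous version: the four identical SSH `connection`
# blocks (one per file provisioner) are replaced by a single resource-level
# `connection` block, which Terraform applies to every provisioner in the
# resource. Behaviour is unchanged; there is now one place to edit.
#
# NOTE(review): hardening not applied here because each item changes the
# instance and should be a deliberate change on its own:
#   - `metadata_options { http_tokens = "required" }` to require IMDSv2 on
#     an internet-exposed host (nothing in the script below reads IMDS).
#   - `root_block_device { encrypted = true }` for the root volume.
resource "aws_instance" "my_aws" {
  ami                    = var.aws_instance_ami
  instance_type          = var.aws_instance_type
  key_name               = aws_key_pair.deployer.id
  vpc_security_group_ids = [aws_security_group.instance.id]

  # First-boot script, executed once by cloud-init as root (the `sudo`
  # prefixes are therefore redundant but harmless).
  #
  # NOTE(review): the script copies http.conf, letencrypt.sh,
  # letencrypt.service and letencrypt.timer out of /tmp, but those files are
  # uploaded by the "file" provisioners further down, which connect over SSH
  # after the instance is reachable. Terraform gives no ordering guarantee
  # between cloud-init reaching this script and those uploads — TODO confirm;
  # the lengthy `dnf update -y` at the top is presumably what makes the
  # uploads win in practice.
  #
  # NOTE(review): `sed` substitutes var.aws_web_site_name and var.own_email
  # into paths and patterns using `/` as the delimiter — assumes neither value
  # contains `/` or other sed metacharacters.
  #
  # NOTE(review): `pip install certbot certbot-apache` is unpinned, so each
  # new instance gets whatever PyPI serves that day; pinning versions (and
  # ideally using hash-checking mode) would make the host build reproducible.
  user_data = <<-EOF
    #!/bin/bash
    sudo dnf update -y
    sudo dnf install firewalld -y
    sudo systemctl enable firewalld
    sudo systemctl start firewalld
    sudo firewall-cmd --permanent --zone=public --add-service=http
    sudo firewall-cmd --permanent --zone=public --add-service=https
    sudo firewall-cmd --reload
    sudo dnf install dnf-automatic -y
    sudo sed -i 's/upgrade_type = default/upgrade_type = security/g' /etc/dnf/automatic.conf
    sudo sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/dnf/automatic.conf
    systemctl enable --now dnf-automatic.timer
    sudo dnf install httpd mod_ssl -y
    sudo cp -Rf /tmp/http.conf /etc/httpd/conf.d/${var.aws_web_site_name}.conf
    sudo sed -i 's/WEB_SITE_NAME/${var.aws_web_site_name}/g' /etc/httpd/conf.d/${var.aws_web_site_name}.conf
    sudo mkdir /var/www/html/${var.aws_web_site_name}
    sudo chown -Rf apache:apache /var/www/html/${var.aws_web_site_name}
    sudo echo "<html><body><h1>It works!</h1></body></html>" > /var/www/html/${var.aws_web_site_name}/index.html
    sudo systemctl enable httpd
    sudo dnf install -y augeas-libs
    sudo python3 -m venv /opt/certbot/
    sudo /opt/certbot/bin/pip install --upgrade pip
    sudo /opt/certbot/bin/pip install certbot certbot-apache
    sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
    sudo cp -Rf /tmp/letencrypt.sh /usr/local/bin/letencrypt.sh
    sudo chmod a+x /usr/local/bin/letencrypt.sh
    sudo sed -i 's/DOMAIN/${var.aws_web_site_name}/g' /usr/local/bin/letencrypt.sh
    sudo sed -i 's/EMAIL/${var.own_email}/g' /usr/local/bin/letencrypt.sh
    sudo cp -Rf /tmp/letencrypt.service /etc/systemd/system/letencrypt.service
    sudo cp -Rf /tmp/letencrypt.timer /etc/systemd/system/letencrypt.timer
    sudo systemctl start letencrypt.service
    sudo systemctl enable letencrypt.timer
    sudo timedatectl set-timezone ${var.own_timezone}
  EOF

  # Shared SSH connection for all file provisioners in this resource. The
  # private key is read from the local filesystem at apply time and is used
  # only by Terraform's SSH client; `host` is the instance's public IP, which
  # is why the security group must admit SSH from wherever `terraform apply`
  # runs.
  connection {
    type        = "ssh"
    user        = "ec2-user"
    host        = self.public_ip
    private_key = file(var.own_path_ssh_private_key)
    timeout     = "2m"
  }

  # Apache vhost template; WEB_SITE_NAME is substituted by the boot script.
  provisioner "file" {
    source      = "http.conf"
    destination = "/tmp/http.conf"
  }

  # Certificate issue/renew script; DOMAIN and EMAIL are substituted by the
  # boot script.
  provisioner "file" {
    source      = "letencrypt.sh"
    destination = "/tmp/letencrypt.sh"
  }

  # systemd unit and timer that run letencrypt.sh on a schedule.
  provisioner "file" {
    source      = "letencrypt.service"
    destination = "/tmp/letencrypt.service"
  }

  provisioner "file" {
    source      = "letencrypt.timer"
    destination = "/tmp/letencrypt.timer"
  }
}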
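# Network policy for the web server: HTTP, HTTPS and SSH in from anywhere,
# unrestricted egress.
#
# Fix: the HTTPS rule's description read "80 from the internet" (copied from
# the HTTP rule); it now says 443. Descriptions are metadata only, so this is
# an in-place update with no effect on traffic.
#
# NOTE(review): SSH (22) is admitted from 0.0.0.0/0. Some SSH ingress is
# required because aws_instance.my_aws uses "file" provisioners that connect
# over SSH from the machine running `terraform apply`, but that is a single
# known source range, not the whole internet. Narrowing this rule to the
# operator/CI egress CIDR(s) is the single most valuable hardening change in
# this file. It is left as-is here only because the allowed range is not
# declared anywhere on this page; the change would be
# `cidr_blocks = [var.admin_cidr]` with a new variable (name is a placeholder,
# not defined in this config).
#
# NOTE(review): the egress rule permits all protocols to all destinations.
# That matches the AWS default for a new security group, but an
# internet-facing host normally needs only 80/443 out (package repos, PyPI,
# ACME) plus DNS/NTP; tightening it limits what a compromised instance can
# reach.
#
# NOTE(review): `create_before_destroy` with a fixed `name` means that if this
# group ever has to be replaced, the replacement is created while the old one
# still holds the name and the create fails on the duplicate. `name_prefix`
# instead of `name` avoids that; not changed here because `name` is supplied
# by the caller.
resource "aws_security_group" "instance" {
  name = var.security_group_name

  ingress {
    description = "SSH from the internet"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "80 from the internet"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "443 from the internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # protocol "-1" = all protocols; from/to 0 = all ports.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Bring up the replacement before removing the old group so the instance
  # referencing it is never left without a security group.
  lifecycle {
    create_before_destroy = true
  }
}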