nextcloud-aws/nextcloud.tf

231 lines
4.7 KiB
Terraform
Raw Permalink Normal View History

2021-12-26 13:19:05 -08:00
2021-12-26 13:26:29 -08:00
provider "aws" {
region = "us-west-2" # XXX make this configurable
}
2021-12-26 13:19:05 -08:00
resource "random_pet" "name" {}
2021-12-26 17:38:18 -08:00
# https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws/latest
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
2021-12-26 13:19:05 -08:00
bucket = "nextcloud-${random_pet.name.id}"
acl = "private"
2021-12-26 17:38:18 -08:00
versioning = {
enabled = false
}
2022-01-08 14:21:19 -08:00
server_side_encryption_configuration = {
rule = {
apply_server_side_encryption_by_default = {
sse_algorithm = "AES256"
}
bucket_key_enabled = true
}
}
2021-12-26 17:38:18 -08:00
}
# https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "nextcloud-vpc"
cidr = "10.69.0.0/16"
azs = ["us-west-2a"]
2021-12-26 17:38:18 -08:00
# private_subnets = ["10.69.101.0/24"]
private_subnets = []
public_subnets = ["10.69.1.0/24"]
enable_nat_gateway = false
enable_vpn_gateway = false
}
resource "tls_private_key" "n" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "aws_key_pair" "n" {
key_name = "nextcloud"
public_key = tls_private_key.n.public_key_openssh
}
resource "local_file" "aws_key" {
content = tls_private_key.n.private_key_pem
filename = "privkey.pem"
}
2021-12-26 17:38:18 -08:00
resource "aws_instance" "nextcloud" {
ami = "ami-078278691222aee06"
2022-01-14 20:06:06 -08:00
instance_type = "t4g.small"
subnet_id = module.vpc.public_subnets.0
key_name = aws_key_pair.n.key_name
iam_instance_profile = aws_iam_instance_profile.nextcloud.name
# associate_public_ip_address = false
vpc_security_group_ids = [ module.nextcloud_sg.security_group_id ]
user_data = <<EOF
#!/bin/bash
sudo snap install amazon-ssm-agent --classic
EOF
2021-12-26 17:38:18 -08:00
tags = {
Name = "nextcloud"
}
2021-12-26 13:19:05 -08:00
}
# get my public IP address. For now, it's the only thing that should be able to access.
data "http" "myip" {
url = "http://ipv4.icanhazip.com"
}
module "nextcloud_sg" {
source = "terraform-aws-modules/security-group/aws"
name = "nextcloud"
description = "Nextcloud SG"
vpc_id = module.vpc.vpc_id
egress_rules = [ "all-all" ]
ingress_with_cidr_blocks = [
{
rule = "http-80-tcp"
cidr_blocks = "0.0.0.0/0"
},
{
rule = "https-443-tcp"
cidr_blocks = "0.0.0.0/0"
2022-01-03 08:08:38 -08:00
},
{
from_port = 9100
to_port = 9100
protocol = "tcp"
description = "Prometheus node-exporter"
cidr_blocks = "${chomp(data.http.myip.body)}/32"
},
]
}
resource "aws_eip" "nextcloud" {
vpc = true
instance = aws_instance.nextcloud.id
}
2021-12-26 13:19:05 -08:00
resource "aws_iam_instance_profile" "nextcloud" {
name = "nextcloud"
role = aws_iam_role.nextcloud.name
path = "/"
}
resource "aws_iam_role" "nextcloud" {
name = "nextcloud"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
path = "/"
description = "SSM permissions for Nextcloud"
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
resource "aws_iam_policy" "nextcloud" {
name = "nextcloud"
policy = data.aws_iam_policy.nextcloud.policy
path = "/"
description = "SSM permissions for Nextcloud"
}
resource "aws_iam_role_policy_attachment" "nextcloud" {
role = aws_iam_role.nextcloud.name
policy_arn = aws_iam_policy.nextcloud.arn
}
locals {
iam_name = "nextcloud-session-manager"
}
data "aws_iam_policy" "nextcloud" {
arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
2022-01-02 08:59:38 -08:00
## route53
module "zone" {
source = "terraform-aws-modules/route53/aws//modules/zones"
version = "~> 2.0"
zones = {
"cloud.stoopid.club" = {
comment = "cloud.stoopid.club"
}
}
}
module "records" {
source = "terraform-aws-modules/route53/aws//modules/records"
version = "~> 2.0"
zone_name = keys(module.zone.route53_zone_zone_id)[0]
records = [
{
name = ""
type = "A"
ttl = 600 # 10 minutes
records = [ aws_instance.nextcloud.public_ip ]
},
]
depends_on = [module.zone]
}
## generate admin password
resource "random_password" "admin" {
length = 20
special = true
lower = true
upper = true
number = true
}
resource "local_file" "adminpass" {
content = random_password.admin.result
filename = "roles/nextcloud/files/adminpass"
}
## outputs
output "instance_id" {
value = aws_instance.nextcloud.id
}
output "public_ip" {
value = aws_instance.nextcloud.public_ip
}
2022-01-02 08:59:38 -08:00
output "nameservers" {
value = module.zone.route53_zone_name_servers
}
output "bucket" {
value = module.s3_bucket.s3_bucket_id
}
2022-01-08 15:00:39 -08:00
output "myip" {
value = "${chomp(data.http.myip.body)}"
}