diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index ebec1a0c..00000000 --- a/.circleci/config.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -version: 2 -workflows: - version: 2 - test: - jobs: - - format_check - - validation_check - -jobs: - format_check: - docker: - - image: "hashicorp/terraform:0.12.13" - steps: - - checkout - - run: - name: Check terraform formatting - command: terraform fmt -check=true -write=false -diff - validation_check: - working_directory: ~ - docker: - - image: "hashicorp/terraform:0.12.13" - steps: - - checkout - - run: - name: create fake license file - command: touch ~/fake.rli - - run: - name: create fake tfvars file and provider stub - command: echo -e "domain = \"example.com\"\nlicense_file = \"~/fake.rli\"\nvpc_id = \"vpc-1234567890\"\n" > terraform.tfvars - - run: - name: create provider stub - command: echo -e "provider \"aws\" {\n region = \"us-west-2\"\n}\n" > provider.tf - - run: - name: init configs and check if valid - command: terraform init && terraform validate diff --git a/.gitignore b/.gitignore index 29ca86ef..24a75fd7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,16 @@ -# Local .terraform directories +# Local .terraform directories +/.terraform/ **/.terraform/* -work/ \ No newline at end of file +# .tfstate files +*.tfstate +*.tfstate.* + +# .tfvars files +*.tfvars + +# Terraform lock file +.terraform.lock.hcl + +.DS_Store +*.bk diff --git a/.scripts/doc-gen.sh b/.scripts/doc-gen.sh deleted file mode 100755 index 6a70a491..00000000 --- a/.scripts/doc-gen.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/bin/bash - -set -e - -BINARY_DIR=./work -BINARY_FILE="${BINARY_DIR}/terraform-docs" -BINARY_VERSION=0.8.2 -BINARY_URL_PREFIX="https://github.com/segmentio/terraform-docs/releases/download/v${BINARY_VERSION}/terraform-docs-v${BINARY_VERSION}" - -DOCS_CMDS="--sort-by-required --no-header markdown table" -DOCS_DIR=docs - -VARS_TF=variables.tf -OUTS_TF=outputs.tf - -INS_MD=inputs.md -OUTS_MD=outputs.md - - -function setup { - mkdir -p ${BINARY_DIR} - if [[ ! -e "${BINARY_FILE}" ]]; then - if [[ "$OSTYPE" == "linux-gnu" ]]; then - BINARY_URL="${BINARY_URL_PREFIX}-linux-amd64" - elif [[ "$OSTYPE" == "darwin"* ]]; then - BINARY_URL="${BINARY_URL_PREFIX}-darwin-amd64" - else - echo "Please run this in either a Linux or Mac environment." - exit 1 - fi - echo "Downloading ${BINARY_URL}" - curl -L -o "${BINARY_FILE}" "${BINARY_URL}" - chmod +x "${BINARY_FILE}" - fi -} - -function main_docs { - if test ! -d "${DOCS_DIR}"; then - mkdir "${DOCS_DIR}" - fi - - echo -e "# Terraform Enterprise: Clustering\n" | tee "${DOCS_DIR}/${INS_MD}" "${DOCS_DIR}/${OUTS_MD}" &> /dev/null - - eval "${BINARY_FILE} ${DOCS_CMDS} --no-outputs --no-providers" . >> "${DOCS_DIR}/${INS_MD}" - eval "${BINARY_FILE} ${DOCS_CMDS} --no-inputs --no-providers" . >> "${DOCS_DIR}/${OUTS_MD}" - -} - - -function module_docs { - if test -d ./modules; then - for dir in ./modules/*; do - mkdir -p "${dir}/${DOCS_DIR}" - - echo -e "# Terraform Enterprise: Clustering\n" | tee "${dir}/${DOCS_DIR}/${INS_MD}" "${dir}/${DOCS_DIR}/${OUTS_MD}" &> /dev/null - - eval "${BINARY_FILE} ${DOCS_CMDS} --no-outputs --no-providers ${dir}" >> "${dir}/${DOCS_DIR}/${INS_MD}" - eval "${BINARY_FILE} ${DOCS_CMDS} --no-inputs --no-providers ${dir}" >> "${dir}/${DOCS_DIR}/${OUTS_MD}" - done - else - echo "No modules directory, skipping." - fi -} - - -setup -main_docs -module_docs - - - diff --git a/LICENSE b/LICENSE index 261eeb9e..a612ad98 100644 --- a/LICENSE +++ b/LICENSE @@ -1,201 +1,373 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. "Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. * +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. +Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/Makefile b/Makefile deleted file mode 100644 index a2ac87ef..00000000 --- a/Makefile +++ /dev/null @@ -1,3 +0,0 @@ -.PHONY: docs -docs: - .scripts/doc-gen.sh diff --git a/README.md b/README.md index e00a2b5e..bf507d68 100644 --- a/README.md +++ b/README.md @@ -1,40 +1,126 @@ -# Terraform Enterprise: Clustering for AWS (Deprecated) +# Terraform Enterprise AWS Module -![Terraform Logo](https://github.com/hashicorp/terraform-aws-terraform-enterprise/blob/master/assets/TerraformLogo.png?raw=true) +This is a Terraform module for provisioning a Terraform Enterprise Cluster on AWS. Terraform Enterprise is our self-hosted distribution of Terraform Cloud. It offers enterprises a private instance of the Terraform Cloud application, with no resource limits and with additional enterprise-grade architectural features like audit logging and SAML single sign-on. -![Status: Deprecated](https://img.shields.io/badge/Status-Deprecated-red) +## About This Module -## Deprecation +This module will install Terraform Enterprise on AWS according to the [HashiCorp Reference Architecture](https://www.terraform.io/docs/enterprise/before-installing/reference-architecture/aws.html). This module is intended to be used by practitioners seeking a Terraform Enterprise installation which requires minimal configuration in the AWS cloud. -This module is a legacy install and is still available for customers who have already installed Terraform Enterprise: Clustering. New users should use this guide to install Terraform Enterprise: [terraform.io/docs/enterprise/install](https://www.terraform.io/docs/enterprise/install/index.html) or contact your Technical Account Manager for more details. +As the goal for this main module is to provide a drop-in solution for installing Terraform Enterprise via the Golden Path, it leverages AWS native solutions such as Route 53 and a vanilla AWS-supplied base AMI. We have provided guidance and limited examples for other use cases. -## Description +## Pre-requisites -This module installs Terraform Enterprise: Clustering onto three or more AWS instances. +This module is intended to run in an AWS account with minimal preparation, however it does have the following pre-requisites: -The Replicated license used must have been activated for Terraform Enterprise: Clustering before this module can be used. +### Terraform version >= 0.13 -*Note: This module is for Terraform 0.12+.* If you require a version this module for Terraform 0.11.x you can find an archived unsupported version in the `v0.1` branch of this project. +This module requires Terraform version `0.13` or greater to be installed on the running machine. -## Architecture +### Credentials / Permissions -![basic diagram](https://github.com/hashicorp/terraform-aws-terraform-enterprise/blob/master/assets/aws_diagram.jpg?raw=true) -_example architecture_ +#### AWS Services Used -Please contact your Technical Account Manager for more information, and support for any issues you have. +* AWS Identity & Access Management (IAM) +* AWS Key Management System (KMS) +* Amazon RDS (Postgres) +* Amazon EC2 +* Amazon Elastic Loadbalancing (ALB) +* Amazon Certificate Manager (ACM) +* Amazon Route53 +* Amazon Elasticache (Redis) +* Amazon VPC +* Amazon S3 +* [OPTIONAL] Amazon Secrets Manager -## Examples +### Public Hosted Zone + +If you are managing DNS via AWS Route53 the hosted zone entry is created automatically as part of your domain management. + +If you're managing DNS outside of Route53, please see the documentation on [creating a hosted zone for a subdomain](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html), which you will need to do for the subdomain you are planning to use for your Terraform Enterprise installation. To create this hosted zone with Terraform, use [the `aws_route53_zone` resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone). + +### ACM Certificate + +Certificate validation can take up two hours, causing timeouts during module apply if the cert is generated as one of the resources contained in the module. For that reason, once the hosted zone has been created, the certificate must be created or imported into ACM. To create or import manually, see the [AWS ACM certificate documentation](https://docs.aws.amazon.com/acm/latest/userguide/gs.html). To create or manage certificates with Terraform, we recommend the [official ACM module in the Terraform Registry](https://registry.terraform.io/modules/terraform-aws-modules/acm/aws/latest). + +**Note:** This module has been tested in the following AWS regions: +- `us-east-1` +- `eu-west-1` +- `eu-west-2` + +## How to Use This Module + +- Ensure account meets module pre-requisites from above. + +- Create a Terraform configuration that pulls in this module and specifies values + of the required variables: + +```hcl +provider "aws" { + region = "" +} -Please see the [examples directory](https://github.com/hashicorp/terraform-aws-terraform-enterprise/tree/master/examples/) for more extensive examples. +module "tfe_node" { + source = "" + friendly_name_prefix = "" + domain_name = "" + tfe_license_filepath = "" + acm_certificate_arn = "" +} +``` -## Inputs +- *OPTIONAL*: This module can be deployed with a custom AMI rather than the default base given (Ubuntu 20.04 LTS), and has been verified to be functional with Ubuntu 20.04 LTS and RHEL 7.x based images. To deploy using a custom image, use the following configuration instead: -Please see the [inputs documentation](https://registry.terraform.io/modules/hashicorp/terraform-enterprise/aws/?tab=inputs) +```hcl +provider "aws" { + region = "" +} + +module "tfe_node" { + source = "" + ami_id = "" + friendly_name_prefix = "" + domain_name = "" + tfe_license_filepath = "" + acm_certificate_arn = "" +} +``` + +- Run `terraform init` and `terraform apply` + +* Note: When using SSH to connect from the bastion host to the TFE instances, specify the SSH private key with the following command: + +```shell +$ ssh -i ~/.ssh/tfe +``` + +## Module Manifest + +This module will create all infrastructure resources required to install Terraform Enterprise in a standalone or active-active configuration (depending on how many nodes you specify) on AWS in the designated region according to the Reference Architecture. The default base AMI used is Ubuntu 20.04 LTS but you may specify a RHEL 7.x AMI ID by using the `ami_id` variable. + +The resources created are: + +* VPC with public and private subnets and bastion host +* PostgreSQL instance +* Redis cache +* S3 bucket for installation bootstrapping +* Auto-scaling group behind Application Load Balancer (ALB) +* Secrets Manager Secret used for deploys +* KMS key +* IAM Instance Role and IAM Policy to allow instances to retrieve bootstrap secrets +* Route53 A Record for Load Balancer on TFE domain +* Supporting security groups and rules for application functionality + +## Examples -Repository versions of the inputs documentation can be found in [docs/inputs.md](docs/inputs.md) +We have included documentation and reference examples for additional common installation scenarios for TFE, as well as examples for supporting resources that lack official modules. -## Outputs +* [Example: Deploying behind a proxy](./examples/behind-proxy) +* [Example: Deploying into an existing private network](./examples/existing-private-network) +* [Example: Deploying while managing DNS outside of AWS](./examples/external-dns) +* [Example: Deploying the Startup Persona](./examples/personas-startup) +* [Example: Deploying the Retailer Persona](./examples/personas-retailer) +* [Example: Deploying the Bank Persona](./examples/personas-bank) -Please see the [outputs documentation](https://registry.terraform.io/modules/hashicorp/terraform-enterprise/aws/?tab=outputs) +## License -Repository versions of the outputs documentation can be found in [docs/outputs.md](docs/outputs.md) +This code is released under the Mozilla Public License 2.0. Please see [LICENSE](https://github.com/hashicorp/terraform-aws-consul-oss/blob/master/LICENSE) for more details. diff --git a/assets/TerraformLogo.png b/assets/TerraformLogo.png deleted file mode 100644 index 4ce159ea..00000000 Binary files a/assets/TerraformLogo.png and /dev/null differ diff --git a/assets/aws_diagram.jpg b/assets/aws_diagram.jpg deleted file mode 100644 index aafb1998..00000000 Binary files a/assets/aws_diagram.jpg and /dev/null differ diff --git a/assets/output.jpg b/assets/output.jpg deleted file mode 100644 index 13b02265..00000000 Binary files a/assets/output.jpg and /dev/null differ diff --git a/config.tf b/config.tf deleted file mode 100644 index 63035fb1..00000000 --- a/config.tf +++ /dev/null @@ -1,131 +0,0 @@ -locals { - app_data_mode = var.postgresql_address != "" ? "external_services" : "demo" - app_network_type = var.airgap_package_url != "" ? "airgap" : "online" - install_type = "${local.app_data_mode}-${local.app_network_type}" -} - -# Settings for automated PTFE installation -data "template_file" "repl_ptfe_config" { - template = local.rptfeconf[local.install_type] - - vars = { - hostname = module.lb.endpoint - enc_password = local.encryption_password - iact_subnet_list = var.iact_subnet_list - iact_subnet_time_limit = var.iact_subnet_time_limit - pg_user = var.postgresql_user - pg_password = var.postgresql_password - pg_netloc = var.postgresql_address - pg_dbname = var.postgresql_database - pg_extra_params = var.postgresql_extra_params - aws_instance_profile = var.aws_instance_profile ? "1" : "0" - aws_access_key_id = var.aws_access_key_id - aws_secret_access_key = var.aws_secret_access_key - s3_bucket_name = var.s3_bucket - s3_bucket_region = var.s3_region - additional_no_proxy = var.additional_no_proxy - } -} - -# Settings for automated replicated installation. -data "template_file" "repl_config" { - template = local.replconf[local.install_type] - - vars = { - console_password = random_pet.console_password.id - proxy_url = var.http_proxy_url - additional_no_proxy = var.additional_no_proxy - release_sequence = var.release_sequence - } -} - -locals { - internal_airgap_url = "http://${aws_elb.cluster_api.dns_name}:${local.assistant_port}/setup-files/replicated.tar.gz?token=${random_string.setup_token.result}" -} - -data "template_file" "cloud_config" { - count = local.primary_count - template = file("${path.module}/templates/cloud-config.yaml") - - vars = { - hostname = module.lb.endpoint - license_b64 = filebase64(var.license_file) - install_ptfe_sh = base64gzip(file("${path.module}/files/install-ptfe.sh")) - # Needed for Airgap installations - airgap_package_url = var.airgap_package_url - airgap_installer_url = var.airgap_package_url == "" ? "" : count.index == 0 ? var.airgap_installer_url : local.internal_airgap_url - bootstrap_token = "${random_string.bootstrap_token_id.result}.${random_string.bootstrap_token_suffix.result}" - cluster_api_lb = aws_elb.cluster_api.dns_name - cluster_api_endpoint = "${aws_elb.cluster_api.dns_name}:6443" - setup_token = random_string.setup_token.result - primary_pki_url = "http://${aws_elb.cluster_api.dns_name}:${local.assistant_port}/api/v1/pki-download?token=${random_string.setup_token.result}" - role_id = count.index - health_url = "http://${aws_elb.cluster_api.dns_name}:${local.assistant_port}/healthz" - assistant_host = "http://${aws_elb.cluster_api.dns_name}:${local.assistant_port}" - assistant_token = random_string.setup_token.result - proxy_url = var.http_proxy_url - additional_no_proxy = var.additional_no_proxy - installer_url = var.installer_url - weave_cidr = var.weave_cidr - repl_cidr = var.repl_cidr - ca_bundle_url = var.ca_bundle_url - import_key = var.import_key - startup_script = base64gzip(var.startup_script) - role = count.index == 0 ? "main" : "primary" - distro = var.distribution - rptfeconf = base64gzip(data.template_file.repl_ptfe_config.rendered) - replconf = base64gzip(data.template_file.repl_config.rendered) - } -} - -data "template_cloudinit_config" "config" { - count = local.primary_count - gzip = true - base64_encode = true - - part { - content_type = "text/cloud-config" - content = data.template_file.cloud_config[count.index].rendered - } -} - -data "template_file" "cloud_config_secondary" { - template = file("${path.module}/templates/cloud-config-secondary.yaml") - - vars = { - install_ptfe_sh = base64gzip(file("${path.module}/files/install-ptfe.sh")) - bootstrap_token = "${random_string.bootstrap_token_id.result}.${random_string.bootstrap_token_suffix.result}" - cluster_api_endpoint = "${aws_elb.cluster_api.dns_name}:6443" - health_url = "http://${aws_elb.cluster_api.dns_name}:${local.assistant_port}/healthz" - assistant_host = "http://${aws_elb.cluster_api.dns_name}:${local.assistant_port}" - assistant_token = random_string.setup_token.result - proxy_url = var.http_proxy_url - additional_no_proxy = var.additional_no_proxy - installer_url = var.installer_url - role = "secondary" - airgap_installer_url = var.airgap_package_url == "" ? "" : local.internal_airgap_url - ca_bundle_url = var.ca_bundle_url - import_key = var.import_key - } -} - -data "template_cloudinit_config" "config_secondary" { - gzip = true - base64_encode = true - - part { - content_type = "text/cloud-config" - content = data.template_file.cloud_config_secondary.rendered - } -} - -data "template_file" "ssh_config" { - template = file("${path.module}/templates/ssh_config") - - vars = { - hostname = element(aws_instance.primary.*.public_ip, 0) - ssh_user = var.ssh_user != "" ? var.ssh_user : local.default_ssh_user - keyfile_path = module.common.ssh_priv_key_file - } -} - diff --git a/data/airgap.json b/data/airgap.json deleted file mode 100644 index 2d0efd30..00000000 --- a/data/airgap.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "hostname": { - "value": "${hostname}" - }, - "installation_type": { - "value": "poc" - }, - "enc_password": { - "value": "${enc_password}" - }, - "iact_subnet_list": { - "value": "${iact_subnet_list}" - }, - "iact_subnet_time_limit": { - "value": "${iact_subnet_time_limit}" - }, - "extra_no_proxy": { - "value": "${additional_no_proxy}" - } -} diff --git a/data/airgap_replicated.json b/data/airgap_replicated.json deleted file mode 100644 index e7c7cd3c..00000000 --- a/data/airgap_replicated.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "DaemonAuthenticationType" : "password", - "DaemonAuthenticationPassword" : "${console_password}", - "TlsBootstrapType" : "self-signed", - "BypassPreflightChecks" : true, - "ImportSettingsFrom" : "/etc/replicated-ptfe.conf", - "LicenseFileLocation" : "/etc/replicated.rli", - "LicenseBootstrapAirgapPackagePath" : "/var/lib/ptfe/ptfe.airgap", - "HttpProxy" : "${proxy_url}" - %{ if release_sequence != "" } - ,"ReleaseSequence": ${release_sequence} - %{ endif } -} diff --git a/data/demo.json b/data/demo.json deleted file mode 100644 index 37e256e2..00000000 --- a/data/demo.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "hostname": { - "value": "${hostname}" - }, - "installation_type": { - "value": "poc" - }, - "enc_password": { - "value": "${enc_password}" - }, - "iact_subnet_list": { - "value": "${iact_subnet_list}" - }, - "iact_subnet_time_limit": { - "value": "${iact_subnet_time_limit}" - }, - "extra_no_proxy": { - "value": "${additional_no_proxy}" - } -} diff --git a/data/demo_replicated.json b/data/demo_replicated.json deleted file mode 100644 index 333aa710..00000000 --- a/data/demo_replicated.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "DaemonAuthenticationType": "password", - "DaemonAuthenticationPassword": "${console_password}", - "TlsBootstrapType": "self-signed", - "BypassPreflightChecks": true, - "ImportSettingsFrom": "/etc/replicated-ptfe.conf", - "LicenseFileLocation": "/etc/replicated.rli", - "HttpProxy": "${proxy_url}" - %{ if release_sequence != "" } - ,"ReleaseSequence": ${release_sequence} - %{ endif } -} diff --git a/data/es.json b/data/es.json deleted file mode 100644 index fcbbe376..00000000 --- a/data/es.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "hostname": { - "value": "${hostname}" - }, - "installation_type": { - "value": "production" - }, - "production_type": { - "value": "external" - }, - "pg_user": { - "value": "${pg_user}" - }, - "pg_password": { - "value": "${pg_password}" - }, - "pg_netloc": { - "value": "${pg_netloc}" - }, - "pg_dbname": { - "value": "${pg_dbname}" - }, - "pg_extra_params": { - "value": "${pg_extra_params}" - }, - "aws_instance_profile": { - "value": "${aws_instance_profile}" - }, - "aws_access_key_id": { - "value": "${aws_access_key_id}" - }, - "aws_secret_access_key": { - "value": "${aws_secret_access_key}" - }, - "s3_bucket": { - "value": "${s3_bucket_name}" - }, - "s3_region": { - "value": "${s3_bucket_region}" - }, - "enc_password": { - "value": "${enc_password}" - }, - "iact_subnet_list": { - "value": "${iact_subnet_list}" - }, - "iact_subnet_time_limit": { - "value": "${iact_subnet_time_limit}" - }, - "extra_no_proxy": { - "value": "${additional_no_proxy}" - } -} - diff --git a/data/es_airgap.json b/data/es_airgap.json deleted file mode 100644 index 3f1b4b8c..00000000 --- a/data/es_airgap.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "hostname": { - "value": "${hostname}" - }, - "installation_type": { - "value": "production" - }, - "production_type": { - "value": "external" - }, - "pg_user": { - "value": "${pg_user}" - }, - "pg_password": { - "value": "${pg_password}" - }, - "pg_netloc": { - "value": "${pg_netloc}" - }, - "pg_dbname": { - "value": "${pg_dbname}" - }, - "pg_extra_params": { - "value": "${pg_extra_params}" - }, - "aws_instance_profile": { - "value": "${aws_instance_profile}" - }, - "aws_access_key_id": { - "value": "${aws_access_key_id}" - }, - "aws_secret_access_key": { - "value": "${aws_secret_access_key}" - }, - "s3_bucket": { - "value": "${s3_bucket_name}" - }, - "s3_region": { - "value": "${s3_bucket_region}" - }, - "enc_password": { - "value": "${enc_password}" - }, - "iact_subnet_list": { - "value": "${iact_subnet_list}" - }, - "iact_subnet_time_limit": { - "value": "${iact_subnet_time_limit}" - }, - "extra_no_proxy": { - "value": "${additional_no_proxy}" - } -} diff --git a/data/es_airgap_replicated.json b/data/es_airgap_replicated.json deleted file mode 100644 index a1f4c3e9..00000000 --- a/data/es_airgap_replicated.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "DaemonAuthenticationType": "password", - "DaemonAuthenticationPassword": "${console_password}", - "TlsBootstrapType": "self-signed", - "BypassPreflightChecks": true, - "ImportSettingsFrom": "/etc/replicated-ptfe.conf", - "LicenseFileLocation": "/etc/replicated.rli", - "LicenseBootstrapAirgapPackagePath" : "/var/lib/ptfe/ptfe.airgap" - %{ if release_sequence != "" } - ,"ReleaseSequence": ${release_sequence} - %{ endif } -} diff --git a/data/es_replicated.json b/data/es_replicated.json deleted file mode 100644 index 333aa710..00000000 --- a/data/es_replicated.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "DaemonAuthenticationType": "password", - "DaemonAuthenticationPassword": "${console_password}", - "TlsBootstrapType": "self-signed", - "BypassPreflightChecks": true, - "ImportSettingsFrom": "/etc/replicated-ptfe.conf", - "LicenseFileLocation": "/etc/replicated.rli", - "HttpProxy": "${proxy_url}" - %{ if release_sequence != "" } - ,"ReleaseSequence": ${release_sequence} - %{ endif } -} diff --git a/docs/inputs.md b/docs/inputs.md deleted file mode 100644 index b8411cc5..00000000 --- a/docs/inputs.md +++ /dev/null @@ -1,51 +0,0 @@ -# Terraform Enterprise: Clustering - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| domain | Route53 Domain to manage DNS under | `string` | n/a | yes | -| license\_file | path to license file | `string` | n/a | yes | -| vpc\_id | AWS VPC id to install into | `string` | n/a | yes | -| additional\_no\_proxy | Comma delimitted list of addresses (no spaces) to not use the proxy for | `string` | `""` | no | -| airgap\_installer\_url | URL to airgap installer package | `string` | `"https://s3.amazonaws.com/replicated-airgap-work/replicated__docker__kubernetes.tar.gz"` | no | -| airgap\_package\_url | signed URL to download the package | `string` | `""` | no | -| ami | AMI to launch instance with; defaults to latest Ubuntu Xenial | `string` | `""` | no | -| aws\_access\_key\_id | AWS access key id to connect to s3 with | `string` | `""` | no | -| aws\_instance\_profile | When set, use credentials from the AWS instance profile | `bool` | `false` | no | -| aws\_secret\_access\_key | AWS secret access key to connect to s3 with | `string` | `""` | no | -| ca\_bundle\_url | URL to Custom CA bundle used for outgoing connections | `string` | `"none"` | no | -| cert\_arn | Amazon Resource Name (ARN) for Certificate in the ACM you'd like to use (default uses domain or cert\_domain to look it up) | `string` | `""` | no | -| cert\_domain | domain to search for ACM certificate with (default is *.domain) | `string` | `""` | no | -| distribution | Type of linux distribution to use. (ubuntu or rhel) | `string` | `"ubuntu"` | no | -| egress\_allow\_list | List of CIDR blocks we allow the infrastructyre to access | `set(string)` | 
[
  "0.0.0.0/0"
]
| no | -| encryption\_password | encryption password to use as root secret (default is autogenerated) | `string` | `""` | no | -| hostname | hostname to assign to cluster under domain (default is autogenerated one) | `string` | `""` | no | -| http\_proxy\_url | HTTP(S) Proxy URL | `string` | `""` | no | -| iact\_subnet\_list | List of subnets to allow to access Initial Admin Creation Token (IACT) API. https://www.terraform.io/docs/enterprise/private/automating-initial-user.html | `string` | `""` | no | -| iact\_subnet\_time\_limit | Amount of time to allow access to IACT API after initial boot | `string` | `""` | no | -| import\_key | an ssh pub key to import to all machines | `string` | `""` | no | -| ingress\_allow\_list | List of CIDR blocks we allow to access the infrastructure | `set(string)` | `[]` | no | -| installer\_url | URL to the cluster setup tool | `string` | `"https://install.terraform.io/installer/ptfe-0.1.zip"` | no | -| postgresql\_address | address to connect to external postgresql database at | `string` | `""` | no | -| postgresql\_database | database name to use in exetrnal postgresql database | `string` | `""` | no | -| postgresql\_extra\_params | additional connection string parameters (must be url query params) | `string` | `""` | no | -| postgresql\_password | password to connect to external postgresql database as | `string` | `""` | no | -| postgresql\_user | user to connect to external postgresql database as | `string` | `""` | no | -| prefix | Name prefix for resource names and tags | `string` | `"tfe"` | no | -| primary\_instance\_type | ec2 instance type | `string` | `"m4.xlarge"` | no | -| private\_zone | set to true if your route53 zone is private | `string` | `false` | no | -| release\_sequence | Replicated release sequence number to install - this locks the install to a specific release | `string` | `""` | no | -| repl\_cidr | Specify a non-standard CIDR range for the replicated services. The default is 10.96.0.0/12 | `string` | `""` | no | -| s3\_bucket | S3 bucket to store objects into | `string` | `""` | no | -| s3\_region | Region of the S3 bucket | `string` | `""` | no | -| secondary\_count | The number of secondary cluster nodes to run | `string` | `5` | no | -| secondary\_instance\_type | ec2 instance type (Defaults to `primary_instance_type` if not set.) | `string` | `""` | no | -| ssh\_user | the user to connect to the instance as | `string` | `""` | no | -| startup\_script | shell script to run when primary instance boots the first time | `string` | `""` | no | -| subnet\_tags | tags to use to match subnets to use | `map(string)` | `{}` | no | -| tags | Map of tags to add to all resources | `map(string)` | `{}` | no | -| update\_route53 | whether or not to automatically update route53 records for the cluster | `string` | `true` | no | -| volume\_size | size of the root volume in gb | `string` | `"100"` | no | -| weave\_cidr | Specify a non-standard CIDR range for weave. The default is 10.32.0.0/12 | `string` | `""` | no | - diff --git a/docs/outputs.md b/docs/outputs.md deleted file mode 100644 index 72336f4d..00000000 --- a/docs/outputs.md +++ /dev/null @@ -1,21 +0,0 @@ -# Terraform Enterprise: Clustering - -## Outputs - -| Name | Description | -|------|-------------| -| allow\_ptfe\_sg\_id | n/a | -| application\_endpoint | n/a | -| application\_health\_check | n/a | -| iam\_role | n/a | -| install\_id | n/a | -| installer\_dashboard\_password | n/a | -| installer\_dashboard\_url | n/a | -| intra\_vpc\_ingress\_and\_egress\_sg\_id | n/a | -| load\_balancer\_dns\_name | n/a | -| primary\_public\_ip | n/a | -| public\_subnets | n/a | -| ssh\_config\_file | n/a | -| ssh\_key\_name | ## Some small outputs to allow simpler testing of things like proxies ## as we need these bits to spin up an additional instance along side the cluster ## In the future we should probably be outputting resources. | -| ssh\_private\_key | n/a | - diff --git a/examples/airgap/README.md b/examples/airgap/README.md deleted file mode 100644 index dcfcd05d..00000000 --- a/examples/airgap/README.md +++ /dev/null @@ -1,11 +0,0 @@ -## Terraform Enterprise Airgap Example - -This example shows using the external-services module along with a the main -module to deploy TFE using external services using an airgap package. - -This example uses a setup bucket that has been previously created and is -populated with the following items: - -* tfe-setup/ptfe.zip mirrored https://install.terraform.io/installer/ptfe.zip with ACL **public-read**. **NOTE** This file must have a public-read ACL configured so it can be downloaded directly via http. -* tfe-setup/replicated.tar.gz mirriored from https://s3.amazonaws.com/replicated-airgap-work/replicated__docker__kubernetes.tar.gz with ACL **private** -* tfe-setup/v201911-1.airgap with ACL **private** has been uploaded from the replicated.com portal. This contains the release we are deploying. diff --git a/examples/airgap/main.tf b/examples/airgap/main.tf deleted file mode 100644 index 0097a691..00000000 --- a/examples/airgap/main.tf +++ /dev/null @@ -1,107 +0,0 @@ -locals { - vpc_id = "vpc-aabbccddeeffgghhiijj" - tag = "tfe" - setup_bucket = "mycompany-tfe-setup" - domain = "mycompany-internal.net" - hostname = "tfe" - license_file = "mylicense.rli" - airgap_package = "v201911-1.airgap" - region = "us-west-2" -} - -provider "aws" { - region = local.region -} - -module "external" { - source = "hashicorp/terraform-enterprise/aws//modules/external-services" - version = "0.1.2" - - vpc_id = local.vpc_id - install_id = module.terraform-enterprise.install_id - - rds_subnet_tags = { - "Usage" = local.tag - } -} - -data "aws_iam_policy_document" "setup-bucket" { - # TFE Admin settings > Object Storage > S3 Configuration's 'Test Authentication' test calls ListBuckets - statement { - actions = [ - "s3:GetBucketLocation", - "s3:ListAllMyBuckets", - ] - - resources = [ - "*", - ] - } - - statement { - actions = [ - "s3:*", - ] - - resources = [ - "arn:aws:s3:::${local.setup_bucket}", - "arn:aws:s3:::${local.setup_bucket}/*", - ] - } -} - -resource "aws_iam_role_policy" "setup-bucket" { - role = module.terraform-enterprise.iam_role - name = "${local.setup_bucket}-${module.terraform-enterprise.install_id}" - policy = data.aws_iam_policy_document.setup-bucket.json -} - -module "terraform-enterprise" { - source = "hashicorp/terraform-enterprise/aws" - version = "0.1.0" - - vpc_id = local.vpc_id - domain = local.domain - - subnet_tags = { - "Usage" = local.tag - } - - license_file = local.license_file - secondary_count = 5 - hostname = local.hostname - distribution = "ubuntu" - - # The data at ptfe.zip at the normal location has been uploaded to a private bucket to be used - installer_url = "https://${local.setup_bucket}.s3-${local.region}.amazonaws.com/tfe-setup/ptfe.zip" - - # The airgap installer tar.gz is also within the setup bucket - airgap_installer_url = "s3://${local.setup_bucket}/tfe-setup/replicated.tar.gz?region=${local.region}" - - # The airgap package is located within a bucket that the instances can access. - airgap_package_url = "s3://${local.setup_bucket}/tfe-setup/${local.airgap_package}?region=${local.region}" - - postgresql_user = module.external.database_username - postgresql_password = module.external.database_password - postgresql_address = module.external.database_endpoint - postgresql_database = module.external.database_name - postgresql_extra_params = "sslmode=disable" - - s3_bucket = module.external.s3_bucket - s3_region = local.region - - aws_access_key_id = module.external.iam_access_key - aws_secret_access_key = module.external.iam_secret_key -} - -output "primary_public_ip" { - value = module.terraform-enterprise.primary_public_ip -} - -output "installer_dashboard_password" { - value = module.terraform-enterprise.installer_dashboard_password -} - -output "endpoint" { - value = module.terraform-enterprise.application_endpoint -} diff --git a/examples/behind-proxy/README.md b/examples/behind-proxy/README.md new file mode 100644 index 00000000..40daa4b4 --- /dev/null +++ b/examples/behind-proxy/README.md @@ -0,0 +1,49 @@ +# EXAMPLE: Deploying Terraform Enterprise behind a proxy + +## About This Example + +This example functions as a reference for how to use this module to install Terraform Enterprise in an existing VPC using your own proxy. + +## Module Prerequisites + +As with the main version of this module, this example assumes the following resources already exist: + +* Valid DNS Zone managed in Route53 +* Valid AWS ACM certificate + +When deploying in an existing VPC the `bastion` and `networking` submodules will not be used. Therefore when deploying, the existing VPC must have: + +* Public and private subnets +* Nat gateway and appropriate rules +* Routing table and appropriate rules + +## How to Use This Module + +- Ensure account meets module pre-requisites from above. + +- Create a Terraform configuration that pulls in this module and specifies values + of the required variables: + +```hcl +provider "aws" { + region = "" +} + +module "espd-tfe-aws" { + source = "../espd-tfe-aws/" + + deploy_vpc = false + deploy_bastion = false + domain_name = "" + friendly_name_prefix = "" + tfe_license_filepath = "" + network_id = "" + network_private_subnets = "" + network_public_subnets = "" + proxy_ip = "" + proxy_cert_bundle_filepath = "" + proxy_cert_bundle_name = "" +} +``` + +- Run `terraform init` and `terraform apply` \ No newline at end of file diff --git a/examples/existing-private-network/README.md b/examples/existing-private-network/README.md new file mode 100644 index 00000000..1091dbff --- /dev/null +++ b/examples/existing-private-network/README.md @@ -0,0 +1,68 @@ +# EXAMPLE: Using this module to deploy in an existing private network. + +## About This Example + +This example functions as a reference for how to use this module to install Terraform Enterprise in an existing VPC on AWS. + +## Module Prerequisites + +As with the main version of this module, this example assumes the following resources already exist: + +* Valid DNS Zone managed in Route53 +* Valid AWS ACM certificate + +When deploying in an existing VPC the `bastion` and `networking` submodules will not be used. Therefore when deploying, the existing VPC must have: + +* Public and private subnets +* Nat gateway and appropriate rules +* Routing table and appropriate rules + +## How to Use This Module + +- Ensure account meets module pre-requisites from above. + +- Create a Terraform configuration that pulls in this module and specifies values + of the required variables: + +```hcl +provider "aws" { + region = "" +} + +module "espd-tfe-aws" { + source = "../espd-tfe-aws/" + + deploy_vpc = false + deploy_bastion = false + domain_name = "" + friendly_name_prefix = "" + tfe_license_filepath = "" + network_id = "" + network_private_subnets = "" + network_public_subnets = "" +} +``` + +- *OPTIONAL*: This module can be deployed with a custom AMI rather than the default base given (Ubuntu 20.04 LTS), and has been verified to be functional with Ubuntu 20.04 LTS and RHEL 7.x based images. To deploy using a custom image, use the following configuration instead: + +```hcl +provider "aws" { + region = "" +} + +module "espd-tfe-aws" { + source = "../espd-tfe-aws/" + + ami_id = "" + deploy_vpc = false + deploy_bastion = false + domain_name = "" + friendly_name_prefix = "" + tfe_license_filepath = "" + network_id = "" + network_private_subnets = "" + network_public_subnets = "" +} +``` + +- Run `terraform init` and `terraform apply` \ No newline at end of file diff --git a/examples/external-dns/README.md b/examples/external-dns/README.md new file mode 100644 index 00000000..dd996a79 --- /dev/null +++ b/examples/external-dns/README.md @@ -0,0 +1,9 @@ +# EXAMPLE: Deploying while managing DNS outside of AWS + +## About This Example + +This example contains a reference implementation for how to use this module to deploy Terraform Enterprise on AWS while managing DNS externally. + +## What's different? + +Whereas the main module uses a datasource to find your Route 53 hosted zone in order to automatically create an entry to your load balancer, this scenario assumes you are managing all DNS configuration. For this reason, you will need to use the provided output for the load balancer endpoint from the main module and configure that value wherever you are managing DNS. diff --git a/examples/personas-bank/README.md b/examples/personas-bank/README.md new file mode 100644 index 00000000..006e2198 --- /dev/null +++ b/examples/personas-bank/README.md @@ -0,0 +1,101 @@ +# EXAMPLE: Deploying Terraform Enterprise Persona as Bank + +## About this example + +This example functions as a reference for how to use this module to install +Terraform Enterprise as a Bank persona. + +Traits of the Bank persona include: + +- Active/Active mode +- a large VM machine type (m5.xlarge) +- Red Hat 7.8 as the VM image +- a privately accessible TCP load balancer with TLS pass-through +- a proxy server with TLS termination +- Redis authentication +- Redis encryption in transit + +## Module pre-requisites + +As with the main version of this module, this example assumes the following +resources already exist: + +- Valid DNS Zone managed in Route53 +- Valid AWS ACM certificate + +When deploying in an existing VPC the `bastion` and `networking` submodules will +not be used. Therefore when deploying, the existing VPC must have: + +- Public and private subnets +- NAT gateway and appropriate rules +- Routing table and appropriate rules + +## How to use this module + +- Ensure account meets module pre-requisites from above. +- Create a Terraform configuration that pulls in this module and specifies + values of the required variables: + +```hcl +domain_name = "" +license_path = "" +acm_certificate_arn = "" + +# Leverages an AWS Key Pair for accessing the Bastion instance +bastion_keypair = "" + +ami_id = "" + +proxy_cert_bundle_filepath = "" +proxy_cert_bundle_name = "" +proxy_ip = "" + +# Configure Redis security +redis_require_password = true +redis_encryption_in_transit = true +redis_encryption_at_rest = true +``` + +With the configuration created, run `terraform init` and `terraform apply` to provision the example infrastructure. + +### Accessing the Private Deployment via Web Browser + +An SOCKS5 proxy over an SSH channel on your workstation can be used +to access the TFE deployment from outside of the AWS network. The +following example demonstrates how to establish a SOCKS5 proxy using +Bash, a bastion host virtual machine, and an Internet browser. + +First, establish the SOCKS5 proxy. The following command creates a +proxy listening to port 5000 and bound to localhost which forwards +traffic through one of the compute instances in the TFE delpoyment. +Be sure to change the values in between `< >`: + +```bash +ssh \ + -N \ + -p 22 \ + -D localhost:5000 \ + -i \ + @ +``` + +Second, a web browser or the operating system must be configured to use +the SOCKS5 proxy. The instructions to accomplish this vary depending on +the browser or operating system in use, but in Firefox, this can be +configured in: + +> Preferences > Network Settings > Manual proxy configuration > +SOCKS: Host; Port + +Third, the URL from the login_url Terraform output can be accessed +through the browser to start using the deployment. It is expected that +the browser will issue an untrusted certificate warning as this example +attaches a self-signed certificate to the internal load balancer. + +### Proxy examples + +The proxy in this example is not intended to be a production-grade example of +proxy configurations. The only requirement for this example is to provide a +proxy IP address and optionally a proxy PORT number for setting up TFE to +leverage your proxy. The example in this directory leverages a +development-configured MITM proxy. diff --git a/examples/personas-bank/certificates.tf b/examples/personas-bank/certificates.tf new file mode 100644 index 00000000..a5824493 --- /dev/null +++ b/examples/personas-bank/certificates.tf @@ -0,0 +1,30 @@ +resource "tls_private_key" "ca" { + algorithm = "RSA" +} + +resource "tls_self_signed_cert" "ca" { + key_algorithm = tls_private_key.ca.algorithm + private_key_pem = tls_private_key.ca.private_key_pem + validity_period_hours = 24 * 30 * 6 + + subject { + organization = "HashiCorp (NonTrusted)" + common_name = "HashiCorp (NonTrusted) Private Certificate Authority" + country = "US" + } + + is_ca_certificate = true + + allowed_uses = [ + "cert_signing", + "key_encipherment", + "digital_signature" + ] +} + +resource "local_file" "ca" { + filename = "${path.module}/files/mitmproxy.pem" + + content = tls_self_signed_cert.ca.cert_pem + file_permission = "0644" +} diff --git a/examples/personas-bank/files/.gitkeep b/examples/personas-bank/files/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/examples/personas-bank/main.tf b/examples/personas-bank/main.tf new file mode 100644 index 00000000..d5193f04 --- /dev/null +++ b/examples/personas-bank/main.tf @@ -0,0 +1,81 @@ +locals { + complete_prefix = "${var.prefix}-${random_string.friendly_name.result}" + http_proxy_port = 3128 +} + +resource "random_pet" "subdomain" { + length = 2 + separator = "-" + prefix = var.prefix +} + +resource "random_string" "friendly_name" { + length = 4 + upper = false # Some AWS resources do not accept uppercase characters. + number = false + special = false +} + +data "aws_ami" "rhel" { + owners = ["309956199498"] # RedHat + + most_recent = true + + filter { + name = "name" + values = ["RHEL-7.4_HVM-*-x86_64-*-Hourly2-GP2"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } +} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +module "bank_deployment" { + source = "../../" + + tfe_license_filepath = var.license_path + tfe_license_name = "replicated_license.rli" + + tfe_subdomain = (var.tfe_subdomain == null) ? random_pet.subdomain.id : var.tfe_subdomain + domain_name = var.domain_name + + friendly_name_prefix = "${var.prefix}-${random_string.friendly_name.result}" + + node_count = 2 + + deploy_secretsmanager = false + + acm_certificate_arn = var.acm_certificate_arn + + bastion_keypair = var.existing_aws_keypair + + proxy_cert_bundle_filepath = local_file.ca.filename + proxy_cert_bundle_name = "mitmproxy" + proxy_ip = "${aws_instance.proxy.private_ip}:${local.http_proxy_port}" + + ami_id = data.aws_ami.rhel.id + + redis_require_password = true + redis_encryption_in_transit = true + redis_encryption_at_rest = true + + common_tags = var.common_tags +} diff --git a/examples/personas-bank/outputs.tf b/examples/personas-bank/outputs.tf new file mode 100644 index 00000000..f6562166 --- /dev/null +++ b/examples/personas-bank/outputs.tf @@ -0,0 +1,11 @@ +output "random_pet_subdomain" { + value = random_pet.subdomain.id +} + +output "random_string_friendly_name" { + value = local.complete_prefix +} + +output "bank_deployment" { + value = module.bank_deployment +} diff --git a/examples/personas-bank/proxy.tf b/examples/personas-bank/proxy.tf new file mode 100644 index 00000000..c9610adf --- /dev/null +++ b/examples/personas-bank/proxy.tf @@ -0,0 +1,71 @@ +resource "aws_security_group" "proxy" { + name = "${local.complete_prefix}-sg-proxy-allow" + vpc_id = module.bank_deployment.network_id + + tags = merge( + { Name = "${local.complete_prefix}-sg-proxy-allow" }, + var.common_tags + ) +} + +resource "aws_security_group_rule" "proxy_ingress_mitmproxy" { + type = "ingress" + from_port = local.http_proxy_port + to_port = local.http_proxy_port + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow TFE traffic to proxy instance" + + security_group_id = aws_security_group.proxy.id +} + +resource "aws_security_group_rule" "proxy_ingress_ssh" { + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow SSH to proxy instance" + + security_group_id = aws_security_group.proxy.id +} + +resource "aws_security_group_rule" "proxy_egress" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow all egress traffic from proxy instance" + + security_group_id = aws_security_group.proxy.id +} + +resource "aws_instance" "proxy" { + ami = data.aws_ami.ubuntu.id + instance_type = "m4.xlarge" + + subnet_id = module.bank_deployment.public_subnet_ids[0] + + vpc_security_group_ids = [ + aws_security_group.proxy.id + ] + + key_name = var.existing_aws_keypair + + user_data = base64encode( + templatefile( + "${path.module}/templates/mitmproxy.sh.tpl", + { + certificate = tls_self_signed_cert.ca.cert_pem + http_proxy_port = local.http_proxy_port + private_key = tls_private_key.ca.private_key_pem + } + ) + ) + + root_block_device { + volume_type = "gp2" + volume_size = "100" + } +} diff --git a/examples/personas-bank/templates/mitmproxy.sh.tpl b/examples/personas-bank/templates/mitmproxy.sh.tpl new file mode 100644 index 00000000..6fa9624f --- /dev/null +++ b/examples/personas-bank/templates/mitmproxy.sh.tpl @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e -u -o pipefail + +mkdir -p /etc/mitmproxy + +touch /etc/systemd/system/mitmproxy.service +chown root:root /etc/systemd/system/mitmproxy.service +chmod 0644 /etc/systemd/system/mitmproxy.service + +cat </etc/systemd/system/mitmproxy.service +[Unit] +Description=mitmproxy +ConditionPathExists=/etc/mitmproxy +[Service] +ExecStart=/usr/local/bin/mitmdump -p ${http_proxy_port} --set confdir=/etc/mitmproxy --ssl-insecure +Restart=always +[Install] +WantedBy=multi-user.target +EOF + +echo "[$(date +"%FT%T")] Downloading mitmproxy tar from the web" +curl -Lo /tmp/mitmproxy.tar.gz https://snapshots.mitmproxy.org/6.0.2/mitmproxy-6.0.2-linux.tar.gz +tar xvf /tmp/mitmproxy.tar.gz -C /usr/local/bin/ + +echo "[$(date +"%FT%T")] Deploying certificates for mitmproxy" +cat </etc/mitmproxy/mitmproxy-ca.pem +${certificate} +${private_key} +EOF + +echo "[$(date +"%FT%T")] Starting mitmproxy service" +systemctl daemon-reload +systemctl start mitmproxy +systemctl enable mitmproxy diff --git a/examples/personas-bank/variables.tf b/examples/personas-bank/variables.tf new file mode 100644 index 00000000..651425d3 --- /dev/null +++ b/examples/personas-bank/variables.tf @@ -0,0 +1,40 @@ +variable "prefix" { + type = string + default = "tfe" + description = "This prefix is used in the subdomain and friendly_name generation." +} + +variable "tfe_subdomain" { + type = string + default = null + description = <`: + +```bash +ssh \ + -N \ + -p 22 \ + -D localhost:5000 \ + -i \ + @ +``` + +Second, a web browser or the operating system must be configured to use +the SOCKS5 proxy. The instructions to accomplish this vary depending on +the browser or operating system in use, but in Firefox, this can be +configured in: + +> Preferences > Network Settings > Manual proxy configuration > +SOCKS: Host; Port + +Third, the URL from the login_url Terraform output can be accessed +through the browser to start using the deployment. It is expected that +the browser will issue an untrusted certificate warning as this example +attaches a self-signed certificate to the internal load balancer. + +### Proxy examples + +The proxy in this example is not intended to be a production-grade example of +proxy configurations. The only requirement for this example is to provide a +proxy IP address and optionally a proxy PORT number for setting up TFE to +leverage your proxy. The example in this directory leverages a +development-configured Squid proxy. diff --git a/examples/personas-retailer/main.tf b/examples/personas-retailer/main.tf new file mode 100644 index 00000000..5a365af1 --- /dev/null +++ b/examples/personas-retailer/main.tf @@ -0,0 +1,64 @@ +resource "random_pet" "subdomain" { + length = 2 + separator = "-" + prefix = var.prefix +} + +resource "random_string" "friendly_name" { + length = 4 + upper = false # Some AWS resources do not accept uppercase characters. + number = false + special = false +} + +data "aws_ami" "rhel" { + owners = ["309956199498"] # RedHat + + most_recent = true + + filter { + name = "name" + values = ["RHEL-7.9_HVM-*-x86_64-*-Hourly2-GP2"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } +} + +locals { + complete_prefix = "${var.prefix}-${random_string.friendly_name.result}" + http_proxy_port = 3128 +} + +module "retailer_deployment" { + source = "../../" + + tfe_license_filepath = var.license_path + tfe_license_name = "replicated_license.rli" + + tfe_subdomain = (var.tfe_subdomain == null) ? random_pet.subdomain.id : var.tfe_subdomain + domain_name = var.domain_name + + friendly_name_prefix = local.complete_prefix + + node_count = 2 + + deploy_secretsmanager = false + + acm_certificate_arn = var.acm_certificate_arn + + deploy_bastion = true + bastion_keypair = var.existing_aws_keypair + + proxy_ip = "${aws_instance.proxy.private_ip}:${http_proxy_port}" + + ami_id = data.aws_ami.rhel.id + + load_balancing_scheme = true + + redis_encryption_in_transit = true + redis_require_password = true + redis_encryption_at_rest = false +} diff --git a/examples/personas-retailer/outputs.tf b/examples/personas-retailer/outputs.tf new file mode 100644 index 00000000..ed189446 --- /dev/null +++ b/examples/personas-retailer/outputs.tf @@ -0,0 +1,19 @@ +output "random_pet_subdomain" { + value = random_pet.subdomain.id +} + +output "random_string_friendly_name" { + value = local.complete_prefix +} + +output "retailer_deployment" { + value = module.retailer_deployment +} + +output "retailer_proxy_public_address" { + value = aws_instance.proxy.public_ip +} + +output "retailer_proxy_private_address" { + value = aws_instance.proxy.private_ip +} diff --git a/examples/personas-retailer/proxy.tf b/examples/personas-retailer/proxy.tf new file mode 100644 index 00000000..ffef368e --- /dev/null +++ b/examples/personas-retailer/proxy.tf @@ -0,0 +1,67 @@ +data "template_cloudinit_config" "config_proxy" { + gzip = true + base64_encode = true + + part { + content_type = "text/cloud-config" + content = templatefile( + "${path.module}/templates/cloud-config-proxy.yaml", + { + http_proxy_port = local.http_proxy_port + } + ) + } +} + +resource "aws_instance" "proxy" { + ami = data.aws_ami.rhel.id + instance_type = var.squid_instance_type + + subnet_id = module.retailer_deployment.private_subnet_ids[0] + + vpc_security_group_ids = [ + aws_security_group.proxy.id, + ] + + key_name = var.existing_aws_keypair + + user_data = data.template_cloudinit_config.config_proxy.rendered + + root_block_device { + volume_type = "gp2" + volume_size = var.squid_volume_size + + } +} + +resource "aws_security_group" "proxy" { + name = "${local.complete_prefix}-sg-proxy-allow" + vpc_id = module.retailer_deployment.network_id + + tags = merge( + { Name = "${local.complete_prefix}-sg-proxy-allow" }, + var.common_tags + ) +} + +resource "aws_security_group_rule" "proxy_ingress" { + type = "ingress" + from_port = local.http_proxy_port + to_port = local.http_proxy_port + protocol = "tcp" + cidr_blocks = module.retailer_deployment.network_private_subnet_cidrs + description = "Allow internal traffic to proxy instance" + + security_group_id = aws_security_group.proxy.id +} + +resource "aws_security_group_rule" "proxy_egress" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow all egress traffic from proxy instance" + + security_group_id = aws_security_group.proxy.id +} diff --git a/examples/personas-retailer/templates/cloud-config-proxy.yaml b/examples/personas-retailer/templates/cloud-config-proxy.yaml new file mode 100644 index 00000000..191821b5 --- /dev/null +++ b/examples/personas-retailer/templates/cloud-config-proxy.yaml @@ -0,0 +1,46 @@ +#cloud-config + +write_files: + - path: /etc/squid/squid.conf + owner: root:root + permissions: "0644" + content: | + acl all src 0.0.0.0/0 + acl localnet src 10.0.0.0/8 # RFC1918 possible internal network + acl SSL_ports port 443 + acl Safe_ports port 80 # http + acl Safe_ports port 21 # ftp + acl Safe_ports port 443 # https + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + acl Safe_ports port 1025-65535 # unregistered ports + acl Safe_ports port 280 # http-mgmt + acl Safe_ports port 488 # gss-http + acl Safe_ports port 591 # filemaker + acl Safe_ports port 777 # multiling http + acl CONNECT method CONNECT + debug_options ALL,1 33,2 28,9 + http_access deny !Safe_ports + http_access deny CONNECT !SSL_ports + http_access allow localhost manager + http_access deny manager + http_access allow localnet + http_access allow localhost + http_access allow all + http_access deny all + http_port ${http_proxy_port} + coredump_dir /var/spool/squid + refresh_pattern ^ftp: 1440 20% 10080 + refresh_pattern ^gopher: 1440 0% 1440 + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 + refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 + refresh_pattern . 0 20% 4320 + +packages: + - squid + +runcmd: + - firewall-cmd --permanent --add-port=${http_proxy_port}/tcp + - firewall-cmd --reload + - systemctl start squid + - systemctl enable squid diff --git a/examples/personas-retailer/variables.tf b/examples/personas-retailer/variables.tf new file mode 100644 index 00000000..9fa5b334 --- /dev/null +++ b/examples/personas-retailer/variables.tf @@ -0,0 +1,57 @@ +variable "prefix" { + type = string + default = "tfe" + description = "This prefix is used in the subdomain and friendly_name generation." +} + +variable "tfe_subdomain" { + type = string + default = null + description = < /tmp/chrony.conf -cat "$CONF" >> /tmp/chrony.conf -cp /tmp/chrony.conf "$CONF" -systemctl restart $SERVICE - -if [ ! -f /usr/bin/ptfe ]; then - pushd /tmp - wget -O ptfe.zip "$(cat /etc/ptfe/ptfe_url)" - unzip ptfe.zip - cp ptfe /usr/bin - chmod a+x /usr/bin/ptfe - popd -fi - -role="$(cat /etc/ptfe/role)" -export role - -airgap_url_path="/etc/ptfe/airgap-package-url" -airgap_installer_url_path="/etc/ptfe/airgap-installer-url" -weave_cidr="/etc/ptfe/weave-cidr" -repl_cidr="/etc/ptfe/repl-cidr" - - - - -health_url="$(cat /etc/ptfe/health-url)" - -ptfe_install_args=( - -DD - "--bootstrap-token=$(cat /etc/ptfe/bootstrap-token)" \ - "--cluster-api-endpoint=$(cat /etc/ptfe/cluster-api-endpoint)" \ - --health-url "$health_url" - --assistant-host "$(cat /etc/ptfe/assistant-host)" - --assistant-token "$(cat /etc/ptfe/assistant-token)" -) - -role_id=0 - -if test -e /etc/ptfe/role-id; then - role_id="$(cat /etc/ptfe/role-id)" - ptfe_install_args+=( - --role-id "$role_id" - ) -fi - -if [ -s /etc/ptfe/proxy-url ]; then - ptfe_install_args+=( - "--additional-no-proxy=$no_proxy" - "--http-proxy=$http_proxy" - ) -fi - -if [ "x${role}x" == "xmainx" ]; then - verb="setup" - export verb - # main - ptfe_install_args+=( - "--private-address=$(curl -sfSL http://169.254.169.254/latest/meta-data/local-ipv4)" - --cluster - "--auth-token=@/etc/ptfe/setup-token" - ) - # If we are airgapping, then set the arguments needed for Replicated. - # We also setup the replicated.conf.tmpl to include the path to the downloaded - # airgap file. - if test -e "$airgap_url_path"; then - mkdir -p /var/lib/ptfe - pushd /var/lib/ptfe - airgap_url="$(< "$airgap_url_path")" - echo "Downloading airgap package from $airgap_url" - ptfe util download "$airgap_url" /var/lib/ptfe/ptfe.airgap - popd - fi - - if test -e "$weave_cidr"; then - ptfe_install_args+=( - "--ip-alloc-range=$(cat /etc/ptfe/weave-cidr)" - ) - fi - - if test -e "$repl_cidr"; then - ptfe_install_args+=( - "--service-cidr=$(cat /etc/ptfe/repl-cidr)" - ) - fi - - # ------------------------------------------------------------------------------ - # Custom CA certificate download and configuration block - # ------------------------------------------------------------------------------ - if [[ -n $(< /etc/ptfe/custom-ca-cert-url) && \ - $(< /etc/ptfe/custom-ca-cert-url) != none ]]; then - custom_ca_bundle_url=$(cat /etc/ptfe/custom-ca-cert-url) - custom_ca_cert_file_name=$(echo "${custom_ca_bundle_url}" | awk -F '/' '{ print $NF }') - ca_tmp_dir="/tmp/ptfe-customer-certs" - replicated_conf_file="replicated-ptfe.conf" - local_messages_file="local_messages.log" - # Setting up a tmp directory to do this `jq` transform to leave artifacts if anything goes "boom", - # since we're trusting user input to be both a working URL and a valid certificate. - # These artifacts will live in /tmp/ptfe/customer-certs/{local_messages.log,wget_output.log} files. - mkdir -p "${ca_tmp_dir}" - pushd "${ca_tmp_dir}" - touch ${local_messages_file} - if wget --trust-server-names "${custom_ca_bundle_url}" >> ./wget_output.log 2>&1; - then - if [ -f "${ca_tmp_dir}/${custom_ca_cert_file_name}" ]; - then - if openssl x509 -in "${custom_ca_cert_file_name}" -text -noout; - then - mv "${custom_ca_cert_file_name}" cust-ca-certificates.crt - cp /etc/${replicated_conf_file} ./${replicated_conf_file}.original - jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }" -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated - if jq -e . > /dev/null 2>&1 -- ${replicated_conf_file}.updated; - then - cp ./${replicated_conf_file}.updated /etc/${replicated_conf_file} - else - echo "The updated ${replicated_conf_file} file is not valid JSON." | tee -a "${local_messages_file}" - echo "Review ${ca_tmp_dir}/${replicated_conf_file}.original and ${ca_tmp_dir}/${replicated_conf_file}.updated." | tee -a "${local_messages_file}" - echo "" | tee -a "${local_messages_file}" - fi - else - echo "The certificate file wasn't able to validated via openssl" | tee -a "${local_messages_file}" - echo "" | tee -a "${local_messages_file}" - fi - else - echo "The filename ${custom_ca_cert_file_name} was not what ${custom_ca_bundle_url} downloaded." | tee -a "${local_messages_file}" - echo "Inspect the ${ca_tmp_dir} directory to verify the file that was downloaded." | tee -a "${local_messages_file}" - echo "" | tee -a "${local_messages_file}" - fi - else - echo "There was an error downloading the file ${custom_ca_cert_file_name} from ${custom_ca_bundle_url}." | tee -a "${local_messages_file}" - echo "See the ${ca_tmp_dir}/wget_output.log file." | tee -a "${local_messages_file}" - echo "" | tee -a "${local_messages_file}" - fi - - popd - fi -else - # We do this before continuing so that the airgap_installer_url can reference - # the internal load balancer and retrieve files from the primary - echo "Waiting for cluster to start before continuing..." - ptfe install join --role-id "$role_id" --health-url "$health_url" --wait-for-cluster -fi - -if [ "x${role}x" != "xsecondaryx" ]; then - ptfe_install_args+=( - --primary-pki-url "$(cat /etc/ptfe/primary-pki-url)" - ) -fi - -if [ "x${role}x" == "xprimaryx" ]; then - verb="join" - ptfe_install_args+=( - --as-primary - ) - export verb -fi - -if [ "x${role}x" == "xsecondaryx" ]; then - verb="join" - export verb -fi - -if test -e "$airgap_installer_url_path"; then - mkdir -p /var/lib/ptfe - pushd /var/lib/ptfe - airgap_installer_url="$(< "$airgap_installer_url_path")" - echo "Downloading airgap installer from $airgap_installer_url" - ptfe util download "$airgap_installer_url" /var/lib/ptfe/replicated.tar.gz - popd - - ptfe_install_args+=( - --airgap-installer /var/lib/ptfe/replicated.tar.gz - ) -fi - -echo "Running 'ptfe install $verb ${ptfe_install_args[@]}'" -ptfe install $verb "${ptfe_install_args[@]}" diff --git a/iam.tf b/iam.tf deleted file mode 100644 index 5ff91e41..00000000 --- a/iam.tf +++ /dev/null @@ -1,25 +0,0 @@ -data "aws_iam_policy_document" "ptfe" { - statement { - actions = [ - "sts:AssumeRole", - ] - - principals { - type = "Service" - identifiers = [ - "ec2.amazonaws.com", - ] - } - } -} -resource "aws_iam_role" "ptfe" { - name = "ptfe-${module.common.install_id}" - - assume_role_policy = data.aws_iam_policy_document.ptfe.json -} - -resource "aws_iam_instance_profile" "ptfe" { - name = "${var.prefix}-${module.common.install_id}" - role = aws_iam_role.ptfe.name -} - diff --git a/main.tf b/main.tf new file mode 100644 index 00000000..9c438b67 --- /dev/null +++ b/main.tf @@ -0,0 +1,239 @@ +terraform { + required_version = ">= 0.13" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.5.0" + } + random = { + source = "hashicorp/random" + version = "~> 3.1.0" + } + template = { + source = "hashicorp/template" + version = "~> 2.1.2" + } + tls = { + source = "hashicorp/tls" + version = "~> 3.0.0" + } + } +} + +data "aws_region" "current" {} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_kms_key" "tfe_key" { + deletion_window_in_days = var.kms_key_deletion_window + description = "AWS KMS Customer-managed key to encrypt TFE and other resources" + enable_key_rotation = false + is_enabled = true + key_usage = "ENCRYPT_DECRYPT" + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-kms-key" }, + var.common_tags, + ) +} + +resource "aws_kms_alias" "key_alias" { + name = "alias/${var.kms_key_alias}" + target_key_id = aws_kms_key.tfe_key.key_id +} + +locals { + active_active = var.node_count >= 2 + ami_id = local.default_ami_id ? data.aws_ami.ubuntu.id : var.ami_id + aws_lb_target_group_tfe_tg_8800_arn = local.active_active ? "" : module.load_balancer.aws_lb_target_group_tfe_tg_8800_arn + default_ami_id = var.ami_id == "" + fqdn = "${var.tfe_subdomain}.${var.domain_name}" +} + +module "object_storage" { + source = "./modules/object_storage" + + friendly_name_prefix = var.friendly_name_prefix + kms_key_arn = aws_kms_key.tfe_key.arn + tfe_license_filepath = var.tfe_license_filepath + tfe_license_name = var.tfe_license_name + proxy_cert_bundle_filepath = var.proxy_cert_bundle_filepath + proxy_cert_bundle_name = var.proxy_cert_bundle_name + + common_tags = var.common_tags +} + +module "service_accounts" { + source = "./modules/service_accounts" + + aws_bucket_bootstrap_arn = module.object_storage.s3_bucket_bootstrap_arn + aws_bucket_data_arn = module.object_storage.s3_bucket_data_arn + friendly_name_prefix = var.friendly_name_prefix + kms_key_arn = aws_kms_key.tfe_key.arn + + common_tags = var.common_tags +} + +module "secrets_manager" { + source = "./modules/secrets_manager" + + friendly_name_prefix = var.friendly_name_prefix + deploy_secretsmanager = var.deploy_secretsmanager + + common_tags = var.common_tags +} + +module "networking" { + source = "./modules/networking" + + deploy_vpc = var.deploy_vpc + friendly_name_prefix = var.friendly_name_prefix + network_cidr = var.network_cidr + network_private_subnet_cidrs = var.network_private_subnet_cidrs + network_public_subnet_cidrs = var.network_public_subnet_cidrs + + common_tags = var.common_tags +} + +locals { + bastion_host_subnet = var.deploy_vpc ? module.networking.bastion_host_subnet : var.bastion_host_subnet + network_id = var.deploy_vpc ? module.networking.network_id : var.network_id + network_private_subnets = var.deploy_vpc ? module.networking.network_private_subnets : var.network_private_subnets + network_public_subnets = var.deploy_vpc ? module.networking.network_public_subnets : var.network_public_subnets +} + +module "redis" { + source = "./modules/redis" + + active_active = local.active_active + friendly_name_prefix = var.friendly_name_prefix + network_id = local.network_id + network_private_subnet_cidrs = var.network_private_subnet_cidrs + network_subnets_private = local.network_private_subnets + tfe_instance_sg = module.vm.tfe_instance_sg + + cache_size = var.redis_cache_size + engine_version = var.redis_engine_version + parameter_group_name = var.redis_parameter_group_name + + kms_key_arn = aws_kms_key.tfe_key.arn + redis_encryption_in_transit = var.redis_encryption_in_transit + redis_encryption_at_rest = var.redis_encryption_at_rest + redis_require_password = var.redis_require_password + + common_tags = var.common_tags +} + +module "database" { + source = "./modules/database" + + db_size = var.db_size + engine_version = var.postgres_engine_version + friendly_name_prefix = var.friendly_name_prefix + network_id = local.network_id + network_private_subnet_cidrs = var.network_private_subnet_cidrs + network_subnets_private = local.network_private_subnets + tfe_instance_sg = module.vm.tfe_instance_sg + + common_tags = var.common_tags +} + +module "bastion" { + source = "./modules/bastion" + + ami_id = local.ami_id + bastion_host_subnet = local.bastion_host_subnet + bastion_ingress_cidr_allow = var.bastion_ingress_cidr_allow + bastion_keypair = var.bastion_keypair + deploy_bastion = var.deploy_bastion + deploy_vpc = var.deploy_vpc + friendly_name_prefix = var.friendly_name_prefix + kms_key_id = aws_kms_key.tfe_key.arn + network_id = local.network_id + userdata_script = module.user_data.bastion_userdata_base64_encoded + + common_tags = var.common_tags +} + +locals { + bastion_key_private = var.deploy_bastion ? module.bastion.generated_bastion_key_private : var.bastion_key_private + bastion_key_public = var.deploy_bastion ? module.bastion.generated_bastion_key_public : var.bastion_key_private + bastion_sg = var.deploy_bastion ? module.bastion.bastion_sg : var.bastion_sg +} + +module "user_data" { + source = "./modules/user_data" + + active_active = local.active_active + aws_bucket_bootstrap = module.object_storage.s3_bucket_bootstrap + aws_bucket_data = module.object_storage.s3_bucket_data + aws_region = data.aws_region.current.name + fqdn = local.fqdn + friendly_name_prefix = var.friendly_name_prefix + generated_bastion_key_private = local.bastion_key_private + kms_key_arn = aws_kms_key.tfe_key.arn + pg_dbname = module.database.db_name + pg_password = module.database.db_password + pg_netloc = module.database.db_endpoint + pg_user = module.database.db_username + proxy_cert_bundle_name = var.proxy_cert_bundle_name + proxy_ip = var.proxy_ip + no_proxy = var.no_proxy + redis_host = module.redis.redis_endpoint + redis_pass = module.redis.redis_password + redis_port = module.redis.redis_port + redis_use_password_auth = module.redis.redis_use_password_auth + redis_use_tls = module.redis.redis_transit_encryption_enabled + tfe_license = var.tfe_license_name +} + +module "load_balancer" { + source = "./modules/load_balancer" + + active_active = local.active_active + admin_dashboard_ingress_ranges = var.admin_dashboard_ingress_ranges + certificate_arn = var.acm_certificate_arn + domain_name = var.domain_name + friendly_name_prefix = var.friendly_name_prefix + fqdn = local.fqdn + load_balancing_scheme = var.load_balancing_scheme + network_id = local.network_id + network_public_subnets = local.network_public_subnets + ssl_policy = var.ssl_policy + + common_tags = var.common_tags +} + +module "vm" { + source = "./modules/vm" + + active_active = local.active_active + aws_iam_instance_profile = module.service_accounts.aws_iam_instance_profile + ami_id = local.ami_id + aws_lb = module.load_balancer.aws_lb_security_group + aws_lb_target_group_tfe_tg_443_arn = module.load_balancer.aws_lb_target_group_tfe_tg_443_arn + aws_lb_target_group_tfe_tg_8800_arn = module.load_balancer.aws_lb_target_group_tfe_tg_8800_arn + bastion_key = local.bastion_key_public + bastion_sg = local.bastion_sg + default_ami_id = local.default_ami_id + friendly_name_prefix = var.friendly_name_prefix + instance_type = var.instance_type + network_id = local.network_id + network_subnets_private = local.network_private_subnets + node_count = var.node_count + userdata_script = module.user_data.tfe_userdata_base64_encoded +} diff --git a/module-common.tf b/module-common.tf deleted file mode 100644 index 33b23cfe..00000000 --- a/module-common.tf +++ /dev/null @@ -1,9 +0,0 @@ -module "common" { - source = "./modules/common-user-vpc" - vpc_id = var.vpc_id - subnet_tags = var.subnet_tags - ingress_allow_list = var.ingress_allow_list - prefix = var.prefix - tags = var.tags -} - diff --git a/module-lb.tf b/module-lb.tf deleted file mode 100644 index eba43dbd..00000000 --- a/module-lb.tf +++ /dev/null @@ -1,24 +0,0 @@ -module "lb" { - source = "./modules/lb" - - vpc_id = module.common.vpc_id - install_id = module.common.install_id - - prefix = var.prefix - domain = var.domain - private_zone = var.private_zone - - public_subnets = module.common.public_subnets - private_subnets = module.common.private_subnets - public_subnets_cidr_blocks = module.common.public_subnets_cidr_blocks - private_subnets_cidr_blocks = module.common.private_subnets_cidr_blocks - - hostname = var.hostname - update_route53 = var.update_route53 - - cert_domain = var.cert_domain - cert_arn = var.cert_arn - - tags = var.tags -} - diff --git a/modules/bastion/main.tf b/modules/bastion/main.tf new file mode 100644 index 00000000..c9047e7f --- /dev/null +++ b/modules/bastion/main.tf @@ -0,0 +1,83 @@ +################ +# BASTION HOST # +################ + +resource "aws_instance" "bastion" { + count = var.deploy_bastion == true && var.deploy_vpc == true ? 1 : 0 + + ami = var.ami_id + instance_type = "t2.micro" + subnet_id = var.bastion_host_subnet + vpc_security_group_ids = [aws_security_group.bastion[0].id] + key_name = var.bastion_keypair + associate_public_ip_address = "true" + user_data = var.userdata_script + + root_block_device { + volume_size = 20 + volume_type = "gp2" + encrypted = true + kms_key_id = var.kms_key_id + } + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-bastion" }, + var.common_tags + ) + + metadata_options { + http_tokens = "optional" + http_endpoint = "enabled" + } + +} + +resource "aws_security_group" "bastion" { + count = var.deploy_bastion == true && var.deploy_vpc == true ? 1 : 0 + + name = "${var.friendly_name_prefix}-sg-bastion-allow" + vpc_id = var.network_id + + tags = merge( + { Name = "${var.friendly_name_prefix}-sg-bastion-allow" }, + var.common_tags + ) +} + +resource "aws_security_group_rule" "bastion_ingress_ssh" { + count = length(aws_security_group.bastion) > 0 ? 1 : 0 + + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.bastion_ingress_cidr_allow + description = "Allow SSH to Bastion instance" + + security_group_id = aws_security_group.bastion[0].id +} + +resource "aws_security_group_rule" "bastion_egress" { + count = length(aws_security_group.bastion) > 0 ? 1 : 0 + + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow all egress traffic from Bastion instance" + + security_group_id = aws_security_group.bastion[0].id +} + +# Generate a keypair for bastion host to TFE instance connectivity + +resource "tls_private_key" "tfe_bastion" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "aws_key_pair" "generated_bastion_key" { + key_name = "${var.friendly_name_prefix}-tfe-bastion" + public_key = tls_private_key.tfe_bastion.public_key_openssh +} diff --git a/modules/bastion/outputs.tf b/modules/bastion/outputs.tf new file mode 100644 index 00000000..9e417aae --- /dev/null +++ b/modules/bastion/outputs.tf @@ -0,0 +1,19 @@ +output "bastion_public_dns" { + value = var.deploy_bastion == true ? aws_instance.bastion[0].public_dns : null +} + +output "bastion_public_ip" { + value = var.deploy_bastion == true ? aws_instance.bastion[0].public_ip : null +} + +output "bastion_sg" { + value = var.deploy_bastion == true ? aws_security_group.bastion[0].id : null +} + +output "generated_bastion_key_public" { + value = var.deploy_bastion == true ? aws_key_pair.generated_bastion_key.key_name : null +} + +output "generated_bastion_key_private" { + value = var.deploy_bastion == true ? tls_private_key.tfe_bastion.private_key_pem : null +} diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf new file mode 100644 index 00000000..5e22c31c --- /dev/null +++ b/modules/bastion/variables.tf @@ -0,0 +1,50 @@ +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +variable "kms_key_id" {} + +variable "userdata_script" {} + +variable "network_id" {} + +variable "ami_id" { + type = string + default = "" + description = "AMI ID to use for TFE instances and bastion host" +} + +variable "bastion_host_subnet" {} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +# Network +variable "deploy_vpc" { + type = bool + description = "(Optional) Boolean indicating whether to deploy a VPC (true) or not (false)." + default = true +} + +# Bastion +variable "deploy_bastion" { + type = bool + description = "(Optional) Boolean indicating whether to deploy a Bastion instance (true) or not (false). Only specify true if deploy_vpc is true." + default = true +} + +variable "bastion_keypair" { + type = string + description = "(Optional) Specifies existing SSH key pair to use for Bastion instance. Only specify if deploy_bastion is true." + default = null +} + +variable "bastion_ingress_cidr_allow" { + type = list(string) + description = "(Optional) List of CIDR ranges to allow SSH ingress to Bastion instance. Only specify if deploy_bastion is true." + default = ["0.0.0.0/0"] +} diff --git a/modules/common-user-vpc/docs/inputs.md b/modules/common-user-vpc/docs/inputs.md deleted file mode 100644 index 478df55f..00000000 --- a/modules/common-user-vpc/docs/inputs.md +++ /dev/null @@ -1,13 +0,0 @@ -# Terraform Enterprise: Clustering - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| prefix | Prefix for resource names | `string` | n/a | yes | -| vpc\_id | AWS VPC id to install into | `string` | n/a | yes | -| egress\_allow\_list | List of CIDR blocks we allow the infrastructure to access | `set(string)` | 
[
  "0.0.0.0/0"
]
| no | -| ingress\_allow\_list | list of CIDR blocks we allow to access the infrastructure | `set(string)` | `[]` | no | -| subnet\_tags | tags to use to match subnets to use | `map` | `{}` | no | -| tags | Map of tags to add to security groups | `map(string)` | `{}` | no | - diff --git a/modules/common-user-vpc/docs/outputs.md b/modules/common-user-vpc/docs/outputs.md deleted file mode 100644 index bf433d0b..00000000 --- a/modules/common-user-vpc/docs/outputs.md +++ /dev/null @@ -1,19 +0,0 @@ -# Terraform Enterprise: Clustering - -## Outputs - -| Name | Description | -|------|-------------| -| allow\_ptfe\_sg\_id | n/a | -| availability\_zones | n/a | -| collect\_diag\_file | n/a | -| install\_id | n/a | -| intra\_vpc\_ingress\_and\_egress\_sg\_id | n/a | -| private\_subnets | n/a | -| private\_subnets\_cidr\_blocks | n/a | -| public\_subnets | n/a | -| public\_subnets\_cidr\_blocks | n/a | -| ssh\_key\_name | n/a | -| ssh\_priv\_key\_file | n/a | -| vpc\_id | n/a | - diff --git a/modules/common-user-vpc/outputs.tf b/modules/common-user-vpc/outputs.tf deleted file mode 100644 index e9b37c8d..00000000 --- a/modules/common-user-vpc/outputs.tf +++ /dev/null @@ -1,55 +0,0 @@ -data "aws_availability_zones" "available" { - state = "available" -} - -locals { - availability_zones = slice(data.aws_availability_zones.available.names, 0, 2) -} - -output "install_id" { - value = random_string.install_id.result -} - -output "vpc_id" { - value = var.vpc_id -} - -output "availability_zones" { - value = local.availability_zones -} - -output "ssh_priv_key_file" { - value = local.private_key_filename -} - -output "ssh_key_name" { - value = local.key_name -} - -output "private_subnets" { - value = matchkeys(values(data.aws_subnet.selected)[*].id, values(data.aws_subnet.selected)[*].map_public_ip_on_launch, list("false")) -} - -output "public_subnets" { - value = matchkeys(values(data.aws_subnet.selected)[*].id, values(data.aws_subnet.selected)[*].map_public_ip_on_launch, list("true")) -} - -output "private_subnets_cidr_blocks" { - value = matchkeys(values(data.aws_subnet.selected)[*].cidr_block, values(data.aws_subnet.selected)[*].map_public_ip_on_launch, list("false")) -} - -output "public_subnets_cidr_blocks" { - value = matchkeys(values(data.aws_subnet.selected)[*].cidr_block, values(data.aws_subnet.selected)[*].map_public_ip_on_launch, list("true")) -} - -output "intra_vpc_ingress_and_egress_sg_id" { - value = aws_security_group.intra_vpc_ingress_and_egress.id -} - -output "allow_ptfe_sg_id" { - value = aws_security_group.allow_ptfe.id -} - -output "collect_diag_file" { - value = "${path.module}/../common/files/collect-diag.sh" ## I am lazy -} diff --git a/modules/common-user-vpc/security_groups.tf b/modules/common-user-vpc/security_groups.tf deleted file mode 100644 index 3c1b5b6b..00000000 --- a/modules/common-user-vpc/security_groups.tf +++ /dev/null @@ -1,84 +0,0 @@ -resource "aws_security_group" "intra_vpc_ingress_and_egress" { - description = "allow instances to talk to each other, and set up trusted ingress and egress" - vpc_id = var.vpc_id - name = "${var.prefix}-${random_string.install_id.result}-intra-cluster-and-trusted-blocks" - - ingress { - protocol = "-1" - from_port = 0 - to_port = 0 - self = true - } - - egress { - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = var.egress_allow_list - } - - dynamic "ingress" { - for_each = var.ingress_allow_list - content { - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = ingress.value - } - } - - tags = merge( - var.tags, - { - Name = "${var.prefix}" - }, - ) -} - -resource "aws_security_group" "allow_ptfe" { - name = "ptfe ingress ${random_string.install_id.result}" - description = "allow access to ptfe and replicated console" - vpc_id = var.vpc_id - - ingress { - description = "ssh, because debugging" - - protocol = "tcp" - from_port = 22 - to_port = 22 - - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "http to ptfe application" - - protocol = "tcp" - from_port = 80 - to_port = 80 - - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "https to ptfe application" - - protocol = "tcp" - from_port = 443 - to_port = 443 - - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "https to replicated console" - - protocol = "tcp" - from_port = 8800 - to_port = 8800 - - cidr_blocks = ["0.0.0.0/0"] - } - - tags = var.tags -} diff --git a/modules/common-user-vpc/ssh-key.tf b/modules/common-user-vpc/ssh-key.tf deleted file mode 100644 index ca592c8b..00000000 --- a/modules/common-user-vpc/ssh-key.tf +++ /dev/null @@ -1,35 +0,0 @@ -## mostly copied from https://github.com/cloudposse/terraform-aws-key-pair, -## which has some problems with their label module (recursively included). - -locals { - ssh_public_key_path = "${path.root}/work" - key_name = "${var.prefix}-${random_string.install_id.result}" - - public_key_filename = "${local.ssh_public_key_path}/${local.key_name}.pub" - private_key_filename = "${local.ssh_public_key_path}/${local.key_name}.priv" -} - -resource "tls_private_key" "default" { - algorithm = "RSA" -} - -resource "aws_key_pair" "generated" { - key_name = local.key_name - public_key = tls_private_key.default.public_key_openssh -} - -resource "local_file" "private_key_pem" { - content = tls_private_key.default.private_key_pem - filename = local.private_key_filename - file_permission = "0600" -} - -resource "null_resource" "chmod" { - triggers = { - key_data = local_file.private_key_pem.content - } - - provisioner "local-exec" { - command = "chmod 600 ${local.private_key_filename}" - } -} diff --git a/modules/common-user-vpc/variables.tf b/modules/common-user-vpc/variables.tf deleted file mode 100644 index ff36df1e..00000000 --- a/modules/common-user-vpc/variables.tf +++ /dev/null @@ -1,46 +0,0 @@ -### =================================================================== REQUIRED - -variable "vpc_id" { - type = string - description = "AWS VPC id to install into" -} - -variable "prefix" { - type = string - description = "Prefix for resource names" -} - -### =================================================================== OPTIONAL - -variable "subnet_tags" { - type = map - description = "tags to use to match subnets to use" - default = {} -} - -variable "ingress_allow_list" { - type = set(string) - description = "list of CIDR blocks we allow to access the infrastructure" - default = [] -} - -variable "egress_allow_list" { - type = set(string) - description = "List of CIDR blocks we allow the infrastructure to access" - default = ["0.0.0.0/0"] -} - -variable "tags" { - type = map(string) - description = "Map of tags to add to security groups" - default = {} -} - - -### ======================================================================= MISC - -resource "random_string" "install_id" { - length = 8 - special = false - upper = false -} diff --git a/modules/common-user-vpc/vpc.tf b/modules/common-user-vpc/vpc.tf deleted file mode 100644 index 4660aa93..00000000 --- a/modules/common-user-vpc/vpc.tf +++ /dev/null @@ -1,14 +0,0 @@ -data "aws_vpc" "selected" { - id = var.vpc_id -} - -data "aws_subnet_ids" "selected" { - vpc_id = var.vpc_id - tags = var.subnet_tags -} - -data "aws_subnet" "selected" { - # https://github.com/terraform-providers/terraform-provider-aws/issues/7522 - for_each = data.aws_subnet_ids.selected.ids - id = each.value -} diff --git a/modules/database/main.tf b/modules/database/main.tf new file mode 100644 index 00000000..66390cdb --- /dev/null +++ b/modules/database/main.tf @@ -0,0 +1,85 @@ +resource "random_string" "postgresql_password" { + length = 128 + special = false +} + +resource "aws_security_group" "postgresql" { + description = "The security group of the PostgreSQL deployment for TFE." + name = "${var.friendly_name_prefix}-tfe-postgresql" + vpc_id = var.network_id + + tags = var.common_tags +} + +resource "aws_security_group_rule" "postgresql_tfe_ingress" { + security_group_id = aws_security_group.postgresql.id + type = "ingress" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + source_security_group_id = var.tfe_instance_sg +} + +resource "aws_security_group_rule" "postgresql_tfe_egress" { + security_group_id = aws_security_group.postgresql.id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + source_security_group_id = var.tfe_instance_sg +} + +resource "aws_security_group_rule" "postgresql_ingress" { + security_group_id = aws_security_group.postgresql.id + type = "ingress" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = var.network_private_subnet_cidrs +} + +resource "aws_security_group_rule" "postgresql_egress" { + security_group_id = aws_security_group.postgresql.id + type = "egress" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = var.network_private_subnet_cidrs +} + +resource "aws_db_subnet_group" "tfe" { + name = var.friendly_name_prefix + subnet_ids = var.network_subnets_private + + tags = var.common_tags +} + +resource "aws_db_instance" "postgresql" { + allocated_storage = 20 + engine = "postgres" + instance_class = var.db_size + password = random_string.postgresql_password.result + # no special characters allowed + username = "espdtfe" + + allow_major_version_upgrade = false + apply_immediately = true + backup_retention_period = 0 + db_subnet_group_name = aws_db_subnet_group.tfe.name + delete_automated_backups = true + deletion_protection = false + engine_version = var.engine_version + identifier_prefix = "${var.friendly_name_prefix}-tfe" + max_allocated_storage = 0 + multi_az = true + # no special characters allowed + name = "espdtfe" + port = 5432 + publicly_accessible = false + skip_final_snapshot = true + storage_encrypted = true + storage_type = "gp2" + vpc_security_group_ids = [aws_security_group.postgresql.id] + + tags = var.common_tags +} diff --git a/modules/database/outputs.tf b/modules/database/outputs.tf new file mode 100644 index 00000000..86c0427e --- /dev/null +++ b/modules/database/outputs.tf @@ -0,0 +1,15 @@ +output "db_endpoint" { + value = aws_db_instance.postgresql.endpoint +} + +output "db_name" { + value = aws_db_instance.postgresql.name +} + +output "db_password" { + value = aws_db_instance.postgresql.password +} + +output "db_username" { + value = aws_db_instance.postgresql.username +} diff --git a/modules/database/variables.tf b/modules/database/variables.tf new file mode 100644 index 00000000..73f31831 --- /dev/null +++ b/modules/database/variables.tf @@ -0,0 +1,34 @@ +variable "network_id" {} + +variable "db_size" { + type = string + default = "db.m4.xlarge" + description = "PostgreSQL instance size." +} + +variable "engine_version" { + type = string + default = "9.5.15" + description = "PostgreSQL version." +} + +variable "network_subnets_private" {} + +variable "tfe_instance_sg" {} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "network_private_subnet_cidrs" { + type = list(string) + description = "(Optional) List of private subnet CIDR ranges to create in VPC." + default = ["10.0.32.0/20", "10.0.48.0/20"] +} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} diff --git a/modules/external-services/README.md b/modules/external-services/README.md deleted file mode 100644 index 8700a65d..00000000 --- a/modules/external-services/README.md +++ /dev/null @@ -1,10 +0,0 @@ -## Terraform Enterprise External Services - -This module provides basic AWS external service resources in the form of: - -* An S3 bucket -* An IAM user that can access the S3 bucket -* An Aurora cluster with a single instance in Postgresql mode - -This module assumes basic setup with reasonable defaults. If need extensive changes, -best to copy this module and make your own local changes to it. diff --git a/modules/external-services/docs/inputs.md b/modules/external-services/docs/inputs.md deleted file mode 100644 index d3a8cd6e..00000000 --- a/modules/external-services/docs/inputs.md +++ /dev/null @@ -1,14 +0,0 @@ -# Terraform Enterprise: Clustering - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| install\_id | Identifier for installation | `string` | n/a | yes | -| vpc\_id | AWS VPC id to install into | `string` | n/a | yes | -| database\_name | name of the initial database | `string` | `"tfe"` | no | -| database\_username | username of the initial user | `string` | `"tfe"` | no | -| prefix | string to prefix all resources with | `string` | `""` | no | -| rds\_instance\_class | instance class of the database | `string` | `"db.r5.large"` | no | -| rds\_subnet\_tags | tags to use to match subnets to use | `map` | `{}` | no | -| demo | Defines whether these resources are deployed as a demo | `bool` | `false` | no | \ No newline at end of file diff --git a/modules/external-services/docs/outputs.md b/modules/external-services/docs/outputs.md deleted file mode 100644 index c2080ee5..00000000 --- a/modules/external-services/docs/outputs.md +++ /dev/null @@ -1,15 +0,0 @@ -# Terraform Enterprise: Clustering - -## Outputs - -| Name | Description | -|------|-------------| -| database\_endpoint | n/a | -| database\_name | n/a | -| database\_password | n/a | -| database\_username | n/a | -| iam\_access\_key | n/a | -| iam\_secret\_key | n/a | -| s3\_bucket | n/a | -| s3\_region | n/a | - diff --git a/modules/external-services/iam.tf b/modules/external-services/iam.tf deleted file mode 100644 index 5819a9fe..00000000 --- a/modules/external-services/iam.tf +++ /dev/null @@ -1,29 +0,0 @@ -resource "aws_iam_user" "tfe_objects" { - name = "${var.prefix}tfe-object-store-${var.install_id}" - force_destroy = true -} - -## credentials to be passed to archivist -resource "aws_iam_access_key" "tfe_objects" { - user = aws_iam_user.tfe_objects.name -} - -data aws_iam_policy_document "tfe_objects" { - statement { - actions = [ - "s3:*", - ] - - resources = [ - aws_s3_bucket.tfe_objects.arn, - "${aws_s3_bucket.tfe_objects.arn}/*", - ] - } -} - -resource "aws_iam_user_policy" "tfe_objects" { - user = aws_iam_user.tfe_objects.name - name = "${var.prefix}archivist-bucket-${var.install_id}" - - policy = data.aws_iam_policy_document.tfe_objects.json -} diff --git a/modules/external-services/main.tf b/modules/external-services/main.tf deleted file mode 100644 index 6f356d55..00000000 --- a/modules/external-services/main.tf +++ /dev/null @@ -1,49 +0,0 @@ -### =================================================================== REQUIRED - -variable "vpc_id" { - type = string - description = "AWS VPC id to install into" -} - -variable "install_id" { - type = string - description = "Identifier for installation" -} - -### =================================================================== OPTIONAL - -variable "prefix" { - type = string - description = "string to prefix all resources with " - default = "" -} - -variable "rds_instance_class" { - type = string - description = "instance class of the database" - default = "db.r5.large" -} - -variable "rds_subnet_tags" { - type = map - description = "tags to use to match subnets to use" - default = {} -} - -variable "database_name" { - type = string - description = "name of the initial database" - default = "tfe" -} - -variable "database_username" { - type = string - description = "username of the initial user" - default = "tfe" -} - -variable "demo" { - type = bool - description = "Defines whether these resources are deployed as a demo" - default = false -} diff --git a/modules/external-services/output.tf b/modules/external-services/output.tf deleted file mode 100644 index 31c850a4..00000000 --- a/modules/external-services/output.tf +++ /dev/null @@ -1,31 +0,0 @@ -output "iam_access_key" { - value = aws_iam_access_key.tfe_objects.id -} - -output "iam_secret_key" { - value = aws_iam_access_key.tfe_objects.secret -} - -output "s3_bucket" { - value = aws_s3_bucket.tfe_objects.id -} - -output "s3_region" { - value = aws_s3_bucket.tfe_objects.region -} - -output "database_password" { - value = random_string.database_password.result -} - -output "database_username" { - value = var.database_username -} - -output "database_endpoint" { - value = aws_rds_cluster.tfe.endpoint -} - -output "database_name" { - value = var.database_name -} diff --git a/modules/external-services/rds.tf b/modules/external-services/rds.tf deleted file mode 100644 index 28692e21..00000000 --- a/modules/external-services/rds.tf +++ /dev/null @@ -1,67 +0,0 @@ -locals { - postgres_port = "5432" -} - -data "aws_vpc" "selected" { - id = var.vpc_id -} - -data "aws_subnet_ids" "rds" { - vpc_id = var.vpc_id - tags = var.rds_subnet_tags -} - -data "aws_subnet" "selected" { - count = length(data.aws_subnet_ids.rds.ids) - id = element(tolist(data.aws_subnet_ids.rds.ids), count.index) -} - -resource "aws_security_group" "db_access" { - description = "allow instances to talk to each other, and have unfettered egress" - vpc_id = var.vpc_id - - ingress { - protocol = "tcp" - from_port = local.postgres_port - to_port = local.postgres_port - - cidr_blocks = data.aws_subnet.selected.*.cidr_block - } -} - -resource "random_string" "database_password" { - length = 40 - special = false -} - -resource "aws_db_subnet_group" "tfe" { - name_prefix = "${var.prefix}tfe-${var.install_id}" - subnet_ids = data.aws_subnet.selected.*.id - - tags = { - Name = "tfe subnet group" - } -} - -resource "aws_rds_cluster" "tfe" { - cluster_identifier_prefix = "${var.prefix}tfe-${var.install_id}" - engine = "aurora-postgresql" - database_name = var.database_name - master_username = var.database_username - master_password = random_string.database_password.result - db_subnet_group_name = aws_db_subnet_group.tfe.name - backup_retention_period = 5 - preferred_backup_window = "07:00-09:00" - vpc_security_group_ids = [aws_security_group.db_access.id] - final_snapshot_identifier = "${var.prefix}tfe-${var.install_id}-final" - skip_final_snapshot = var.demo == true -} - -resource "aws_rds_cluster_instance" "tfe1" { - apply_immediately = true - cluster_identifier = aws_rds_cluster.tfe.id - identifier_prefix = "${var.prefix}tfe1" - engine = "aurora-postgresql" - instance_class = var.rds_instance_class - db_subnet_group_name = aws_db_subnet_group.tfe.name -} diff --git a/modules/external-services/s3.tf b/modules/external-services/s3.tf deleted file mode 100644 index 9d4e87ea..00000000 --- a/modules/external-services/s3.tf +++ /dev/null @@ -1,3 +0,0 @@ -resource "aws_s3_bucket" "tfe_objects" { - bucket = "${var.prefix}tfe-${var.install_id}" -} diff --git a/modules/lb/docs/inputs.md b/modules/lb/docs/inputs.md deleted file mode 100644 index 34c519fa..00000000 --- a/modules/lb/docs/inputs.md +++ /dev/null @@ -1,21 +0,0 @@ -# Terraform Enterprise: Clustering - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:-----:| -| domain | this is used to find an existing issued wildcard cert and route53 zone | `string` | n/a | yes | -| install\_id | the ID of the install | `string` | n/a | yes | -| prefix | Prefix for resources | `string` | n/a | yes | -| private\_subnets | list of private subnets | `set(string)` | n/a | yes | -| private\_subnets\_cidr\_blocks | list of CIDRs for the private subnets | `set(string)` | n/a | yes | -| public\_subnets | list of public subnets | `set(string)` | n/a | yes | -| public\_subnets\_cidr\_blocks | list of CIDRs for the public subnets | `set(string)` | n/a | yes | -| vpc\_id | the ID of the VPC | `string` | n/a | yes | -| cert\_arn | Amazon Resource Name (ARN) for Certificate in the ACM you'd like to use (default uses domain or cert\_domain to look it up) | `string` | `""` | no | -| cert\_domain | domain to search for ACM certificate with (default is *.domain) | `string` | `""` | no | -| hostname | hostname to assign to cluster under domain (default is autogenerated one) | `string` | `""` | no | -| private\_zone | set to true if your route53 zone is private | `string` | `false` | no | -| tags | Map of tags to add to load balancer | `map(string)` | `{}` | no | -| update\_route53 | indicate if route53 should be updated automatically | `string` | `true` | no | - diff --git a/modules/lb/docs/outputs.md b/modules/lb/docs/outputs.md deleted file mode 100644 index 3f3143e9..00000000 --- a/modules/lb/docs/outputs.md +++ /dev/null @@ -1,13 +0,0 @@ -# Terraform Enterprise: Clustering - -## Outputs - -| Name | Description | -|------|-------------| -| admin\_group | n/a | -| endpoint | n/a | -| https\_group | n/a | -| lb\_endpoint | n/a | -| lb\_id | n/a | -| sg\_lb\_to\_instance | n/a | - diff --git a/modules/lb/elb.tf b/modules/lb/elb.tf deleted file mode 100644 index 2cfb3cb7..00000000 --- a/modules/lb/elb.tf +++ /dev/null @@ -1,84 +0,0 @@ -resource "aws_lb" "ptfe" { - subnets = var.private_zone ? var.private_subnets : var.public_subnets - load_balancer_type = "application" - internal = var.private_zone - - security_groups = [ - aws_security_group.lb_public.id, - aws_security_group.lb_to_instance.id, - ] - - idle_timeout = 3600 ## for ssh - - tags = merge( - var.tags, - { - Name = var.prefix - }, - ) -} - -resource "aws_lb_target_group" "https" { - port = 443 - protocol = "HTTPS" - vpc_id = var.vpc_id - - health_check { - path = "/_health_check" - protocol = "HTTPS" - } -} - -resource "aws_lb_target_group" "admin" { - port = 8800 - protocol = "HTTPS" - vpc_id = var.vpc_id - - health_check { - path = "/ping" - protocol = "HTTPS" - matcher = "200-399" - } -} - -resource "aws_lb_listener" "http" { - load_balancer_arn = aws_lb.ptfe.arn - port = "80" - protocol = "HTTP" - - default_action { - type = "redirect" - - redirect { - port = "443" - protocol = "HTTPS" - status_code = "HTTP_301" - } - } -} - -resource "aws_lb_listener" "https" { - load_balancer_arn = aws_lb.ptfe.arn - port = "443" - protocol = "HTTPS" - ssl_policy = "ELBSecurityPolicy-2016-08" - certificate_arn = var.cert_arn != "" ? var.cert_arn : data.aws_acm_certificate.lb.arn - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.https.arn - } -} - -resource "aws_lb_listener" "admin" { - load_balancer_arn = aws_lb.ptfe.arn - port = "8800" - protocol = "HTTPS" - ssl_policy = "ELBSecurityPolicy-2016-08" - certificate_arn = var.cert_arn != "" ? var.cert_arn : data.aws_acm_certificate.lb.arn - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.admin.arn - } -} diff --git a/modules/lb/outputs.tf b/modules/lb/outputs.tf deleted file mode 100644 index 0a2db1f3..00000000 --- a/modules/lb/outputs.tf +++ /dev/null @@ -1,27 +0,0 @@ -output "sg_lb_to_instance" { - value = aws_security_group.lb_to_instance.id -} - -output "lb_id" { - value = aws_lb.ptfe.id -} - -output "lb_endpoint" { - value = aws_lb.ptfe.dns_name -} - -output "lb_zone_id" { - value = aws_lb.ptfe.zone_id -} - -output "endpoint" { - value = local.endpoint -} - -output "https_group" { - value = aws_lb_target_group.https.arn -} - -output "admin_group" { - value = aws_lb_target_group.admin.arn -} diff --git a/modules/lb/route53.tf b/modules/lb/route53.tf deleted file mode 100644 index b32f0c04..00000000 --- a/modules/lb/route53.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "aws_route53_record" "ptfe_lb" { - count = var.update_route53 ? 1 : 0 - - zone_id = data.aws_route53_zone.zone[count.index].zone_id - name = local.endpoint - type = "A" - - alias { - name = aws_lb.ptfe.dns_name - zone_id = aws_lb.ptfe.zone_id - - evaluate_target_health = false - } -} diff --git a/modules/lb/security-groups.tf b/modules/lb/security-groups.tf deleted file mode 100644 index 36d57ad9..00000000 --- a/modules/lb/security-groups.tf +++ /dev/null @@ -1,85 +0,0 @@ -locals { - publ_priv_subnet_cidr_blocks = setunion(var.public_subnets_cidr_blocks, var.private_subnets_cidr_blocks) -} - -resource "aws_security_group" "lb_to_instance" { - description = "allow access to instances from the lb" - vpc_id = var.vpc_id - - ingress { - description = "ssh, because debugging" - protocol = "tcp" - from_port = 22 - to_port = 22 - cidr_blocks = local.publ_priv_subnet_cidr_blocks - } - - ingress { - description = "https to ptfe application" - protocol = "tcp" - from_port = 443 - to_port = 443 - cidr_blocks = local.publ_priv_subnet_cidr_blocks - } - - ingress { - description = "https to replicated console" - protocol = "tcp" - from_port = 8800 - to_port = 8800 - cidr_blocks = local.publ_priv_subnet_cidr_blocks - } -} - -resource "aws_security_group" "lb_public" { - description = "allow access to ptfe and replicated console" - vpc_id = var.vpc_id - - ingress { - description = "ssh, because debugging" - protocol = "tcp" - from_port = 22 - to_port = 22 - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "http to ptfe application" - protocol = "tcp" - from_port = 80 - to_port = 80 - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "https to ptfe application" - protocol = "tcp" - from_port = 443 - to_port = 443 - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "https to replicated console" - protocol = "tcp" - from_port = 8800 - to_port = 8800 - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - description = "allow all access to instances" - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = var.private_subnets_cidr_blocks - } - - egress { - description = "allow all access to instances" - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = var.public_subnets_cidr_blocks - } -} diff --git a/modules/lb/variables.tf b/modules/lb/variables.tf deleted file mode 100644 index 7339f7ae..00000000 --- a/modules/lb/variables.tf +++ /dev/null @@ -1,103 +0,0 @@ -### =================================================================== REQUIRED - -variable "vpc_id" { - type = string - description = "the ID of the VPC" -} - -variable "install_id" { - type = string - description = "the ID of the install" -} - -variable "public_subnets" { - type = set(string) - description = "list of public subnets" -} - -variable "private_subnets" { - type = set(string) - description = "list of private subnets" -} - -variable "public_subnets_cidr_blocks" { - type = set(string) - description = "list of CIDRs for the public subnets" -} - -variable "private_subnets_cidr_blocks" { - type = set(string) - description = "list of CIDRs for the private subnets" -} - -## `*.${var.domain}` in ACM, `${var.domain}` in route53 -variable "domain" { - type = string - description = "this is used to find an existing issued wildcard cert and route53 zone" -} - -variable "private_zone" { - type = string - description = "set to true if your route53 zone is private" - default = false -} - -variable "hostname" { - type = string - description = "hostname to assign to cluster under domain (default is autogenerated one)" - default = "" -} - -variable "update_route53" { - type = string - description = "indicate if route53 should be updated automatically" - default = true -} - -variable "cert_arn" { - type = string - description = "Amazon Resource Name (ARN) for Certificate in the ACM you'd like to use (default uses domain or cert_domain to look it up)" - default = "" -} - -variable "cert_domain" { - type = string - description = "domain to search for ACM certificate with (default is *.domain)" - default = "" -} - -variable "prefix" { - type = string - description = "Prefix for resources" -} - -variable "tags" { - type = map(string) - description = "Map of tags to add to load balancer" - default = {} -} - -### =================================================================== OPTIONAL - -### ======================================================================= MISC - -## issued certificate that the lb will be configured to use -data "aws_acm_certificate" "lb" { - domain = var.cert_domain != "" ? var.cert_domain : "*.${var.domain}" - statuses = ["ISSUED"] - most_recent = true -} - -## existing route53 zone where we'll create an alias to the lb -data "aws_route53_zone" "zone" { - count = var.update_route53 ? 1 : 0 - name = var.domain - private_zone = var.private_zone -} - -locals { - hostname = var.hostname != "" ? var.hostname : "ptfe-${var.install_id}" - - ## https://${local.endpoint}/… - endpoint = "${local.hostname}.${var.domain}" -} diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf new file mode 100644 index 00000000..f8e7c9e9 --- /dev/null +++ b/modules/load_balancer/main.tf @@ -0,0 +1,161 @@ +resource "aws_security_group" "tfe_lb_allow" { + name = "${var.friendly_name_prefix}-tfe-lb-allow" + vpc_id = var.network_id + + tags = var.common_tags +} + +resource "aws_security_group_rule" "tfe_lb_allow_inbound_http" { + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow HTTP (port 80) traffic inbound to TFE LB" + security_group_id = aws_security_group.tfe_lb_allow.id +} + +resource "aws_security_group_rule" "tfe_lb_allow_inbound_https" { + type = "ingress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow HTTPS (port 443) traffic inbound to TFE LB" + security_group_id = aws_security_group.tfe_lb_allow.id +} + +resource "aws_security_group_rule" "tfe_lb_allow_inbound_dashboard" { + count = var.active_active ? 0 : 1 + type = "ingress" + from_port = 8800 + to_port = 8800 + protocol = "tcp" + cidr_blocks = var.admin_dashboard_ingress_ranges + description = "Allow dashboard traffic inbound to TFE LB" + security_group_id = aws_security_group.tfe_lb_allow.id +} + +resource "aws_security_group" "tfe_outbound_allow" { + name = "${var.friendly_name_prefix}-tfe-outbound-allow" + vpc_id = var.network_id + + tags = var.common_tags +} + +resource "aws_security_group_rule" "tfe_outbound_allow_all" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow all traffic outbound from TFE" + + security_group_id = aws_security_group.tfe_outbound_allow.id +} + +resource "aws_lb" "tfe_alb" { + name = "${var.friendly_name_prefix}-tfe-web-alb" + internal = var.load_balancing_scheme + load_balancer_type = "application" + subnets = var.network_public_subnets + + security_groups = [ + aws_security_group.tfe_lb_allow.id, + aws_security_group.tfe_outbound_allow.id + ] + + tags = var.common_tags +} + +resource "aws_lb_listener" "tfe_listener_80" { + load_balancer_arn = aws_lb.tfe_alb.arn + port = 80 + protocol = "HTTP" + + default_action { + type = "redirect" + + redirect { + port = 443 + protocol = "HTTPS" + status_code = "HTTP_301" + } + } +} + +resource "aws_lb_listener" "tfe_listener_443" { + load_balancer_arn = aws_lb.tfe_alb.arn + port = 443 + protocol = "HTTPS" + ssl_policy = var.ssl_policy + certificate_arn = var.certificate_arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.tfe_tg_443.arn + } +} + +resource "aws_lb_target_group" "tfe_tg_443" { + name = "${var.friendly_name_prefix}-tfe-alb-tg-443" + port = 443 + protocol = "HTTPS" + vpc_id = var.network_id + + health_check { + path = "/_health_check" + protocol = "HTTPS" + matcher = "200-399" + } + + tags = var.common_tags +} + +resource "aws_lb_listener" "tfe_listener_8800" { + count = var.active_active ? 0 : 1 + load_balancer_arn = aws_lb.tfe_alb.arn + port = 8800 + protocol = "HTTPS" + ssl_policy = var.ssl_policy + certificate_arn = var.certificate_arn + + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.tfe_tg_8800[0].arn + } +} + +resource "aws_lb_target_group" "tfe_tg_8800" { + count = var.active_active ? 0 : 1 + name = "${var.friendly_name_prefix}-tfe-alb-tg-8800" + port = 8800 + protocol = "HTTPS" + vpc_id = var.network_id + + health_check { + path = "/" + protocol = "HTTPS" + matcher = "200-399" + } + + tags = var.common_tags +} + +data "aws_route53_zone" "tfe" { + name = var.domain_name + private_zone = false +} + +resource "aws_route53_record" "tfe" { + zone_id = data.aws_route53_zone.tfe.zone_id + name = var.fqdn + type = "A" + + alias { + name = aws_lb.tfe_alb.dns_name + zone_id = aws_lb.tfe_alb.zone_id + evaluate_target_health = true + } +} diff --git a/modules/load_balancer/outputs.tf b/modules/load_balancer/outputs.tf new file mode 100644 index 00000000..cee62409 --- /dev/null +++ b/modules/load_balancer/outputs.tf @@ -0,0 +1,15 @@ +output "aws_lb_security_group" { + value = aws_security_group.tfe_lb_allow.id +} + +output "aws_lb_target_group_tfe_tg_443_arn" { + value = aws_lb_target_group.tfe_tg_443.arn +} + +output "aws_lb_target_group_tfe_tg_8800_arn" { + value = var.active_active ? "" : aws_lb_target_group.tfe_tg_8800[0].arn +} + +output "load_balancer_address" { + value = aws_lb.tfe_alb.dns_name +} diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf new file mode 100644 index 00000000..d156e982 --- /dev/null +++ b/modules/load_balancer/variables.tf @@ -0,0 +1,35 @@ +variable "domain_name" {} + +variable "admin_dashboard_ingress_ranges" {} + +variable "certificate_arn" {} + +variable "fqdn" {} + +variable "load_balancing_scheme" { + type = bool + description = "(Optional) Boolean indicating whether the load balancer is internal or external. Defaults to internal." + default = true +} + +variable "ssl_policy" {} + +variable "network_id" {} + +variable "network_public_subnets" {} + +variable "active_active" { + type = bool + description = "Flag for active-active configuation: true for active-active, false for standalone." +} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} diff --git a/modules/networking/main.tf b/modules/networking/main.tf new file mode 100644 index 00000000..31af6fcb --- /dev/null +++ b/modules/networking/main.tf @@ -0,0 +1,167 @@ +################################################# +# AZs +################################################# +data "aws_availability_zones" "available" { + state = "available" +} + +################################################# +# VPC +################################################# +resource "aws_vpc" "main" { + count = var.deploy_vpc == true ? 1 : 0 + + cidr_block = var.network_cidr + enable_dns_hostnames = true + enable_dns_support = true + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-vpc" }, + var.common_tags + ) +} + +################################################# +# Subnets +################################################# +resource "aws_subnet" "public" { + count = var.deploy_vpc == true ? length(var.network_public_subnet_cidrs) : 0 + + vpc_id = aws_vpc.main[0].id + cidr_block = var.network_public_subnet_cidrs[count.index] + availability_zone = element(data.aws_availability_zones.available.names, count.index) + map_public_ip_on_launch = true + + tags = merge( + { Name = "${var.friendly_name_prefix}-public-${element(data.aws_availability_zones.available.names, count.index)}" }, + var.common_tags + ) +} + +resource "aws_subnet" "private" { + count = var.deploy_vpc == true ? length(var.network_private_subnet_cidrs) : 0 + + vpc_id = aws_vpc.main[0].id + cidr_block = var.network_private_subnet_cidrs[count.index] + availability_zone = element(data.aws_availability_zones.available.names, count.index) + map_public_ip_on_launch = false + + tags = merge( + { Name = "${var.friendly_name_prefix}-private-${element(data.aws_availability_zones.available.names, count.index)}" }, + var.common_tags + ) +} + +################################################# +# Internet Gateway +################################################# +resource "aws_internet_gateway" "igw" { + count = var.deploy_vpc == true ? 1 : 0 + + vpc_id = aws_vpc.main[0].id + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-igw" }, + var.common_tags + ) +} + +################################################# +# Elastic IPs +################################################# +resource "aws_eip" "nat_eip" { + count = var.deploy_vpc == true && length(var.network_public_subnet_cidrs) > 0 ? length(var.network_public_subnet_cidrs) : 0 + + vpc = true + depends_on = [aws_internet_gateway.igw] + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-nat-eip" }, + var.common_tags + ) +} + +################################################# +# NAT Gateways +################################################# +resource "aws_nat_gateway" "ngw" { + count = var.deploy_vpc == true && length(var.network_public_subnet_cidrs) > 0 ? length(var.network_public_subnet_cidrs) : 0 + + allocation_id = element(aws_eip.nat_eip.*.id, count.index) + subnet_id = element(aws_subnet.public.*.id, count.index) + + depends_on = [ + aws_internet_gateway.igw, + aws_eip.nat_eip, + aws_subnet.public, + ] + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-ngw-${count.index}" }, + var.common_tags + ) +} + +################################################# +# Route Tables & Routes +################################################# +resource "aws_route_table" "rtb_public" { + count = var.deploy_vpc == true ? 1 : 0 + + vpc_id = aws_vpc.main[0].id + + depends_on = [aws_internet_gateway.igw] + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-rtb-public" }, + var.common_tags + ) +} + +resource "aws_route" "route_public" { + count = var.deploy_vpc == true ? 1 : 0 + + route_table_id = aws_route_table.rtb_public[0].id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw[0].id +} + +resource "aws_route_table" "rtb_private" { + count = var.deploy_vpc == true ? length(var.network_private_subnet_cidrs) : 0 + + vpc_id = aws_vpc.main[0].id + + depends_on = [aws_nat_gateway.ngw] + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-rtb-private-${count.index}" }, + var.common_tags + ) +} + +resource "aws_route" "route_private" { + count = var.deploy_vpc == true ? length(var.network_private_subnet_cidrs) : 0 + + route_table_id = element(aws_route_table.rtb_private.*.id, count.index) + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = element(aws_nat_gateway.ngw.*.id, count.index) +} + +resource "aws_route_table_association" "rtbassoc-public" { + count = var.deploy_vpc == true ? length(var.network_public_subnet_cidrs) : 0 + + subnet_id = element(aws_subnet.public.*.id, count.index) + route_table_id = aws_route_table.rtb_public[0].id +} + +resource "aws_route_table_association" "rtbassoc-private" { + count = var.deploy_vpc == true ? length(var.network_private_subnet_cidrs) : 0 + + subnet_id = element(aws_subnet.private.*.id, count.index) + route_table_id = element(aws_route_table.rtb_private.*.id, count.index) +} + +locals { + network_id = var.deploy_vpc == true ? aws_vpc.main[0].id : "" + bastion_host_subnet = var.deploy_vpc == true ? aws_subnet.public[0].id : "" +} diff --git a/modules/networking/outputs.tf b/modules/networking/outputs.tf new file mode 100644 index 00000000..9d867a89 --- /dev/null +++ b/modules/networking/outputs.tf @@ -0,0 +1,19 @@ +output "bastion_host_subnet" { + value = local.bastion_host_subnet +} + +output "network_id" { + value = local.network_id +} + +output "network_private_subnets" { + value = aws_subnet.private[*].id +} + +output "network_public_subnets" { + value = aws_subnet.public[*].id +} + +output "network_private_subnet_cidrs" { + value = aws_subnet.private[*].cidr_block +} diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf new file mode 100644 index 00000000..d34ba039 --- /dev/null +++ b/modules/networking/variables.tf @@ -0,0 +1,35 @@ +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +# Network +variable "deploy_vpc" { + type = bool + description = "(Optional) Boolean indicating whether to deploy a VPC (true) or not (false)." + default = true +} + +variable "network_cidr" { + type = string + description = "(Optional) CIDR block for VPC." + default = "10.0.0.0/16" +} + +variable "network_private_subnet_cidrs" { + type = list(string) + description = "(Optional) List of private subnet CIDR ranges to create in VPC." + default = ["10.0.32.0/20", "10.0.48.0/20"] +} + +variable "network_public_subnet_cidrs" { + type = list(string) + description = "(Optional) List of public subnet CIDR ranges to create in VPC." + default = ["10.0.0.0/20", "10.0.16.0/20"] +} diff --git a/modules/object_storage/main.tf b/modules/object_storage/main.tf new file mode 100644 index 00000000..9a8b2a3e --- /dev/null +++ b/modules/object_storage/main.tf @@ -0,0 +1,82 @@ +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} + +resource "aws_s3_bucket" "tfe_bootstrap_bucket" { + bucket = "${var.friendly_name_prefix}-tfe-bootstrap" + acl = "private" + + versioning { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = var.kms_key_arn + sse_algorithm = "aws:kms" + } + } + } + + force_destroy = true + + tags = var.common_tags +} + +resource "aws_s3_bucket_object" "tfe_license" { + bucket = aws_s3_bucket.tfe_bootstrap_bucket.id + key = var.tfe_license_name + source = var.tfe_license_filepath + + tags = var.common_tags +} + +resource "aws_s3_bucket_object" "proxy_cert_bundle" { + count = var.proxy_cert_bundle_name != "" ? 1 : 0 + bucket = aws_s3_bucket.tfe_bootstrap_bucket.id + key = var.proxy_cert_bundle_name + source = var.proxy_cert_bundle_filepath + + tags = var.common_tags +} + +resource "aws_s3_bucket_public_access_block" "tfe_bootstrap_bucket" { + bucket = aws_s3_bucket.tfe_bootstrap_bucket.id + + block_public_acls = true + block_public_policy = true + restrict_public_buckets = true + ignore_public_acls = true +} + +resource "aws_s3_bucket" "tfe_data_bucket" { + bucket = "${var.friendly_name_prefix}-tfe-data" + acl = "private" + + versioning { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = var.kms_key_arn + sse_algorithm = "aws:kms" + } + } + } + + force_destroy = true + + tags = var.common_tags +} + +resource "aws_s3_bucket_public_access_block" "tfe_data" { + bucket = aws_s3_bucket.tfe_data_bucket.id + + block_public_acls = true + block_public_policy = true + restrict_public_buckets = true + ignore_public_acls = true +} diff --git a/modules/object_storage/outputs.tf b/modules/object_storage/outputs.tf new file mode 100644 index 00000000..44db3d7e --- /dev/null +++ b/modules/object_storage/outputs.tf @@ -0,0 +1,15 @@ +output "s3_bucket_bootstrap" { + value = aws_s3_bucket.tfe_bootstrap_bucket.id +} + +output "s3_bucket_bootstrap_arn" { + value = aws_s3_bucket.tfe_bootstrap_bucket.arn +} + +output "s3_bucket_data" { + value = aws_s3_bucket.tfe_data_bucket.id +} + +output "s3_bucket_data_arn" { + value = aws_s3_bucket.tfe_data_bucket.arn +} \ No newline at end of file diff --git a/modules/object_storage/variables.tf b/modules/object_storage/variables.tf new file mode 100644 index 00000000..c9efd90f --- /dev/null +++ b/modules/object_storage/variables.tf @@ -0,0 +1,26 @@ +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +variable "kms_key_arn" {} + +variable "tfe_license_name" { + type = string + default = "ptfe-license.rli" + description = "(Required) Filename for PTFE license file." +} + +variable "tfe_license_filepath" { + type = string + description = "(Required) Absolute filepath to location of PTFE license file." +} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "proxy_cert_bundle_filepath" {} +variable "proxy_cert_bundle_name" {} diff --git a/modules/redis/main.tf b/modules/redis/main.tf new file mode 100644 index 00000000..f331ba4e --- /dev/null +++ b/modules/redis/main.tf @@ -0,0 +1,86 @@ +resource "random_id" "redis_password" { + count = var.active_active ? 1 : 0 + byte_length = 16 +} + +resource "aws_security_group" "redis" { + count = var.active_active ? 1 : 0 + description = "The security group of the Redis deployment for TFE." + name = "${var.friendly_name_prefix}-tfe-redis" + vpc_id = var.network_id + + tags = var.common_tags +} + +resource "aws_security_group_rule" "redis_tfe_ingress" { + count = var.active_active ? 1 : 0 + security_group_id = aws_security_group.redis[0].id + type = "ingress" + from_port = var.redis_port + to_port = var.redis_port + protocol = "tcp" + source_security_group_id = var.tfe_instance_sg +} + +resource "aws_security_group_rule" "redis_tfe_egress" { + count = var.active_active ? 1 : 0 + security_group_id = aws_security_group.redis[0].id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + source_security_group_id = var.tfe_instance_sg +} + +resource "aws_security_group_rule" "redis_ingress" { + count = var.active_active ? 1 : 0 + security_group_id = aws_security_group.redis[0].id + type = "ingress" + from_port = var.redis_port + to_port = var.redis_port + protocol = "tcp" + cidr_blocks = var.network_private_subnet_cidrs +} + +resource "aws_security_group_rule" "redis_egress" { + count = var.active_active ? 1 : 0 + security_group_id = aws_security_group.redis[0].id + type = "egress" + from_port = var.redis_port + to_port = var.redis_port + protocol = "tcp" + cidr_blocks = var.network_private_subnet_cidrs +} + +resource "aws_elasticache_subnet_group" "tfe" { + count = var.active_active ? 1 : 0 + name = "${var.friendly_name_prefix}-tfe-redis" + subnet_ids = var.network_subnets_private +} + +resource "aws_elasticache_replication_group" "redis" { + count = var.active_active ? 1 : 0 + node_type = var.cache_size + number_cache_clusters = 1 + replication_group_description = "The replication group of the Redis deployment for TFE." + replication_group_id = "${var.friendly_name_prefix}-tfe" + + apply_immediately = true + automatic_failover_enabled = false + auto_minor_version_upgrade = true + engine = "redis" + engine_version = var.engine_version + parameter_group_name = var.parameter_group_name + port = var.redis_port + security_group_ids = [aws_security_group.redis[0].id] + snapshot_retention_limit = 0 + subnet_group_name = aws_elasticache_subnet_group.tfe[0].name + + auth_token = (var.redis_encryption_in_transit == true && var.redis_require_password == true) ? random_id.redis_password[0].hex : null + transit_encryption_enabled = var.redis_encryption_in_transit + + at_rest_encryption_enabled = var.redis_encryption_at_rest + kms_key_id = (var.redis_encryption_at_rest == true) ? var.kms_key_arn : null + + tags = var.common_tags +} diff --git a/modules/redis/outputs.tf b/modules/redis/outputs.tf new file mode 100644 index 00000000..7fd1d20a --- /dev/null +++ b/modules/redis/outputs.tf @@ -0,0 +1,27 @@ +output "aws_elasticache_subnet_group_name" { + value = var.active_active ? aws_elasticache_subnet_group.tfe[0].name : "" +} + +output "aws_security_group_redis" { + value = var.active_active ? aws_security_group.redis[0].id : "" +} + +output "redis_endpoint" { + value = var.active_active ? aws_elasticache_replication_group.redis[0].primary_endpoint_address : "" +} + +output "redis_port" { + value = var.active_active ? aws_elasticache_replication_group.redis[0].port : "" +} + +output "redis_password" { + value = (var.active_active == true && var.redis_require_password == true) ? random_id.redis_password[0].hex : "" +} + +output "redis_use_password_auth" { + value = (var.active_active == true && var.redis_require_password == true) ? true : false +} + +output "redis_transit_encryption_enabled" { + value = (var.active_active == true) ? aws_elasticache_replication_group.redis[0].transit_encryption_enabled : false +} diff --git a/modules/redis/variables.tf b/modules/redis/variables.tf new file mode 100644 index 00000000..e53de81f --- /dev/null +++ b/modules/redis/variables.tf @@ -0,0 +1,72 @@ +variable "active_active" { + type = bool + description = "Flag for active-active configuation: true for active-active, false for standalone" +} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +variable "kms_key_arn" {} + +variable "tfe_instance_sg" {} + +variable "network_id" {} + +variable "network_subnets_private" {} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "network_private_subnet_cidrs" { + type = list(string) + description = "(Optional) List of private subnet CIDR ranges to create in VPC." + default = ["10.0.32.0/20", "10.0.48.0/20"] +} + +variable "redis_port" { + type = number + description = "Set port for Redis. Defaults to 6379 default port" + default = 6379 +} + +variable "cache_size" { + type = string + default = "cache.m4.large" + description = "Redis instance size." +} + +variable "engine_version" { + type = string + default = "5.0.6" + description = "Redis enginer version." +} + +variable "parameter_group_name" { + type = string + default = "default.redis5.0" + description = "Redis parameter group name." +} + +# Security +variable "redis_encryption_in_transit" { + type = bool + description = "Determine whether Redis traffic is encrypted in transit." + default = false +} + +variable "redis_encryption_at_rest" { + type = bool + description = "Determine whether Redis data is encrypted at rest." + default = false +} + +variable "redis_require_password" { + type = bool + description = "Determine if a password is required for Redis." + default = false +} diff --git a/modules/secrets_manager/main.tf b/modules/secrets_manager/main.tf new file mode 100644 index 00000000..120ef594 --- /dev/null +++ b/modules/secrets_manager/main.tf @@ -0,0 +1,19 @@ +resource "aws_secretsmanager_secret" "tfe_install" { + count = var.deploy_secretsmanager == true ? 1 : 0 + + name = var.secretsmanager_secret_name == null ? "${var.friendly_name_prefix}-tfe-install-secrets" : var.secretsmanager_secret_name + description = "TFE install secret metadata" + + tags = merge( + { Name = "${var.friendly_name_prefix}-tfe-install-secrets" }, + var.common_tags + ) +} + +resource "aws_secretsmanager_secret_version" "tfe_install_secrets" { + count = var.secretsmanager_secrets != {} && var.deploy_secretsmanager == true ? 1 : 0 + + secret_id = aws_secretsmanager_secret.tfe_install[0].id + secret_string = jsonencode(var.secretsmanager_secrets) +} + diff --git a/modules/secrets_manager/outputs.tf b/modules/secrets_manager/outputs.tf new file mode 100644 index 00000000..3b473637 --- /dev/null +++ b/modules/secrets_manager/outputs.tf @@ -0,0 +1,3 @@ +output "secretsmanager_secret_arn" { + value = (var.deploy_secretsmanager == true) ? aws_secretsmanager_secret.tfe_install[0].arn : null +} diff --git a/modules/secrets_manager/variables.tf b/modules/secrets_manager/variables.tf new file mode 100644 index 00000000..19dfce77 --- /dev/null +++ b/modules/secrets_manager/variables.tf @@ -0,0 +1,25 @@ +variable "friendly_name_prefix" {} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +variable "deploy_secretsmanager" { + type = bool + description = "(Optional) Boolean indicating whether to deploy AWS Secrets Manager secret (true) or not (false)." + default = true +} + +variable "secretsmanager_secret_name" { + type = string + description = "(Optional) Name of AWS Secrets Manager secret metadata. Only specify if deploy_secretsmanager is true (this value will be auto-generated if left unspecified and deploy_secretsmanager is true)." + default = null +} + +variable "secretsmanager_secrets" { + type = map(string) + description = "(Optional) Map of key/value pairs of TFE install secrets. Only specify if deploy_secretsmanager is true." + default = null +} diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf new file mode 100644 index 00000000..a1a2fb23 --- /dev/null +++ b/modules/service_accounts/main.tf @@ -0,0 +1,112 @@ +resource "aws_iam_instance_profile" "tfe" { + name_prefix = "${var.friendly_name_prefix}-tfe" + role = aws_iam_role.instance_role.name +} + +resource "aws_iam_role" "instance_role" { + name_prefix = "${var.friendly_name_prefix}-tfe" + assume_role_policy = data.aws_iam_policy_document.instance_role.json + + tags = var.common_tags +} + +data "aws_iam_policy_document" "instance_role" { + statement { + effect = "Allow" + actions = [ + "sts:AssumeRole", + ] + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy" "s3_bootstrap_bucket" { + name = "${var.friendly_name_prefix}-tfe-bootstrap" + role = aws_iam_role.instance_role.id + policy = data.aws_iam_policy_document.tfe_s3_bootstrap_bucket.json +} + +data "aws_iam_policy_document" "tfe_s3_bootstrap_bucket" { + statement { + sid = "AllowS3ActionsBootstrap" + effect = "Allow" + actions = [ + "s3:Get*", + "s3:List*", + "s3:PutObject*" + ] + resources = [ + var.aws_bucket_bootstrap_arn, + "${var.aws_bucket_bootstrap_arn}/*", + ] + } + statement { + sid = "AllowKMSActionsBootstrap" + effect = "Allow" + actions = [ + "kms:Decrypt", + "kms:ReEncrypt", + "kms:GenerateDataKey", + "kms:DescribeKey", + ] + resources = [ + var.kms_key_arn, + ] + } +} + +resource "aws_iam_role_policy" "s3_data_bucket_put" { + name = "${var.friendly_name_prefix}-tfe-data" + role = aws_iam_role.instance_role.id + policy = data.aws_iam_policy_document.tfe_s3_data_bucket_put.json +} + +data "aws_iam_policy_document" "tfe_s3_data_bucket_put" { + statement { + sid = "AllowS3ActionsData" + effect = "Allow" + actions = [ + "s3:*" + ] + resources = [ + var.aws_bucket_data_arn, + "${var.aws_bucket_data_arn}/*" + ] + } + + statement { + sid = "AllowKMSActionsData" + effect = "Allow" + actions = [ + "kms:Decrypt", + "kms:ReEncrypt", + "kms:GenerateDataKey", + "kms:DescribeKey", + ] + resources = [ + var.kms_key_arn, + ] + } +} + +resource "aws_iam_role_policy" "tfe_asg_discovery" { + name = "${var.friendly_name_prefix}-tfe-asg-discovery" + role = aws_iam_role.instance_role.id + policy = data.aws_iam_policy_document.tfe_asg_discovery.json +} + +data "aws_iam_policy_document" "tfe_asg_discovery" { + statement { + effect = "Allow" + + actions = [ + "autoscaling:Describe*" + ] + + resources = ["*"] + } +} diff --git a/modules/service_accounts/outputs.tf b/modules/service_accounts/outputs.tf new file mode 100644 index 00000000..5f8a7ff7 --- /dev/null +++ b/modules/service_accounts/outputs.tf @@ -0,0 +1,4 @@ +output "aws_iam_instance_profile" { + value = aws_iam_instance_profile.tfe.name +} + diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf new file mode 100644 index 00000000..38504b11 --- /dev/null +++ b/modules/service_accounts/variables.tf @@ -0,0 +1,16 @@ +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "aws_bucket_bootstrap_arn" {} + +variable "aws_bucket_data_arn" {} + +variable "kms_key_arn" {} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} diff --git a/modules/user_data/main.tf b/modules/user_data/main.tf new file mode 100644 index 00000000..9e964996 --- /dev/null +++ b/modules/user_data/main.tf @@ -0,0 +1,219 @@ +resource "random_string" "password" { + length = 16 + special = false +} + +resource "random_id" "archivist_token" { + byte_length = 16 +} + +resource "random_id" "cookie_hash" { + byte_length = 16 +} + +resource "random_id" "enc_password" { + byte_length = 16 +} + +resource "random_id" "install_id" { + byte_length = 16 +} + +resource "random_id" "internal_api_token" { + byte_length = 16 +} + +resource "random_id" "root_secret" { + byte_length = 16 +} + +resource "random_id" "registry_session_secret_key" { + byte_length = 16 +} + +resource "random_id" "registry_session_encryption_key" { + byte_length = 16 +} + +resource "random_id" "user_token" { + byte_length = 16 +} + +locals { + base_configs = { + installation_type = { + value = "production" + } + + production_type = { + value = "external" + } + + hostname = { + value = var.fqdn + } + user_token = { + value = random_id.user_token.hex + } + + archivist_token = { + value = random_id.archivist_token.hex + } + + cookie_hash = { + value = random_id.cookie_hash.hex + } + + root_secret = { + value = random_id.root_secret.hex + } + + registry_session_secret_key = { + value = random_id.registry_session_secret_key.hex + } + + registry_session_encryption_key = { + value = random_id.registry_session_encryption_key.hex + } + + internal_api_token = { + value = random_id.internal_api_token.hex + } + + install_id = { + value = random_id.install_id.hex + } + } + + base_external_configs = { + enable_active_active = { + value = var.active_active ? "1" : "0" + } + + pg_dbname = { + value = var.pg_dbname + } + + pg_netloc = { + value = var.pg_netloc + } + + pg_password = { + value = var.pg_password + } + + pg_user = { + value = var.pg_user + } + + enc_password = { + value = random_id.enc_password.hex + } + } + + external_aws_configs = { + placement = { + value = "placement_s3" + } + + aws_instance_profile = { + value = "1" + } + + s3_bucket = { + value = var.aws_bucket_data + } + + s3_region = { + value = var.aws_region + } + + s3_sse = { + value = "aws:kms" + } + + s3_sse_kms_key_id = { + value = var.kms_key_arn + } + } + + redis_configs = { + redis_host = { + value = var.redis_host + } + + redis_pass = { + value = var.redis_pass + } + + redis_port = { + value = var.redis_port + } + + redis_use_password_auth = { + value = var.redis_use_password_auth + } + + redis_use_tls = { + value = var.redis_use_tls + } + } +} + +locals { + replicated_base_config = { + BypassPreflightChecks = true + DaemonAuthenticationPassword = random_string.password.result + DaemonAuthenticationType = "password" + ImportSettingsFrom = "/etc/ptfe-settings.json" + LicenseFileLocation = "/etc/ptfe-license.rli" + TlsBootstrapType = "self-signed" + TlsBootstrapHostname = var.fqdn + } +} + +## Build tfe config json +locals { + # take all the partials and merge them into the base configs, if false, merging empty map is noop + is_redis_configs = var.active_active ? local.redis_configs : {} + tfe_configs = jsonencode(merge(local.base_configs, local.base_external_configs, local.external_aws_configs, local.is_redis_configs)) +} + +## build replicated config json +locals { + repl_configs = jsonencode(merge(local.replicated_base_config)) +} + +locals { + tfe_user_data = templatefile( + "${path.module}/templates/tfe_ec2.sh.tpl", + { + s3_bucket_bootstrap = var.aws_bucket_bootstrap + region = var.aws_region + tfe_license = var.tfe_license + replicated = base64encode(local.repl_configs) + settings = base64encode(local.tfe_configs) + active_active = var.active_active + proxy_ip = var.proxy_ip + proxy_cert = var.proxy_cert_bundle_name + friendly_name_prefix = var.friendly_name_prefix + no_proxy = join( + ",", + concat( + [ + "127.0.0.1", + "169.254.169.254", + ".aws.ce.redhat.com", + ], + var.no_proxy + ) + ) + } + ) + bastion_user_data = templatefile( + "${path.module}/templates/bastion_user_data.sh.tpl", + { + tfe_bastion_private_key = var.generated_bastion_key_private + } + ) +} diff --git a/modules/user_data/outputs.tf b/modules/user_data/outputs.tf new file mode 100644 index 00000000..1f7122e4 --- /dev/null +++ b/modules/user_data/outputs.tf @@ -0,0 +1,15 @@ +output "bastion_userdata_base64_encoded" { + value = base64encode(local.bastion_user_data) +} + +output "replicated_dashboard_password" { + value = random_string.password.result +} + +output "tfe_userdata_base64_encoded" { + value = base64encode(local.tfe_user_data) +} + +output "user_token" { + value = local.base_configs.user_token +} diff --git a/modules/user_data/templates/bastion_user_data.sh.tpl b/modules/user_data/templates/bastion_user_data.sh.tpl new file mode 100644 index 00000000..d40a2456 --- /dev/null +++ b/modules/user_data/templates/bastion_user_data.sh.tpl @@ -0,0 +1,45 @@ +#!/usr/bin/env bash + +apt_packages() { + sudo apt update -y + sudo apt install unzip -y +} + +dnf_packages() { + sudo dnf update -y + sudo dnf install unzip -y +} + +yum_packages() { + sudo yum update -y + sudo yum install unzip -y +} + +detect_distro() { + DISTRO_NAME=$(grep "^NAME=" /etc/os-release | cut -d"\"" -f2) + MAJOR_VERSION=$(grep "^VERSION=" /etc/os-release | cut -d"\"" -f2 | cut -b1) + + case "$DISTRO_NAME" in + "Red Hat"*) + if [[ "$MAJOR_VERSION" == "7" ]]; then + yum_packages + fi + if [[ "$MAJOR_VERSION" == "8" ]]; then + dnf_packages + fi + BASTION_USER="ec2-user" + ;; + "Ubuntu"*) + apt_packages + BASTION_USER="ubuntu" + ;; + esac +} + +detect_distro + +echo "${tfe_bastion_private_key}" > /home/$BASTION_USER/.ssh/tfe +sudo chown $BASTION_USER:$BASTION_USER /home/$BASTION_USER/.ssh/tfe +sudo chown $BASTION_USER:$BASTION_USER /home/$BASTION_USER/.ssh +sudo chmod 600 /home/$BASTION_USER/.ssh/tfe +sudo chmod 600 /home/$BASTION_USER/.ssh/authorized_keys \ No newline at end of file diff --git a/modules/user_data/templates/tfe_ec2.sh.tpl b/modules/user_data/templates/tfe_ec2.sh.tpl new file mode 100644 index 00000000..a5f4545d --- /dev/null +++ b/modules/user_data/templates/tfe_ec2.sh.tpl @@ -0,0 +1,164 @@ +#!/usr/bin/env bash +set -euo pipefail +# General OS management +install_jq() { + curl --silent -Lo /bin/jq https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64 + chmod +x /bin/jq +} + +install_awscli() { + curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + unzip awscliv2.zip + ./aws/install + rm -f ./awscliv2.zip + rm -rf ./aws +} + +configure_proxy() { + local proxy_ip="$1" + # Use a unique name so no_proxy can be exported + local no_proxy_local="$2" + local proxy_cert="$3" + local s3_bucket_bootstrap="$4" + local distribution="$5" + local cert_pathname="" + + if [[ $proxy_cert != "" ]] + then + if [[ $distribution == "ubuntu" ]] + then + mkdir -p /usr/local/share/ca-certificates/extra + cert_pathname="/usr/local/share/ca-certificates/extra/cust-ca-certificates.crt" + aws s3 cp "s3://$s3_bucket_bootstrap/$proxy_cert" "$cert_pathname" + update-ca-certificates + elif [[ $distribution == "rhel" ]] + then + mkdir -p /usr/share/pki/ca-trust-source/anchors + cert_pathname="/usr/share/pki/ca-trust-source/anchors/cust-ca-certificates.crt" + aws s3 cp "s3://$s3_bucket_bootstrap/$proxy_cert" "$cert_pathname" + update-ca-trust + fi + fi + + cat <>/etc/environment +http_proxy="$proxy_ip" +https_proxy="$proxy_ip" +no_proxy="$no_proxy_local" +EOF + + cat </etc/profile.d/proxy.sh +http_proxy="$proxy_ip" +https_proxy="$proxy_ip" +no_proxy="$no_proxy_local" +EOF + + export http_proxy="$proxy_ip" + export https_proxy="$proxy_ip" + export no_proxy="$no_proxy_local" + + if [[ $proxy_cert != "" ]] + then + install_jq + jq ". + { ca_certs: { value: \"$(cat $cert_pathname)\" } }" -- /etc/ptfe-settings.json > ptfe-settings.json.updated + cp ./ptfe-settings.json.updated /etc/ptfe-settings.json + fi +} + +install_packages() { + local distribution="$1" + + case "$distribution" in + "ubuntu") + apt-get update -y + apt-get install -y unzip + ;; + "rhel") + yum install -y unzip + ;; + esac +} + +detect_distribution() { + local distribution_name="" + local distribution="" + + distribution_name=$(grep "^NAME=" /etc/os-release | cut -d"\"" -f2) + + case "$distribution_name" in + "Red Hat"*) + distribution="rhel" + ;; + "Ubuntu"*) + distribution="ubuntu" + ;; + *) + echo "Unsupported operating system '$distribution_name' detected" + exit 1 + esac + + echo "$distribution" +} + +retrieve_tfe_license() { + local s3_bucket_bootstrap="$1" + local tfe_license="$2" + + aws s3 cp "s3://$s3_bucket_bootstrap/$tfe_license" /etc/ptfe-license.rli +} + +install_tfe() { + echo "[Terraform Enterprise] Setting up" | tee -a /var/log/ptfe.log + + local proxy_ip="$1" + local no_proxy="$2" + local active_active="$3" + local private_ip="" + local arguments=() + + private_ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4) + arguments+=("fast-timeouts" "private-address=$private_ip" "public-address=$private_ip") + + if [[ $proxy_ip != "" ]] + then + arguments+=("http-proxy=$proxy_ip" "additional-no-proxy=$no_proxy") + else + arguments+=("no-proxy") + fi + + if [[ $active_active != "" ]] + then + arguments+=("disable-replicated-ui") + fi + + curl -o /tmp/install.sh https://get.replicated.com/docker/terraformenterprise/active-active + chmod +x /tmp/install.sh + /tmp/install.sh "$${arguments[@]}" | tee -a /var/log/ptfe.log +} + +configure_tfe() { + local replicated="$1" + local settings="$2" + + echo "$replicated" | base64 -d > /etc/replicated.conf + echo "$settings" | base64 -d > /etc/ptfe-settings.json +} + +proxy_ip="${proxy_ip}" +no_proxy="${no_proxy}" +proxy_cert="${proxy_cert}" +s3_bucket_bootstrap="${s3_bucket_bootstrap}" +tfe_license="${tfe_license}" +replicated="${replicated}" +settings="${settings}" +active_active="${active_active}" + +distribution=$(detect_distribution) +configure_tfe "$replicated" "$settings" +install_packages "$distribution" +install_awscli +retrieve_tfe_license "$s3_bucket_bootstrap" "$tfe_license" +if [[ $proxy_ip != "" ]] +then + configure_proxy "$proxy_ip" "$no_proxy" "$proxy_cert" "$s3_bucket_bootstrap" "$distribution" +fi +install_tfe "$proxy_ip" "$no_proxy" "$active_active" diff --git a/modules/user_data/variables.tf b/modules/user_data/variables.tf new file mode 100644 index 00000000..5b51f733 --- /dev/null +++ b/modules/user_data/variables.tf @@ -0,0 +1,52 @@ + +variable "fqdn" {} +variable "active_active" { + default = true + type = bool +} +variable "generated_bastion_key_private" {} +variable "aws_bucket_bootstrap" {} +variable "aws_bucket_data" {} +variable "aws_region" {} +variable "tfe_license" {} +variable "kms_key_arn" {} +variable "redis_host" { + default = "" +} +variable "redis_pass" { + default = "" +} +variable "redis_port" { + default = "" +} + +variable "redis_use_password_auth" { + type = bool + default = false + description = "Determines if the Replicated configuration is aware to use password auth." +} + +variable "redis_use_tls" { + type = bool + default = false + description = "Determines if the Replicated configuration is aware to use TLS/HTTPS." +} + +variable "pg_netloc" {} +variable "pg_dbname" {} +variable "pg_user" {} +variable "pg_password" {} + +variable "proxy_ip" {} +variable "proxy_cert_bundle_name" { + type = string + description = "(Optional) name of cert bundle stored in S3" + default = "" +} +variable "no_proxy" { + type = list(string) + description = "(Optional) List of IP addresses to not proxy" + default = [] +} + +variable "friendly_name_prefix" {} diff --git a/modules/vm/main.tf b/modules/vm/main.tf new file mode 100644 index 00000000..2f35bbcc --- /dev/null +++ b/modules/vm/main.tf @@ -0,0 +1,111 @@ +############### +# TFE CLUSTER # +############### +resource "aws_security_group" "tfe_instance" { + name = "${var.friendly_name_prefix}-tfe-ec2-sg" + vpc_id = var.network_id + + tags = var.common_tags +} + +resource "aws_security_group_rule" "tfe_ui" { + security_group_id = aws_security_group.tfe_instance.id + type = "ingress" + from_port = 443 + to_port = 443 + protocol = "tcp" + source_security_group_id = var.aws_lb +} + +resource "aws_security_group_rule" "tfe_inbound" { + security_group_id = aws_security_group.tfe_instance.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + self = true +} + +resource "aws_security_group_rule" "tfe_outbound" { + security_group_id = aws_security_group.tfe_instance.id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "tfe_bastion_ssh_allow" { + security_group_id = aws_security_group.tfe_instance.id + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + source_security_group_id = var.bastion_sg +} + +resource "aws_security_group_rule" "tfe_dashboard" { + count = var.active_active ? 0 : 1 + security_group_id = aws_security_group.tfe_instance.id + type = "ingress" + from_port = 8800 + to_port = 8800 + protocol = "tcp" + source_security_group_id = var.aws_lb +} + +resource "aws_launch_configuration" "tfe" { + name_prefix = "${var.friendly_name_prefix}-tfe-ec2-asg-lt-" + image_id = var.ami_id + instance_type = var.instance_type + key_name = var.bastion_key + user_data = var.userdata_script + + iam_instance_profile = var.aws_iam_instance_profile + security_groups = [aws_security_group.tfe_instance.id] + + root_block_device { + encrypted = true + volume_type = "gp2" + volume_size = 50 + delete_on_termination = true + } + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_autoscaling_group" "tfe_asg" { + name = "${var.friendly_name_prefix}-tfe-asg" + min_size = var.node_count + max_size = var.node_count + desired_capacity = var.node_count + vpc_zone_identifier = var.network_subnets_private + target_group_arns = var.active_active ? [var.aws_lb_target_group_tfe_tg_443_arn] : [ + var.aws_lb_target_group_tfe_tg_8800_arn, + var.aws_lb_target_group_tfe_tg_443_arn, + ] + # Increases grace period for any AMI that is not the default Ubuntu + # since RHEL has longer startup time + health_check_grace_period = var.default_ami_id ? 900 : 1500 + health_check_type = "ELB" + launch_configuration = aws_launch_configuration.tfe.name + + tags = concat( + [ + { + key = "Name" + value = "${var.friendly_name_prefix}-tfe" + propagate_at_launch = true + }, + ], + [ + for k, v in var.common_tags : { + key = k + value = v + propagate_at_launch = true + } + ] + ) +} diff --git a/modules/vm/outputs.tf b/modules/vm/outputs.tf new file mode 100644 index 00000000..0ecab9bc --- /dev/null +++ b/modules/vm/outputs.tf @@ -0,0 +1,4 @@ +output "tfe_instance_sg" { + value = aws_security_group.tfe_instance.id +} + diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf new file mode 100644 index 00000000..4aad8de4 --- /dev/null +++ b/modules/vm/variables.tf @@ -0,0 +1,52 @@ +variable "default_ami_id" {} + +variable "userdata_script" {} + +variable "aws_lb" {} + +variable "aws_lb_target_group_tfe_tg_443_arn" {} + +variable "aws_lb_target_group_tfe_tg_8800_arn" {} + +variable "aws_iam_instance_profile" {} + +variable "bastion_sg" {} + +variable "bastion_key" {} + +variable "network_id" {} + +variable "network_subnets_private" {} + +variable "instance_type" {} + +variable "active_active" { + type = bool + description = "Flag for active-active configuation: true for active-active, false for standalone" +} + +variable "ami_id" { + type = string + description = "AMI ID to use for TFE instances and bastion host" +} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "node_count" { + type = number + description = "The number of nodes you want in your autoscaling group (1 for standalone, 2 for active-active configuration)" +} + +variable "tfe_license_name" { + type = string + default = "ptfe-license.rli" +} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} diff --git a/outputs.tf b/outputs.tf index 4cdd2ae2..7336040b 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,68 +1,67 @@ -output "application_endpoint" { - value = "https://${module.lb.endpoint}" +# Bastion +output "bastion_public_dns" { + value = module.bastion.bastion_public_dns } -output "application_health_check" { - value = "https://${module.lb.endpoint}/_health_check" +output "bastion_public_ip" { + value = module.bastion.bastion_public_ip } -output "iam_role" { - value = aws_iam_role.ptfe.name +# KMS +output "kms_key_arn" { + value = aws_kms_key.tfe_key.arn } -output "install_id" { - value = module.common.install_id +output "kms_key_id" { + value = aws_kms_key.tfe_key.key_id } -output "installer_dashboard_password" { - value = random_pet.console_password.id +# Network +output "network_id" { + value = module.networking.network_id } -output "installer_dashboard_url" { - value = "https://${module.lb.endpoint}:8800" +output "private_subnet_ids" { + value = module.networking.network_private_subnets } -## this allows the user to do `ssh -F ssh-config default` -resource "local_file" "ssh_config" { - filename = "${path.root}/work/ssh-config" - content = data.template_file.ssh_config.rendered +output "public_subnet_ids" { + value = module.networking.network_public_subnets } -output "primary_public_ip" { - value = element(aws_instance.primary.*.public_ip, 0) +output "network_private_subnet_cidrs" { + value = module.networking.network_private_subnet_cidrs } -output "load_balancer_dns_name" { - value = module.lb.lb_endpoint +# Security Groups +output "tfe_instance_sg" { + value = module.vm.tfe_instance_sg } -output "load_balancer_zone_id" { - value = module.lb.lb_zone_id +# Secrets Manager +output "secretsmanager_secret_arn" { + value = module.secrets_manager.secretsmanager_secret_arn } -output "ssh_config_file" { - value = local_file.ssh_config.filename +# S3 +output "bootstrap_bucket_name" { + value = module.object_storage.s3_bucket_bootstrap } -output "ssh_private_key" { - value = module.common.ssh_priv_key_file +output "bootstrap_bucket_arn" { + value = module.object_storage.s3_bucket_bootstrap_arn } -### Some small outputs to allow simpler testing of things like proxies -### as we need these bits to spin up an additional instance along side the cluster -### In the future we should probably be outputting resources. -output "ssh_key_name" { - value = module.common.ssh_key_name +# Load balancer +output "load_balancer_address" { + value = module.load_balancer.load_balancer_address } -output "public_subnets" { - value = module.common.public_subnets +output "dns_configuration_notice" { + value = "If you are using external DNS, please make sure to create a DNS record using the load_balancer_address output that has been provided" } -output "intra_vpc_ingress_and_egress_sg_id" { - value = module.common.intra_vpc_ingress_and_egress_sg_id -} - -output "allow_ptfe_sg_id" { - value = module.common.allow_ptfe_sg_id +output "login_url" { + value = "https://${local.fqdn}/admin/account/new?token=${module.user_data.user_token.value}" + description = "Login URL to setup the TFE instance once it is initialized" } diff --git a/password.tf b/password.tf deleted file mode 100644 index 56202cde..00000000 --- a/password.tf +++ /dev/null @@ -1,10 +0,0 @@ -resource "random_string" "default_enc_password" { - length = 32 - upper = true - special = false -} - -locals { - encryption_password = var.encryption_password != "" ? var.encryption_password : random_string.default_enc_password.result -} - diff --git a/primary.tf b/primary.tf deleted file mode 100644 index 45cad3d6..00000000 --- a/primary.tf +++ /dev/null @@ -1,77 +0,0 @@ -resource "aws_instance" "primary" { - # The number of primaries must be hard coded to 3 always for now. - # In the future we'll allow for different variables of primary, but it - # make sense to constrain the domain of problem related to primary counts - # for now. - count = 3 - - ami = var.ami != "" ? var.ami : local.distro_ami - instance_type = var.primary_instance_type - - subnet_id = element(var.private_zone ? module.common.private_subnets : module.common.public_subnets, count.index) - - vpc_security_group_ids = [ - module.lb.sg_lb_to_instance, - module.common.intra_vpc_ingress_and_egress_sg_id, - module.common.allow_ptfe_sg_id, - ] - - iam_instance_profile = aws_iam_instance_profile.ptfe.name - - key_name = module.common.ssh_key_name - - user_data = element( - data.template_cloudinit_config.config.*.rendered, - count.index, - ) - - root_block_device { - volume_type = "gp2" - volume_size = var.volume_size - } - - tags = merge( - var.tags, - { - Name = "${var.prefix}-${module.common.install_id}:primary" - InstallationId = module.common.install_id - }, - ) -} - -resource "aws_elb_attachment" "ptfe_app-primary" { - count = local.primary_count - elb = aws_elb.cluster_api.id - instance = element(aws_instance.primary.*.id, count.index) -} - -resource "aws_elb_attachment" "ptfe_admin-primary" { - count = local.primary_count - elb = aws_elb.cluster_api.id - instance = element(aws_instance.primary.*.id, count.index) -} - -resource "aws_elb_attachment" "cluster_api-primary" { - count = local.primary_count - elb = aws_elb.cluster_api.id - instance = element(aws_instance.primary.*.id, count.index) -} - -resource "aws_elb_attachment" "cluster_assistant-primary" { - count = local.primary_count - elb = aws_elb.cluster_api.id - instance = element(aws_instance.primary.*.id, count.index) -} - -resource "aws_lb_target_group_attachment" "admin-primary" { - count = local.primary_count - target_group_arn = module.lb.admin_group - target_id = aws_instance.primary[count.index].id -} - -resource "aws_lb_target_group_attachment" "https-primary" { - count = local.primary_count - target_group_arn = module.lb.https_group - target_id = aws_instance.primary[count.index].id -} - diff --git a/primary_lb.tf b/primary_lb.tf deleted file mode 100644 index 66645d94..00000000 --- a/primary_lb.tf +++ /dev/null @@ -1,45 +0,0 @@ -resource "aws_elb" "cluster_api" { - # Lowered to be sure it's compliant with - # https://github.com/kubernetes/apimachinery/blob/461753078381c979582f217a28eb759ebee5295d/pkg/util/validation/validation.go#L132 - name_prefix = lower(var.prefix) - subnets = module.common.private_subnets - internal = true - - cross_zone_load_balancing = true - - security_groups = [module.common.intra_vpc_ingress_and_egress_sg_id] - - idle_timeout = 3600 # for kubectl commands - - listener { - instance_protocol = "TCP" - instance_port = 6443 - - lb_protocol = "TCP" - lb_port = 6443 - } - - listener { - instance_protocol = "HTTP" - instance_port = local.assistant_port - - lb_protocol = "HTTP" - lb_port = local.assistant_port - } - - health_check { - healthy_threshold = 2 - unhealthy_threshold = 2 - target = "HTTPS:6443/healthz" - interval = 10 - timeout = 5 - } - - tags = merge( - var.tags, - { - Name = var.prefix - }, - ) -} - diff --git a/replicated.tf b/replicated.tf deleted file mode 100644 index c16c5b44..00000000 --- a/replicated.tf +++ /dev/null @@ -1,16 +0,0 @@ -locals { - rptfeconf = { - "demo-online" = file("${path.module}/data/demo.json") - "demo-airgap" = file("${path.module}/data/airgap.json") - "external_services-online" = file("${path.module}/data/es.json") - "external_services-airgap" = file("${path.module}/data/es_airgap.json") - } - - replconf = { - "demo-online" = file("${path.module}/data/demo_replicated.json") - "demo-airgap" = file("${path.module}/data/airgap_replicated.json") - "external_services-online" = file("${path.module}/data/es_replicated.json") - "external_services-airgap" = file("${path.module}/data/es_airgap_replicated.json") - } -} - diff --git a/secondary.tf b/secondary.tf deleted file mode 100644 index d6cba4f2..00000000 --- a/secondary.tf +++ /dev/null @@ -1,68 +0,0 @@ -locals { - asg_tags = [ - for item in keys(var.tags) : - map( - "key", item, - "value", element(values(var.tags), index(keys(var.tags), item)), - "propagate_at_launch", "true" - ) - ] -} - -resource "aws_launch_configuration" "secondary" { - image_id = var.ami != "" ? var.ami : local.distro_ami - instance_type = local.rendered_secondary_instance_type - - key_name = module.common.ssh_key_name - - user_data = data.template_cloudinit_config.config_secondary.rendered - - security_groups = [ - module.lb.sg_lb_to_instance, - module.common.intra_vpc_ingress_and_egress_sg_id, - module.common.allow_ptfe_sg_id, - ] - - iam_instance_profile = aws_iam_instance_profile.ptfe.name - - root_block_device { - volume_type = "gp2" - volume_size = var.volume_size - } -} - -resource "aws_autoscaling_group" "secondary" { - # Interpolating the LC name into the ASG name here causes any changes that - # would replace the LC (like, most commonly, an AMI ID update) to _also_ - # replace the ASG. - name = "${var.prefix}-lc-${aws_launch_configuration.secondary.name}" - - launch_configuration = aws_launch_configuration.secondary.name - desired_capacity = var.secondary_count - min_size = var.secondary_count - max_size = var.secondary_count - vpc_zone_identifier = module.common.private_subnets - target_group_arns = [module.lb.https_group] - - tags = concat( - [ - { - key = "Name" - value = "${var.prefix}-${module.common.install_id}:secondary" - propagate_at_launch = true - }, - { - key = "Hostname" - value = module.lb.endpoint - propagate_at_launch = true - }, - { - key = "InstallationId" - value = module.common.install_id - propagate_at_launch = true - }, - ], - local.asg_tags - ) -} - diff --git a/templates/cloud-config-secondary.yaml b/templates/cloud-config-secondary.yaml deleted file mode 100644 index e99abd18..00000000 --- a/templates/cloud-config-secondary.yaml +++ /dev/null @@ -1,82 +0,0 @@ -#cloud-config - -ssh_import_id: -${import_key != "" ? "- ${import_key}" : ""} - -write_files: -- path: /etc/ptfe/role - owner: root:root - permissions: "0444" - content: "${role}" - -- path: /etc/ptfe/ptfe_url - owner: root:root - permissions: "0644" - content: "${installer_url}" - -- path: /etc/ptfe/bootstrap-token - owner: root:root - permissions: "0500" - content: ${bootstrap_token} - -- path: /etc/ptfe/cluster-api-endpoint - owner: root:root - permissions: "0500" - content: ${cluster_api_endpoint} - -- path: /etc/ptfe/health-url - owner: root:root - permissions: "0400" - content: "${health_url}" - -- path: /etc/ptfe/assistant-host - owner: root:root - permissions: "0400" - content: "${assistant_host}" - -- path: /etc/ptfe/assistant-token - owner: root:root - permissions: "0400" - content: "${assistant_token}" - -%{ if airgap_installer_url != "" } -- path: /etc/ptfe/airgap-installer-url - owner: root:root - permissions: "0644" - content: ${airgap_installer_url} -%{ endif } - -- path: /var/lib/cloud/scripts/per-once/install-ptfe.sh - owner: root:root - permissions: "0555" - encoding: gz+b64 - content: ${install_ptfe_sh} - -- path: /etc/ptfe/proxy-url - owner: root:root - permissions: "0400" - content: "${proxy_url}" - -- path: /etc/ptfe/additional-no-proxy - owner: root:root - permissions: "0400" - content: "${additional_no_proxy}" - -- path: /etc/ptfe/custom-ca-cert-url - owner: root:root - permissions: "0400" - content: "${ca_bundle_url}" - -- path: /etc/apt/apt.conf.d/00aaa_proxy - owner: root:root - permissions: "0400" - content: | - Acquire::http::proxy "${proxy_url}"; - Acquire::https::proxy "${proxy_url}"; - -packages: -- jq -- chrony -- ipvsadm -- unzip -- wget diff --git a/templates/cloud-config.yaml b/templates/cloud-config.yaml deleted file mode 100644 index 076c5cc2..00000000 --- a/templates/cloud-config.yaml +++ /dev/null @@ -1,168 +0,0 @@ -#cloud-config -%{ if import_key != "" } -ssh_import_id: -- "${import_key}" -%{ endif } - -write_files: - -- path: /etc/ptfe/role - owner: root:root - permissions: "0444" - content: "${role}" - -- path: /etc/ptfe/ptfe_url - owner: root:root - permissions: "0644" - content: "${installer_url}" - -- path: /etc/ptfe/bootstrap-token - owner: root:root - permissions: "0400" - content: "${bootstrap_token}" -%{ if role != "secondary" } - -- path: /etc/ptfe/setup-token - owner: root:root - permissions: "0400" - content: "${setup_token}" - -- path: /etc/ptfe/primary-pki-url - owner: root:root - permissions: "0400" - content: "${primary_pki_url}" -%{ endif } - -- path: /etc/ptfe/cluster-api-endpoint - owner: root:root - permissions: "0400" - content: "${cluster_api_endpoint}" - -- path: /etc/ptfe/health-url - owner: root:root - permissions: "0400" - content: "${health_url}" - -- path: /etc/ptfe/assistant-host - owner: root:root - permissions: "0400" - content: "${assistant_host}" - -- path: /etc/ptfe/assistant-token - owner: root:root - permissions: "0400" - content: "${assistant_token}" - -- path: /etc/ptfe/role-id - owner: root:root - permissions: "0444" - content: "${role_id}" - -%{ if startup_script != "" } -- path: /var/lib/cloud/scripts/per-once/000-user-startup-script.sh - owner: root:root - permissions: "0555" - encoding: gz+b64 - content: ${startup_script} -%{ endif } - -- path: /var/lib/cloud/scripts/per-once/install-ptfe.sh - owner: root:root - permissions: "0555" - encoding: gz+b64 - content: ${install_ptfe_sh} - -- path: /etc/ptfe/proxy-url - owner: root:root - permissions: "0400" - content: "${proxy_url}" - -- path: /etc/ptfe/additional-no-proxy - owner: root:root - permissions: "0400" - content: "${additional_no_proxy}" - -- path: /etc/ptfe/custom-ca-cert-url - owner: root:root - permissions: "0400" - content: "${ca_bundle_url}" - -- path: /etc/profile.d/proxy.sh - owner: root:root - permissions: "0755" - content: | - export http_proxy="${proxy_url}" - export https_proxy="${proxy_url}" - export no_proxy=10.0.0.0/8,127.0.0.1,169.254.169.254,${cluster_api_lb} -%{ if additional_no_proxy != "" } - export no_proxy=$no_proxy,${additional_no_proxy} -%{ endif } -%{ if repl_cidr != "" } - export no_proxy=$no_proxy,${repl_cidr} -%{ endif } - - -%{ if airgap_installer_url != "" } -- path: /etc/ptfe/airgap-installer-url - owner: root:root - permissions: "0644" - content: ${airgap_installer_url} -%{ endif } - -%{ if role == "main" } -- path: /etc/replicated.rli - owner: root:root - permissions: "0444" - encoding: b64 - content: ${license_b64} - -- path: /etc/replicated-ptfe.conf - owner: root:root - permissions: "0644" - encoding: gz+b64 - content: ${rptfeconf} - -## https://help.replicated.com/docs/kb/developer-resources/automate-install/ -- path: /etc/replicated.conf - owner: root:root - permissions: "0644" - encoding: gz+b64 - content: ${replconf} - -%{ if airgap_package_url != "" } -- path: /etc/ptfe/airgap-package-url - owner: root:root - permissions: "0644" - content: ${airgap_package_url} -%{ endif } - -%{ if weave_cidr != "" } -- path: /etc/ptfe/weave-cidr - owner: root:root - permissions: "0644" - content: ${weave_cidr} -%{ endif } - -%{ if repl_cidr != "" } -- path: /etc/ptfe/repl-cidr - owner: root:root - permissions: "0644" - content: ${repl_cidr} -%{ endif } -%{ endif } - -%{ if distro == "ubuntu" } -- path: /etc/apt/apt.conf.d/00_aaa_proxy.conf - owner: root:root - permissions: "0400" - content: | - Acquire::http::proxy "${proxy_url}"; - Acquire::https::proxy "${proxy_url}"; - -packages: -- jq -- chrony -- ipvsadm -- unzip -- wget -%{ endif } diff --git a/templates/ssh_config b/templates/ssh_config deleted file mode 100644 index 5fb8b044..00000000 --- a/templates/ssh_config +++ /dev/null @@ -1,10 +0,0 @@ -Host default - HostName ${hostname} - User ${ssh_user} - Port 22 - UserKnownHostsFile /dev/null - StrictHostKeyChecking no - PasswordAuthentication no - IdentityFile ${keyfile_path} - IdentitiesOnly yes - LogLevel FATAL \ No newline at end of file diff --git a/variables.tf b/variables.tf index 1bf38fbb..e7ef8f1a 100644 --- a/variables.tf +++ b/variables.tf @@ -1,334 +1,276 @@ -locals { - assistant_port = 23010 - distro_ami = var.distribution == "ubuntu" ? data.aws_ami.ubuntu.id : data.aws_ami.rhel.id - default_ssh_user = var.distribution == "ubuntu" ? "ubuntu" : "ec2-user" - primary_count = 3 # The number of primary cluster master nodes to run, only 3 support now. - rendered_secondary_instance_type = var.secondary_instance_type != "" ? var.secondary_instance_type : var.primary_instance_type -} - -### =================================================================== REQUIRED +# Common -variable "domain" { +variable "ami_id" { type = string - description = "Route53 Domain to manage DNS under" + default = "" + description = "AMI ID to use for TFE instances and bastion host" } -variable "private_zone" { +variable "acm_certificate_arn" { type = string - description = "set to true if your route53 zone is private" - default = false + description = "ACM certificate ARN to use with load balancer" } -variable "license_file" { - type = string - description = "path to license file" +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} } -variable "vpc_id" { +variable "redis_cache_size" { type = string - description = "AWS VPC id to install into" + default = "cache.m4.large" + description = "Redis instance size." } -### =================================================================== OPTIONAL - -variable "prefix" { +variable "redis_engine_version" { type = string - description = "Name prefix for resource names and tags" - default = "tfe" + default = "5.0.6" + description = "Redis enginer version." } -variable "airgap_installer_url" { +variable "redis_parameter_group_name" { type = string - description = "URL to airgap installer package" - default = "https://s3.amazonaws.com/replicated-airgap-work/replicated__docker__kubernetes.tar.gz" + default = "default.redis5.0" + description = "Redis parameter group name." } -variable "airgap_package_url" { +variable "db_size" { type = string - description = "signed URL to download the package" - default = "" + default = "db.m4.xlarge" + description = "PostgreSQL instance size." } -variable "ca_bundle_url" { +variable "postgres_engine_version" { type = string - description = "URL to Custom CA bundle used for outgoing connections" - default = "none" + default = "9.6.20" + description = "PostgreSQL version." } -variable "ami" { +variable "domain_name" { type = string - description = "AMI to launch instance with; defaults to latest Ubuntu Xenial" - default = "" + description = "Domain for creating the Terraform Enterprise subdomain on." } -variable "cert_arn" { +variable "friendly_name_prefix" { type = string - description = "Amazon Resource Name (ARN) for Certificate in the ACM you'd like to use (default uses domain or cert_domain to look it up)" - default = "" + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." } -variable "cert_domain" { - type = string - description = "domain to search for ACM certificate with (default is *.domain)" +variable "instance_type" { + default = "m5.xlarge" +} + +variable "network_id" { default = "" + description = "Network ID for existing network to deploy in." } -variable "distribution" { - type = string - description = "Type of linux distribution to use. (ubuntu or rhel)" - default = "ubuntu" +variable "bastion_host_subnet" { + default = "" } -variable "encryption_password" { - type = string - description = "encryption password to use as root secret (default is autogenerated)" - default = "" +variable "network_private_subnets" { + default = [] } -variable "hostname" { - type = string - description = "hostname to assign to cluster under domain (default is autogenerated one)" - default = "" +variable "network_public_subnets" { + default = [] } -variable "iact_subnet_list" { - type = string - description = "List of subnets to allow to access Initial Admin Creation Token (IACT) API. https://www.terraform.io/docs/enterprise/private/automating-initial-user.html" - default = "" +variable "node_count" { + type = number + default = 2 + description = "The number of nodes you want in your autoscaling group (1 for standalone, 2 for active-active configuration)" + + validation { + condition = var.node_count <= 5 + error_message = "The node_count value must be less than or equal to 5." + } } -variable "iact_subnet_time_limit" { +variable "ssl_policy" { type = string - description = "Amount of time to allow access to IACT API after initial boot" - default = "" + default = "ELBSecurityPolicy-2016-08" + description = "SSL policy to use on ALB listener" } -variable "import_key" { +variable "tfe_subdomain" { type = string - description = "an ssh pub key to import to all machines" - default = "" + default = "tfe" + description = "Subdomain for accessing the Terraform Enterprise UI." } -variable "installer_url" { - type = string - description = "URL to the cluster setup tool" - default = "https://install.terraform.io/installer/ptfe-0.1.zip" +variable "tfe_license_name" { + type = string + default = "ptfe-license.rli" } -variable "primary_instance_type" { - type = string - description = "ec2 instance type" - default = "m4.xlarge" +variable "tfe_license_filepath" { + type = string } -variable "secondary_count" { - type = string - description = "The number of secondary cluster nodes to run" - default = 5 +# S3 Object Storage +variable "deploy_bootstrap_bucket" { + type = bool + description = "(Optional) Boolean indicating whether to deploy an S3 bootstrap bucket in the primary region (true) or not (false)." + default = true } -variable "secondary_instance_type" { +variable "bootstrap_bucket_name" { type = string - description = "ec2 instance type (Defaults to `primary_instance_type` if not set.)" - default = "" + description = "(Optional) Name of S3 bootstrap bucket in primary region. Only specify if deploy_bootstrap_bucket is true." + default = "tfe-bootstrap-bucket" } -variable "ssh_user" { +# KMS +variable "kms_key_alias" { type = string - description = "the user to connect to the instance as" - default = "" + description = "KMS key alias for AWS KMS Customer managed key." + default = "tfe-managed-kms" } -variable "startup_script" { - type = string - description = "shell script to run when primary instance boots the first time" - default = "" +variable "kms_key_deletion_window" { + type = number + description = "(Optional) Duration in days to destroy the key after it is deleted. Must be between 7 and 30 days." + default = 7 } -variable "subnet_tags" { - type = map(string) - description = "tags to use to match subnets to use" - default = {} +# Secrets Manager +variable "deploy_secretsmanager" { + type = bool + description = "(Optional) Boolean indicating whether to deploy AWS Secrets Manager secret (true) or not (false)." + default = false } -variable "update_route53" { +variable "secretsmanager_secret_name" { type = string - description = "whether or not to automatically update route53 records for the cluster" - default = true + description = "(Optional) Name of AWS Secrets Manager secret metadata. Only specify if deploy_secretsmanager is true (this value will be auto-generated if left unspecified and deploy_secretsmanager is true)." + default = null } -variable "volume_size" { - type = string - description = "size of the root volume in gb" - default = "100" +variable "secretsmanager_secrets" { + type = map(string) + description = "(Optional) Map of key/value pairs of TFE install secrets. Only specify if deploy_secretsmanager is true." + default = null } -variable "weave_cidr" { - type = string - description = "Specify a non-standard CIDR range for weave. The default is 10.32.0.0/12" - default = "" +# Load Balancer +variable "load_balancing_scheme" { + type = bool + description = "(Optional) Boolean indicating whether the load balancer is internal or external. Defaults to internal." + default = true } -variable "release_sequence" { - type = string - description = "Replicated release sequence number to install - this locks the install to a specific release" - default = "" +# Network +variable "deploy_vpc" { + type = bool + description = "(Optional) Boolean indicating whether to deploy a VPC (true) or not (false)." + default = true } -variable "repl_cidr" { +variable "network_cidr" { type = string - description = "Specify a non-standard CIDR range for the replicated services. The default is 10.96.0.0/12" - default = "" + description = "(Optional) CIDR block for VPC." + default = "10.0.0.0/16" } -variable "tags" { - type = map(string) - description = "Map of tags to add to all resources" - default = {} +variable "network_private_subnet_cidrs" { + type = list(string) + description = "(Optional) List of private subnet CIDR ranges to create in VPC." + default = ["10.0.32.0/20", "10.0.48.0/20"] } - -### ================================ External Services Support - -variable "aws_instance_profile" { - type = bool - description = "When set, use credentials from the AWS instance profile" - default = false +variable "network_public_subnet_cidrs" { + type = list(string) + description = "(Optional) List of public subnet CIDR ranges to create in VPC." + default = ["10.0.0.0/20", "10.0.16.0/20"] } -variable "aws_access_key_id" { - type = string - description = "AWS access key id to connect to s3 with" - default = "" +variable "admin_dashboard_ingress_ranges" { + type = list(string) + description = "(Optional) List of CIDR ranges that are allowed to acces the admin dashboard. Only used for standalone installations." + default = ["0.0.0.0/0"] } -variable "aws_secret_access_key" { - type = string - description = "AWS secret access key to connect to s3 with" - default = "" +# Bastion +variable "deploy_bastion" { + type = bool + description = "(Optional) Boolean indicating whether to deploy a Bastion instance (true) or not (false). Only specify true if deploy_vpc is true." + default = true } -variable "http_proxy_url" { +variable "bastion_keypair" { type = string - description = "HTTP(S) Proxy URL" - default = "" + description = "(Optional) Specifies existing SSH key pair to use for Bastion instance. Only specify if deploy_bastion is true." + default = null } -variable "additional_no_proxy" { - type = string - description = "Comma delimitted list of addresses (no spaces) to not use the proxy for" - default = "" +variable "bastion_ingress_cidr_allow" { + type = list(string) + description = "(Optional) List of CIDR ranges to allow SSH ingress to Bastion instance. Only specify if deploy_bastion is true." + default = ["0.0.0.0/0"] } -variable "postgresql_address" { +variable "bastion_key_private" { type = string - description = "address to connect to external postgresql database at" + description = "(Optional) Private key for existing bastion host. Only specify if deploy_bastion is false." default = "" } -variable "postgresql_database" { +variable "bastion_key_public" { type = string - description = "database name to use in exetrnal postgresql database" + description = "(Optional) Public key for existing bastion host. Only specify if deploy_bastion is false." default = "" } -variable "postgresql_extra_params" { +variable "bastion_sg" { type = string - description = "additional connection string parameters (must be url query params)" + description = "(Optional) Security group id for bastion security group to allow traffic between bastion and nodes. Only specify if deploy_bastion is false." default = "" } -variable "postgresql_password" { - type = string - description = "password to connect to external postgresql database as" - default = "" -} +# PROXY SETTINGS -variable "postgresql_user" { +variable "proxy_ip" { type = string - description = "user to connect to external postgresql database as" + description = "(Optional) IP address of existing web proxy to route TFE traffic through." default = "" } -variable "s3_bucket" { +variable "proxy_cert_bundle_name" { type = string - description = "S3 bucket to store objects into" + description = "(Optional) Name for proxy cert bundle in S3." default = "" } -variable "s3_region" { +variable "proxy_cert_bundle_filepath" { type = string - description = "Region of the S3 bucket" + description = "(Optional) Filepath for proxy cert bundle to copy to S3." default = "" } -variable "ingress_allow_list" { - type = set(string) - description = "List of CIDR blocks we allow to access the infrastructure" +variable "no_proxy" { + type = list(string) + description = "(Optional) List of IP addresses to not proxy" default = [] } -variable "egress_allow_list" { - type = set(string) - description = "List of CIDR blocks we allow the infrastructyre to access" - default = ["0.0.0.0/0"] -} - - -### ======================================================================= MISC - -data "aws_ami" "ubuntu" { - owners = ["099720109477", "513442679011"] # Canonical, Canonical (GovCloud) - - most_recent = true - - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } -} - -data "aws_ami" "rhel" { - owners = ["309956199498", "219670896067"] # RedHat, RedHat (GovCloud) - - most_recent = true - - filter { - name = "name" - values = ["RHEL-7.7*GA*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } -} - -## random password for the installer dashboard -resource "random_pet" "console_password" { - length = 3 -} - -resource "random_string" "bootstrap_token_id" { - length = 6 - upper = false - special = false +# Redis +variable "redis_encryption_in_transit" { + type = bool + description = "Determine whether Redis traffic is encrypted in transit." + default = false } -resource "random_string" "bootstrap_token_suffix" { - length = 16 - upper = false - special = false +variable "redis_encryption_at_rest" { + type = bool + description = "Determine whether Redis data is encrypted at rest." + default = false } -resource "random_string" "setup_token" { - length = 32 - upper = false - special = false +variable "redis_require_password" { + type = bool + description = "Determine if a password is required for Redis." + default = false } - diff --git a/versions.tf b/versions.tf deleted file mode 100644 index ec900db2..00000000 --- a/versions.tf +++ /dev/null @@ -1,3 +0,0 @@ -terraform { - required_version = "~> 0.12" -}