diff --git a/.github/workflows/on-demand_terraform.yml b/.github/workflows/on-demand_terraform.yml new file mode 100644 index 000000000..8d6ac7fa2 --- /dev/null +++ b/.github/workflows/on-demand_terraform.yml @@ -0,0 +1,60 @@ +--- +# Copyright 2022 Samsung Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Check Terraform scripts +# yamllint disable-line rule:truthy +on: + push: + branches: + - master + paths: + - '**.tf' + pull_request: + branches: + - master + paths: + - '**.tf' + +jobs: + check-checkov: + name: Check static code (checkov) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Checkov action + uses: bridgecrewio/checkov-action@master + with: + directory: ./deployment/terraform/aws + quiet: true + soft_fail: true + framework: terraform + download_external_modules: true + check-lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Lint Terraform + uses: actionshub/terraform-lint@main + check-terrascan: + runs-on: ubuntu-latest + name: terrascan-action + steps: + - uses: actions/checkout@v3 + - name: Run Terrascan + id: terrascan + uses: accurics/terrascan-action@main + with: + iac_type: 'terraform' + only_warn: true diff --git a/deployment/terraform/aws/main.tf b/deployment/terraform/aws/main.tf index 75a8f7212..c8e86758f 100644 --- a/deployment/terraform/aws/main.tf +++ b/deployment/terraform/aws/main.tf 
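Review bot: Three of the four actions are pulled from mutable branch refs — `bridgecrewio/checkov-action@master`, `actionshub/terraform-lint@main` and `accurics/terrascan-action@main` — so whatever lands on those branches runs in this repository's CI with its GITHUB_TOKEN; pin each to a release tag or, better, a full commit SHA, e.g. `uses: accurics/terrascan-action@<commit-sha>`. The workflow also declares no `permissions:` block, so the token inherits the repository default instead of the read-only scope these scanners need; add `permissions:` with `contents: read` at the top level. `soft_fail: true` and `only_warn: true` make the checkov and terrascan jobs purely informational — findings are logged but never fail the run — which is a reasonable bootstrap setting but deserves a comment such as `# soft_fail/only_warn: report only; tighten once the baseline is clean` so a green run is not mistaken for a clean scan. Checkov is scoped to `./deployment/terraform/aws` while the lint and terrascan jobs run against the repository root; if that is unintentional, terrascan accepts an `iac_dir` input (confirm against the action's documentation).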
@@ -1,93 +1,93 @@ provider "aws" { - alias = "region_1" - region = var.region_1 + alias = "region_1" + region = var.region_1 } provider "aws" { - alias = "region_2" - region = var.region_2 + alias = "region_2" + region = var.region_2 } # Validator module "validator" { - source = "./validator" - providers = { - aws = aws.region_1 - } + source = "./validator" + providers = { + aws = aws.region_1 + } } # Private Sentries module "private_sentries" { - source = "./private-sentries" + source = "./private-sentries" - providers = { - aws = aws.region_1 - aws.peer = aws.region_1 - } + providers = { + aws = aws.region_1 + aws.peer = aws.region_1 + } - peer_vpc = module.validator.vpc + peer_vpc = module.validator.vpc } # Public Sentries region 1 module "public_sentries_1" { - source = "./public-sentries" - nodes_count = 1 - - # enable_ipv6 = false - - providers = { - aws = aws.region_1 - aws.peer = aws.region_1 - } - - region_index = 1 - peer_vpc = module.private_sentries.vpc + source = "./public-sentries" + nodes_count = 1 + + # enable_ipv6 = false + + providers = { + aws = aws.region_1 + aws.peer = aws.region_1 + } + + region_index = 1 + peer_vpc = module.private_sentries.vpc } # Public Sentries region 2 module "public_sentries_2" { - source = "./public-sentries" - nodes_count = 1 + source = "./public-sentries" + nodes_count = 1 - # enable_ipv6 = false + # enable_ipv6 = false - providers = { - aws = aws.region_2 - aws.peer = aws.region_1 - } + providers = { + aws = aws.region_2 + aws.peer = aws.region_1 + } - region_index = 2 - peer_vpc = module.private_sentries.vpc + region_index = 2 + peer_vpc = module.private_sentries.vpc } # Observers region 1 module "observers_1" { - source = "./observers" - - providers = { - aws = aws.region_1 - aws.peer = aws.region_1 - } - - root_domain_name = var.root_domain_name - enable_tls = var.enable_tls - - region_index = 1 - peer_vpc = module.private_sentries.vpc + source = "./observers" + + providers = { + aws = aws.region_1 + aws.peer = 
aws.region_1 + } + + root_domain_name = var.root_domain_name + enable_tls = var.enable_tls + + region_index = 1 + peer_vpc = module.private_sentries.vpc } # Observers region 2 module "observers_2" { - source = "./observers" - - providers = { - aws = aws.region_2 - aws.peer = aws.region_1 - } - - root_domain_name = var.root_domain_name - enable_tls = var.enable_tls - - region_index = 2 - peer_vpc = module.private_sentries.vpc + source = "./observers" + + providers = { + aws = aws.region_2 + aws.peer = aws.region_1 + } + + root_domain_name = var.root_domain_name + enable_tls = var.enable_tls + + region_index = 2 + peer_vpc = module.private_sentries.vpc } \ No newline at end of file diff --git a/deployment/terraform/aws/observers/acm.tf b/deployment/terraform/aws/observers/acm.tf index 179243db0..106b9b1c7 100644 --- a/deployment/terraform/aws/observers/acm.tf +++ b/deployment/terraform/aws/observers/acm.tf 
@@ -1,25 +1,25 @@ resource "aws_acm_certificate" "this_acm_cert" { - count = local.enable_tls ? 1 : 0 + count = local.enable_tls ? 1 : 0 - domain_name = "on.${data.aws_route53_zone.this_zone[0].name}" - validation_method = "DNS" + domain_name = "on.${data.aws_route53_zone.this_zone[0].name}" + validation_method = "DNS" } resource "aws_route53_record" "this_acm_val_records" { - count = local.enable_tls ? length(aws_acm_certificate.this_acm_cert[0].domain_validation_options) : 0 + count = local.enable_tls ? length(aws_acm_certificate.this_acm_cert[0].domain_validation_options) : 0 - name = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_name - records = [tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_value] - type = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_type + name = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_name + records = [tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_value] + type = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_type - allow_overwrite = true - ttl = 60 - zone_id = data.aws_route53_zone.this_zone[0].zone_id + allow_overwrite = true + ttl = 60 + zone_id = data.aws_route53_zone.this_zone[0].zone_id } resource "aws_acm_certificate_validation" "this_acm_cert_validation" { - count = local.enable_tls ? 1 : 0 + count = local.enable_tls ? 1 : 0 - certificate_arn = aws_acm_certificate.this_acm_cert[0].arn - validation_record_fqdns = aws_route53_record.this_acm_val_records[*].fqdn + certificate_arn = aws_acm_certificate.this_acm_cert[0].arn + validation_record_fqdns = aws_route53_record.this_acm_val_records[*].fqdn } 
diff --git a/deployment/terraform/aws/observers/elb.tf b/deployment/terraform/aws/observers/elb.tf index a6e6d7265..9feae8eeb 100644 --- a/deployment/terraform/aws/observers/elb.tf +++ b/deployment/terraform/aws/observers/elb.tf 
@@ -1,162 +1,162 @@ resource "aws_lb" "this_nlb" { - name = "observers-network-lb" - internal = false - load_balancer_type = "network" - subnets = module.this_vpc.public_subnets + name = "observers-network-lb" + internal = false + load_balancer_type = "network" + subnets = module.this_vpc.public_subnets - enable_cross_zone_load_balancing = true - # enable_deletion_protection = true + enable_cross_zone_load_balancing = true + # enable_deletion_protection = true - tags = { - Name = "Observers NLB" - } + tags = { + Name = "Observers NLB" + } } locals { - tls_cert_arn = var.enable_tls ? aws_acm_certificate_validation.this_acm_cert_validation[0].certificate_arn : "" - ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.3 (recommended) + tls_cert_arn = var.enable_tls ? aws_acm_certificate_validation.this_acm_cert_validation[0].certificate_arn : "" + ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.3 (recommended) } resource "aws_lb_listener" "rest" { - count = local.enable_tls ? 0 : 1 + count = local.enable_tls ? 0 : 1 - load_balancer_arn = aws_lb.this_nlb.arn - port = "80" - protocol = "TCP" + load_balancer_arn = aws_lb.this_nlb.arn + port = "80" + protocol = "TCP" - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.rest.arn - } + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.rest.arn + } } resource "aws_lb_listener" "grpc" { - count = local.enable_tls ? 0 : 1 + count = local.enable_tls ? 0 : 1 - load_balancer_arn = aws_lb.this_nlb.arn - port = "9090" - protocol = "TCP" + load_balancer_arn = aws_lb.this_nlb.arn + port = "9090" + protocol = "TCP" - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.grpc.arn - } + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.grpc.arn + } } resource "aws_lb_listener" "rpc" { - count = local.enable_tls ? 0 : 1 + count = local.enable_tls ? 
0 : 1 - load_balancer_arn = aws_lb.this_nlb.arn - port = "8080" - protocol = "TCP" + load_balancer_arn = aws_lb.this_nlb.arn + port = "8080" + protocol = "TCP" - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.rpc.arn - } + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.rpc.arn + } } resource "aws_lb_listener" "tls_rest" { - count = local.enable_tls ? 1 : 0 - - load_balancer_arn = aws_lb.this_nlb.arn - port = "443" - protocol = "TLS" - certificate_arn = local.tls_cert_arn - ssl_policy = local.ssl_policy - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.rest.arn - } - - depends_on = [ - aws_acm_certificate_validation.this_acm_cert_validation[0] - ] + count = local.enable_tls ? 1 : 0 + + load_balancer_arn = aws_lb.this_nlb.arn + port = "443" + protocol = "TLS" + certificate_arn = local.tls_cert_arn + ssl_policy = local.ssl_policy + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.rest.arn + } + + depends_on = [ + aws_acm_certificate_validation.this_acm_cert_validation[0] + ] } resource "aws_lb_listener" "tls_grpc" { - count = local.enable_tls ? 1 : 0 - - load_balancer_arn = aws_lb.this_nlb.arn - port = "8443" - protocol = "TLS" - certificate_arn = local.tls_cert_arn - ssl_policy = local.ssl_policy - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.grpc.arn - } - - depends_on = [ - aws_acm_certificate_validation.this_acm_cert_validation[0] - ] + count = local.enable_tls ? 1 : 0 + + load_balancer_arn = aws_lb.this_nlb.arn + port = "8443" + protocol = "TLS" + certificate_arn = local.tls_cert_arn + ssl_policy = local.ssl_policy + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.grpc.arn + } + + depends_on = [ + aws_acm_certificate_validation.this_acm_cert_validation[0] + ] } resource "aws_lb_listener" "tls_rpc" { - count = local.enable_tls ? 
1 : 0 - - load_balancer_arn = aws_lb.this_nlb.arn - port = "26657" - protocol = "TLS" - certificate_arn = local.tls_cert_arn - ssl_policy = local.ssl_policy - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.rpc.arn - } - - depends_on = [ - aws_acm_certificate_validation.this_acm_cert_validation[0] - ] + count = local.enable_tls ? 1 : 0 + + load_balancer_arn = aws_lb.this_nlb.arn + port = "26657" + protocol = "TLS" + certificate_arn = local.tls_cert_arn + ssl_policy = local.ssl_policy + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.rpc.arn + } + + depends_on = [ + aws_acm_certificate_validation.this_acm_cert_validation[0] + ] } resource "aws_lb_target_group" "rest" { - name = "observers-rest-target-group" - port = 1317 - protocol = "TCP" - vpc_id = module.this_vpc.vpc_id - preserve_client_ip = false + name = "observers-rest-target-group" + port = 1317 + protocol = "TCP" + vpc_id = module.this_vpc.vpc_id + preserve_client_ip = false } resource "aws_lb_target_group" "grpc" { - name = "observers-grpc-target-group" - port = 9090 - protocol = "TCP" - vpc_id = module.this_vpc.vpc_id - preserve_client_ip = false + name = "observers-grpc-target-group" + port = 9090 + protocol = "TCP" + vpc_id = module.this_vpc.vpc_id + preserve_client_ip = false } resource "aws_lb_target_group" "rpc" { - name = "observers-rpc-target-group" - port = 26657 - protocol = "TCP" - vpc_id = module.this_vpc.vpc_id - preserve_client_ip = false + name = "observers-rpc-target-group" + port = 26657 + protocol = "TCP" + vpc_id = module.this_vpc.vpc_id + preserve_client_ip = false } resource "aws_lb_target_group_attachment" "rest_targets" { - count = length(aws_instance.this_nodes) + count = length(aws_instance.this_nodes) - target_group_arn = aws_lb_target_group.rest.arn - target_id = aws_instance.this_nodes[count.index].id - port = 80 + target_group_arn = aws_lb_target_group.rest.arn + target_id = aws_instance.this_nodes[count.index].id + 
port = 80 } resource "aws_lb_target_group_attachment" "grpc_targets" { - count = length(aws_instance.this_nodes) + count = length(aws_instance.this_nodes) - target_group_arn = aws_lb_target_group.grpc.arn - target_id = aws_instance.this_nodes[count.index].id - port = 9090 + target_group_arn = aws_lb_target_group.grpc.arn + target_id = aws_instance.this_nodes[count.index].id + port = 9090 } resource "aws_lb_target_group_attachment" "rpc_targets" { - count = length(aws_instance.this_nodes) + count = length(aws_instance.this_nodes) - target_group_arn = aws_lb_target_group.rpc.arn - target_id = aws_instance.this_nodes[count.index].id - port = 26657 + target_group_arn = aws_lb_target_group.rpc.arn + target_id = aws_instance.this_nodes[count.index].id + port = 26657 } \ No newline at end of file diff --git a/deployment/terraform/aws/observers/locals.tf b/deployment/terraform/aws/observers/locals.tf index 02dd04920..c42ea355b 100644 --- a/deployment/terraform/aws/observers/locals.tf +++ b/deployment/terraform/aws/observers/locals.tf @@ -1,3 +1,3 @@ locals { - enable_tls = var.enable_tls && var.root_domain_name != "" + enable_tls = var.enable_tls && var.root_domain_name != "" } \ No newline at end of file diff --git a/deployment/terraform/aws/observers/main.tf b/deployment/terraform/aws/observers/main.tf index 81e33786d..c15043993 100644 --- a/deployment/terraform/aws/observers/main.tf +++ b/deployment/terraform/aws/observers/main.tf 
@@ -1,43 +1,47 @@ data "aws_ami" "ubuntu" { - most_recent = true - owners = ["099720109477"] - - filter { - name = "name" - values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } + most_recent = true + owners = ["099720109477"] + + filter { + name = "name" + values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } } resource "aws_key_pair" "key_pair" { - public_key = file(var.ssh_public_key_path) + public_key = file(var.ssh_public_key_path) } resource "aws_instance" "this_nodes" { - count = var.nodes_count + count = var.nodes_count - ami = data.aws_ami.ubuntu.id - instance_type = "t3.medium" + ami = data.aws_ami.ubuntu.id + instance_type = "t3.medium" - subnet_id = element(module.this_vpc.public_subnets, count.index % length(module.this_vpc.public_subnets)) - vpc_security_group_ids = [ - module.this_dev_sg.security_group_id, - module.this_private_sg.security_group_id - ] + subnet_id = element(module.this_vpc.public_subnets, count.index % length(module.this_vpc.public_subnets)) + vpc_security_group_ids = [ + module.this_dev_sg.security_group_id, + module.this_private_sg.security_group_id + ] - key_name = aws_key_pair.key_pair.id - monitoring = true + key_name = aws_key_pair.key_pair.id + monitoring = true - tags = { - Name = "Observer Node [${count.index}]" - } + tags = { + Name = "Observer Node [${count.index}]" + } - root_block_device { - encrypted = true - volume_size = 30 - } -} \ No newline at end of file + root_block_device { + encrypted = true + volume_size = 30 + } + + metadata_options { + http_tokens = "required" + } +} diff --git a/deployment/terraform/aws/observers/provider.tf b/deployment/terraform/aws/observers/provider.tf index 9abe0ebfd..4c126d3b8 100644 --- a/deployment/terraform/aws/observers/provider.tf +++ b/deployment/terraform/aws/observers/provider.tf 
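Review bot: The new `metadata_options` block turns on IMDSv2 (`http_tokens = "required"`) but leaves the PUT response hop limit at its default, so a process one network hop away on the node (a container, for instance) can still obtain a session token; add `http_put_response_hop_limit = 1` next to `http_tokens` to confine IMDS access to the host itself. The private-sentries main.tf hunk on this page adds the same block and has the same gap. Separately, these instances are placed in `module.this_vpc.public_subnets` and attach `module.this_dev_sg`, which the observers/security.tf hunk shows opening `ssh-tcp` and `all-icmp` to `0.0.0.0/0`; since that group is described as a development group, a comment on the `vpc_security_group_ids` list such as `# this_dev_sg exposes SSH world-wide; restrict ingress_cidr_blocks outside development` would make the exposure explicit on the resource that carries it.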
@@ -1,9 +1,9 @@ terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.72" - configuration_aliases = [aws, aws.peer] - } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.72" + configuration_aliases = [aws, aws.peer] } + } } \ No newline at end of file diff --git a/deployment/terraform/aws/observers/route53.tf b/deployment/terraform/aws/observers/route53.tf index cbe1d5398..459cf1def 100644 --- a/deployment/terraform/aws/observers/route53.tf +++ b/deployment/terraform/aws/observers/route53.tf @@ -1,26 +1,26 @@ locals { - enable_routing = var.root_domain_name == "" ? 0 : 1 + enable_routing = var.root_domain_name == "" ? 0 : 1 } data "aws_route53_zone" "this_zone" { - count = local.enable_routing - name = var.root_domain_name + count = local.enable_routing + name = var.root_domain_name } data "aws_region" "current" {} resource "aws_route53_record" "on" { - count = local.enable_routing + count = local.enable_routing - zone_id = data.aws_route53_zone.this_zone[0].zone_id - name = "on.${data.aws_route53_zone.this_zone[0].name}" - type = "CNAME" - ttl = "300" + zone_id = data.aws_route53_zone.this_zone[0].zone_id + name = "on.${data.aws_route53_zone.this_zone[0].name}" + type = "CNAME" + ttl = "300" - latency_routing_policy { - region = data.aws_region.current.name - } + latency_routing_policy { + region = data.aws_region.current.name + } - set_identifier = "Observers NLB [${var.region_index}]" - records = ["${aws_lb.this_nlb.dns_name}"] + set_identifier = "Observers NLB [${var.region_index}]" + records = ["${aws_lb.this_nlb.dns_name}"] } \ No newline at end of file diff --git a/deployment/terraform/aws/observers/security.tf b/deployment/terraform/aws/observers/security.tf index a5e993e1e..3c1e054d1 100644 --- a/deployment/terraform/aws/observers/security.tf +++ b/deployment/terraform/aws/observers/security.tf 
@@ -1,55 +1,55 @@ module "this_dev_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "observer-dev-security-group" - description = "Observer nodes security group for development" + name = "observer-dev-security-group" + description = "Observer nodes security group for development" - vpc_id = module.this_vpc.vpc_id + vpc_id = module.this_vpc.vpc_id - ingress_cidr_blocks = ["0.0.0.0/0"] - ingress_rules = ["all-icmp", "ssh-tcp"] - egress_rules = ["all-all"] + ingress_cidr_blocks = ["0.0.0.0/0"] + ingress_rules = ["all-icmp", "ssh-tcp"] + egress_rules = ["all-all"] } module "this_private_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "observer-private-security-group" - description = "Observer nodes security group for internal connections" + name = "observer-private-security-group" + description = "Observer nodes security group for internal connections" - vpc_id = module.this_vpc.vpc_id + vpc_id = module.this_vpc.vpc_id - egress_rules = ["all-all"] - ingress_with_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow p2p from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - { - from_port = 26657 - to_port = 26657 - protocol = "tcp" - description = "Allow RPC from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - { - from_port = 9090 - to_port = 9090 - protocol = "tcp" - description = "Allow gRPC from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - { - from_port = 1317 - to_port = 1317 - protocol = "tcp" - description = "Allow REST from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - ] + egress_rules = ["all-all"] + ingress_with_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow p2p from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + { + 
from_port = 26657 + to_port = 26657 + protocol = "tcp" + description = "Allow RPC from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + { + from_port = 9090 + to_port = 9090 + protocol = "tcp" + description = "Allow gRPC from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + { + from_port = 1317 + to_port = 1317 + protocol = "tcp" + description = "Allow REST from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + ] } \ No newline at end of file diff --git a/deployment/terraform/aws/observers/variables.tf b/deployment/terraform/aws/observers/variables.tf index ceb1eb93c..a947bbf21 100644 --- a/deployment/terraform/aws/observers/variables.tf +++ b/deployment/terraform/aws/observers/variables.tf @@ -1,38 +1,38 @@ variable "ssh_public_key_path" { - description = "SSH public key file path" - default = "~/.ssh/id_rsa.pub" + description = "SSH public key file path" + default = "~/.ssh/id_rsa.pub" } variable "ssh_private_key_path" { - description = "SSH private key file path" - default = "~/.ssh/id_rsa" + description = "SSH private key file path" + default = "~/.ssh/id_rsa" } variable "ssh_username" { - description = "SSH username" - default = "ubuntu" + description = "SSH username" + default = "ubuntu" } variable "nodes_count" { - description = "Number of Observer nodes" - default = 5 + description = "Number of Observer nodes" + default = 5 } variable "region_index" { - description = "Observer Region Index" - default = 0 + description = "Observer Region Index" + default = 0 } variable "enable_tls" { - description = "Enable TLS on LB listeners" - default = false + description = "Enable TLS on LB listeners" + default = false } variable "root_domain_name" { - description = "Root domain name" - default = "" + description = "Root domain name" + default = "" } variable "peer_vpc" { - description = "Peer VPC" + description = "Peer VPC" } diff --git a/deployment/terraform/aws/observers/vpc.tf b/deployment/terraform/aws/observers/vpc.tf index c15b48a0a..7fc0cd37f 100644 
--- a/deployment/terraform/aws/observers/vpc.tf +++ b/deployment/terraform/aws/observers/vpc.tf @@ -1,22 +1,22 @@ data "aws_availability_zones" "available" { - state = "available" + state = "available" } locals { - vpc_network_prefix = "10.${30 + var.region_index}" + vpc_network_prefix = "10.${30 + var.region_index}" } module "this_vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "3.14.0" + source = "terraform-aws-modules/vpc/aws" + version = "3.14.0" - name = "observers-vpc-1" - cidr = "${local.vpc_network_prefix}.0.0/16" + name = "observers-vpc-1" + cidr = "${local.vpc_network_prefix}.0.0/16" - azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] + azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] - public_subnets = ["${local.vpc_network_prefix}.1.0/24", "${local.vpc_network_prefix}.2.0/24"] + public_subnets = ["${local.vpc_network_prefix}.1.0/24", "${local.vpc_network_prefix}.2.0/24"] - enable_nat_gateway = true - enable_dns_hostnames = true + enable_nat_gateway = true + enable_dns_hostnames = true } diff --git a/deployment/terraform/aws/observers/vpc_peering.tf b/deployment/terraform/aws/observers/vpc_peering.tf index afc910b27..485549b89 100644 --- a/deployment/terraform/aws/observers/vpc_peering.tf +++ b/deployment/terraform/aws/observers/vpc_peering.tf 
@@ -1,21 +1,21 @@ module "this_vpc_peerings" { - source = "grem11n/vpc-peering/aws" - version = "4.1.0" - - providers = { - aws.this = aws - aws.peer = aws.peer - } + source = "grem11n/vpc-peering/aws" + version = "4.1.0" - this_vpc_id = module.this_vpc.vpc_id - peer_vpc_id = var.peer_vpc.vpc_id + providers = { + aws.this = aws + aws.peer = aws.peer + } - this_rts_ids = module.this_vpc.public_route_table_ids - peer_rts_ids = [element(var.peer_vpc.public_route_table_ids, 0)] + this_vpc_id = module.this_vpc.vpc_id + peer_vpc_id = var.peer_vpc.vpc_id - auto_accept_peering = true + this_rts_ids = module.this_vpc.public_route_table_ids + peer_rts_ids = [element(var.peer_vpc.public_route_table_ids, 0)] - tags = { - Name = "Observers to Private Sentries peering" - } + auto_accept_peering = true + + tags = { + Name = "Observers to Private Sentries peering" + } } \ No newline at end of file diff --git a/deployment/terraform/aws/private-sentries/main.tf b/deployment/terraform/aws/private-sentries/main.tf index 98a97396a..b84977e91 100644 --- a/deployment/terraform/aws/private-sentries/main.tf +++ b/deployment/terraform/aws/private-sentries/main.tf 
@@ -1,54 +1,58 @@ data "aws_ami" "ubuntu" { - most_recent = true - owners = ["099720109477"] - - filter { - name = "name" - values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } + most_recent = true + owners = ["099720109477"] + + filter { + name = "name" + values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } } resource "aws_key_pair" "key_pair" { - public_key = file(var.ssh_public_key_path) + public_key = file(var.ssh_public_key_path) } resource "aws_instance" "this_nodes" { - count = var.nodes_count + count = var.nodes_count - ami = data.aws_ami.ubuntu.id - instance_type = "t3.medium" + ami = data.aws_ami.ubuntu.id + instance_type = "t3.medium" - subnet_id = element(module.this_vpc.public_subnets, 0) - vpc_security_group_ids = [ - module.this_dev_sg.security_group_id, - module.this_private_sg.security_group_id, - module.this_public_sg.security_group_id - ] + subnet_id = element(module.this_vpc.public_subnets, 0) + vpc_security_group_ids = [ + module.this_dev_sg.security_group_id, + module.this_private_sg.security_group_id, + module.this_public_sg.security_group_id + ] - key_name = aws_key_pair.key_pair.id - monitoring = true + key_name = aws_key_pair.key_pair.id + monitoring = true - tags = { - Name = "Private Sentry Node ${count.index}" - } + tags = { + Name = "Private Sentry Node ${count.index}" + } - root_block_device { - encrypted = true - volume_size = 30 - } + root_block_device { + encrypted = true + volume_size = 30 + } + + metadata_options { + http_tokens = "required" + } } resource "aws_eip" "this_eip" { - count = length(aws_instance.this_nodes) > 0 ? 1 : 0 - instance = aws_instance.this_nodes[0].id - vpc = true - - tags = { - Name = "Private Sentry Node ${count.index} Elastic IP" - } -} \ No newline at end of file + count = length(aws_instance.this_nodes) > 0 ? 
1 : 0 + instance = aws_instance.this_nodes[0].id + vpc = true + + tags = { + Name = "Private Sentry Node ${count.index} Elastic IP" + } +} diff --git a/deployment/terraform/aws/private-sentries/outputs.tf b/deployment/terraform/aws/private-sentries/outputs.tf index 12bcae675..34c776785 100644 --- a/deployment/terraform/aws/private-sentries/outputs.tf +++ b/deployment/terraform/aws/private-sentries/outputs.tf @@ -1,3 +1,3 @@ output "vpc" { - value = module.this_vpc + value = module.this_vpc } \ No newline at end of file diff --git a/deployment/terraform/aws/private-sentries/provider.tf b/deployment/terraform/aws/private-sentries/provider.tf index 9abe0ebfd..4c126d3b8 100644 --- a/deployment/terraform/aws/private-sentries/provider.tf +++ b/deployment/terraform/aws/private-sentries/provider.tf @@ -1,9 +1,9 @@ terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.72" - configuration_aliases = [aws, aws.peer] - } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.72" + configuration_aliases = [aws, aws.peer] } + } } \ No newline at end of file diff --git a/deployment/terraform/aws/private-sentries/security.tf b/deployment/terraform/aws/private-sentries/security.tf index 60269d6a3..141a1d0f0 100644 --- a/deployment/terraform/aws/private-sentries/security.tf +++ b/deployment/terraform/aws/private-sentries/security.tf 
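Review bot: `data.aws_ami.ubuntu` resolves `most_recent = true` over a wildcard `name` pattern, so the image behind `aws_instance.this_nodes` is whatever the owner account published most recently at apply time; a later apply can silently roll the nodes onto a different image, which undermines reproducibility and any review of what actually runs. Pin the resolved AMI ID in a variable, or narrow the `values` filter to an exact image name, and document the owner, e.g. `owners = ["099720109477"] # Canonical`; the observers main.tf hunk has the same lookup. The `aws_eip` block still uses `vpc = true`, which, as far as I recall, newer AWS provider releases deprecate in favour of `domain = "vpc"`, and the sibling provider.tf hunk's `version = ">= 3.72"` has no upper bound, so a fresh init may pull a provider that warns on or rejects it — worth confirming against the provider version the lockfile actually resolves.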
@@ -1,62 +1,62 @@ module "this_dev_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "private-sentry-dev-security-group" - description = "Private Sentry nodes security group for development" - vpc_id = module.this_vpc.vpc_id + name = "private-sentry-dev-security-group" + description = "Private Sentry nodes security group for development" + vpc_id = module.this_vpc.vpc_id - ingress_cidr_blocks = ["0.0.0.0/0"] - ingress_rules = ["all-icmp", "ssh-tcp"] - egress_rules = ["all-all"] + ingress_cidr_blocks = ["0.0.0.0/0"] + ingress_rules = ["all-icmp", "ssh-tcp"] + egress_rules = ["all-all"] } module "this_private_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" - - name = "private-sentry-private-security-group" - description = "Private Sentry nodes security group for internal connections" - vpc_id = module.this_vpc.vpc_id - - egress_rules = ["all-all"] - ingress_with_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow p2p from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - { - from_port = 26657 - to_port = 26657 - protocol = "tcp" - description = "Allow RPC from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - ] + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" + + name = "private-sentry-private-security-group" + description = "Private Sentry nodes security group for internal connections" + vpc_id = module.this_vpc.vpc_id + + egress_rules = ["all-all"] + ingress_with_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow p2p from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + { + from_port = 26657 + to_port = 26657 + protocol = "tcp" + description = "Allow RPC from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + ] } module "this_public_sg" { - source = "terraform-aws-modules/security-group/aws" - 
version = "~> 4.0" - - name = "private-sentry-public-security-group" - description = "Private Sentry nodes security group for external connections" - vpc_id = module.this_vpc.vpc_id - - # ingress_cidr_blocks = ["10.0.0.0/8"] - egress_rules = ["all-all"] - - - ingress_with_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow P2P from Some Organization" - cidr_blocks = "10.1.1.1/32" # whitelist IP - }, - ] + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" + + name = "private-sentry-public-security-group" + description = "Private Sentry nodes security group for external connections" + vpc_id = module.this_vpc.vpc_id + + # ingress_cidr_blocks = ["10.0.0.0/8"] + egress_rules = ["all-all"] + + + ingress_with_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow P2P from Some Organization" + cidr_blocks = "10.1.1.1/32" # whitelist IP + }, + ] } \ No newline at end of file diff --git a/deployment/terraform/aws/private-sentries/variables.tf b/deployment/terraform/aws/private-sentries/variables.tf index a29d22eb9..47c6a0bc6 100644 --- a/deployment/terraform/aws/private-sentries/variables.tf +++ b/deployment/terraform/aws/private-sentries/variables.tf 
@@ -1,23 +1,23 @@ variable "ssh_public_key_path" { - description = "SSH public key file path" - default = "~/.ssh/id_rsa.pub" + description = "SSH public key file path" + default = "~/.ssh/id_rsa.pub" } variable "ssh_private_key_path" { - description = "SSH private key file path" - default = "~/.ssh/id_rsa" + description = "SSH private key file path" + default = "~/.ssh/id_rsa" } variable "ssh_username" { - description = "SSH username" - default = "ubuntu" + description = "SSH username" + default = "ubuntu" } variable "peer_vpc" { - description = "Peer VPC" + description = "Peer VPC" } variable "nodes_count" { - description = "Number of Private Sentry nodes" - default = 2 + description = "Number of Private Sentry nodes" + default = 2 } \ No newline at end of file diff --git a/deployment/terraform/aws/private-sentries/vpc.tf b/deployment/terraform/aws/private-sentries/vpc.tf index 56412bda2..6d3650f84 100644 --- a/deployment/terraform/aws/private-sentries/vpc.tf +++ b/deployment/terraform/aws/private-sentries/vpc.tf @@ -3,20 +3,20 @@ data "aws_availability_zones" "available" { } locals { - vpc_network_prefix = "10.10" + vpc_network_prefix = "10.10" } module "this_vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "3.14.0" + source = "terraform-aws-modules/vpc/aws" + version = "3.14.0" - name = "private-sentries-vpc" - cidr = "${local.vpc_network_prefix}.0.0/16" + name = "private-sentries-vpc" + cidr = "${local.vpc_network_prefix}.0.0/16" - azs = [data.aws_availability_zones.available.names[0]] + azs = [data.aws_availability_zones.available.names[0]] - public_subnets = ["${local.vpc_network_prefix}.1.0/24"] + public_subnets = ["${local.vpc_network_prefix}.1.0/24"] - enable_nat_gateway = true - enable_dns_hostnames = true + enable_nat_gateway = true + enable_dns_hostnames = true } diff --git a/deployment/terraform/aws/private-sentries/vpc_peering.tf b/deployment/terraform/aws/private-sentries/vpc_peering.tf index f8aa45dcc..f9aa3fcb9 100644 
--- a/deployment/terraform/aws/private-sentries/vpc_peering.tf +++ b/deployment/terraform/aws/private-sentries/vpc_peering.tf @@ -1,21 +1,21 @@ module "this_vpc_peering" { - source = "grem11n/vpc-peering/aws" - version = "4.1.0" - - providers = { - aws.this = aws - aws.peer = aws.peer - } + source = "grem11n/vpc-peering/aws" + version = "4.1.0" - this_vpc_id = module.this_vpc.vpc_id - peer_vpc_id = var.peer_vpc.vpc_id + providers = { + aws.this = aws + aws.peer = aws.peer + } - this_rts_ids = [element(module.this_vpc.public_route_table_ids, 0)] - peer_rts_ids = [element(var.peer_vpc.public_route_table_ids, 0)] + this_vpc_id = module.this_vpc.vpc_id + peer_vpc_id = var.peer_vpc.vpc_id - auto_accept_peering = true + this_rts_ids = [element(module.this_vpc.public_route_table_ids, 0)] + peer_rts_ids = [element(var.peer_vpc.public_route_table_ids, 0)] - tags = { - Name = "Private Sentries to Validator VPC peering" - } + auto_accept_peering = true + + tags = { + Name = "Private Sentries to Validator VPC peering" + } } \ No newline at end of file diff --git a/deployment/terraform/aws/public-sentries/main.tf b/deployment/terraform/aws/public-sentries/main.tf index ea06eba57..93e4d8d9d 100644 --- a/deployment/terraform/aws/public-sentries/main.tf +++ b/deployment/terraform/aws/public-sentries/main.tf 
@@ -1,92 +1,100 @@ data "aws_ami" "ubuntu" { - most_recent = true - owners = ["099720109477"] - - filter { - name = "name" - values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } + most_recent = true + owners = ["099720109477"] + + filter { + name = "name" + values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } } resource "aws_key_pair" "key_pair" { - public_key = file(var.ssh_public_key_path) + public_key = file(var.ssh_public_key_path) } resource "aws_instance" "this_nodes" { - count = var.nodes_count - - ami = data.aws_ami.ubuntu.id - instance_type = "t3.medium" - - subnet_id = element(module.this_vpc.public_subnets, 0) - ipv6_address_count = var.enable_ipv6 ? 1 : 0 - - vpc_security_group_ids = [ - module.this_dev_sg.security_group_id, - module.this_public_sg.security_group_id - ] - - key_name = aws_key_pair.key_pair.id - monitoring = true - - tags = { - Name = "Public Sentry Node ${count.index}" - } - - root_block_device { - encrypted = true - volume_size = 30 - } + count = var.nodes_count + + ami = data.aws_ami.ubuntu.id + instance_type = "t3.medium" + + subnet_id = element(module.this_vpc.public_subnets, 0) + ipv6_address_count = var.enable_ipv6 ? 1 : 0 + + vpc_security_group_ids = [ + module.this_dev_sg.security_group_id, + module.this_public_sg.security_group_id + ] + + key_name = aws_key_pair.key_pair.id + monitoring = true + + tags = { + Name = "Public Sentry Node ${count.index}" + } + + root_block_device { + encrypted = true + volume_size = 30 + } + + metadata_options { + http_tokens = "required" + } } resource "aws_instance" "this_seed_node" { - ami = data.aws_ami.ubuntu.id - instance_type = "t3.medium" + ami = data.aws_ami.ubuntu.id + instance_type = "t3.medium" - subnet_id = element(module.this_vpc.public_subnets, 0) - ipv6_address_count = var.enable_ipv6 ? 
1 : 0 + subnet_id = element(module.this_vpc.public_subnets, 0) + ipv6_address_count = var.enable_ipv6 ? 1 : 0 - vpc_security_group_ids = [ - module.this_dev_sg.security_group_id, - module.this_seed_sg.security_group_id - ] + vpc_security_group_ids = [ + module.this_dev_sg.security_group_id, + module.this_seed_sg.security_group_id + ] - key_name = aws_key_pair.key_pair.id - monitoring = true + key_name = aws_key_pair.key_pair.id + monitoring = true - tags = { - Name = "Public Sentries' Seed Node" - } + tags = { + Name = "Public Sentries' Seed Node" + } - root_block_device { - encrypted = true - volume_size = 30 - } + root_block_device { + encrypted = true + volume_size = 30 + } + + metadata_options { + http_tokens = "required" + } } resource "aws_eip" "this_nodes_eips" { - count = var.enable_ipv6 ? 0 : length(aws_instance.this_nodes) + count = var.enable_ipv6 ? 0 : length(aws_instance.this_nodes) - instance = aws_instance.this_nodes[count.index].id - vpc = true + instance = aws_instance.this_nodes[count.index].id + vpc = true - tags = { - Name = "Public Sentry Node [${count.index}] Elastic IP" - } + tags = { + Name = "Public Sentry Node [${count.index}] Elastic IP" + } } resource "aws_eip" "this_seed_eip" { - count = var.enable_ipv6 ? 0 : 1 + count = var.enable_ipv6 ? 0 : 1 - instance = aws_instance.this_seed_node.id - vpc = true + instance = aws_instance.this_seed_node.id + vpc = true - tags = { - Name = "Public Sentries' Seed Node Elastic IP" - } -} \ No newline at end of file + tags = { + Name = "Public Sentries' Seed Node Elastic IP" + } +} diff --git a/deployment/terraform/aws/public-sentries/provider.tf b/deployment/terraform/aws/public-sentries/provider.tf index 9abe0ebfd..4c126d3b8 100644 --- a/deployment/terraform/aws/public-sentries/provider.tf +++ b/deployment/terraform/aws/public-sentries/provider.tf 
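Review bot: Both instances attach `module.this_dev_sg.security_group_id`, which according to the security.tf hunk on this page admits SSH and ICMP from `0.0.0.0/0` and `::/0`, and `this_nodes` additionally attaches `this_public_sg`, which opens the RPC port 26657 to the same ranges; the new `metadata_options` block hardens IMDS but leaves these as the larger exposure, so consider driving the dev-group ingress CIDRs from a variable that defaults to an empty list and documenting why RPC must be Internet-reachable. The `metadata_options` block repeats the same three lines in validator/main.tf; adding `http_endpoint = "enabled"` next to `http_tokens = "required"` would make the IMDSv2 intent explicit both for readers and for the terrascan configuration this commit adds. The `aws_eip` resources still use `vpc = true`, which newer AWS provider releases deprecate in favour of `domain = "vpc"`; with the `>= 3.72` constraint in provider.tf this will surface as a warning once the provider is upgraded.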
@@ -1,9 +1,9 @@ terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.72" - configuration_aliases = [aws, aws.peer] - } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.72" + configuration_aliases = [aws, aws.peer] } + } } \ No newline at end of file diff --git a/deployment/terraform/aws/public-sentries/security.tf b/deployment/terraform/aws/public-sentries/security.tf index aca46045d..eb38f55c6 100644 --- a/deployment/terraform/aws/public-sentries/security.tf +++ b/deployment/terraform/aws/public-sentries/security.tf 
@@ -1,80 +1,80 @@ module "this_dev_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "public-sentry-dev-security-group" - description = "Public Sentry nodes security group for development" - vpc_id = module.this_vpc.vpc_id + name = "public-sentry-dev-security-group" + description = "Public Sentry nodes security group for development" + vpc_id = module.this_vpc.vpc_id - ingress_cidr_blocks = ["0.0.0.0/0"] - ingress_ipv6_cidr_blocks = ["::/0"] - ingress_rules = ["all-icmp", "ssh-tcp"] - egress_rules = ["all-all"] + ingress_cidr_blocks = ["0.0.0.0/0"] + ingress_ipv6_cidr_blocks = ["::/0"] + ingress_rules = ["all-icmp", "ssh-tcp"] + egress_rules = ["all-all"] } module "this_public_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "public-sentry-public-security-group" - description = "Public Sentry nodes security group for external connections" - vpc_id = module.this_vpc.vpc_id + name = "public-sentry-public-security-group" + description = "Public Sentry nodes security group for external connections" + vpc_id = module.this_vpc.vpc_id - egress_rules = ["all-all"] - ingress_with_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow p2p from all external IPs" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 26657 - to_port = 26657 - protocol = "tcp" - description = "Allow RPC from all external IPs" - cidr_blocks = "0.0.0.0/0" - }, - ] + egress_rules = ["all-all"] + ingress_with_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow p2p from all external IPs" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 26657 + to_port = 26657 + protocol = "tcp" + description = "Allow RPC from all external IPs" + cidr_blocks = "0.0.0.0/0" + }, + ] - 
ingress_with_ipv6_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow p2p from all external IPs" - ipv6_cidr_blocks = "::/0" - }, - { - from_port = 26657 - to_port = 26657 - protocol = "tcp" - description = "Allow RPC from all external IPs" - ipv6_cidr_blocks = "::/0" - }, - ] + ingress_with_ipv6_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow p2p from all external IPs" + ipv6_cidr_blocks = "::/0" + }, + { + from_port = 26657 + to_port = 26657 + protocol = "tcp" + description = "Allow RPC from all external IPs" + ipv6_cidr_blocks = "::/0" + }, + ] } module "this_seed_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "public-sentries-seed-security-group" - description = "Public Sentries Seed node security group for external connections" - vpc_id = module.this_vpc.vpc_id + name = "public-sentries-seed-security-group" + description = "Public Sentries Seed node security group for external connections" + vpc_id = module.this_vpc.vpc_id - # ingress_cidr_blocks = ["10.0.0.0/8"] - egress_rules = ["all-all"] + # ingress_cidr_blocks = ["10.0.0.0/8"] + egress_rules = ["all-all"] - ingress_with_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow P2P from all" - cidr_blocks = "0.0.0.0/0" - }, - ] -} \ No newline at end of file + ingress_with_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow P2P from all" + cidr_blocks = "0.0.0.0/0" + }, + ] +} diff --git a/deployment/terraform/aws/public-sentries/variables.tf b/deployment/terraform/aws/public-sentries/variables.tf index 70e82e716..d077ba679 100644 --- a/deployment/terraform/aws/public-sentries/variables.tf +++ b/deployment/terraform/aws/public-sentries/variables.tf 
@@ -1,33 +1,33 @@ variable "ssh_public_key_path" { - description = "SSH public key file path" - default = "~/.ssh/id_rsa.pub" + description = "SSH public key file path" + default = "~/.ssh/id_rsa.pub" } variable "ssh_private_key_path" { - description = "SSH private key file path" - default = "~/.ssh/id_rsa" + description = "SSH private key file path" + default = "~/.ssh/id_rsa" } variable "ssh_username" { - description = "SSH username" - default = "ubuntu" + description = "SSH username" + default = "ubuntu" } variable "nodes_count" { - description = "Number of Public Sentry nodes" - default = 2 + description = "Number of Public Sentry nodes" + default = 2 } variable "region_index" { - description = "Public Sentries Region Index" - default = 0 + description = "Public Sentries Region Index" + default = 0 } variable "enable_ipv6" { - description = "Enable public IPv6 addresses" - default = true + description = "Enable public IPv6 addresses" + default = true } variable "peer_vpc" { - description = "Peer VPC" + description = "Peer VPC" } \ No newline at end of file diff --git a/deployment/terraform/aws/public-sentries/vpc.tf b/deployment/terraform/aws/public-sentries/vpc.tf index 4db3769bc..0cf9a87db 100644 --- a/deployment/terraform/aws/public-sentries/vpc.tf +++ b/deployment/terraform/aws/public-sentries/vpc.tf 
@@ -1,26 +1,26 @@ data "aws_availability_zones" "available" { - state = "available" + state = "available" } locals { - vpc_network_prefix = "10.${20 + var.region_index}" + vpc_network_prefix = "10.${20 + var.region_index}" } module "this_vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "3.14.0" + source = "terraform-aws-modules/vpc/aws" + version = "3.14.0" - name = "public-sentries-vpc" - cidr = "${local.vpc_network_prefix}.0.0/16" + name = "public-sentries-vpc" + cidr = "${local.vpc_network_prefix}.0.0/16" - enable_ipv6 = var.enable_ipv6 - public_subnet_assign_ipv6_address_on_creation = var.enable_ipv6 - public_subnet_ipv6_prefixes = var.enable_ipv6 ? [1] : [] + enable_ipv6 = var.enable_ipv6 + public_subnet_assign_ipv6_address_on_creation = var.enable_ipv6 + public_subnet_ipv6_prefixes = var.enable_ipv6 ? [1] : [] - azs = [data.aws_availability_zones.available.names[0]] + azs = [data.aws_availability_zones.available.names[0]] - public_subnets = ["${local.vpc_network_prefix}.1.0/24"] + public_subnets = ["${local.vpc_network_prefix}.1.0/24"] - enable_nat_gateway = true - enable_dns_hostnames = true + enable_nat_gateway = true + enable_dns_hostnames = true } diff --git a/deployment/terraform/aws/public-sentries/vpc_peering.tf b/deployment/terraform/aws/public-sentries/vpc_peering.tf index 7b6d904f1..c865ad47c 100644 --- a/deployment/terraform/aws/public-sentries/vpc_peering.tf +++ b/deployment/terraform/aws/public-sentries/vpc_peering.tf 
@@ -1,21 +1,21 @@ module "this_vpc_peering" { - source = "grem11n/vpc-peering/aws" - version = "4.1.0" - - providers = { - aws.this = aws - aws.peer = aws.peer - } + source = "grem11n/vpc-peering/aws" + version = "4.1.0" - this_vpc_id = module.this_vpc.vpc_id - peer_vpc_id = var.peer_vpc.vpc_id + providers = { + aws.this = aws + aws.peer = aws.peer + } - this_rts_ids = [element(module.this_vpc.public_route_table_ids, 0)] - peer_rts_ids = [element(var.peer_vpc.public_route_table_ids, 0)] + this_vpc_id = module.this_vpc.vpc_id + peer_vpc_id = var.peer_vpc.vpc_id - auto_accept_peering = true + this_rts_ids = [element(module.this_vpc.public_route_table_ids, 0)] + peer_rts_ids = [element(var.peer_vpc.public_route_table_ids, 0)] - tags = { - Name = "Public Sentries to Private Sentries VPC peering" - } + auto_accept_peering = true + + tags = { + Name = "Public Sentries to Private Sentries VPC peering" + } } \ No newline at end of file diff --git a/deployment/terraform/aws/validator/main.tf b/deployment/terraform/aws/validator/main.tf index 71252462d..751e951cb 100644 --- a/deployment/terraform/aws/validator/main.tf +++ b/deployment/terraform/aws/validator/main.tf 
@@ -1,41 +1,45 @@ data "aws_ami" "ubuntu" { - most_recent = true - owners = ["099720109477"] - - filter { - name = "name" - values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } + most_recent = true + owners = ["099720109477"] + + filter { + name = "name" + values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } } resource "aws_key_pair" "key_pair" { - public_key = file(var.ssh_public_key_path) + public_key = file(var.ssh_public_key_path) } resource "aws_instance" "this_node" { - ami = data.aws_ami.ubuntu.id - instance_type = "t3.medium" - - subnet_id = element(module.this_vpc.public_subnets, 0) - vpc_security_group_ids = [ - module.this_dev_sg.security_group_id, - module.this_private_sg.security_group_id - ] - - key_name = aws_key_pair.key_pair.id - monitoring = true - - tags = { - Name = "Validator Node" - } - - root_block_device { - encrypted = true - volume_size = 30 - } -} \ No newline at end of file + ami = data.aws_ami.ubuntu.id + instance_type = "t3.medium" + + subnet_id = element(module.this_vpc.public_subnets, 0) + vpc_security_group_ids = [ + module.this_dev_sg.security_group_id, + module.this_private_sg.security_group_id + ] + + key_name = aws_key_pair.key_pair.id + monitoring = true + + tags = { + Name = "Validator Node" + } + + root_block_device { + encrypted = true + volume_size = 30 + } + + metadata_options { + http_tokens = "required" + } +} diff --git a/deployment/terraform/aws/validator/outputs.tf b/deployment/terraform/aws/validator/outputs.tf index 12bcae675..34c776785 100644 --- a/deployment/terraform/aws/validator/outputs.tf +++ b/deployment/terraform/aws/validator/outputs.tf @@ -1,3 +1,3 @@ output "vpc" { - value = module.this_vpc + value = module.this_vpc } \ No newline at end of file 
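Review bot: The validator instance is placed on a public subnet (`subnet_id = element(module.this_vpc.public_subnets, 0)`) and attached to `module.this_dev_sg`, which per the validator security.tf hunk on this page admits SSH and ICMP from `0.0.0.0/0`; for the node the sentries exist to shield, that combination deserves at least a comment or a variable-gated switch, e.g. `# NOTE: this_dev_sg exposes SSH to the Internet; restrict ingress_cidr_blocks before production use`. Whether the instance actually receives a public address depends on the VPC module's map-public-IP default, which is not visible in this diff, so that part is inferred. The added `metadata_options` block is the same three lines as in public-sentries/main.tf; if more instance resources follow, a shared `local` or a small wrapper module would keep the IMDSv2 setting from drifting between them.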
diff --git a/deployment/terraform/aws/validator/provider.tf b/deployment/terraform/aws/validator/provider.tf index 95016b08a..335d1f1fd 100644 --- a/deployment/terraform/aws/validator/provider.tf +++ b/deployment/terraform/aws/validator/provider.tf @@ -1,8 +1,8 @@ terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.72" - } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.72" } + } } \ No newline at end of file diff --git a/deployment/terraform/aws/validator/security.tf b/deployment/terraform/aws/validator/security.tf index fd5eac6bc..96185f9d2 100644 --- a/deployment/terraform/aws/validator/security.tf +++ b/deployment/terraform/aws/validator/security.tf 
@@ -1,38 +1,38 @@ module "this_dev_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "validator-dev-security-group" - description = "Validator security group for development" - vpc_id = module.this_vpc.vpc_id + name = "validator-dev-security-group" + description = "Validator security group for development" + vpc_id = module.this_vpc.vpc_id - ingress_cidr_blocks = ["0.0.0.0/0"] - ingress_rules = ["all-icmp", "ssh-tcp"] - egress_rules = ["all-all"] + ingress_cidr_blocks = ["0.0.0.0/0"] + ingress_rules = ["all-icmp", "ssh-tcp"] + egress_rules = ["all-all"] } module "this_private_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + source = "terraform-aws-modules/security-group/aws" + version = "~> 4.0" - name = "validator-private-security-group" - description = "Validator node security group for internal connections" - vpc_id = module.this_vpc.vpc_id + name = "validator-private-security-group" + description = "Validator node security group for internal connections" + vpc_id = module.this_vpc.vpc_id - egress_rules = ["all-all"] - ingress_with_cidr_blocks = [ - { - from_port = 26656 - to_port = 26656 - protocol = "tcp" - description = "Allow p2p from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - { - from_port = 26657 - to_port = 26657 - protocol = "tcp" - description = "Allow RPC from internal IPs" - cidr_blocks = "10.0.0.0/8" - }, - ] + egress_rules = ["all-all"] + ingress_with_cidr_blocks = [ + { + from_port = 26656 + to_port = 26656 + protocol = "tcp" + description = "Allow p2p from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + { + from_port = 26657 + to_port = 26657 + protocol = "tcp" + description = "Allow RPC from internal IPs" + cidr_blocks = "10.0.0.0/8" + }, + ] } \ No newline at end of file 
diff --git a/deployment/terraform/aws/validator/vpc.tf b/deployment/terraform/aws/validator/vpc.tf index 628cc1fdf..753cca2a7 100644 --- a/deployment/terraform/aws/validator/vpc.tf +++ b/deployment/terraform/aws/validator/vpc.tf @@ -1,22 +1,22 @@ data "aws_availability_zones" "available" { - state = "available" + state = "available" } locals { - vpc_network_prefix = "10.0" + vpc_network_prefix = "10.0" } module "this_vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "3.14.0" + source = "terraform-aws-modules/vpc/aws" + version = "3.14.0" - name = "validator-vpc" - cidr = "${local.vpc_network_prefix}.0.0/16" + name = "validator-vpc" + cidr = "${local.vpc_network_prefix}.0.0/16" - azs = [data.aws_availability_zones.available.names[0]] + azs = [data.aws_availability_zones.available.names[0]] - public_subnets = ["${local.vpc_network_prefix}.1.0/24"] + public_subnets = ["${local.vpc_network_prefix}.1.0/24"] - enable_nat_gateway = true - enable_dns_hostnames = true + enable_nat_gateway = true + enable_dns_hostnames = true } \ No newline at end of file diff --git a/deployment/terraform/aws/variables.tf b/deployment/terraform/aws/variables.tf index 9d43acb89..2208300fa 100644 --- a/deployment/terraform/aws/variables.tf +++ b/deployment/terraform/aws/variables.tf @@ -1,19 +1,19 @@ variable "region_1" { - description = "AWS Region 1" - default = "us-west-1" + description = "AWS Region 1" + default = "us-west-1" } variable "region_2" { - description = "AWS Region 2" - default = "us-east-2" + description = "AWS Region 2" + default = "us-east-2" } variable "root_domain_name" { - description = "Root domain name for dcl observer endpoints" - default = "" + description = "Root domain name for dcl observer endpoints" + default = "" } variable "enable_tls" { - description = "Enable tls for observer endpoints" - default = false + description = "Enable tls for observer endpoints" + default = false } \ No newline at end of file 
diff --git a/terrascan.toml b/terrascan.toml
new file mode 100644
index 000000000..430453479
--- /dev/null
+++ b/terrascan.toml
@@ -0,0 +1,6 @@
+[severity]
+level = "medium"
+[rules]
+ skip-rules = [
+ "AC_AWS_0276"
+ ]
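Review bot: `skip-rules = ["AC_AWS_0276"]` silences a scanner rule with no comment saying which finding it corresponds to or why that finding is acceptable, so the exemption will outlive whatever motivated it and hide the same finding class in every future change. Add a comment above the entry, e.g. `# AC_AWS_0276: <finding summary> - accepted because <reason>; revisit by <date>`, and keep one rule per line with its rationale so each exemption can be reviewed on its own. Setting `level = "medium"` also drops low-severity findings from the output entirely; if that is intentional it is worth a one-line comment too.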