
Updates Phantom to Multiserver Ready

You can now stand up multiple instances by specifying a number of
servers, and they will all be attached to the same ALB.

We do not actually have a clustered deployment, but this may make it
easier to get there in the future.
Fred Damstra 4 سال پیش
والد
کامیت
4d443cfdc1
5فایلهای تغییر یافته به همراه52 افزوده شده و 20 حذف شده
  1. 2 1
      base/phantom/alb.tf
  2. 22 16
      base/phantom/main.tf
  3. 3 3
      base/phantom/outputs.tf
  4. 20 0
      base/phantom/securitygroup-server.tf
  5. 5 0
      base/phantom/vars.tf

+ 2 - 1
base/phantom/alb.tf

@@ -45,8 +45,9 @@ resource "aws_alb_target_group" "phantom_internal" {
 }
 
 resource "aws_lb_target_group_attachment" "phantom_internal" {
+  count = var.phantom_instance_count
   target_group_arn = aws_alb_target_group.phantom_internal.arn
-  target_id        = aws_instance.phantom-server-instance.id
+  target_id        = aws_instance.phantom-server-instance[count.index].id
   port             = 443
 }
 

+ 22 - 16
base/phantom/main.tf

@@ -14,23 +14,27 @@ data "aws_kms_key" "ebs-key" {
 }
 
 resource "aws_network_interface" "phantom-server-interface" {
+  count = var.phantom_instance_count
   subnet_id = var.public_subnets[0] # Phantom is on a public subnet for direct comms
   security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.phantom_server.id ]
   description = "phantom-server"
-  tags = merge(var.standard_tags, var.tags, { Name = "phantom-server" })
+  tags = merge(var.standard_tags, var.tags, { Name = "phantom-${count.index}" })
 }
 
 resource "aws_eip" "instance" {
+  count = var.phantom_instance_count
   vpc = true
-  tags = merge(var.standard_tags, var.tags, { Name = "phantom-server" })
+  tags = merge(var.standard_tags, var.tags, { Name = "phantom-${count.index}" })
 }
 
 resource "aws_eip_association" "instance" {
-  network_interface_id = aws_network_interface.phantom-server-interface.id
-  allocation_id = aws_eip.instance.id
+  count = var.phantom_instance_count
+  network_interface_id = aws_network_interface.phantom-server-interface[count.index].id
+  allocation_id = aws_eip.instance[count.index].id
 }
 
 resource "aws_instance" "phantom-server-instance" {
+  count = var.phantom_instance_count
   tenancy = "default"
   ebs_optimized = true
   disable_api_termination = var.instance_termination_protection
@@ -60,8 +64,8 @@ resource "aws_instance" "phantom-server-instance" {
     # /opt - NOTE: Not in ami
     device_name = "/dev/xvdf"
     volume_type = "gp3"
-    volume_size = 30 # legacy was 58, but only 7.2G used
-    delete_on_termination = true
+    volume_size = var.environment == "test" ? 60 : 500 # Phantom needs extra space for upgrades
+    delete_on_termination = var.environment == "test" ? true : false # extra protection against deleting phantom drive
     encrypted = true
     kms_key_id = data.aws_kms_key.ebs-key.arn
   }
@@ -144,21 +148,21 @@ resource "aws_instance" "phantom-server-instance" {
 
   network_interface {
     device_index = 0
-    network_interface_id = aws_network_interface.phantom-server-interface.id
+    network_interface_id = aws_network_interface.phantom-server-interface[count.index].id
   }
 
-  user_data = data.template_cloudinit_config.cloud-init.rendered
-  tags = merge( var.standard_tags, var.tags, { Name = "phantom-server" })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = "phantom-server" })
+  user_data = data.template_cloudinit_config.cloud-init[count.index].rendered
+  tags = merge( var.standard_tags, var.tags, { Name = "phantom-${count.index}" })
+  volume_tags = merge( var.standard_tags, var.tags, { Name = "phantom-${count.index}" })
 }
 
 data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
+  count = var.phantom_instance_count
   template = file("${path.module}/cloud-init/cloud-init.tpl")
 
   vars = {
-    hostname = "phantom-server"
-    fqdn = "phantom-server.${var.dns_info["private"]["zone"]}"
+    hostname = "phantom-${count.index}"
+    fqdn = "phantom-${count.index}.${var.dns_info["private"]["zone"]}"
     environment = var.environment
     salt_master  = var.salt_master
     proxy = var.proxy
@@ -171,6 +175,7 @@ data "template_file" "cloud-init" {
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
+  count = var.phantom_instance_count
   gzip          = true
   base64_encode = true
 
@@ -178,7 +183,7 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = data.template_file.cloud-init[count.index].rendered
   }
 
   # mount /dev/xvdf at /opt/
@@ -189,10 +194,11 @@ data "template_cloudinit_config" "cloud-init" {
 }
 
 module "private_dns_record_phantom-server" {
+  count = var.phantom_instance_count
   source = "../../submodules/dns/private_A_record"
 
-  name = "phantom-server"
-  ip_addresses = [ aws_instance.phantom-server-instance.private_ip ]
+  name = "phantom-${count.index}"
+  ip_addresses = [ aws_instance.phantom-server-instance[count.index].private_ip ]
   dns_info = var.dns_info
   reverse_enabled = var.reverse_enabled
 

+ 3 - 3
base/phantom/outputs.tf

@@ -1,13 +1,13 @@
 output phantom_instance_arn {
-  value = aws_instance.phantom-server-instance.arn
+  value = aws_instance.phantom-server-instance[*].arn
 }
 
 output phantom_instance_private_ip {
-  value = aws_instance.phantom-server-instance.private_ip
+  value = aws_instance.phantom-server-instance[*].private_ip
 }
 
 output private_fqdn {
-  value = module.private_dns_record_phantom-server.forward
+  value = module.private_dns_record_phantom-server[*].forward
 }
 
 output alb_fqdn {
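Review bot: `phantom_instance_arn`, `phantom_instance_private_ip` and `private_fqdn` now evaluate to lists through the `[*]` splat while their names stay singular, so any consumer that treats the old value as a string (interpolation, a `string`-typed variable, a single DNS target) will fail to plan. Since renaming would break callers in a different way, the least disruptive fix is to document the new shape on each output, e.g. `description = "ARNs of all Phantom instances, indexed by count"`, and to note the type change in the commit message so downstream modules are updated together with this one.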

+ 20 - 0
base/phantom/securitygroup-server.tf

@@ -84,3 +84,23 @@ resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
   protocol                 = "udp"
   description              = "Outbound udp dns anywhere"
 }
+
+resource "aws_security_group_rule" "phantom_server_outbound_http" {
+  security_group_id        = aws_security_group.phantom_server.id
+  type                     = "egress"
+  cidr_blocks               = [ "0.0.0.0/0" ]
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "Outbound http anywhere (required for saleforce and others)"
+}
+
+resource "aws_security_group_rule" "phantom_server_outbound_https" {
+  security_group_id        = aws_security_group.phantom_server.id
+  type                     = "egress"
+  cidr_blocks               = [ "0.0.0.0/0" ]
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  description              = "Outbound https anywhere (required for saleforce and others)"
+}
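Review bot: Both new rules open tcp/80 and tcp/443 egress from the Phantom host to `0.0.0.0/0`, which allows plaintext HTTP to any address on the internet and widens egress well beyond the port-specific rules already in this file. The cloud-init vars in main.tf already pass `proxy = var.proxy`, so integrations such as Salesforce could be reached through that proxy, or the rules could be scoped to the known endpoints with `cidr_blocks` or `prefix_list_ids`, rather than granting the host unrestricted outbound web access; if the broad egress is deliberate, the description should say why, and "saleforce" should read "salesforce". Plaintext HTTP in particular is hard to justify for a security tool, so I would drop the tcp/80 rule unless a specific integration is known to need it. Minor style point: the `cidr_blocks` value is aligned one column off from the other attributes in both blocks.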

+ 5 - 0
base/phantom/vars.tf

@@ -1,3 +1,8 @@
+variable "phantom_instance_count" {
+  description = "How many to stand up"
+  type = number
+}
+
 variable "public_subnets" {
   type = list(string)
 }
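Review bot: `phantom_instance_count` has no default, so every existing caller of this module must now pass it or fail to plan, and nothing rejects `0`, which would silently remove the instance, EIPs, DNS records and target-group attachments and leave the ALB with no targets. Adding `default = 1` keeps existing callers working with the same single-server layout, and a `validation` block requiring `var.phantom_instance_count >= 1` with a short `error_message` (available from Terraform 0.13, which the splat and conditional syntax elsewhere in this change suggests the project already meets) would catch the empty case at plan time. The description `"How many to stand up"` should also say what is being counted, e.g. `description = "Number of Phantom server instances to create; all are attached to the same ALB"`.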