
Adds second mailrelay for authentication implementation

* Separates main.tf into main.tf and instance-mailrelay.tf
* Switches the legacy instance from 'var.instance_name' to a new 'var.old_instance_name'
  so the legacy instance keeps its existing name while 'var.instance_name' names the new one.
* Adds instance-mailrelay2 to stand up second instance.

To be tagged v2.0.13
Fred Damstra [afs macbook] il y a 4 ans
Parent
commit
54015a4ade

+ 161 - 0
base/mailrelay/instance-mailrelay.tf

@@ -0,0 +1,161 @@
+# "Old" mailrelay that doesn't require authentication
+resource "aws_network_interface" "instance" {
+  subnet_id = var.subnets[0]
+  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.mailrelay_security_group.id ]
+  description = var.old_instance_name
+  tags = merge(var.standard_tags, var.tags, { Name = var.old_instance_name })
+}
+
+resource "aws_instance" "instance" {
+  tenancy = "default"
+  ebs_optimized = true
+  disable_api_termination = var.instance_termination_protection
+  instance_initiated_shutdown_behavior = "stop"
+  instance_type = var.instance_type
+  key_name = "msoc-build"
+  monitoring = false
+  iam_instance_profile = "msoc-default-instance-profile"
+
+  ami = local.ami_map[local.ami_selection]
+  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
+  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
+  # that could be removed.
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+
+  # These device definitions are optional, but added for clarity.
+  root_block_device {
+      volume_type = "gp2"
+      #volume_size = "60"
+      delete_on_termination = true
+      encrypted = true
+      kms_key_id = data.aws_kms_key.ebs-key.arn
+  }
+
+  ebs_block_device {
+    # swap
+    device_name = "/dev/xvdm"
+    #volume_size = 48
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
+    # This may prompt replacement when the AMI is updated.
+    # See:
+    #   https://github.com/hashicorp/terraform/issues/19958
+    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /home
+    device_name = "/dev/xvdn"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
+
+  }
+  ebs_block_device {
+    # /var
+    device_name = "/dev/xvdo"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/tmp
+    device_name = "/dev/xvdp"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/log
+    device_name = "/dev/xvdq"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/log/audit
+    device_name = "/dev/xvdr"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /tmp
+    device_name = "/dev/xvds"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
+  }
+
+  network_interface {
+    device_index = 0
+    network_interface_id = aws_network_interface.instance.id
+  }
+
+  user_data = data.template_cloudinit_config.cloud_init_config.rendered
+  tags = merge( var.standard_tags, var.tags, { Name = var.old_instance_name })
+  volume_tags = merge( var.standard_tags, var.tags, { Name = var.old_instance_name })
+}
+
+module "private_dns_record" {
+  source = "../../submodules/dns/private_A_record"
+
+  name = var.old_instance_name
+  ip_addresses = [ aws_instance.instance.private_ip ]
+  dns_info = var.dns_info
+  reverse_enabled = var.reverse_enabled
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}
+
+#The Cloud init data is to prepare the instance for use. 
+data "template_file" "cloud_init" {
+  # Should these be in a common directory? I suspect they'd be reusable
+  template = file("${path.module}/cloud-init/cloud-init.tpl")
+
+  vars = {
+    hostname = var.old_instance_name
+    fqdn = "${var.old_instance_name}.${var.dns_info["private"]["zone"]}"
+    environment = var.environment
+    salt_master  = var.salt_master
+    proxy = var.proxy
+    aws_partition = var.aws_partition
+    aws_partition_alias = var.aws_partition_alias
+    aws_region = var.aws_region
+  }
+}
+
+# Render a multi-part cloud-init config making use of the part
+# above, and other source files
+data "template_cloudinit_config" "cloud_init_config" {
+  gzip          = true
+  base64_encode = true
+
+  # Main cloud-config configuration file.
+  part {
+    filename     = "init.cfg"
+    content_type = "text/cloud-config"
+    content      = data.template_file.cloud_init.rendered
+  }
+
+  #  part {
+  #  content_type = "text/cloud-boothook"
+  #  content      = file("${path.module}/cloud-init/repo_server_volumes.boothook")
+  #}
+}
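Review bot: The header comment on the first line only says this is the relay that does not require authentication; nothing records why it is kept or when it goes away, even though `old_instance_name` in vars.tf is tied to MSOCI-1852 and marked removable after decommissioning. Suggest `# MSOCI-1852 - legacy mailrelay (no SMTP auth). Kept only until clients move to instance-mailrelay2.tf; remove together with var.old_instance_name.` This instance also keeps `aws_security_group.mailrelay_security_group`, the same group the authenticated relay attaches, so whatever ingress that group allows (its rules are outside this hunk) keeps reaching the unauthenticated relay for the whole transition period; worth confirming that is intended rather than scoping the legacy host to the remaining unauthenticated senders.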

+ 160 - 0
base/mailrelay/instance-mailrelay2.tf

@@ -0,0 +1,160 @@
+# MSOCI-1852 - Updated mailrelay2 server that requires authentication
+resource "aws_network_interface" "instance2" {
+  subnet_id = var.subnets[0]
+  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.mailrelay_security_group.id ]
+  description = var.instance_name
+  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+}
+
+resource "aws_instance" "instance2" {
+  tenancy = "default"
+  ebs_optimized = true
+  disable_api_termination = var.instance_termination_protection
+  instance_initiated_shutdown_behavior = "stop"
+  instance_type = var.instance_type
+  key_name = "msoc-build"
+  monitoring = false
+  iam_instance_profile = "msoc-default-instance-profile"
+
+  ami = local.ami_map[local.ami_selection]
+  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
+  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
+  # that could be removed.
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+
+  # These device definitions are optional, but added for clarity.
+  root_block_device {
+      volume_type = "gp2"
+      #volume_size = "60"
+      delete_on_termination = true
+      encrypted = true
+      kms_key_id = data.aws_kms_key.ebs-key.arn
+  }
+
+  ebs_block_device {
+    # swap
+    device_name = "/dev/xvdm"
+    #volume_size = 48
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
+    # This may prompt replacement when the AMI is updated.
+    # See:
+    #   https://github.com/hashicorp/terraform/issues/19958
+    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /home
+    device_name = "/dev/xvdn"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var
+    device_name = "/dev/xvdo"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/tmp
+    device_name = "/dev/xvdp"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/log
+    device_name = "/dev/xvdq"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /var/log/audit
+    device_name = "/dev/xvdr"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
+  }
+  ebs_block_device {
+    # /tmp
+    device_name = "/dev/xvds"
+    # volume_size = xx
+    delete_on_termination = true
+    encrypted = true
+    kms_key_id = data.aws_kms_key.ebs-key.arn
+    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
+  }
+
+  network_interface {
+    device_index = 0
+    network_interface_id = aws_network_interface.instance2.id
+  }
+
+  user_data = data.template_cloudinit_config.cloud_init_config2.rendered
+  tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
+  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
+}
+
+module "private_dns_record2" {
+  source = "../../submodules/dns/private_A_record"
+
+  name = var.instance_name
+  ip_addresses = [ aws_instance.instance2.private_ip ]
+  dns_info = var.dns_info
+  reverse_enabled = var.reverse_enabled
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}
+
+#The Cloud init data is to prepare the instance for use. 
+data "template_file" "cloud_init2" {
+  # Should these be in a common directory? I suspect they'd be reusable
+  template = file("${path.module}/cloud-init/cloud-init.tpl")
+
+  vars = {
+    hostname = var.instance_name
+    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+    environment = var.environment
+    salt_master  = var.salt_master
+    proxy = var.proxy
+    aws_partition = var.aws_partition
+    aws_partition_alias = var.aws_partition_alias
+    aws_region = var.aws_region
+  }
+}
+
+# Render a multi-part cloud-init config making use of the part
+# above, and other source files
+data "template_cloudinit_config" "cloud_init_config2" {
+  gzip          = true
+  base64_encode = true
+
+  # Main cloud-config configuration file.
+  part {
+    filename     = "init.cfg"
+    content_type = "text/cloud-config"
+    content      = data.template_file.cloud_init2.rendered
+  }
+
+  #  part {
+  #  content_type = "text/cloud-boothook"
+  #  content      = file("${path.module}/cloud-init/repo_server_volumes.boothook")
+  #}
+}
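Review bot: Nothing in this file distinguishes the "requires authentication" relay from the legacy one apart from names — same `mailrelay_security_group`, same instance profile, same `cloud-init.tpl` and template vars — so the SMTP auth requirement presumably comes from configuration management (the `salt_master` variable is the only hint), which a reader cannot tell from here. Suggest a comment under the MSOCI-1852 header such as `# SMTP authentication is not configured in Terraform; it is applied by the Salt states targeted at this host — see <state path>.` The `lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }` line is explained only for `ebs_block_device`; ignoring `key_name` and `user_data` also means an out-of-band change to the instance's SSH key pair or bootstrap data is never reported as drift, so the reason for those two entries should be stated or they should be dropped for this new instance. Finally, the block is a near-verbatim copy of instance-mailrelay.tf with `instance2`/`cloud_init2` suffixes; a `for_each` over the two names or a shared module would keep the block-device, KMS and security-group settings from diverging later.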

+ 0 - 161
base/mailrelay/main.tf

@@ -15,167 +15,6 @@ data "aws_kms_key" "ebs-key" {
   key_id = "alias/ebs_root_encrypt_decrypt"
 }
 
-resource "aws_network_interface" "instance" {
-  subnet_id = var.subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.mailrelay_security_group.id ]
-  description = var.instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-resource "aws_instance" "instance" {
-  tenancy = "default"
-  ebs_optimized = true
-  disable_api_termination = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type = var.instance_type
-  key_name = "msoc-build"
-  monitoring = false
-  iam_instance_profile = "msoc-default-instance-profile"
-
-  ami = local.ami_map[local.ami_selection]
-  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
-  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
-  # that could be removed.
-  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
-
-  # These device definitions are optional, but added for clarity.
-  root_block_device {
-      volume_type = "gp2"
-      #volume_size = "60"
-      delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
-  }
-
-  ebs_block_device {
-    # swap
-    device_name = "/dev/xvdm"
-    #volume_size = 48
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
-    # This may prompt replacement when the AMI is updated.
-    # See:
-    #   https://github.com/hashicorp/terraform/issues/19958
-    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /home
-    device_name = "/dev/xvdn"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
-
-  }
-  ebs_block_device {
-    # /var
-    device_name = "/dev/xvdo"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/tmp
-    device_name = "/dev/xvdp"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/log
-    device_name = "/dev/xvdq"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/log/audit
-    device_name = "/dev/xvdr"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /tmp
-    device_name = "/dev/xvds"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
-  }
-
-  network_interface {
-    device_index = 0
-    network_interface_id = aws_network_interface.instance.id
-  }
-
-  user_data = data.template_cloudinit_config.cloud_init_config.rendered
-  tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-module "private_dns_record" {
-  source = "../../submodules/dns/private_A_record"
-
-  name = var.instance_name
-  ip_addresses = [ aws_instance.instance.private_ip ]
-  dns_info = var.dns_info
-  reverse_enabled = var.reverse_enabled
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
-# Render a multi-part cloud-init config making use of the part
-# above, and other source files
-data "template_cloudinit_config" "cloud_init_config" {
-  gzip          = true
-  base64_encode = true
-
-  # Main cloud-config configuration file.
-  part {
-    filename     = "init.cfg"
-    content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init.rendered
-  }
-
-  #  part {
-  #  content_type = "text/cloud-boothook"
-  #  content      = file("${path.module}/cloud-init/repo_server_volumes.boothook")
-  #}
-}
-
 resource "aws_security_group" "mailrelay_security_group" {
   name = "mailrelay_security_group"
   description = "Security Group for the Mail Relay Server(s)"

+ 6 - 0
base/mailrelay/vars.tf

@@ -3,6 +3,12 @@ variable "instance_name" {
   type = string
 }
 
+# MSOCI-1852 - 2021-08-04 - Can be removed when old instance (instance-mailrelay.tf) is decomissioned
+variable "old_instance_name" {
+  description = "Instance name for non-authenticated server"
+  type = string
+}
+
 variable "azs" {
   type = list(string)
 }
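Review bot: The new `old_instance_name` variable now drives the legacy instance's tags, ENI description, private DNS record and cloud-init hostname, but its description does not say that the value must be the name the legacy host was created with. If an environment sets it to anything else, the `private_dns_record` module input changes (so the A record is replaced under a new name) while the running host keeps its old hostname, because `user_data` is in that instance's `ignore_changes`. Suggest `description = "Name of the legacy (non-authenticated) mailrelay. Must keep the value previously passed as instance_name, or its DNS record and tags will be renamed."` Also `decomissioned` in the comment above the variable is misspelled (`decommissioned`).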