|
|
@@ -43,6 +43,11 @@ resource "aws_instance" "instance" {
|
|
|
monitoring = false
|
|
|
iam_instance_profile = "salt-master-instance-profile"
|
|
|
|
|
|
+ metadata_options {
|
|
|
+ http_endpoint = "enabled"
|
|
|
+ http_tokens = "optional" # tfsec:ignore:aws-ec2-enforce-http-token-imds salt s3 sources require optional tokens; see https://github.com/saltstack/salt/issues/60668
|
|
|
+ }
|
|
|
+
|
|
|
ami = local.ami_map[local.ami_selection]
|
|
|
# We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
|
|
|
# If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
|
|
|
@@ -51,7 +56,7 @@ resource "aws_instance" "instance" {
|
|
|
|
|
|
# These device definitions are optional, but added for clarity.
|
|
|
root_block_device {
|
|
|
- volume_type = "gp2"
|
|
|
+ volume_type = "gp3"
|
|
|
#volume_size = "60"
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -61,6 +66,7 @@ resource "aws_instance" "instance" {
|
|
|
ebs_block_device {
|
|
|
# swap
|
|
|
device_name = "/dev/xvdm"
|
|
|
+ volume_type = "gp3"
|
|
|
volume_size = 48
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -75,6 +81,7 @@ resource "aws_instance" "instance" {
|
|
|
ebs_block_device {
|
|
|
# /home
|
|
|
device_name = "/dev/xvdn"
|
|
|
+ volume_type = "gp3"
|
|
|
# volume_size = xx
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -84,8 +91,9 @@ resource "aws_instance" "instance" {
|
|
|
}
|
|
|
ebs_block_device {
|
|
|
# /var
|
|
|
- device_name = "/dev/xvdo"
|
|
|
- # volume_size = xx
|
|
|
+ device_name = "/dev/xvdo"
|
|
|
+ volume_size = 30
|
|
|
+ volume_type = "gp3"
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
kms_key_id = data.aws_kms_key.ebs-key.arn
|
|
|
@@ -94,6 +102,7 @@ resource "aws_instance" "instance" {
|
|
|
ebs_block_device {
|
|
|
# /var/tmp
|
|
|
device_name = "/dev/xvdp"
|
|
|
+ volume_type = "gp3"
|
|
|
# volume_size = xx
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -103,6 +112,7 @@ resource "aws_instance" "instance" {
|
|
|
ebs_block_device {
|
|
|
# /var/log
|
|
|
device_name = "/dev/xvdq"
|
|
|
+ volume_type = "gp3"
|
|
|
# volume_size = xx
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -112,6 +122,7 @@ resource "aws_instance" "instance" {
|
|
|
ebs_block_device {
|
|
|
# /var/log/audit
|
|
|
device_name = "/dev/xvdr"
|
|
|
+ volume_type = "gp3"
|
|
|
# volume_size = xx
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -121,6 +132,7 @@ resource "aws_instance" "instance" {
|
|
|
ebs_block_device {
|
|
|
# /tmp
|
|
|
device_name = "/dev/xvds"
|
|
|
+ volume_type = "gp3"
|
|
|
# volume_size = xx
|
|
|
delete_on_termination = true
|
|
|
encrypted = true
|
|
|
@@ -265,6 +277,6 @@ resource "aws_security_group_rule" "saltstack-github" {
|
|
|
from_port = "22"
|
|
|
to_port = "22"
|
|
|
protocol = "tcp"
|
|
|
- cidr_blocks = ["0.0.0.0/0"]
|
|
|
+ cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr direct access for github
|
|
|
security_group_id = aws_security_group.salt_master_security_group.id
|
|
|
}
|
Fred Damstra [afs macbook]