
Merge pull request #276 from mdr-engineering/feature/jc_MSOCI-1916_Decomm_Mailrelay_Shutdown

Feature/jc_MSOCI-1916_Decomm-Mailrelay-Shutdown
Jeremy Cooper 4 years ago
parent
commit
a2155ae914

+ 0 - 155
base/mailrelay/instance-mailrelay.tf

@@ -1,155 +0,0 @@
-# "Old" mailrelay that doesn't require authentication
-resource "aws_network_interface" "instance" {
-  subnet_id = var.subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.mailrelay_security_group.id ]
-  description = var.old_instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.old_instance_name })
-}
-
-resource "aws_instance" "instance" {
-  tenancy = "default"
-  ebs_optimized = true
-  disable_api_termination = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type = var.instance_type
-  key_name = "msoc-build"
-  monitoring = false
-  iam_instance_profile = "msoc-default-instance-profile"
-
-  ami = local.ami_map[local.ami_selection]
-  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
-  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
-  # that could be removed.
-  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
-
-  # These device definitions are optional, but added for clarity.
-  root_block_device {
-      volume_type = "gp2"
-      #volume_size = "60"
-      delete_on_termination = true
-      encrypted = true
-      kms_key_id = data.aws_kms_key.ebs-key.arn
-  }
-
-  ebs_block_device {
-    # swap
-    device_name = "/dev/xvdm"
-    #volume_size = 48
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
-    # This may prompt replacement when the AMI is updated.
-    # See:
-    #   https://github.com/hashicorp/terraform/issues/19958
-    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /home
-    device_name = "/dev/xvdn"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
-
-  }
-  ebs_block_device {
-    # /var
-    device_name = "/dev/xvdo"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/tmp
-    device_name = "/dev/xvdp"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/log
-    device_name = "/dev/xvdq"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/log/audit
-    device_name = "/dev/xvdr"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /tmp
-    device_name = "/dev/xvds"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted = true
-    kms_key_id = data.aws_kms_key.ebs-key.arn
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
-  }
-
-  network_interface {
-    device_index = 0
-    network_interface_id = aws_network_interface.instance.id
-  }
-
-  user_data = data.template_cloudinit_config.cloud_init_config.rendered
-  tags = merge( var.standard_tags, var.tags, { Name = var.old_instance_name })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = var.old_instance_name })
-}
-
-module "private_dns_record" {
-  source = "../../submodules/dns/private_A_record"
-
-  name = var.old_instance_name
-  ip_addresses = [ aws_instance.instance.private_ip ]
-  dns_info = var.dns_info
-  reverse_enabled = var.reverse_enabled
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-# Render a multi-part cloud-init config making use of the part
-# above, and other source files
-data "template_cloudinit_config" "cloud_init_config" {
-  gzip          = true
-  base64_encode = true
-
-  # Main cloud-config configuration file.
-  part {
-    filename     = "init.cfg"
-    content_type = "text/cloud-config"
-    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
-      {
-        hostname = var.old_instance_name
-        fqdn = "${var.old_instance_name}.${var.dns_info["private"]["zone"]}"
-        environment = var.environment
-        salt_master  = var.salt_master
-        proxy = var.proxy
-        aws_partition = var.aws_partition
-        aws_partition_alias = var.aws_partition_alias
-        aws_region = var.aws_region
-      }
-    )
-  }
-
-  #  part {
-  #  content_type = "text/cloud-boothook"
-  #  content      = file("${path.module}/cloud-init/repo_server_volumes.boothook")
-  #}
-}

+ 1 - 1
base/mailrelay/instance-mailrelay2.tf

@@ -1,4 +1,4 @@
-# MSOCI-1852 - Updated mailrelay2 server that requires authentication
+# MSOCI-1852 - Mailrelay2 server that requires authentication
 resource "aws_network_interface" "instance2" {
   subnet_id = var.subnets[0]
   security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.mailrelay_security_group.id ]

+ 1 - 1
base/mailrelay/main.tf

@@ -33,7 +33,7 @@ resource "aws_security_group_rule" "smtp-in" {
 }
 
 resource "aws_security_group_rule" "submission-in" {
-  description = "inbound smtp requests"
+  description = "inbound submission (smtp-s) requests"
   type = "ingress"
   from_port = 587
   to_port = 587
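Review bot: The new description on `submission-in` labels port 587 as `smtp-s`, but SMTPS conventionally denotes implicit TLS on port 465, whereas 587 is the message-submission port (STARTTLS, authenticated); the wording invites confusion about which listener this rule protects. Suggest `description = "inbound mail submission (port 587, STARTTLS/authenticated) requests"` so the intent matches the port. The `smtp-in` rule that closes just above this hunk still admits port 25; since this commit removes the unauthenticated relay, it is worth confirming that instance2 still needs an unauthenticated port-25 ingress at all, or whether its source can be narrowed. The body of the `submission-in` resource (protocol, source/cidr) continues outside the hunk.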

+ 2 - 2
base/mailrelay/outputs.tf

@@ -1,7 +1,7 @@
 output instance_arn {
-  value = aws_instance.instance.arn
+  value = aws_instance.instance2.arn
 }
 
 output instance_private_ip {
-  value = aws_instance.instance.private_ip
+  value = aws_instance.instance2.private_ip
 }
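Review bot: Both outputs keep their names `instance_arn` and `instance_private_ip` but now resolve to the authenticated mailrelay2 host, so any consumer still configured for unauthenticated relaying will keep receiving a valid-looking address and only fail at SMTP time rather than at plan time. A one-line comment above the first output, `# Both outputs refer to the authenticated mailrelay2 host; the unauthenticated instance was removed (MSOCI-1916)`, would make that cut-over visible to downstream modules. Whether any consumer depends on the old host's address is not visible from this hunk.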

+ 0 - 6
base/mailrelay/vars.tf

@@ -3,12 +3,6 @@ variable "instance_name" {
   type = string
 }
 
-# MSOCI-1852 - 2021-08-04 - Can be removed when old instance (instance-mailrelay.tf) is decomissioned
-variable "old_instance_name" {
-  description = "Instance name for non-authenticated server"
-  type = string
-}
-
 variable "azs" {
   type = list(string)
 }

+ 1 - 0
scripts/all_xdr_port_references.csv

@@ -160,6 +160,7 @@
 /base/github/securitygroup-server.tf,ghe_server_outbound_https,from_port,443,tcp
 /base/github/securitygroup-server.tf,ghe_server_outbound_syslog,from_port,1514,tcp
 /base/mailrelay/main.tf,smtp-in,from_port,25,tcp
+/base/mailrelay/main.tf,submission-in,from_port,587,tcp
 /base/mailrelay/main.tf,submission-out,from_port,587,tcp
 /base/teleport-single-instance/alb.tf,alb_to_server,from_port,3080,tcp
 /base/teleport-single-instance/alb-internal.tf,alb_internal-to_server,from_port,3080,tcp

+ 1 - 0
scripts/xdr_port_references.csv

@@ -32,6 +32,7 @@
 /base/github/securitygroup-server.tf,ghe_server_inbound_https_external_elb_8444,to_port,8444,tcp
 /base/github/securitygroup-server.tf,ghe_server_outbound_syslog,from_port,1514,tcp
 /base/mailrelay/main.tf,smtp-in,from_port,25,tcp
+/base/mailrelay/main.tf,submission-in,from_port,587,tcp
 /base/mailrelay/main.tf,submission-out,from_port,587,tcp
 /base/teleport-single-instance/alb-internal.tf,alb_internal-to_server,from_port,3080,tcp
 /base/nessus/instance_nessus_scanner/securitygroup-server.tf,nessus_scanner_inbound_3022,from_port,3022,tcp