
Merge pull request #255 from mdr-engineering/feature/ftd_MSOCI-1274_VMRay_Modernization

VMRay Improvements for Worker/Server
Frederick Damstra 4 years ago
parent
commit
afc7465c38

+ 6 - 4
base/vmray_instances/cloud-init/cloud-init.tpl

@@ -6,10 +6,12 @@ fqdn: ${fqdn}
 
 # Write files happens early
 write_files:
-#- content: |
-#    proxy=http://${proxy}:80
-#  path: /etc/yum.conf
-#  append: true
+- content: |
+    Acquire::http::Proxy "http://${proxy}:80/";
+    Acquire::https::Proxy "http://${proxy}:80/";
+    APT::ExtractTemplates::TempDir "/opt/tmp/";
+  path: /etc/apt/apt.conf.d/75xdrexecpath
+  append: true
 - content: |
     [global]
     proxy=${proxy}:80
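Review bot: The new apt.conf.d fragment gives no hint why `APT::ExtractTemplates::TempDir` is redirected to `/opt/tmp/`; the fragment name `75xdrexecpath` suggests the default temp location is mounted noexec, but a reader of the template cannot tell that from here. A one-line cloud-config comment above the entry would settle it, e.g. `# apt proxy plus an exec-capable temp dir for template extraction (default /tmp presumed noexec — confirm)`. Since this template is rendered for both the server and the new worker instances, the proxy and temp-dir settings now apply to every VMRay host, which is worth stating in that comment as well. The `write_files` list continues past the end of the hunk.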

+ 4 - 0
base/vmray_instances/outputs.tf

@@ -1,3 +1,7 @@
 output "vmray-server-private-ip" {
   value = aws_instance.vmray-server-instance.private_ip
 }
+
+output "vmray-server-workers-ip" {
+  value = aws_instance.vmray-worker-instance[*].private_ip
+}
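Review bot: The output name `vmray-server-workers-ip` mislabels a list of worker addresses as a single server-side IP; `aws_instance.vmray-worker-instance[*].private_ip` is a list, so a name such as `vmray-worker-private-ips` would match both the value and the existing `vmray-server-private-ip` naming. Renaming the output is cheap in this commit and avoids a breaking rename later once other modules reference it.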

+ 83 - 17
base/vmray_instances/security-groups.tf

@@ -1,36 +1,102 @@
-resource "aws_security_group" "vmray_sg" {
-  name        = "vmray_sg"
+# From vmray admin installation guide, page 24
+# Clients to server on 443
+# Server to workers on 5900-5999 (VNC)
+# Workers to server on 80 and 443
+
+# Server
+resource "aws_security_group" "vmray_server_sg" {
+  name        = "vmray_server_sg"
   description = "Security Rules Specific to VMRay"
   vpc_id      = var.vpc_id
-
   tags        = merge(var.standard_tags, var.tags)
 }
 
-resource "aws_security_group_rule" "vmray-ssh" {
+resource "aws_security_group_rule" "vmray_server_https_in" {
   type              = "ingress"
-  from_port         = 22
-  to_port           = 22
+  from_port         = 443
+  to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = var.portal_test_whitelist
-  security_group_id = aws_security_group.vmray_sg.id
+  cidr_blocks       = var.cidr_map["vpc-access"]
+  security_group_id = aws_security_group.vmray_server_sg.id
 }
 
-resource "aws_security_group_rule" "vmray-https" {
-  type              = "ingress"
+# Proxy? Ubuntu doesn't have it configured yet
+resource "aws_security_group_rule" "vmray_server_http_out" {
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.vmray_server_sg.id
+}
+
+resource "aws_security_group_rule" "vmray_server_https_out" {
+  type              = "egress"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = var.portal_test_whitelist
-  security_group_id = aws_security_group.vmray_sg.id
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.vmray_server_sg.id
+}
+
+resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
+  type              = "egress"
+  from_port         = 5900
+  to_port           = 5999
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.vmray_worker_sg.id
+  security_group_id = aws_security_group.vmray_server_sg.id
+}
+
+# Workers
+resource "aws_security_group" "vmray_worker_sg" {
+  name        = "vmray_worker_sg"
+  description = "Security Rules for the VMRay Worker Nodes"
+  vpc_id      = var.vpc_id
+  tags        = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
+  type              = "ingress"
+  from_port         = 5900
+  to_port           = 5999
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.vmray_server_sg.id
+  security_group_id = aws_security_group.vmray_worker_sg.id
+}
+
+resource "aws_security_group_rule" "vmray_worker_http_out" {
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.vmray_worker_sg.id
 }
 
-resource "aws_security_group_rule" "vmray-egress" {
+resource "aws_security_group_rule" "vmray_worker_https_out" {
   type              = "egress"
-  from_port         = 0 # all ports
-  to_port           = 0 # all ports
-  protocol          = "all"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
   cidr_blocks       = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.vmray_sg.id
+  security_group_id = aws_security_group.vmray_worker_sg.id
 }
 
+resource "aws_security_group_rule" "vmray_worker_http_to_server" {
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.vmray_server_sg.id
+  security_group_id = aws_security_group.vmray_worker_sg.id
+}
 
+resource "aws_security_group_rule" "vmray_worker_https_to_server" {
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.vmray_server_sg.id
+  security_group_id = aws_security_group.vmray_worker_sg.id
+}
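Review bot: The header comment promises workers-to-server traffic on 80 and 443, but `vmray_server_sg` receives only one ingress rule (443 from `var.cidr_map["vpc-access"]`); nothing admits the worker group on 80 or 443, so the two `vmray_worker_*_to_server` egress rules have no matching ingress and the worker-to-server path works only if the `typical-host` group attached in server.tf happens to allow it. Adding server ingress rules keyed on `aws_security_group.vmray_worker_sg.id`, as in the excerpt below, closes that gap without widening the CIDR-based rule. The resource name `vmwary_worker_vnc_from_server` on the worker VNC rule is misspelled, and renaming a rule later forces a destroy/recreate, so it is better corrected in this commit. The comment `# Proxy? Ubuntu doesn't have it configured yet` above `vmray_server_http_out` is stale, since the cloud-init change in this same commit now writes the apt proxy configuration.
```hcl
# … unchanged: vmray_server_sg, vmray_server_https_in …

# Workers to server on 80 and 443 (per the header comment); scoped to the worker SG, not a CIDR
resource "aws_security_group_rule" "vmray_server_http_from_workers" {
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_from_workers" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# … unchanged: server egress rules, vmray_worker_sg and worker rules …
```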

+ 1 - 1
base/vmray_instances/main.tf → base/vmray_instances/server.tf

@@ -41,7 +41,7 @@ data "aws_kms_key" "ebs-key" {
 
 resource "aws_network_interface" "vmray-server-interface" {
   subnet_id = var.private_subnets[0]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.vmray_sg.id ]
+  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.vmray_server_sg.id ]
   description = "vmray-server"
   tags = merge(var.standard_tags, var.tags, { Name = "vmray-server" })
 }

+ 93 - 0
base/vmray_instances/worker.tf

@@ -0,0 +1,93 @@
+resource "aws_network_interface" "vmray-worker-interface" {
+  count = var.vmray_worker_instance_count
+  subnet_id = var.private_subnets[count.index % 3]
+  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.vmray_worker_sg.id ]
+  description = "vmray-worker"
+  tags = merge(var.standard_tags, var.tags, { Name = "vmray-worker" })
+}
+
+resource "aws_instance" "vmray-worker-instance" {
+  count = var.vmray_worker_instance_count
+  tenancy = "default"
+  ebs_optimized = true
+  disable_api_termination = var.instance_termination_protection
+  instance_initiated_shutdown_behavior = "stop"
+  instance_type = var.instance_types["vmray-worker"]
+  key_name = "msoc-build"
+  monitoring = false
+  iam_instance_profile = "msoc-default-instance-profile"
+
+  ami = data.aws_ami.ubuntu2004.image_id
+  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
+  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
+  # that could be removed.
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+
+  root_block_device {
+      volume_type = "gp3"
+      volume_size = "60"
+      delete_on_termination = true
+      encrypted = true
+      kms_key_id = data.aws_kms_key.ebs-key.arn
+  }
+
+  network_interface {
+    device_index = 0
+    network_interface_id = aws_network_interface.vmray-worker-interface[count.index].id
+  }
+
+  user_data = data.template_cloudinit_config.cloud-init-vmray-worker[count.index].rendered
+  tags = merge( var.standard_tags, var.tags, { Name = "vmray-worker-${ count.index }" })
+  volume_tags = merge( var.standard_tags, var.tags, { Name = "vmray-worker-${ count.index }" })
+}
+
+data "template_file" "cloud-init-vmray-worker" {
+  count = var.vmray_worker_instance_count
+  template = file("${path.module}/cloud-init/cloud-init.tpl")
+
+  vars = {
+    hostname = "vmray-worker-${ count.index }"
+    fqdn = "vmray-worker-${ count.index }.${var.dns_info["private"]["zone"]}"
+    environment = var.environment
+    salt_master  = var.salt_master
+    proxy = var.proxy
+    aws_partition = var.aws_partition
+    aws_partition_alias = var.aws_partition_alias
+    aws_region = var.aws_region
+  }
+}
+
+# Render a multi-part cloud-init config making use of the part
+# above, and other source files
+data "template_cloudinit_config" "cloud-init-vmray-worker" {
+  count = var.vmray_worker_instance_count
+  gzip          = true
+  base64_encode = true
+
+  # Main cloud-config configuration file.
+  part {
+    filename     = "init.cfg"
+    content_type = "text/cloud-config"
+    content      = data.template_file.cloud-init-vmray-worker[count.index].rendered
+  }
+
+  # Additional parts as needed
+  #part {
+  #  content_type = "text/x-shellscript"
+  #  content      = "ffbaz"
+  #}
+}
+
+module "private_dns_record_vmray_worker" {
+  count = var.vmray_worker_instance_count
+  source = "../../submodules/dns/private_A_record"
+
+  name = "vmray-worker-${ count.index }"
+  ip_addresses = [ aws_instance.vmray-worker-instance[count.index].private_ip ]
+  dns_info = var.dns_info
+  reverse_enabled = true
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}
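Review bot: `subnet_id = var.private_subnets[count.index % 3]` in `vmray-worker-interface` hard-codes three subnets; with fewer entries in `var.private_subnets` the index eventually runs past the list and the plan fails, and with more than three the extra subnets are never used. `subnet_id = var.private_subnets[count.index % length(var.private_subnets)]` spreads the workers across whatever subnets are actually supplied. The network interface is tagged `Name = "vmray-worker"` for every count index while the instance and volumes use `vmray-worker-${ count.index }`; interpolating the index there too keeps the interfaces distinguishable in the console. The commented-out `part` block with content `"ffbaz"` in `template_cloudinit_config` reads as scaffolding rather than a planned addition and could be dropped.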