
Merge pull request #205 from mdr-engineering/feature/ftd_tbd_Teleport

Teleport Updates
Frederick Damstra 4 年之前
父节点
当前提交
b94005f954

+ 174 - 0
base/teleport-single-instance/alb-internal.tf

@@ -0,0 +1,174 @@
+#----------------------------------------------------------------------------
+# EXTERNAL APPLICATION LB
+#----------------------------------------------------------------------------
+
+resource "aws_alb" "internal" {
+  name               = "${var.instance_name}-alb-internal-${var.environment}"
+  security_groups    = [ aws_security_group.alb_server_internal.id ]
+  internal           = true 
+  subnets            = var.subnets
+  load_balancer_type = "application"
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+
+  tags = merge(var.standard_tags, var.tags, { Name = "${var.instance_name}-alb-internal-${var.environment}" })
+}
+
+# Create a new target group
+resource "aws_alb_target_group" "internal" {
+  # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
+  # otherwise, you get stuck in `destroying` during routine changes.
+  name_prefix          = substr(var.instance_name, 0, 6)
+  port                 = 3080
+  protocol             = "HTTPS"
+  #deregistration_delay = "${local.lb_deregistration_delay}"
+  vpc_id               = var.vpc_id
+
+  health_check {
+    protocol = "HTTPS"
+    port     = "3080"
+    path     = "/web/login"
+    matcher  = "200-400"
+    timeout  = "4"
+    interval = "5"
+  }
+
+  stickiness {
+    type    = "lb_cookie"
+    enabled = true 
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb_target_group_attachment" "internal" {
+  target_group_arn = aws_alb_target_group.internal.arn
+  target_id        = aws_instance.instance.id
+  port             = 3080
+}
+
+# Create a new alb listener
+resource "aws_alb_listener" "https_internal" {
+  load_balancer_arn = aws_alb.internal.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  certificate_arn   = aws_acm_certificate.cert_internal.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.internal.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_alb_listener" "alb_3080_internal" {
+  load_balancer_arn = aws_alb.internal.arn
+  port              = "3080"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  certificate_arn   = aws_acm_certificate.cert_internal.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.internal.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "http_internal" {
+  load_balancer_arn = aws_alb.internal.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# #########################
+# # DNS Entry
+module "private_alb_dns_record" {
+  source = "../../submodules/dns/private_CNAME_record"
+
+  name = "${var.instance_name}-alb.${var.dns_info["private"]["zone"]}"
+  target_dns_names = [ aws_alb.internal.dns_name ]
+  dns_info = var.dns_info
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}
+
+#----------------------------------------------------------------------------
+# ALB Security Group
+#----------------------------------------------------------------------------
+
+resource "aws_security_group" "alb_server_internal" {
+  vpc_id      = var.vpc_id
+  # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
+  # otherwise, you get stuck in `destroying` during routine changes.
+  name_prefix = "${var.instance_name}-alb-sg-internal"
+  description = "Teleport LB SG"
+  tags = merge(var.standard_tags, var.tags)
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
+resource "aws_security_group_rule" "alb-internal-http-in" {
+  description = "HTTPS In"
+  type = "ingress"
+  from_port = "80"
+  to_port = "80"
+  protocol = "tcp"
+  cidr_blocks = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.alb_server_internal.id
+}
+
+resource "aws_security_group_rule" "alb-internal-https-in" {
+  description = "HTTPS In"
+  type = "ingress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  cidr_blocks = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.alb_server_internal.id
+}
+
+resource "aws_security_group_rule" "alb-internal-3080-in" {
+  description = "3080 In"
+  type = "ingress"
+  from_port = "3080"
+  to_port = "3080"
+  protocol = "tcp"
+  cidr_blocks = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.alb_server_internal.id
+}
+
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
+
+resource "aws_security_group_rule" "alb_internal-to_server" {
+  type              = "egress"
+  from_port         = 3080
+  to_port           = 3080
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.instance.id
+  description       = "Allows the ALB to talk to the Sensu servers"
+  security_group_id = aws_security_group.alb_server_internal.id
+}
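Review bot: Both `https_internal` and `alb_3080_internal` set `certificate_arn = aws_acm_certificate.cert_internal.arn`, referencing the certificate directly, so nothing orders listener creation after DNS validation even though `aws_acm_certificate_validation.cert_internal` is added in this PR; referencing `aws_acm_certificate_validation.cert_internal.certificate_arn` instead makes each listener depend on the validated certificate (the external listeners in alb.tf follow the same direct-reference pattern). Several labels in this file look like copy-paste leftovers that misdescribe the resources: the banner reads `# EXTERNAL APPLICATION LB` above an ALB with `internal = true`, the port-80 rule `alb-internal-http-in` carries `description = "HTTPS In"`, and the egress rule says `"Allows the ALB to talk to the Sensu servers"` for a Teleport instance. Suggest `# INTERNAL APPLICATION LB`, `description = "HTTP In (redirected to HTTPS)"` and `description = "Allows the ALB to talk to the Teleport server"` respectively.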

+ 26 - 3
base/teleport-single-instance/alb.tf

@@ -30,7 +30,7 @@ resource "aws_alb_target_group" "external" {
   health_check {
     protocol = "HTTPS"
     port     = "3080"
-    path     = "/"
+    path     = "/web/login"
     matcher  = "200-400"
     timeout  = "4"
     interval = "5"
@@ -67,6 +67,19 @@ resource "aws_alb_listener" "https_external" {
   }
 }
 
+resource "aws_alb_listener" "alb_3080_external" {
+  load_balancer_arn = aws_alb.external.arn
+  port              = "3080"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  certificate_arn   = aws_acm_certificate.cert.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.external.arn
+    type             = "forward"
+  }
+}
+
 resource "aws_lb_listener" "http_external" {
   load_balancer_arn = aws_alb.external.arn
   port              = "80"
@@ -137,14 +150,24 @@ resource "aws_security_group_rule" "alb-https-in" {
   security_group_id = aws_security_group.alb_server_external.id
 }
 
+resource "aws_security_group_rule" "alb-3080-in" {
+  description = "3080 In"
+  type = "ingress"
+  from_port = "3080"
+  to_port = "3080"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.alb_server_external.id
+}
+
 #----------------------------------------------------------------------------
 # EGRESS
 #----------------------------------------------------------------------------
 
 resource "aws_security_group_rule" "alb_to_server" {
   type              = "egress"
-  from_port         = 443
-  to_port           = 443
+  from_port         = 3080
+  to_port           = 3080
   protocol          = "tcp"
   source_security_group_id = aws_security_group.instance.id
   description       = "Allows the ALB to talk to the Sensu servers"
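Review bot: The new `alb-3080-in` rule opens port 3080 on the external ALB security group to `0.0.0.0/0`, and together with the `alb_3080_external` listener added in the previous hunk this publishes a second public entry point to the same target group that the 443 listener already serves. If only the web UI is needed, the 443 listener covers it and the rule and listener can be dropped; if Teleport clients must reach the proxy on 3080, record that in the rule so the exposure is deliberate rather than inherited, e.g. `description = "Teleport proxy port 3080, intentionally public"`. The egress rule's `description = "Allows the ALB to talk to the Sensu servers"` was carried over from another module and should name Teleport now that the port is 3080; `alb_to_server` continues past the end of the hunk.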

+ 31 - 0
base/teleport-single-instance/certificate-internal.tf

@@ -0,0 +1,31 @@
+#Certificate 
+resource "aws_acm_certificate" "cert_internal" {
+  domain_name       = "${var.instance_name}-alb.${var.dns_info["private"]["zone"]}"
+  validation_method = "DNS"
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "cert_internal" {
+  certificate_arn         = aws_acm_certificate.cert_internal.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation_internal: record.fqdn]
+}
+
+resource "aws_route53_record" "cert_validation_internal" {
+  provider = aws.mdr-common-services-commercial
+
+  for_each = {
+    for dvo in aws_acm_certificate.cert_internal.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["public"]["zone_id"]
+}
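Review bot: `cert_internal` requests a certificate for a name in `var.dns_info["private"]["zone"]`, but the validation records are written to `var.dns_info["public"]["zone_id"]` under a different provider; ACM DNS validation can only succeed if that private zone name is also served from the public zone, an assumption this file does not state. A comment above `zone_id`, such as `# ACM validates over public DNS: the private zone name must also be delegated in this public zone`, would record it for the next reader. `allow_overwrite = true` means any pre-existing record with the same name in the public zone is replaced rather than reported as a conflict, which is worth a short why-comment too.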

+ 39 - 9
base/teleport-single-instance/security-groups.tf

@@ -17,8 +17,8 @@ resource "aws_security_group" "instance" {
   }
 }
 
-resource "aws_security_group_rule" "instance-http-in" {
-  description = "Web Interface from ALB"
+resource "aws_security_group_rule" "instance-http-in-external" {
+  description = "Web Interface from External ALB"
   type = "ingress"
   from_port = "3080"
   to_port = "3080"
@@ -27,26 +27,36 @@ resource "aws_security_group_rule" "instance-http-in" {
   security_group_id = aws_security_group.instance.id
 }
 
-resource "aws_security_group_rule" "instance-teleport-in-3023-3024" {
-  description = "Teleport Proprietary Ports via NLB"
+resource "aws_security_group_rule" "instance-http-in-internal" {
+  description = "Web Interface from Internal ALB"
   type = "ingress"
-  from_port = "3023"
-  to_port = "3024"
+  from_port = "3080"
+  to_port = "3080"
   protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
+  source_security_group_id = aws_security_group.alb_server_internal.id
   security_group_id = aws_security_group.instance.id
 }
 
-resource "aws_security_group_rule" "instance-teleport-in-3026" {
+resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
   description = "Teleport Proprietary Ports via NLB"
   type = "ingress"
-  from_port = "3026"
+  from_port = "3023"
   to_port = "3026"
   protocol = "tcp"
   cidr_blocks = [ "0.0.0.0/0" ]
   security_group_id = aws_security_group.instance.id
 }
 
+#resource "aws_security_group_rule" "instance-teleport-in-3026" {
+#  description = "Teleport Proprietary Ports via NLB"
+#  type = "ingress"
+#  from_port = "3026"
+#  to_port = "3026"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+
 #resource "aws_security_group_rule" "instance-teleport-proxy-in" {
 #  description = "Teleport - Proxy web server"
 #  type = "ingress"
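Review bot: The merged rule `instance-teleport-in-3023-3026` now admits port 3025 from `0.0.0.0/0`, which neither of the two rules it replaces (3023-3024 and 3026) opened; if 3025 is not meant to be exposed, keep two rules, otherwise say so in the rule, e.g. `description = "Teleport ports 3023-3026 via NLB (3025 included intentionally)"`. The commented-out `instance-teleport-in-3026` block added below is dead configuration whose content is already covered by the merged rule and can be removed rather than kept as a comment. The commented-out `instance-teleport-proxy-in` block at the end of the hunk continues outside it.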
@@ -66,3 +76,23 @@ resource "aws_security_group_rule" "instance-teleport-out-ssh" {
   cidr_blocks = [ "0.0.0.0/0" ]
   security_group_id = aws_security_group.instance.id
 }
+
+resource "aws_security_group_rule" "instance-teleport-out-teleport" {
+  description = "Outbound teleport"
+  type = "egress"
+  from_port = "3022"
+  to_port = "3026"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.instance.id
+}
+
+resource "aws_security_group_rule" "instance-teleport-out-https" {
+  description = "Outbound HTTPS, required for dynamodb Streams (no vpc endpoint available)"
+  type = "egress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.instance.id
+}

+ 34 - 0
submodules/security_group/typical_host/main.tf

@@ -39,6 +39,18 @@ resource "aws_security_group_rule" "scanner_access" {
   count = length(var.cidr_map["scanners"]) > 0 ? 1 : 0
 }
 
+resource "aws_security_group_rule" "teleport_ssh_access" {
+  security_group_id = aws_security_group.security_group.id
+  type = "ingress"
+  description = "Teleport SSH Access"
+  from_port = 3022
+  to_port = 3022
+  protocol = "tcp"
+  # Convert to a set to remove duplicates
+  cidr_blocks = var.cidr_map["vpc-access"]
+  count = length(var.cidr_map["vpc-access"]) > 0 ? 1 : 0
+}
+
 resource "aws_security_group_rule" "ssh_access" {
   security_group_id = aws_security_group.security_group.id
   type = "ingress"
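Review bot: The comment `# Convert to a set to remove duplicates` above `cidr_blocks = var.cidr_map["vpc-access"]` in `teleport_ssh_access` describes a conversion the line does not perform, so a reader will assume deduplication that is not there; either apply it, `cidr_blocks = distinct(var.cidr_map["vpc-access"])`, or drop the comment. In the next hunk, `description` in `outbound_to_teleport_30xx` is indented one space instead of two, out of step with the surrounding attributes. The `ssh_access` resource at the end of this hunk continues outside it.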
@@ -127,6 +139,28 @@ resource "aws_security_group_rule" "dns_access_udp" {
   count = length(var.cidr_map["dns"]) > 0 ? 1 : 0
 }
 
+resource "aws_security_group_rule" "outbound_to_teleport" {
+  security_group_id = aws_security_group.security_group.id
+  type = "egress"
+  description = "Connect to Teleport"
+  from_port = 3080
+  to_port = 3080
+  protocol = "tcp"
+  cidr_blocks = var.cidr_map["vpc-access"]
+  count = length(var.cidr_map["vpc-access"]) > 0 ? 1 : 0
+}
+
+resource "aws_security_group_rule" "outbound_to_teleport_30xx" {
+  security_group_id = aws_security_group.security_group.id
+  type = "egress"
+ description = "Connect to Teleport"
+  from_port = 3023
+  to_port = 3026
+  protocol = "tcp"
+  cidr_blocks = var.cidr_map["vpc-access"]
+  count = length(var.cidr_map["vpc-access"]) > 0 ? 1 : 0
+}
+
 resource "aws_security_group_rule" "outbound_to_salt_masters" {
   security_group_id = aws_security_group.security_group.id
   type = "egress"