
Merge pull request #13 from mdr-engineering/feature/ftd_MSOCI-1277_Building_the_Interconnects

Stands up interconnect instances successfully in test
Frederick Damstra 5 years ago
parent
commit
bbf4f16186

+ 9 - 2
base/transit-gateway-interconnect-vpn/main.tf

@@ -1,8 +1,15 @@
-resource "aws_customer_gateway" "pa_attachment" {
+resource "aws_customer_gateway" "xdr_attachment" {
   count = var.xdr_interconnects_count
   bgp_asn = var.xdr_interconnect_asn
-  ip_address = var.firewall_public_ips[count.index]
+  ip_address = var.xdr_interconnect_public_ips[count.index]
   type = "ipsec.1"
   tags = merge(var.standard_tags, var.tags)
 }
 
+resource "aws_vpn_connection" "xdr_vpn" {
+  count = var.xdr_interconnects_count
+  customer_gateway_id = aws_customer_gateway.xdr_attachment[count.index].id
+  transit_gateway_id  = var.transit_gateway_id
+  type                = aws_customer_gateway.xdr_attachment[count.index].type
+  tags = merge(var.standard_tags, var.tags)
+}
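Review bot: Renaming the `aws_customer_gateway` from `pa_attachment` to `xdr_attachment` at the top of the hunk changes the resource address, so on any environment where the old address is already in state Terraform will plan to destroy that customer gateway and create a new one, and the new `aws_vpn_connection.xdr_vpn` that references it will come up with fresh tunnel addresses and pre-shared keys. If such an environment exists, a `terraform state mv` of the old address before apply (or a `moved` block, where the Terraform version in use supports it) avoids the tunnel churn. A one-line comment on the resource stating whether a state move is expected would help whoever applies this next.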

+ 60 - 0
base/transit-gateway-interconnect-vpn/outputs.tf

@@ -0,0 +1,60 @@
+# Some of this is redundant or not generated from this module, but it's a nice
+# centralized place to get all of the data needed to setup the VPN connections.
+output vpn_info {
+  value = [
+      for index, connection in aws_vpn_connection.xdr_vpn:
+      {
+        "cgw_public_ip" = var.xdr_interconnect_public_ips[index]
+        "vgw_public_ips" = [
+            connection.tunnel1_address, 
+            connection.tunnel2_address
+        ],
+        "cgw_inside_address" = [
+          connection.tunnel1_cgw_inside_address,
+          connection.tunnel2_cgw_inside_address
+        ],
+        "vgw_inside_address" = [
+          connection.tunnel1_vgw_inside_address,
+          connection.tunnel2_vgw_inside_address
+        ]
+        "preshared_key" = [
+          connection.tunnel1_preshared_key,
+          connection.tunnel2_preshared_key
+        ]
+        "vgw_bgp_asn" = connection.tunnel1_bgp_asn, # Tunnel 1 and 2 are same
+        "cgw_bgp_asn" = var.xdr_interconnect_asn
+      }
+  ]
+}
+
+output yaml {
+  # The contents are the same as above, in an environment key
+  value = yamlencode({
+    "" = {
+      (var.aws_partition_alias) = [
+        for index, connection in aws_vpn_connection.xdr_vpn:
+        {
+          "cgw_public_ip" = var.xdr_interconnect_public_ips[index]
+          "vgw_public_ips" = [
+              connection.tunnel1_address, 
+              connection.tunnel2_address
+          ],
+          "cgw_inside_address" = [
+            connection.tunnel1_cgw_inside_address,
+            connection.tunnel2_cgw_inside_address
+          ],
+          "vgw_inside_address" = [
+            connection.tunnel1_vgw_inside_address,
+            connection.tunnel2_vgw_inside_address
+          ]
+          "preshared_key" = [
+            connection.tunnel1_preshared_key,
+            connection.tunnel2_preshared_key
+          ]
+          "vgw_bgp_asn" = connection.tunnel1_bgp_asn, # Tunnel 1 and 2 are same
+          "cgw_bgp_asn" = var.xdr_interconnect_asn
+        }
+      ]
+    }
+  })
+}
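Review bot: Both `vpn_info` (the `"preshared_key" = [` entry) and the `yaml` output emit `connection.tunnel1_preshared_key` / `tunnel2_preshared_key` without `sensitive = true`, so the tunnel PSKs are printed in clear text on every apply and in any CI log that captures `terraform output`. Adding `sensitive = true` to both outputs keeps the values available to consumers through `terraform output -json` while redacting them from console output; the state file holds them either way, so access control on state storage matters as well. Separately, the `yaml` output nests the list under an empty key `"" = {` although the comment says "in an environment key" — `var.environment` is declared in this change and looks like the intended key, worth confirming. The two value expressions are identical and could be shared through a `locals` block so they do not drift apart.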

+ 4 - 2
base/transit-gateway-interconnect-vpn/vars.tf

@@ -1,6 +1,8 @@
-variable firewall_public_ips { type = list }
-
+variable xdr_interconnect_public_ips { type = list }
+variable transit_gateway_id { type = string }
 variable xdr_interconnects_count { type = number }
 variable xdr_interconnect_asn { type = number }
 variable standard_tags { type = map }
 variable tags { type = map }
+variable environment { type = string }
+variable aws_partition_alias { type = string }

+ 0 - 50
base/xdr_interconnects/ami.tf

@@ -1,50 +0,0 @@
-#data "aws_ami" "ubuntu_pro" {
-#  # Ubuntu Pro 18.04 Product ID: fc15dd7b-2aa0-47e5-bb05-94c75950b5de
-#
-#  most_recent = true
-#  owners = [ var.aws_marketplace_ubuntu_owner_id ]
-#
-#  # sadly, it looks like the image isn't named correctly in govcloud. I've given
-#  # canonical feedback on this, but for now we'll use the ami id directly.
-#  #filter {
-#  #  name   = "name"
-#  #  values = ["ubuntu-pro/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*", ]
-#  #}
-#
-#  filter {
-#    name   = "image-id"
-#    values = [ "ami-0a4050943619c0460" ]
-#  }
-#
-#  filter {
-#    name   = "root-device-type"
-#    values = ["ebs"]
-#  }
-#
-#  filter {
-#    name   = "virtualization-type"
-#    values = ["hvm"]
-#  }
-#}
-
-# This works in govcloud and commercial, but only for centos 7. If you change to 8,
-# you will get a third party vendor.
-data "aws_ami" "centos7" {
-  owners      = ["aws-marketplace"]
-  most_recent = true
-
-  filter {
-    name   = "name"
-    values = ["CentOS Linux 7 x86_64 HVM EBS *"]
-  }
-
-  filter {
-    name   = "architecture"
-    values = ["x86_64"]
-  }
-
-  filter {
-    name   = "root-device-type"
-    values = ["ebs"]
-  }
-}

+ 3 - 2
base/xdr_interconnects/cloud-init.tf

@@ -5,8 +5,9 @@ data "template_file" "cloud-init" {
   template = "${file("${path.module}/cloud-init/cloud-init.tpl")}"
 
   vars = {
-    hostname = "xdr-interconnect-asg-member-${count.index}"
-    fqdn = "xdr-interconnect-asg-member.TODO"
+    hostname = "xdr-interconnect-${count.index}"
+    fqdn = "xdr-interconnect-${count.index}.${var.dns_private["name"]}"
+    saltmaster = "salt-master.${ var.dns_public["name"] }"
     environment = var.environment
   }
 }
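Review bot: `saltmaster` on the last added line is built from `var.dns_public["name"]` while `fqdn` on the line above uses `var.dns_private["name"]`, so the minion will resolve its master through the public zone; if the master is also registered in the private zone, resolving it there would keep minion-to-master traffic on the internal path and independent of the public record. If the public name is deliberate (for example the master only has a public record), a comment such as `# salt master is only published in the public zone` would make that clear. The enclosing `data "template_file" "cloud-init"` block starts before this hunk.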

+ 4 - 1
base/xdr_interconnects/cloud-init/cloud-init.tpl

@@ -1,6 +1,7 @@
 #cloud-config
 preserve_hostname: false
 hostname: ${hostname}
+salt-master: ${saltmaster}
 fqdn: ${fqdn}
 
 # A lot of this could be done via salt. But for simplicity, i'm presently keeping it out.
@@ -21,11 +22,13 @@ package_update: true # Always patch
 
 growpart:
   mode: auto
-  devices: [ '/' ]
+  devices: [ '/', '/var', '/var/log', '/var/log/audit', '/var/tmp', '/tmp', '/home' ]
   ignore_growroot_disabled: false
 
 runcmd:
  - echo "${fqdn}" > /etc/salt/minion_id
+ - 'echo master: ${saltmaster} > /etc/salt/minion'
+ - echo "${ environment }" > /ENVIRONMENT
  - /bin/systemctl restart salt-minion 
  - /bin/systemctl enable salt-minion
  - /bin/systemctl start amazon-ssm-agent
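Review bot: The runcmd line `'echo master: ${saltmaster} > /etc/salt/minion'` replaces the whole minion config file with a single line, discarding whatever the salt-minion package shipped there, and the new top-level `salt-master: ${saltmaster}` key in the first hunk is not a cloud-config directive I recognise, so it most likely has no effect. cloud-init's `salt_minion` module sets the master through its `conf` mapping and writes the file itself; if that module is available in the image, replacing both additions with `salt_minion:` / `  conf:` / `    master: ${saltmaster}` would be the supported route. Otherwise writing the line to a drop-in such as `/etc/salt/minion.d/master.conf` instead of `/etc/salt/minion` keeps the package defaults intact. The `echo "${ environment }" > /ENVIRONMENT` line would benefit from a comment naming what consumes that file.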

+ 34 - 2
base/xdr_interconnects/main.tf

@@ -19,6 +19,9 @@ resource "aws_network_interface" "xdr_interconnects" {
 resource "aws_eip" "xdr_interconnects" {
   count = var.xdr_interconnects_count
   vpc = true
+  tags = {
+    Name = "xdr-interconnect-${count.index}"
+  }
 }
 
 resource "aws_eip_association" "xdr_interconnects" {
@@ -27,9 +30,12 @@ resource "aws_eip_association" "xdr_interconnects" {
   allocation_id = aws_eip.xdr_interconnects[count.index].id
 }
 
+output "ami" {
+  value = var.default_ami
+}
+
 resource "aws_instance" "xdr_interconnects" {
   count = var.xdr_interconnects_count
-  ami = data.aws_ami.centos7.image_id
   availability_zone = var.azs[count.index % 2]
   placement_group = aws_placement_group.xdr_interconnects.id
   tenancy = "default"
@@ -40,10 +46,15 @@ resource "aws_instance" "xdr_interconnects" {
   key_name = var.xdr_interconnects_key_name
   monitoring = false
 
+  ami = var.default_ami
+  lifecycle { ignore_changes = [ ami ] }
+
   tags = merge(
     var.standard_tags,
     var.tags,
-    { Name = "xdr-interconnect-${count.index}" }
+    { 
+      Name = "xdr-interconnect-${count.index}"
+    }
   )
 
   root_block_device {
@@ -65,3 +76,24 @@ resource "aws_instance" "xdr_interconnects" {
     #create_before_destroy = true
   #}
 }
+
+# DNS Records
+resource "aws_route53_record" "xdr_interconnects" {
+  count = var.xdr_interconnects_count
+  name = "xdr-interconnect-${ var.environment }-${ count.index }"
+  type = "A"
+  ttl  = 300
+  zone_id = var.dns_public["id"]
+  records = [ aws_eip.xdr_interconnects[count.index].public_ip ]
+  provider = aws.legacy
+}
+
+resource "aws_route53_record" "xdr_interconnects_pvt" {
+  count = var.xdr_interconnects_count
+  name = "xdr-interconnect-${ count.index }"
+  type = "A"
+  ttl  = 300
+  zone_id = var.dns_private["id"]
+  records = [ aws_instance.xdr_interconnects[count.index].private_ip ]
+  provider = aws.legacy
+}
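Review bot: `lifecycle { ignore_changes = [ ami ] }` directly under `ami = var.default_ami` pins every existing instance to the AMI it was first launched from, so later changes to `var.default_ami` will silently not roll the fleet; that is a defensible choice for long-lived VPN endpoints but it needs a comment, e.g. `# ami is only honoured at first launch; OS updates are applied in place, not by replacement`. The `output "ami"` block sits in main.tf while the module's other outputs live in outputs.tf, so moving it there keeps the layout consistent. The new `aws_route53_record` resources set `provider = aws.legacy`, which requires the calling configuration to pass that alias through `providers`; noting the requirement on the resource or in the module README would save the next user a plan error.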

+ 8 - 0
base/xdr_interconnects/outputs.tf

@@ -14,3 +14,11 @@ output "private_ips" {
 output "public_ips" {
     value = aws_eip.xdr_interconnects[*].public_ip
 }
+
+output "public_dns" {
+  value = aws_route53_record.xdr_interconnects[*].fqdn
+}
+
+output "private_dns" {
+  value = aws_route53_record.xdr_interconnects_pvt[*].fqdn
+}

+ 22 - 7
base/xdr_interconnects/security-groups.tf

@@ -15,12 +15,29 @@ resource "aws_security_group_rule" "trusted_ssh" {
   security_group_id = aws_security_group.xdr_interconnects_sg.id
 }
 
-# TODO: Tighten this down
-resource "aws_security_group_rule" "ipsec_ingress" {
+resource "aws_security_group_rule" "ipsec_l2tp_ingress" {
   type              = "ingress"
-  from_port         = 0 # all ports
-  to_port           = 0 # all ports
-  protocol          = "all"
+  from_port         = 1701
+  to_port           = 1701
+  protocol          = "udp"
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.xdr_interconnects_sg.id
+}
+
+resource "aws_security_group_rule" "ipsec_ike_ingress" {
+  type              = "ingress"
+  from_port         = 500
+  to_port           = 500
+  protocol          = "udp"
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.xdr_interconnects_sg.id
+}
+
+resource "aws_security_group_rule" "ipsec_ike_nat_t_ingress" {
+  type              = "ingress"
+  from_port         = 4500
+  to_port           = 4500
+  protocol          = "udp"
   cidr_blocks       = [ "0.0.0.0/0" ]
   security_group_id = aws_security_group.xdr_interconnects_sg.id
 }
@@ -33,5 +50,3 @@ resource "aws_security_group_rule" "ipsec_egress" {
   cidr_blocks       = [ "0.0.0.0/0" ]
   security_group_id = aws_security_group.xdr_interconnects_sg.id
 }
-
-
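Review bot: The three new ingress rules narrow the previous allow-all rule to UDP 500, 4500 and 1701 but still accept them from `0.0.0.0/0`; for an AWS Site-to-Site VPN the remote endpoints are the two tunnel outside addresses the `aws_vpn_connection` exposes (`tunnel1_address` / `tunnel2_address` in the interconnect-vpn module), so those could be passed into this module and used as the `cidr_blocks` instead of the whole internet. The `ipsec_l2tp_ingress` rule opens UDP 1701 world-wide, and L2TP is not part of an IKE/IPsec tunnel to a transit gateway; if no other client needs it, dropping the rule shrinks the exposed surface. Depending on whether NAT-T is negotiated, ESP (IP protocol 50) may also be required and is not covered here — worth confirming against the first tunnel test. A short comment on each rule naming the peer it serves would make later tightening safer.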

+ 3 - 0
base/xdr_interconnects/vars.tf

@@ -15,3 +15,6 @@ variable "trusted_ips" { type = list }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_account_id" { type = string }
+variable "default_ami" { type = string }
+variable "dns_public" { type = map }
+variable "dns_private" { type = map }