
Merge pull request #116 from mdr-engineering/feature/dw_MSOCI-1566_NIH_ips

[MSOCI-1566] Add c2_services_external_ips support
Duane Waddle 4 éve
szülő
commit
bc0ef483c8

+ 40 - 0
base/repo_server/main.tf

@@ -216,6 +216,33 @@ resource "aws_security_group_rule" "http-in" {
   security_group_id = aws_security_group.repo_server_security_group.id
 }
 
+resource "aws_security_group_rule" "http-in-external-c2-users" {
+
+  # This deserves some explanation.  Terraform "for_each" expects to be
+  # getting as input a map of values to iterate over as part of the foreach.
+  # The keys of the map are used to name each of these objects created.  Looking
+  # in the terraform plan output of a for_each you'll see things like:
+  #
+  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
+  #
+  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
+  # makes a new thing that is a map of maps, where the key value is the description with
+  # blanks removed.
+  #
+  # We could have made the variable more natively-friendly to for_each but this seemed
+  # like a better solution for what we were trying to accomplish.
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "inbound repository requests - ${each.value.description}"
+  type = "ingress"
+  from_port = 80
+  to_port = 80
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.repo_server_security_group.id
+}
+
+
 resource "aws_security_group_rule" "https-in" {
   description = "inbound repository requests"
   type = "ingress"
@@ -226,6 +253,19 @@ resource "aws_security_group_rule" "https-in" {
   security_group_id = aws_security_group.repo_server_security_group.id
 }
 
+resource "aws_security_group_rule" "https-in-external-c2-users" {
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "inbound repository requests - ${each.value.description}"
+  type = "ingress"
+  from_port = 443
+  to_port = 443
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.repo_server_security_group.id
+}
+
+
 # Repo server has an extra volume that is created separately, to keep it from being destroyed
 # with the instance.
 resource "aws_ebs_volume" "repo_server_drive" {
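Review bot: The for_each key on the new `http-in-external-c2-users` and `https-in-external-c2-users` rules is the description with whitespace stripped, so two entries whose descriptions differ only in spacing collapse to one key and `terraform plan` fails with a duplicate-key error, and any rewording of a description destroys and recreates that rule (a short window with no rule in place) rather than updating it in place. The long comment explains the map conversion but not these two consequences; I would add to it `# NOTE: descriptions must be unique after whitespace removal, and changing a description recreates the rule.` The same for-expression is now written three times across this module and base/salt_master/main.tf; in each module a single `locals { c2_external_ips_by_key = { for s in var.c2_services_external_ips : replace(s.description, "/\\s*/", "") => s } }` with `for_each = local.c2_external_ips_by_key` on both rules would keep the comment in one place and keep the http and https rules from drifting apart.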

+ 5 - 0
base/repo_server/vars.tf

@@ -41,6 +41,11 @@ variable "proxy" { type = string }
 variable "salt_master" { type = string }
 variable "repo_server_whitelist" { type = list(string) }
 
+variable "c2_services_external_ips" {
+  type = list(object({cidr_blocks=list(string),description=string}))
+  default = []
+}
+
 variable "cidr_map" { type = map }
 variable "dns_info" { type = map }
 variable "standard_tags" { type = map }
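Review bot: `c2_services_external_ips` feeds `cidr_blocks` of ingress rules directly, and nothing rejects a malformed CIDR or an open `0.0.0.0/0` entry, which would silently expose the repo server ports (and, via the identical variable in base/salt_master/vars.tf, the Salt master ports) to the whole internet. If the pinned Terraform version supports variable `validation` blocks (0.13 and later), a check at the variable keeps the constraint next to the input rather than relying on reviewers of each tfvars change; the same block belongs in base/salt_master/vars.tf. The functions used below (`flatten`, splat, `can`, `cidrhost`) are all available from 0.12, so only the `validation` wrapper is version-dependent.
```terraform
variable "c2_services_external_ips" {
  type    = list(object({cidr_blocks=list(string),description=string}))
  default = []

  validation {
    condition = length([
      for c in flatten(var.c2_services_external_ips[*].cidr_blocks) : c
      if !can(cidrhost(c, 0)) || c == "0.0.0.0/0"
    ]) == 0
    error_message = "Every cidr_blocks entry must be a syntactically valid CIDR and must not be 0.0.0.0/0."
  }
}
```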

+ 26 - 0
base/salt_master/main.tf

@@ -239,6 +239,32 @@ resource "aws_security_group_rule" "saltstack" {
   security_group_id = aws_security_group.salt_master_security_group.id
 }
 
+resource "aws_security_group_rule" "saltstack-external-ips" {
+
+  # This deserves some explanation.  Terraform "for_each" expects to be
+  # getting as input a map of values to iterate over as part of the foreach.
+  # The keys of the map are used to name each of these objects created.  Looking
+  # in the terraform plan output of a for_each you'll see things like:
+  #
+  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
+  #
+  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
+  # makes a new thing that is a map of maps, where the key value is the description with
+  # blanks removed.
+  #
+  # We could have made the variable more natively-friendly to for_each but this seemed
+  # like a better solution for what we were trying to accomplish.
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "Saltstack - ${each.value.description}"
+  type = "ingress"
+  from_port = "4505"
+  to_port = "4506"
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.salt_master_security_group.id
+}
+
 resource "aws_security_group_rule" "saltstack-afs-pop" {
   description = "SaltStack - AFS POP"
   type = "ingress"
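Review bot: `from_port = "4505"` and `to_port = "4506"` in the new `saltstack-external-ips` rule are quoted strings while the matching rules added to base/repo_server/main.tf in this same commit use bare numbers; Terraform converts either, but the module now mixes the two forms, and the numeric form is the one the provider schema declares. I would change them to `from_port = 4505` and `to_port = 4506`. The rule's description also spells the product `Saltstack` while the neighbouring `saltstack-afs-pop` rule uses `SaltStack`; `description = "SaltStack - ${each.value.description}"` keeps the console listing consistent.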

+ 5 - 0
base/salt_master/vars.tf

@@ -40,6 +40,11 @@ variable "afs_pop" { type = list(string) }
 variable "proxy" { type = string }
 variable "salt_master" { type = string }
 
+variable "c2_services_external_ips" {
+  type = list(object({cidr_blocks=list(string),description=string}))
+  default = []
+}
+
 variable "cidr_map" { type = map }
 variable "dns_info" { type = map }
 variable "standard_tags" { type = map }