
Updates to Teleport

* ALB for web
* NLB for ports
* Instance cloud init update
* DNS updated

To be tagged v1.24.2
Fred Damstra [afs macbook] 4 năm trước cách đây
mục cha
commit
c7ff47f026

+ 142 - 0
base/teleport-single-instance/alb.tf

@@ -0,0 +1,142 @@
+#----------------------------------------------------------------------------
+# EXTERNAL APPLICATION LB
+#----------------------------------------------------------------------------
+
+resource "aws_alb" "external" {
+  name               = "${var.instance_name}-alb-external-${var.environment}"
+  security_groups    = [ aws_security_group.alb_server_external.id ]
+  internal           = false 
+  subnets            = var.subnets
+  load_balancer_type = "application"
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+
+  tags = merge(var.standard_tags, var.tags, { Name = "${var.instance_name}-alb-external-${var.environment}" })
+}
+
+# Create a new target group
+resource "aws_alb_target_group" "external" {
+  name                 = "${var.instance_name}-alb-external"
+  port                 = 443
+  protocol             = "HTTPS"
+  #deregistration_delay = "${local.lb_deregistration_delay}"
+  vpc_id               = var.vpc_id
+
+  health_check {
+    protocol = "HTTPS"
+    port     = "443"
+    path     = "/"
+    matcher  = "200-400"
+    timeout  = "4"
+    interval = "5"
+  }
+
+  stickiness {
+    type    = "lb_cookie"
+    enabled = true 
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_lb_target_group_attachment" "external" {
+  target_group_arn = aws_alb_target_group.external.arn
+  target_id        = aws_instance.instance.id
+  port             = 443 # maybe 3080?
+}
+
+# Create a new alb listener
+resource "aws_alb_listener" "https_external" {
+  load_balancer_arn = aws_alb.external.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  certificate_arn   = aws_acm_certificate.cert.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.external.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "http_external" {
+  load_balancer_arn = aws_alb.external.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# #########################
+# # DNS Entry
+module "public_dns_record_for_alb" {
+  source = "../../submodules/dns/public_ALIAS_record"
+
+  name = var.instance_name
+  target_dns_name = aws_alb.external.dns_name
+  target_zone_id  = aws_alb.external.zone_id
+  dns_info = var.dns_info
+
+  providers = {
+    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
+  }
+}
+
+#----------------------------------------------------------------------------
+# ALB Security Group
+#----------------------------------------------------------------------------
+
+resource "aws_security_group" "alb_server_external" {
+  vpc_id      = var.vpc_id
+  name        = "${var.instance_name}-alb-sg-external"
+  description = "Teleport LB SG"
+  tags = merge(var.standard_tags, var.tags)
+}
+
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
+resource "aws_security_group_rule" "alb-http-in" {
+  description = "HTTPS In"
+  type = "ingress"
+  from_port = "80"
+  to_port = "80"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.alb_server_external.id
+}
+
+resource "aws_security_group_rule" "alb-https-in" {
+  description = "HTTPS In"
+  type = "ingress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.alb_server_external.id
+}
+
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
+
+resource "aws_security_group_rule" "alb_to_server" {
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.instance.id
+  description       = "Allows the ALB to talk to the Sensu servers"
+  security_group_id = aws_security_group.alb_server_external.id
+}

+ 0 - 105
base/teleport-single-instance/amis.tf

@@ -1,105 +0,0 @@
-locals {
-  ami_map = {
-    "base"       = data.aws_ami.base.image_id,
-    "minion"     = data.aws_ami.minion.image_id,
-    "master"     = data.aws_ami.master.image_id,
-    #    "ubuntu1804" = data.aws_ami.ubuntu1804.image_id,
-  }
-  # We need some data from the block devices
-  block_device_mappings = {
-    "base"       = {
-      for bd in data.aws_ami.base.block_device_mappings:
-        bd.device_name => bd
-    }
-    "minion"     = {
-      for bd in data.aws_ami.minion.block_device_mappings:
-        bd.device_name => bd
-    }
-    "master"     = {
-      for bd in data.aws_ami.master.block_device_mappings:
-        bd.device_name => bd
-    }
-    #    "ubuntu1804" = data.aws_ami.ubuntu1804.image_id,
-  }
-}
-
-data "aws_ami" "base" {
-  most_recent = true
-  owners = [ var.common_services_account ]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Base_*" ]
-  }
-}
-
-data "aws_ami" "minion" {
-  most_recent = true
-  owners = [ var.common_services_account ]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Minion_*" ]
-  }
-}
-
-data "aws_ami" "master" {
-  most_recent = true
-  owners = [ var.common_services_account ]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "name"
-    values = [ "MSOC_RedHat_Master_*" ]
-  }
-}
-
-# Not presently in commercial
-#data "aws_ami" "ubuntu1804" {
-#  most_recent = true
-#  owners = [ var.common_services_account ]
-#
-#  filter {
-#    name   = "virtualization-type"
-#    values = ["hvm"]
-#  }
-#
-#  filter {
-#    name = "root-device-type"
-#    values = ["ebs"]
-#  }
-#
-#  filter {
-#    name = "name"
-#    values = [ "MSOC_Ubuntu_1804_*" ]
-#  }
-#}

+ 1 - 0
base/teleport-single-instance/amis.tf

@@ -0,0 +1 @@
+../amis.tf

+ 31 - 0
base/teleport-single-instance/certificate.tf

@@ -0,0 +1,31 @@
+#Certificate 
+resource "aws_acm_certificate" "cert" {
+  domain_name       = "${var.instance_name}.${var.dns_info["public"]["zone"]}"
+  validation_method = "DNS"
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "cert" {
+  certificate_arn         = aws_acm_certificate.cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation: record.fqdn]
+}
+
+resource "aws_route53_record" "cert_validation" {
+  provider = aws.mdr-common-services-commercial
+
+  for_each = {
+    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["public"]["zone_id"]
+}
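Review bot: Nothing sequences the ALB listener after certificate validation: `aws_alb_listener.https_external` in alb.tf reads `aws_acm_certificate.cert.arn` directly, and `aws_acm_certificate_validation.cert` is referenced by no other resource, so on a fresh apply the listener can be created while the certificate is still pending validation and fail. Point the listener at `certificate_arn = aws_acm_certificate_validation.cert.certificate_arn` so the dependency is explicit. The certificate resource would also benefit from `lifecycle { create_before_destroy = true }`, since a replacement certificate (for example after `domain_name` changes) is otherwise destroyed while the listener still references it.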

+ 21 - 18
base/teleport-single-instance/cloud-init/cloud-init.tpl

@@ -5,24 +5,27 @@ salt-master: ${salt_master}
 fqdn: ${fqdn}
 
 # Write files happens early
-# but no proxy for the proxy. Commenting these out for other proxies
 write_files:
-#- content: |
-#    proxy=http://${proxy}:80
-#  path: /etc/yum.conf
-#  append: true
-#- content: |
-#    [global]
-#    proxy=${proxy}
-#  path: /etc/pip.conf
-#- content: |
-#    export HTTPS_PROXY=http://${proxy}:80
-#    export HTTP_PROXY=http://${proxy}:80
-#    export NO_PROXY=localhost,127.0.0.1,169.254.169.254,pvt.xdrtest.accenturefederalcyber.com,pvt.xdr.accenturefederalcyber.com,reposerver.msoc.defpoint.local,jenkins.msoc.defpoint.local,pod1search-splunk-sh.msoc.defpoint.local,s3.amazonaws.com,ssm.us-east-1.amazonaws.com,ec2messages.us-east-1.amazonaws.com,ec2.us-east-1.amazonaws.com,ssmmessages.us-east-1.amazonaws.com,iratemoses.mdr.defpoint.com,jira.mdr.defpoint.com,reposerver.pvt.xdr.accenturefederalcyber.com,jenkins.pvt.xdr.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdr.accenturefederalcyber.com,reposerver.pvt.xdrtest.accenturefederalcyber.com,jenkins.pvt.xdrtest.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdrtest.accenturefederalcyber.com,iratemoses.xdr.accenturefederalcyber.com,jira.xdr.accenturefederalcyber.com,iratemoses.xdrtest.accenturefederalcyber.com,jira.xdrtest.accenturefederalcyber.com
-#    export https_proxy=$HTTPS_PROXY
-#    export http_proxy=$HTTP_PROXY
-#    export no_proxy=$NO_PROXY
-#  path: /etc/profile.d/proxy.sh
+- content: |
+    proxy=http://${proxy}:80
+  path: /etc/yum.conf
+  append: true
+- content: |
+    proxy_host: ${proxy}
+    proxy_port: 80
+  path: /etc/salt/minion.d/proxy.conf
+- content: |
+    [global]
+    proxy=${proxy}
+  path: /etc/pip.conf
+- content: |
+    export HTTPS_PROXY=http://${proxy}:80
+    export HTTP_PROXY=http://${proxy}:80
+    export NO_PROXY=localhost,127.0.0.1,169.254.169.254,pvt.xdrtest.accenturefederalcyber.com,pvt.xdr.accenturefederalcyber.com,reposerver.msoc.defpoint.local,jenkins.msoc.defpoint.local,pod1search-splunk-sh.msoc.defpoint.local,s3.amazonaws.com,ssm.${ aws_region }.amazonaws.com,ec2messages.${ aws_region }.amazonaws.com,ec2.${ aws_region }.amazonaws.com,ssmmessages.${ aws_region }.amazonaws.com,iratemoses.mdr.defpoint.com,jira.mdr.defpoint.com,reposerver.pvt.xdr.accenturefederalcyber.com,jenkins.pvt.xdr.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdr.accenturefederalcyber.com,reposerver.pvt.xdrtest.accenturefederalcyber.com,jenkins.pvt.xdrtest.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdrtest.accenturefederalcyber.com,iratemoses.xdr.accenturefederalcyber.com,jira.xdr.accenturefederalcyber.com,iratemoses.xdrtest.accenturefederalcyber.com,jira.xdrtest.accenturefederalcyber.com
+    export https_proxy=$HTTPS_PROXY
+    export http_proxy=$HTTP_PROXY
+    export no_proxy=$NO_PROXY
+  path: /etc/profile.d/proxy.sh
 - content: |
     ${fqdn}
   path: /etc/salt/minion_id
@@ -32,9 +35,9 @@ write_files:
 - content: |
     grains:
       environment: ${ environment }
-      aws_region: ${ aws_region }
       aws_partition: ${ aws_partition }
       aws_partition_alias: ${ aws_partition_alias }
+      aws_region: ${ aws_region }
   path: /etc/salt/minion.d/cloud_init_grains.conf
 
 #yum_repos:
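Review bot: The pip entry is the odd one out in the newly enabled proxy block: `/etc/pip.conf` gets `proxy=${proxy}` with no scheme or port, while `/etc/yum.conf` and `/etc/profile.d/proxy.sh` use `http://${proxy}:80`. pip documents its proxy setting as a full `scheme://host:port` URL, so this entry presumably fails or falls back to a default port; `proxy=http://${proxy}:80` makes the three entries consistent. The exports in profile.d reach login shells only, so a service started by systemd will not inherit them; a comment such as `# shell/yum/pip proxy only — services need their own proxy config` would save the next reader the question. The enclosing write_files list continues past the hunk.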

+ 8 - 13
base/teleport-single-instance/main.tf

@@ -44,7 +44,7 @@ resource "aws_instance" "instance" {
 
   # These device definitions are optional, but added for clarity.
   root_block_device {
-      volume_type = "gp2"
+      volume_type = "gp3"
       #volume_size = "60"
       delete_on_termination = true
       encrypted = true
@@ -54,6 +54,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # swap
     device_name = "/dev/xvdm"
+    volume_type = "gp3"
     #volume_size = 48
     delete_on_termination = true
     encrypted = true
@@ -68,6 +69,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # /home
     device_name = "/dev/xvdn"
+    volume_type = "gp3"
     # volume_size = xx
     delete_on_termination = true
     encrypted = true
@@ -78,6 +80,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # /var
     device_name = "/dev/xvdo"
+    volume_type = "gp3"
     # volume_size = xx
     delete_on_termination = true
     encrypted = true
@@ -87,6 +90,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # /var/tmp
     device_name = "/dev/xvdp"
+    volume_type = "gp3"
     # volume_size = xx
     delete_on_termination = true
     encrypted = true
@@ -96,6 +100,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # /var/log
     device_name = "/dev/xvdq"
+    volume_type = "gp3"
     # volume_size = xx
     delete_on_termination = true
     encrypted = true
@@ -105,6 +110,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # /var/log/audit
     device_name = "/dev/xvdr"
+    volume_type = "gp3"
     # volume_size = xx
     delete_on_termination = true
     encrypted = true
@@ -114,6 +120,7 @@ resource "aws_instance" "instance" {
   ebs_block_device {
     # /tmp
     device_name = "/dev/xvds"
+    volume_type = "gp3"
     # volume_size = xx
     delete_on_termination = true
     encrypted = true
@@ -144,18 +151,6 @@ module "private_dns_record" {
   }
 }
 
-module "public_dns_record" {
-  source = "../../submodules/dns/public_A_record"
-
-  name = var.instance_name
-  ip_addresses = [ aws_eip.instance.public_ip ]
-  dns_info = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}
-
 #The Cloud init data is to prepare the instance for use. 
 data "template_file" "cloud_init" {
   # Should these be in a common directory? I suspect they'd be reusable

+ 115 - 0
base/teleport-single-instance/nlb.tf

@@ -0,0 +1,115 @@
+resource "aws_lb" "nlb" {
+  name               = "${var.instance_name}-nlb"
+  internal           = false
+  load_balancer_type = "network"
+  # Not supported for NLB
+  #security_groups    = [aws_security_group.nlb-sg.id]
+  # Note, changing subnets results in recreation of the resource
+  subnets            = var.subnets
+  enable_cross_zone_load_balancing = true
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+#########################
+# Listeners
+resource "aws_lb_listener" "nlb-listener-3023" {
+  load_balancer_arn = aws_lb.nlb.arn
+  port              = "3023"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.nlb-target-3023.arn
+  }
+}
+
+resource "aws_lb_listener" "nlb-listener-3024" {
+  load_balancer_arn = aws_lb.nlb.arn
+  port              = "3024"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.nlb-target-3024.arn
+  }
+}
+
+resource "aws_lb_listener" "nlb-listener-3026" {
+  load_balancer_arn = aws_lb.nlb.arn
+  port              = "3026"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.nlb-target-3026.arn
+  }
+}
+
+
+#########################
+# Targets
+resource "aws_lb_target_group" "nlb-target-3023" {
+  name     = "${var.instance_name}-nlb-target-3023"
+  port     = 3023
+  protocol = "TCP"
+  target_type = "instance"
+  vpc_id   = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_lb_target_group_attachment" "nlb-target-3023-instance" {
+  target_group_arn = aws_lb_target_group.nlb-target-3023.arn
+  target_id        = aws_instance.instance.id
+  port             = 3023
+}
+
+resource "aws_lb_target_group" "nlb-target-3024" {
+  name     = "${var.instance_name}-nlb-target-3024"
+  port     = 3024
+  protocol = "TCP"
+  target_type = "instance"
+  vpc_id   = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_lb_target_group_attachment" "nlb-target-3024-instance" {
+  target_group_arn = aws_lb_target_group.nlb-target-3024.arn
+  target_id        = aws_instance.instance.id
+  port             = 3024
+}
+
+resource "aws_lb_target_group" "nlb-target-3026" {
+  name     = "${var.instance_name}-nlb-target-3026"
+  port     = 3026
+  protocol = "TCP"
+  target_type = "instance"
+  vpc_id   = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_lb_target_group_attachment" "nlb-target-3026-instance" {
+  target_group_arn = aws_lb_target_group.nlb-target-3026.arn
+  target_id        = aws_instance.instance.id
+  port             = 3026
+}
+
+#########################
+# DNS Entry
+module "public_dns_record_for_nlb" {
+  source = "../../submodules/dns/public_ALIAS_record"
+
+  name = "${var.instance_name}-nlb"
+  target_dns_name = aws_lb.nlb.dns_name
+  target_zone_id  = aws_lb.nlb.zone_id
+  dns_info = var.dns_info
+
+  providers = {
+    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
+  }
+}
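Review bot: The three listener / target-group / attachment triples differ only in the port number, which invites drift the next time a port is added; a `for_each` over a local port set, as sketched below, keeps one definition per resource type (this renames the resource addresses, so plan for state moves). Worth a comment on `aws_lb.nlb`: because the NLB carries no security group (the commented-out line already notes this is unsupported) and the targets are `target_type = "instance"`, the client source address is preserved and the instance security group is the only filter on 3023/3024/3026, which is why security-groups.tf has to open those ports to `0.0.0.0/0`. The `access_logs` block will also stay empty for these TCP listeners, since NLB access logging only records TLS-listener traffic; keep it if TLS listeners are planned, otherwise note that it is a no-op.
```hcl
locals {
  # Teleport ports exposed through the NLB; one listener/target group per entry.
  nlb_ports = toset(["3023", "3024", "3026"])
}

resource "aws_lb_listener" "nlb" {
  for_each          = local.nlb_ports
  load_balancer_arn = aws_lb.nlb.arn
  port              = each.value
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nlb[each.key].arn
  }
}

resource "aws_lb_target_group" "nlb" {
  for_each    = local.nlb_ports
  name        = "${var.instance_name}-nlb-target-${each.value}"
  port        = each.value
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "nlb" {
  for_each         = local.nlb_ports
  target_group_arn = aws_lb_target_group.nlb[each.key].arn
  target_id        = aws_instance.instance.id
  port             = each.value
}
# … unchanged: aws_lb.nlb and the public_dns_record_for_nlb module …
```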

+ 21 - 21
base/teleport-single-instance/security-groups.tf

@@ -13,41 +13,41 @@ resource "aws_security_group" "instance" {
 }
 
 resource "aws_security_group_rule" "instance-http-in" {
-  description = "HTTP in - used for letsencrypt certbot"
+  description = "Web Interface from ALB"
   type = "ingress"
-  from_port = "80"
-  to_port = "80"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-teleport-in" {
-  description = "Teleport"
-  type = "ingress"
-  from_port = "3023"
-  to_port = "3025"
+  from_port = "3080"
+  to_port = "3080"
   protocol = "tcp"
-  cidr_blocks = [ "10.0.0.0/8" ]
+  source_security_group_id = aws_security_group.alb_server_external.id
   security_group_id = aws_security_group.instance.id
 }
 
-resource "aws_security_group_rule" "instance-teleport-auth-in" {
-  description = "Teleport"
+resource "aws_security_group_rule" "instance-teleport-in-3023-3024" {
+  description = "Teleport Proprietary Ports via NLB"
   type = "ingress"
   from_port = "3023"
-  to_port = "3023"
+  to_port = "3024"
   protocol = "tcp"
   cidr_blocks = [ "0.0.0.0/0" ]
   security_group_id = aws_security_group.instance.id
 }
 
-resource "aws_security_group_rule" "instance-teleport-proxy-in" {
-  description = "Teleport - Proxy web server"
+resource "aws_security_group_rule" "instance-teleport-in-3026" {
+  description = "Teleport Proprietary Ports via NLB"
   type = "ingress"
-  from_port = "3080"
-  to_port = "3080"
+  from_port = "3026"
+  to_port = "3026"
   protocol = "tcp"
   cidr_blocks = [ "0.0.0.0/0" ]
   security_group_id = aws_security_group.instance.id
 }
+
+#resource "aws_security_group_rule" "instance-teleport-proxy-in" {
+#  description = "Teleport - Proxy web server"
+#  type = "ingress"
+#  from_port = "3080"
+#  to_port = "3080"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
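Review bot: Port 3025 disappears from the instance security group: the removed `instance-teleport-in` rule admitted 3023–3025 from `10.0.0.0/8`, while the new rules cover only 3023–3024 and 3026, and nlb.tf adds no 3025 listener either. If any client on the private network still connects directly on 3025 this now fails at the SG, so either the drop is intentional and deserves a comment, or a 3025-from-`10.0.0.0/8` rule needs to return. The two NLB rules share the description `"Teleport Proprietary Ports via NLB"`; since the NLB preserves client IPs these are world-open rules, so something like `"Teleport 3023-3024 via NLB (client IPs preserved, hence 0.0.0.0/0)"` records why the CIDR is broad. `instance-http-in` no longer describes its contents (3080 from the ALB security group); renaming it costs a state move but avoids a misleading address. The commented-out `instance-teleport-proxy-in` block at the end is dead code now that `instance-http-in` covers 3080 from the ALB; drop it rather than carry it.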