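# Some instance variables
locals {
  instance_name_worker = "${var.prefix}-alsi-worker"
}

# One ENI per worker, placed round-robin across var.subnets. The instance's
# availability zone follows the ENI's subnet, so none is set on the instance.
resource "aws_network_interface" "worker" {
  count           = local.alsi_workers
  subnet_id       = var.subnets[count.index % length(var.subnets)] # evenly distributed across subnets
  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.alsi_worker_security_group.id]
  description     = "${local.instance_name_worker}-${count.index}"
  tags = merge(local.standard_tags, var.tags, {
    Name           = "${local.instance_name_worker}-${count.index}",
    instance_num   = count.index,
    instance_count = local.alsi_workers
  })
}

resource "aws_instance" "worker" {
  count = local.alsi_workers
  #availability_zone = var.azs[count.index % 2] # automatically determined by the network interface
  tenancy                              = "default"
  ebs_optimized                        = true
  disable_api_termination              = var.instance_termination_protection
  instance_initiated_shutdown_behavior = "stop"
  instance_type                        = local.instance_types["alsi-worker"]
  key_name                             = "msoc-build"
  monitoring                           = false
  iam_instance_profile                 = "msoc-default-instance-profile"
  ami                                  = local.ami_map[local.ami_selection]

  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
  # that could be removed.
  # Because ami, key_name and user_data are also ignored, a new AMI or an edited cloud-init
  # template is NOT rolled out to workers that already exist; they keep the image and
  # user_data they were launched with until the instance is replaced by other means.
  lifecycle {
    ignore_changes = [ami, key_name, user_data, ebs_block_device]
  }

  # NOTE(review): no metadata_options block is declared, so IMDS behaviour is whatever the
  # account/AMI default is. If IMDSv2-only is the standard for these hosts, add
  # `metadata_options { http_tokens = "required" }` -- confirm the agents on the worker
  # image support token-based IMDS before enforcing it.

  # These device definitions are optional, but added for clarity.
  # The root volume is encrypted with the shared EBS CMK (data.aws_kms_key.ebs-key)
  # rather than the AWS-managed default key.
  root_block_device {
    volume_type = "gp2"
    #volume_size = Override via var?
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
  }

  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.worker[count.index].id
  }

  user_data = data.template_cloudinit_config.cloud-init-worker[count.index].rendered

  tags = merge(local.standard_tags, var.tags, {
    Name           = "${local.instance_name_worker}-${count.index}",
    instance_num   = count.index,
    instance_count = local.alsi_workers
  })
  volume_tags = merge(local.standard_tags, var.tags, {
    Name           = "${local.instance_name_worker}-${count.index}",
    instance_num   = count.index,
    instance_count = local.alsi_workers
  })
}

# Private A record (and optionally PTR) per worker, pointing at the ENI's private IP.
module "private_dns_record_worker" {
  count           = local.alsi_workers
  source          = "../../../submodules/dns/private_A_record"
  name            = "${local.instance_name_worker}-${count.index}"
  ip_addresses    = [aws_instance.worker[count.index].private_ip]
  dns_info        = var.dns_info
  reverse_enabled = var.reverse_enabled
  providers = {
    aws.c2 = aws.c2
  }
}

# Render a multi-part cloud-init config making use of the part
# above, and other source files
data "template_cloudinit_config" "cloud-init-worker" {
  count         = local.alsi_workers
  gzip          = true
  base64_encode = true

  # Main cloud-config configuration file.
  # Rendered per worker so hostname/fqdn carry the instance index; the remaining
  # values (salt master, proxy, partition, region) are shared across all workers.
  part {
    filename     = "init.cfg"
    content_type = "text/cloud-config"
    content = templatefile("${path.module}/cloud-init/cloud-init.tpl", {
      hostname            = "${local.instance_name_worker}-${count.index}"
      fqdn                = "${local.instance_name_worker}-${count.index}.${var.dns_info["private"]["zone"]}"
      splunk_prefix       = var.prefix
      environment         = var.environment
      salt_master         = local.salt_master
      proxy               = local.proxy
      aws_partition       = var.aws_partition
      aws_partition_alias = var.aws_partition_alias
      aws_region          = var.aws_region
    })
  }
}

## ALSI Worker
#
# Summary of the rules declared below (the worker also carries the shared
# "typical-host" security group, whose rules are defined elsewhere):
#
# Ingress:
#   9000      - From alb_elastic (health check)
#   9200      - From alb_elastic (data stream)
#   9000      - From vpc-access
#   9200      - From vpc-access
#   9997-9998 - From vpc-access (test Splunk S2S)
#   8088      - From vpc-access (test HEC)
#   9997-9998 - From vpc-access + trusted_ips + splunk_data_sources, only when
#               local.alsi_splunk_nlb is set (see alsi_worker_external_in; note it is
#               attached to the HEC ALB security group, not this one)
#   8088      - From alb_hec / alb_splunk_hec: NOT yet declared (see TODO below)
#
# Egress:
#   4200      - To master (cribl replication)
#   8089      - To vpc_cidr (Splunk management)
#   9997-9998 - To vpc_cidr (Splunk data forwarding)
resource "aws_security_group" "alsi_worker_security_group" {
  name_prefix = "${var.prefix}_alsi_worker_security_group" # name prefix and livecycle allow for smooth updates
  lifecycle {
    create_before_destroy = true
  } # handle updates gracefully
  description = "Security Group for Aggregated Log Source Ingestion"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

# Ingress
resource "aws_security_group_rule" "alsi_worker_alb_elastic1" {
  description              = "Health Check"
  type                     = "ingress"
  from_port                = 9000
  to_port                  = 9000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alsi-alb-elastic-sg.id
  security_group_id        = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi_worker_alb_elastic2" {
  description              = "Data Stream"
  type                     = "ingress"
  from_port                = 9200
  to_port                  = 9200
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alsi-alb-elastic-sg.id
  security_group_id        = aws_security_group.alsi_worker_security_group.id
}

# TODO: Repeat top 2 for HEC and S2S forwarders

resource "aws_security_group_rule" "alsi_worker_vpn_in1" {
  description       = "Web access"
  type              = "ingress"
  from_port         = 9000
  to_port           = 9000
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi_worker_vpn_in2" {
  description       = "Web access"
  type              = "ingress"
  from_port         = 9200
  to_port           = 9200
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi_worker_vpn_in3" {
  description       = "Test Splunk access"
  type              = "ingress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi_worker_vpn_in4" {
  description       = "Test HEC access"
  type              = "ingress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi_worker_external_in" {
  # NLB requires the security group to allow access
  # NOTE(review): this is the widest ingress in the file (trusted_ips and
  # splunk_data_sources are reachable from outside the VPC) and it is attached to
  # aws_security_group.alsi-alb-hec-sg rather than the worker security group. An NLB
  # passes the client's source IP through to its targets, so if the workers are the
  # NLB targets the worker SG is the one that needs this rule -- confirm which resource
  # the NLB actually targets before relying on it.
  count       = local.alsi_splunk_nlb ? 1 : 0
  description = "Splunk data (S2S) from trusted sources via NLB"
  type        = "ingress"
  from_port   = 9997
  to_port     = 9998
  protocol    = "tcp"
  # toset() de-duplicates CIDRs that appear in more than one of the source lists.
  cidr_blocks       = toset(concat(local.cidr_map["vpc-access"], local.trusted_ips, local.splunk_data_sources))
  security_group_id = aws_security_group.alsi-alb-hec-sg.id
}

# Egress
resource "aws_security_group_rule" "alsi-interconnections" {
  description = "cribl replication"
  type        = "egress"
  from_port   = 4200
  to_port     = 4200
  protocol    = "tcp"
  # For an egress rule, source_security_group_id is the DESTINATION group
  # (the provider reuses the argument name for both directions).
  source_security_group_id = aws_security_group.alsi_master_security_group.id
  security_group_id        = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi-worker-splunk-mgmt" {
  description       = "Management Access"
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_cidr]
  security_group_id = aws_security_group.alsi_worker_security_group.id
}

resource "aws_security_group_rule" "alsi-worker-splunk-data" {
  # Description previously read "Management Access" (copy-paste from the 8089 rule);
  # 9997-9998 is the Splunk S2S data path.
  description       = "Splunk data forwarding (S2S)"
  type              = "egress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_cidr]
  security_group_id = aws_security_group.alsi_worker_security_group.id
}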