# Some instance variables locals { ami_selection = "minion" # master, minion, ... } # Rather than pass in the aws security group, we just look it up. This will # probably be useful other places, as well. data "aws_security_group" "typical-host" { name = "typical-host" vpc_id = var.vpc_id } # Use the default EBS key data "aws_kms_key" "ebs-key" { key_id = "alias/ebs_root_encrypt_decrypt" } resource "aws_network_interface" "instance" { subnet_id = var.subnets[0] security_groups = [data.aws_security_group.typical-host.id, aws_security_group.proxy_server_security_group.id] description = var.instance_name tags = merge(local.standard_tags, var.tags, { Name = var.instance_name }) } resource "aws_eip" "instance" { # checkov:skip=CKV2_AWS_19: EIPs are attached to VPC vpc = true tags = merge(local.standard_tags, var.tags, { Name = var.instance_name }) } resource "aws_eip_association" "instance" { network_interface_id = aws_network_interface.instance.id allocation_id = aws_eip.instance.id } resource "aws_instance" "instance" { #availability_zone = var.azs[count.index % 2] tenancy = "default" ebs_optimized = true disable_api_termination = var.instance_termination_protection instance_initiated_shutdown_behavior = "stop" instance_type = var.environment == "prod" ? "t3a.medium" : "t3a.xlarge" # TODO: Prod should be bigger than test key_name = "msoc-build" monitoring = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time iam_instance_profile = "msoc-default-instance-profile" metadata_options { http_endpoint = "enabled" # checkov:skip=CKV_AWS_79:see tfsec explanation # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668 http_tokens = "optional" } ami = local.ami_map[local.ami_selection] # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id. # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then # that could be removed. lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] } # These device definitions are optional, but added for clarity. root_block_device { volume_type = "gp2" #volume_size = "60" delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn } ebs_block_device { # swap device_name = "/dev/xvdm" #volume_size = 48 delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly. # This may prompt replacement when the AMI is updated. # See: # https://github.com/hashicorp/terraform/issues/19958 # https://github.com/terraform-providers/terraform-provider-aws/issues/13118 snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id } ebs_block_device { # /home device_name = "/dev/xvdn" # volume_size = xx delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id } ebs_block_device { # /var device_name = "/dev/xvdo" # volume_size = xx delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id } ebs_block_device { # /var/tmp device_name = "/dev/xvdp" # volume_size = xx delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id } ebs_block_device { # /var/log device_name = "/dev/xvdq" volume_size = 30 delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id } ebs_block_device { # /var/log/audit device_name = "/dev/xvdr" # volume_size = xx delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id } ebs_block_device { # /tmp device_name = "/dev/xvds" # volume_size = xx delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id } network_interface { device_index = 0 network_interface_id = aws_network_interface.instance.id } user_data = data.template_cloudinit_config.cloud_init_config.rendered tags = merge(local.standard_tags, var.tags, { Name = var.instance_name }) volume_tags = merge(local.standard_tags, var.tags, { Name = var.instance_name }) } module "private_dns_record" { source = "../../submodules/dns/private_A_record" name = var.instance_name ip_addresses = [aws_instance.instance.private_ip] dns_info = var.dns_info reverse_enabled = var.reverse_enabled providers = { aws.c2 = aws.c2 } } module "public_dns_record" { source = "../../submodules/dns/public_A_record" name = var.instance_name ip_addresses = [aws_eip.instance.public_ip] dns_info = var.dns_info providers = { aws.mdr-common-services-commercial = aws.mdr-common-services-commercial } } # Render a multi-part cloud-init config making use of the part # above, and other source files data "template_cloudinit_config" "cloud_init_config" { gzip = true base64_encode = true # Main cloud-config configuration file. part { filename = "init.cfg" content_type = "text/cloud-config" content = templatefile("${path.module}/cloud-init/cloud-init.tpl", { hostname = var.instance_name fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}" environment = var.environment salt_master = local.salt_master proxy = local.proxy aws_partition = var.aws_partition aws_partition_alias = var.aws_partition_alias aws_region = var.aws_region } ) } } #---------------------------------------------------------------------------- # Proxy Server Security Group #---------------------------------------------------------------------------- resource "aws_security_group" "proxy_server_security_group" { name = "proxy_server_security_group" description = "Security Group for the Proxy Server(s)" vpc_id = var.vpc_id tags = merge(local.standard_tags, var.tags) } #---------------------------------------------------------------------------- # Egress #---------------------------------------------------------------------------- resource "aws_security_group_rule" "http-out" { description = "Proxy allowed HTTP anywhere" type = "egress" from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr security_group_id = aws_security_group.proxy_server_security_group.id } resource "aws_security_group_rule" "https-out" { type = "egress" description = "HTTPS - Outbound - For endpoints and troubleshooting" from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr security_group_id = aws_security_group.proxy_server_security_group.id } #---------------------------------------------------------------------------- # Ingress #---------------------------------------------------------------------------- resource "aws_security_group_rule" "proxy-in" { type = "ingress" description = "Proxy Inbound HTTP" from_port = "80" to_port = "80" protocol = "tcp" cidr_blocks = ["10.0.0.0/8"] security_group_id = aws_security_group.proxy_server_security_group.id } resource "aws_security_group_rule" "proxy-in-https" { type = "ingress" description = "Proxy Inbound HTTPS" from_port = "443" to_port = "443" protocol = "tcp" cidr_blocks = ["10.0.0.0/8"] security_group_id = aws_security_group.proxy_server_security_group.id }