# Some instance variables locals { ami_selection = "minion" # master, minion, ... instance_name = var.instance_name != "" ? var.instance_name : "${var.prefix}-splunk-cust-sh" alb_name = "${var.prefix}-splunk-cust-sh" dns_short_name = "search.${var.prefix}" auth_short_name = "search-auth.${var.prefix}" } # Rather than pass in the aws security group, we just look it up. This will # probably be useful other places, as well. data "aws_security_group" "typical-host" { name = "typical-host" vpc_id = var.vpc_id } # Use the default EBS key data "aws_kms_key" "ebs-key" { key_id = "alias/ebs_root_encrypt_decrypt" } resource "aws_network_interface" "instance" { subnet_id = var.public_subnets[0] security_groups = [data.aws_security_group.typical-host.id, aws_security_group.searchhead_security_group.id] description = local.instance_name tags = merge(local.standard_tags, var.tags, { Name = local.instance_name }) } resource "aws_instance" "instance" { #availability_zone = var.azs[count.index % 2] tenancy = "default" ebs_optimized = true disable_api_termination = var.instance_termination_protection instance_initiated_shutdown_behavior = "stop" instance_type = local.instance_type key_name = "msoc-build" monitoring = false iam_instance_profile = module.instance_profile.profile_id metadata_options { http_tokens = "optional" # tfsec:ignore:aws-ec2-enforce-http-token-imds Splunk uses v1 by default. MSOCI-2150 } ami = local.ami_map[local.ami_selection] # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id. # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then # that could be removed. lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] } # These device definitions are optional, but added for clarity. root_block_device { volume_type = "gp3" volume_size = local.volume_sizes["/"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn } ebs_block_device { # /opt/splunk # Note: Not in AMI device_name = "/dev/xvdf" volume_type = "gp3" volume_size = local.volume_sizes["/opt/splunk"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn } ebs_block_device { # swap device_name = "/dev/xvdm" volume_type = "gp3" volume_size = local.volume_sizes["swap"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly. # This may prompt replacement when the AMI is updated. # See: # https://github.com/hashicorp/terraform/issues/19958 # https://github.com/terraform-providers/terraform-provider-aws/issues/13118 snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id } ebs_block_device { # /home device_name = "/dev/xvdn" volume_type = "gp3" volume_size = local.volume_sizes["/home"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id } ebs_block_device { # /var device_name = "/dev/xvdo" volume_type = "gp3" volume_size = local.volume_sizes["/var"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id } ebs_block_device { # /var/tmp device_name = "/dev/xvdp" volume_type = "gp3" volume_size = local.volume_sizes["/var/tmp"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id } ebs_block_device { # /var/log device_name = "/dev/xvdq" volume_type = "gp3" volume_size = local.volume_sizes["/var/log"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id } ebs_block_device { # /var/log/audit device_name = "/dev/xvdr" volume_type = "gp3" volume_size = local.volume_sizes["/var/log/audit"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id } ebs_block_device { # /tmp device_name = "/dev/xvds" volume_type = "gp3" volume_size = local.volume_sizes["/tmp"] delete_on_termination = true encrypted = true kms_key_id = data.aws_kms_key.ebs-key.arn snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id } network_interface { device_index = 0 network_interface_id = aws_network_interface.instance.id } user_data = data.template_cloudinit_config.cloud-init.rendered tags = merge(local.standard_tags, var.tags, { Name = local.instance_name }) volume_tags = merge(local.standard_tags, var.tags, { Name = local.instance_name }) } module "private_dns_record" { source = "../../../submodules/dns/private_A_record" name = local.instance_name ip_addresses = [aws_instance.instance.private_ip] dns_info = var.dns_info reverse_enabled = var.reverse_enabled providers = { aws.c2 = aws.c2 } } # Render a multi-part cloud-init config making use of the part # above, and other source files data "template_cloudinit_config" "cloud-init" { gzip = true base64_encode = true # Main cloud-config configuration file. part { filename = "init.cfg" content_type = "text/cloud-config" content = templatefile("${path.module}/cloud-init/cloud-init.tpl", { hostname = local.instance_name fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}" splunk_prefix = var.prefix environment = var.environment salt_master = local.salt_master proxy = local.proxy aws_partition = var.aws_partition aws_partition_alias = var.aws_partition_alias aws_region = var.aws_region } ) } # mount /dev/xvdf at /opt/splunk part { content_type = "text/cloud-boothook" content = file("${path.module}/cloud-init/opt_splunk.boothook") } } ## Searchhead # # Summary: # Ingress: # tcp/8000 - Splunk Web - vpc-access, Phantom # tcp/8000 - Splunk Web - Entire VPC # tcp/8089 - Splunk API - vpc-access, Phantom # tcp/8089 - Splunk API + IDX Discovery - Entire VPC # tcp/9997-9998 - Splunk Data - Entire VPC # # Ingress: # tcp/8089 - Splunk Web - vpc-system-services (for salt inventory and portal lambda) # # Egress: # tcp/8089 - Splunk API + IDX Discovery - Entire VPC resource "aws_security_group" "searchhead_security_group" { name = "${var.prefix}_customer_searchhead_security_group" description = "Security Group for Splunk Customer Searchhead Instance(s)" vpc_id = var.vpc_id tags = merge(local.standard_tags, var.tags) } #---------------------------------------------------------------------------- # INGRESS #---------------------------------------------------------------------------- resource "aws_security_group_rule" "splunk-web-in" { type = "ingress" description = "Splunk Web - Inbound access" from_port = 8000 to_port = 8000 protocol = "tcp" cidr_blocks = toset(concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"], [var.vpc_cidr], )) security_group_id = aws_security_group.searchhead_security_group.id } resource "aws_security_group_rule" "splunk-auth-in" { type = "ingress" description = "Splunk Auth - Inbound Web access" from_port = 10000 to_port = 10000 protocol = "tcp" cidr_blocks = toset(concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"], [var.vpc_cidr], )) security_group_id = aws_security_group.searchhead_security_group.id } resource "aws_security_group_rule" "splunk-api-in" { type = "ingress" description = "Splunk API - Inbound" from_port = 8089 to_port = 8089 protocol = "tcp" cidr_blocks = toset(concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"], local.cidr_map["vpc-splunk"], # MC [var.vpc_cidr], local.cidr_map["vpc-system-services"], # for salt inventory and Portal lambda )) security_group_id = aws_security_group.searchhead_security_group.id } #---------------------------------------------------------------------------- # EGRESS #---------------------------------------------------------------------------- resource "aws_security_group_rule" "splunk-api-out" { type = "egress" description = "Splunk API - Outbound to talk to indexers" from_port = 8089 to_port = 8089 protocol = "tcp" cidr_blocks = [var.vpc_cidr] security_group_id = aws_security_group.searchhead_security_group.id } resource "aws_security_group_rule" "splunk-data-out" { type = "egress" description = "Splunk Data - Outbound to talk to own indexers" from_port = 9997 to_port = 9998 protocol = "tcp" cidr_blocks = [var.vpc_cidr] security_group_id = aws_security_group.searchhead_security_group.id }