| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256 |
- # Some instance variables
- locals {
- instance_name_worker = "${var.prefix}-alsi-worker"
- splunk_vpc_cidrs = toset(concat([var.vpc_cidr], local.cidr_map["vpc-private-services"]))
- data_sources = toset(concat(tolist(local.splunk_vpc_cidrs), local.splunk_data_sources))
- }
- resource "aws_network_interface" "worker" {
- count = local.alsi_workers
- subnet_id = var.subnets[count.index % length(var.subnets)] # evenly distributed across subnets
- security_groups = [data.aws_security_group.typical-host.id, aws_security_group.alsi_worker_security_group.id]
- description = "${local.instance_name_worker}-${count.index}"
- tags = merge(local.standard_tags,
- var.tags,
- {
- Name = "${local.instance_name_worker}-${count.index}",
- instance_num = count.index,
- instance_count = local.alsi_workers
- }
- )
- }
- resource "aws_instance" "worker" {
- count = local.alsi_workers
- #availability_zone = var.azs[count.index % 2] # automatically determined by the network interface
- tenancy = "default"
- ebs_optimized = true
- disable_api_termination = var.instance_termination_protection
- instance_initiated_shutdown_behavior = "stop"
- instance_type = local.instance_types["alsi-worker"]
- key_name = "msoc-build"
- monitoring = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
- iam_instance_profile = "msoc-default-instance-profile"
- metadata_options {
- http_endpoint = "enabled"
- # checkov:skip=CKV_AWS_79:see tfsec explanation
- # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
- http_tokens = "optional"
- }
- ami = local.ami_map[local.ami_selection]
- # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
- # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
- # that could be removed.
- lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }
- # These device definitions are optional, but added for clarity.
- root_block_device {
- volume_type = "gp3"
- #volume_size = Override via var?
- delete_on_termination = true
- encrypted = true
- kms_key_id = data.aws_kms_key.ebs-key.arn
- }
- network_interface {
- device_index = 0
- network_interface_id = aws_network_interface.worker[count.index].id
- }
- user_data = data.template_cloudinit_config.cloud-init-worker[count.index].rendered
- tags = merge(local.standard_tags,
- var.tags,
- {
- Name = "${local.instance_name_worker}-${count.index}",
- instance_num = count.index,
- instance_count = local.alsi_workers
- }
- )
- volume_tags = merge(local.standard_tags,
- var.tags,
- {
- Name = "${local.instance_name_worker}-${count.index}",
- instance_num = count.index,
- instance_count = local.alsi_workers
- }
- )
- }
- module "private_dns_record_worker" {
- count = local.alsi_workers
- source = "../../../submodules/dns/private_A_record"
- name = "${local.instance_name_worker}-${count.index}"
- ip_addresses = [aws_instance.worker[count.index].private_ip]
- dns_info = var.dns_info
- reverse_enabled = var.reverse_enabled
- providers = {
- aws.c2 = aws.c2
- }
- }
- # Render a multi-part cloud-init config making use of the part
- # above, and other source files
- data "template_cloudinit_config" "cloud-init-worker" {
- count = local.alsi_workers
- gzip = true
- base64_encode = true
- # Main cloud-config configuration file.
- part {
- filename = "init.cfg"
- content_type = "text/cloud-config"
- content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
- {
- hostname = "${local.instance_name_worker}-${count.index}"
- fqdn = "${local.instance_name_worker}-${count.index}.${var.dns_info["private"]["zone"]}"
- splunk_prefix = var.prefix
- environment = var.environment
- salt_master = local.salt_master
- proxy = local.proxy
- aws_partition = var.aws_partition
- aws_partition_alias = var.aws_partition_alias
- aws_region = var.aws_region
- }
- )
- }
- }
- ## ALSI Worker
- #
- # Summary:
- # Ingress:
- # 9000 - From ALBs
- # 9000 - From vpc-access
- # 8088 - From alb_hec
- # 9200 - From alb_elastic
- # 8088 - From alb_splunk_hec
- #
- # Egress:
- # 4200 - To master
- # 9997 - To Splunk
- resource "aws_security_group" "alsi_worker_security_group" {
- name_prefix = "${var.prefix}_alsi_worker_security_group" # name prefix and livecycle allow for smooth updates
- lifecycle { create_before_destroy = true } # handle updates gracefully
- description = "Security Group for Aggregated Log Source Ingestion"
- vpc_id = var.vpc_id
- tags = merge(local.standard_tags, var.tags)
- }
- #----------------------------------------------------------------------------
- # INGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "alsi_worker_alb_elastic1" {
- description = "Health Check"
- type = "ingress"
- from_port = 9000
- to_port = 9000
- protocol = "tcp"
- source_security_group_id = aws_security_group.alsi-alb-elastic-sg.id
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi_worker_alb_elastic2" {
- description = "Data Stream"
- type = "ingress"
- from_port = 9200
- to_port = 9200
- protocol = "tcp"
- source_security_group_id = aws_security_group.alsi-alb-elastic-sg.id
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- # TODO: Repeat top 2 for HEC and S2S forwarders
- resource "aws_security_group_rule" "alsi_worker_vpn_in1" {
- description = "Web access from VPN"
- type = "ingress"
- from_port = 9000
- to_port = 9000
- protocol = "tcp"
- cidr_blocks = local.cidr_map["vpc-access"]
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi_worker_vpn_in2" {
- description = "Web access from VPN"
- type = "ingress"
- from_port = 9200
- to_port = 9200
- protocol = "tcp"
- cidr_blocks = local.cidr_map["vpc-access"]
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi_worker_vpn_in3" {
- description = "Splunk access from VPN"
- type = "ingress"
- from_port = 9997
- to_port = 9998
- protocol = "tcp"
- cidr_blocks = local.cidr_map["vpc-access"]
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi_worker_vpn_in4" {
- description = "HEC access from VPN"
- type = "ingress"
- from_port = 8088
- to_port = 8088
- protocol = "tcp"
- cidr_blocks = local.cidr_map["vpc-access"]
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi_worker_external_in" {
- # NLB requires the security group to allow access
- description = "Splunk access via NLB"
- count = local.alsi_splunk_nlb ? 1 : 0
- type = "ingress"
- from_port = 9997
- to_port = 9998
- protocol = "tcp"
- cidr_blocks = local.data_sources
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi_worker_hec_in" {
- description = "HEC access from Customer"
- type = "ingress"
- from_port = 8088
- to_port = 8088
- protocol = "tcp"
- cidr_blocks = local.data_sources
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- #----------------------------------------------------------------------------
- # EGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "alsi-interconnections" {
- description = "Cribl Replication"
- type = "egress"
- from_port = 4200
- to_port = 4200
- protocol = "tcp"
- source_security_group_id = aws_security_group.alsi_master_security_group.id
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi-worker-splunk-mgmt" {
- description = "Management Access"
- type = "egress"
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- cidr_blocks = [var.vpc_cidr]
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
- resource "aws_security_group_rule" "alsi-worker-splunk-data" {
- description = "Management Access"
- type = "egress"
- from_port = 9997
- to_port = 9998
- protocol = "tcp"
- cidr_blocks = [var.vpc_cidr]
- security_group_id = aws_security_group.alsi_worker_security_group.id
- }
|
