AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163
							# Some instance variables
locals {
  instance_name_master = "${ var.prefix }-alsi-master"
}

resource "aws_network_interface" "master" {
  subnet_id = var.subnets[0]
  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.alsi_master_security_group.id ]
  description = local.instance_name_master
  tags = merge( var.standard_tags, 
                var.tags, 
                { Name = local.instance_name_master }
              )
}

resource "aws_instance" "master" {
  tenancy = "default"
  ebs_optimized = true
  disable_api_termination = var.instance_termination_protection
  instance_initiated_shutdown_behavior = "stop"
  instance_type = var.instance_types["alsi-master"]
  key_name = "msoc-build"
  monitoring = false
  iam_instance_profile = "msoc-default-instance-profile"

  ami = local.ami_map[local.ami_selection]
  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
  # that could be removed.
  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }

  # These device definitions are optional, but added for clarity.
  root_block_device {
    volume_type = "gp2"
    #volume_size = Override via var?
    delete_on_termination = true
    encrypted = true
    kms_key_id = data.aws_kms_key.ebs-key.arn
  }

  network_interface {
    device_index = 0
    network_interface_id = aws_network_interface.master.id
  }

  user_data = data.template_cloudinit_config.cloud-init-master.rendered
  tags = merge( var.standard_tags, 
                var.tags, 
                { Name = local.instance_name_master, }
              )
  volume_tags = merge( var.standard_tags, 
                var.tags, 
                { Name = local.instance_name_master, }
              )
}

module "private_dns_record_master" {
  source = "../../../submodules/dns/private_A_record"

  name = local.instance_name_master
  ip_addresses = [ aws_instance.master.private_ip ]
  dns_info = var.dns_info
  reverse_enabled = var.reverse_enabled

  providers = {
    aws.c2 = aws.c2
  }
}

# Render a multi-part cloud-init config making use of the part
# above, and other source files
data "template_cloudinit_config" "cloud-init-master" {
  gzip          = true
  base64_encode = true

  # Main cloud-config configuration file.
  part {
    filename     = "init.cfg"
    content_type = "text/cloud-config"
    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
      {
        hostname = local.instance_name_master
        fqdn = "${local.instance_name_master}.${var.dns_info["private"]["zone"]}"
        splunk_prefix = var.prefix
        environment = var.environment
        salt_master  = var.salt_master
        proxy = var.proxy
        aws_partition = var.aws_partition
        aws_partition_alias = var.aws_partition_alias
        aws_region = var.aws_region
      }
    )
  }
}

## Master
#
# Summary:
#   Ingress:
#     9000 - From private ALB
#     9000 - From vpc-access
#
#   Egress:
#     9997/9998 - To Splunk
resource "aws_security_group" "alsi_master_security_group" {
  name_prefix = "${ var.prefix }_alsi_master_security_group" # name prefix and livecycle allow for smooth updates
  lifecycle { create_before_destroy = true } # handle updates gracefully
  description = "Security Group for Aggregated Log Source Ingestion"
  vpc_id = var.vpc_id
  tags = merge(var.standard_tags, var.tags)
}

# Ingress
resource "aws_security_group_rule" "alsi-master-alb-web-in" {
  description       = "Web access"
  type              = "ingress"
  from_port         = 9000
  to_port           = 9000
  protocol          = "tcp"
  source_security_group_id = aws_security_group.alsi-master-alb-sg.id
  security_group_id = aws_security_group.alsi_master_security_group.id
}

resource "aws_security_group_rule" "alsi-master-vpn-web-in" {
  description       = "Web access"
  type              = "ingress"
  from_port         = 9000
  to_port           = 9000
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-access"]
  security_group_id = aws_security_group.alsi_master_security_group.id
}

resource "aws_security_group_rule" "alsi-master-interconnections" {
  description       = "Cribl Replication"
  type              = "ingress"
  from_port         = 4200
  to_port           = 4200
  protocol          = "tcp"
  source_security_group_id = aws_security_group.alsi_worker_security_group.id
  security_group_id = aws_security_group.alsi_master_security_group.id
}

# Egress
resource "aws_security_group_rule" "alsi-master-splunk-mgmt" {
  description       = "Management Access"
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = [ var.vpc_cidr ]
  security_group_id = aws_security_group.alsi_master_security_group.id
} 

resource "aws_security_group_rule" "alsi-master-splunk-data" {
  description       = "Management Access"
  type              = "egress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = [ var.vpc_cidr ]
  security_group_id = aws_security_group.alsi_master_security_group.id
}