AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147
							data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

# Use the default EBS key
data "aws_kms_key" "ebs-key" {
  key_id = "alias/ebs_root_encrypt_decrypt"
}

data "aws_subnet" "private_subnet" {
  id = var.private_subnets[0]
}

resource "random_password" "password" {
  keepers          = {
    "version": 1 # increment to change the password
    # n.b. you could add other stuff to make this change automatically, e.g.
    # "instance_type": var.instance_type
    # Would then change this password every time the instance type changes.
  }
  length           = 32
  special          = false
  min_lower = 1
  min_numeric = 1
  min_upper = 1
  min_special = 0
  #override_special = "~!%^()-_+"
}

resource "aws_network_interface" "management" {
  subnet_id = var.private_subnets[0]
  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.inside.id ]
  description = var.instance_name
  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
}

resource "aws_network_interface" "outside" {
  subnet_id = var.public_subnets[0]
  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.outside.id ]
  description = var.instance_name
  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
}

resource "aws_network_interface" "inside" {
  subnet_id = var.private_subnets[0]
  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.inside.id ]
  description = var.instance_name
  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
}

resource "aws_eip" "outside" {
  vpc = true
  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
}

resource "aws_eip_association" "outside" {
  network_interface_id = aws_network_interface.outside.id
  allocation_id = aws_eip.outside.id
}

resource "aws_instance" "instance" {
  #availability_zone = var.azs[count.index % 2]
  tenancy = "default"
  ebs_optimized = true
  disable_api_termination = var.instance_termination_protection
  instance_initiated_shutdown_behavior = "stop"
  instance_type = var.instance_type
  key_name = "msoc-build"
  monitoring = false
  iam_instance_profile = "msoc-default-instance-profile"

  ami = "ami-04fe5af2dfd9c9d5e" # not quite sure how to determine other than to launch one
  # Owner: 
  # AMI Alias: /aws/service/marketplace/prod-bm2yu6zogql5s/9.15.1.15
  # Product Code: 80uds1joqwlz35hw1lx5h1bcc
  # Release Notes: https://www.cisco.com/c/en/us/support/security/asa-firepower-services/products-release-notes-list.html
  #
  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
  # that could be removed.
  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }

  network_interface {
    network_interface_id = aws_network_interface.management.id
    device_index         = 0
  }

  network_interface {
    network_interface_id = aws_network_interface.outside.id
    device_index         = 1
  }

  network_interface {
    network_interface_id = aws_network_interface.inside.id
    device_index         = 2
  }

  user_data = templatefile("${path.module}/files/userdata.tpl",
    {
      "hostname" = var.instance_name,
      "VPNPoolFrom1" = "172.16.32.15",
      "VPNPoolTo1" = "172.16.32.200",
      "VPNPoolMask1" = "255.255.255.0",
      "VPNUser" = "admin",
      "VPNPassword" = random_password.password.result,
      "dns1" = var.dns_servers[0],
      "dns2" = var.dns_servers[1],
      "PrivateSubnet1CIDR" = data.aws_subnet.private_subnet.cidr_block
      "PrivateSubnet1GW" = cidrhost(data.aws_subnet.private_subnet.cidr_block,1),
      "PrivateSubnet1Pool" = cidrhost(data.aws_subnet.private_subnet.cidr_block,0),
      "PrivateSubnet1Mask" = cidrnetmask(data.aws_subnet.private_subnet.cidr_block)
      #"PrivateSubnet1CIDR" = var.private_cidr[0],
      #"PrivateSubnet1GW" = cidrhost(var.private_cidr[0], 1),
      #"PrivateSubnet1Pool" = cidrhost(var.private_cidr[0], 0),
      #"PrivateSubnet1Mask" = cidrnetmask(var.private_cidr[0])
    }  
  )

  tags = merge( var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
}

module "private_dns_record" {
  source = "../../submodules/dns/private_A_record"

  name = var.instance_name
  ip_addresses = [ aws_network_interface.management.private_ip ]
  dns_info = var.dns_info
  reverse_enabled = true

  providers = {
    aws.c2 = aws.c2
  }
}

module "public_dns_record" {
  source = "../../submodules/dns/public_A_record"

  name = var.instance_name
  ip_addresses = [ aws_eip.outside.public_ip ]
  dns_info = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}