AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260
							locals {
  ami_selection = "minion" # master, minion, ...
  instance_name = "${var.instance_prefix}-${var.instance_number}"
}

# Rather than pass in the aws security group, we just look it up. This will
# probably be useful other places, as well.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

data "aws_kms_key" "ebs-key" {
  key_id = "alias/ebs_root_encrypt_decrypt"
}

resource "aws_network_interface" "instance" {
  subnet_id       = var.subnet_id
  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.dns_security_group.id]
  description     = local.instance_name
  tags            = merge(local.standard_tags, var.tags, { Name = local.instance_name })
}

resource "aws_eip" "instance" {
	# checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
  vpc  = true
  tags = merge(local.standard_tags, var.tags, { Name = local.instance_name })
}

resource "aws_eip_association" "instance" {
  network_interface_id = aws_network_interface.instance.id
  allocation_id        = aws_eip.instance.id
}

resource "aws_instance" "instance" {
  #availability_zone = var.azs[count.index % 2]
  tenancy                              = "default"
  ebs_optimized                        = true
  disable_api_termination              = var.instance_termination_protection
  instance_initiated_shutdown_behavior = "stop"
  instance_type                        = "t3a.xlarge"
  key_name                             = var.resolver_instance_key_name
  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
  iam_instance_profile                 = "msoc-default-instance-profile"

  metadata_options {
    http_endpoint = "enabled"
    # checkov:skip=CKV_AWS_79:see tfsec explanation
    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
    http_tokens   = "optional"
  }

  ami = local.ami_map["minion"]
  lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }

  root_block_device {
    volume_type           = "gp3"
    volume_size           = 10
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
  }

  ebs_block_device {
    # swap
    device_name           = "/dev/xvdm"
    volume_size           = 8
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
    # This may prompt replacement when the AMI is updated.
    # See:
    #   https://github.com/hashicorp/terraform/issues/19958
    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
  }
  ebs_block_device {
    # /home
    device_name           = "/dev/xvdn"
    volume_size           = 8
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
  }
  ebs_block_device {
    # /var
    device_name           = "/dev/xvdo"
    volume_size           = 4
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
  }
  ebs_block_device {
    # /var/tmp
    device_name           = "/dev/xvdp"
    volume_size           = 4
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
  }
  ebs_block_device {
    # /var/log
    device_name           = "/dev/xvdq"
    volume_size           = 8
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
  }
  ebs_block_device {
    # /var/log/audit
    device_name           = "/dev/xvdr"
    volume_size           = 8
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
  }
  ebs_block_device {
    # /tmp
    device_name           = "/dev/xvds"
    volume_size           = 4
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = data.aws_kms_key.ebs-key.arn
    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
  }

  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.instance.id
  }

  user_data = data.template_cloudinit_config.cloud-init.rendered
  tags      = merge(local.standard_tags, var.tags, var.instance_tags, { Name = local.instance_name })
}

module "private_dns_record" {
  source = "../../../submodules/dns/private_A_record"

  name            = local.instance_name
  ip_addresses    = [aws_instance.instance.private_ip]
  dns_info        = var.dns_info
  reverse_enabled = var.reverse_enabled

  providers = {
    aws.c2 = aws.c2
  }
}

module "public_dns_record" {
  source = "../../../submodules/dns/public_A_record"

  name         = local.instance_name
  ip_addresses = [aws_eip.instance.public_ip]
  dns_info     = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

# Render a multi-part cloud-init config making use of the part
# above, and other source files
data "template_cloudinit_config" "cloud-init" {
  gzip          = true
  base64_encode = true

  # Main cloud-config configuration file.
  part {
    filename     = "init.cfg"
    content_type = "text/cloud-config"
    content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
      {
        hostname    = local.instance_name
        fqdn        = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
        environment = var.environment
        # can't use the DNS name like we would most places, because this is the DNS server
        saltmaster          = var.environment == "test" ? "10.20.2.32" : "10.40.2.106"
        proxy               = local.proxy_ip
        aws_partition       = var.aws_partition
        aws_partition_alias = var.aws_partition_alias
        aws_region          = var.aws_region
      }
    )
  }

  # Additional parts as needed
  #part {
  #  content_type = "text/x-shellscript"
  #  content      = "ffbaz"
  #}
}

#----------------------------------------------------------------------------
# DNS Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "dns_security_group" {
  name        = "dns_security_group_${var.instance_number}"
  description = "DNS Security Group"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "dns-tcp" {
  type              = "ingress"
  description       = "DNS - Inbound TCP"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.dns_security_group.id
}

resource "aws_security_group_rule" "dns-udp" {
  type              = "ingress"
  description       = "DNS - Inbound UDP"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.dns_security_group.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "dns_outbound_tcp" {
  type              = "egress"
  description       = "DNS - Outbound TCP"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
  security_group_id = aws_security_group.dns_security_group.id
}

resource "aws_security_group_rule" "dns_outbound_udp" {
  type              = "egress"
  description       = "DNS - Outbound UDP"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
  security_group_id = aws_security_group.dns_security_group.id
}