AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230
							# Some instance variables
locals {
  ami_selection       = "minion" # master, minion, ...
}

# Rather than pass in the aws security group, we just look it up. This will
# probably be useful other places, as well.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

# Use the default EBS key
data "aws_kms_key" "ebs-key" {
  key_id = "alias/ebs_root_encrypt_decrypt"
}

#------------------------------------
# EC2 ASG 
#------------------------------------
# TODO: switch this to Launch Template for gp3 volume usage. 
# https://github.com/terraform-community-modules/tf_aws_asg_elb/issues/11
module "customer_portal_asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "3.9.0"
  name = "customer-portal"

  lc_name = "customer-portal-lc"

  iam_instance_profile = aws_iam_instance_profile.portal_server_instance_profile.name
  image_id             = local.ami_map[local.ami_selection]
  instance_type        = var.instance_type
  security_groups      = [ data.aws_security_group.typical-host.id, aws_security_group.customer_portal.id ]
  user_data            = data.template_cloudinit_config.cloud-init.rendered
  key_name             = "msoc-build"
  ebs_optimized        = true
  target_group_arns    = [ aws_alb_target_group.portal.arn, ]

  root_block_device = [
      {
        volume_type = "gp2"
        volume_size = "100"
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
      },
  ]

    ebs_block_device = [
      {
        # swap
        device_name = "/dev/xvdm"
        #volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
        # This may prompt replacement when the AMI is updated.
        # See:
        #   https://github.com/hashicorp/terraform/issues/19958
        #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
      },
      {
        # /home
        device_name = "/dev/xvdn"
        # volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
      },
      {
        # /var
        device_name = "/dev/xvdo"
        # volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
      },
      {
        # /var/tmp
        device_name = "/dev/xvdp"
        # volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
      },
      {
        # /var/log
        device_name = "/dev/xvdq"
        # volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
      },
      {
        # /var/log/audit
        device_name = "/dev/xvdr"
        # volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
      },
      {
        # /tmp
        device_name = "/dev/xvds"
        # volume_size = xx
        delete_on_termination = true
        encrypted = true
        kms_key_id = data.aws_kms_key.ebs-key.arn
        snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
      },
    ]


  # Auto scaling group
  asg_name                  = "customer-portal-asg"
  vpc_zone_identifier       = var.private_subnets
  health_check_type         = "EC2"
  min_size                  = 1
  max_size                  = 2
  desired_capacity          = 2
  wait_for_capacity_timeout = 0
  tags_as_map = merge(var.standard_tags, var.tags)
}


data "template_file" "cloud-init" {
  # Should these be in a common directory? I suspect they'd be reusable
  template = file("${path.module}/cloud-init/cloud-init.tpl")

  vars = {
    zone = var.dns_info["private"]["zone"]
    environment = var.environment
    salt_master  = var.salt_master
    proxy = var.proxy
    aws_partition = var.aws_partition
    aws_partition_alias = var.aws_partition_alias
    aws_region = var.aws_region
  }
}

# Render a multi-part cloud-init config making use of the part
# above, and other source files
data "template_cloudinit_config" "cloud-init" {
  gzip          = true
  base64_encode = true

  # Main cloud-config configuration file.
  part {
    filename     = "init.cfg"
    content_type = "text/cloud-config"
    content      = data.template_file.cloud-init.rendered
  }

  # Additional parts as needed
  #part {
  #  content_type = "text/x-shellscript"
  #  content      = "ffbaz"
  #}
}


#------------------------------------
# S3 Bucket  What is this used for? Uncomment if needed. 
#------------------------------------
# resource "aws_s3_bucket" "customer-portal" {
#   bucket = "dps-customer-portal-${terraform.workspace}"
#   acl    = "private"

#   tags = merge(var.standard_tags, var.tags, )
# }

#------------------------------------
# Security Groups
#------------------------------------

resource "aws_security_group" "customer_portal" {
  name        = "customer_portal_http_inbound_sg"
  description = "Allow Customer Portal HTTP Inbound From ALB"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "customer_portal" {
  protocol                 = "tcp"
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  security_group_id        = aws_security_group.customer_portal.id
  source_security_group_id = aws_security_group.customer_portal_alb.id
}

resource "aws_security_group_rule" "customer_portal_postgres_outbound" {
  type                     = "egress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id = aws_security_group.customer_portal.id
  source_security_group_id = aws_security_group.postgres.id
}

resource "aws_security_group_rule" "customer_portal_http_outbound" {
  type        = "egress"
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
  security_group_id = aws_security_group.customer_portal.id
}

resource "aws_security_group_rule" "customer_portal_https_outbound" {
  type        = "egress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
  security_group_id = aws_security_group.customer_portal.id
}

### Output environment ID for purposes
#output portal_env_id {
#  value = "${aws_elastic_beanstalk_environment.mdr-customer-portal-env.id}"
#}