Home Esplora Aiuto
Registrati Accedi
AFS
/
xdr-terraform-modules
2
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): f9fb66fa14
Rami (Branch) Tag
xdr-terraform-m...
/
base
/
splunk_servers
/
alsi
/
main.tf

main.tf 5.9 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. # Some instance variables
    2. 

  2. locals {
    3. 

  3.   ami_selection = "minion" # master, minion, ...
    4. 

  4.   instance_name = "${ var.prefix }-alsi"
    5. 

  5.   is_moose = length(regexall("moose", var.prefix)) > 0 ? true : false
    6. 

  6. }
    7. 

  7. 

  8. # Rather than pass in the aws security group, we just look it up.
    9. 

  9. data "aws_security_group" "typical-host" {
    10. 

  10.   name   = "typical-host"
    11. 

  11.   vpc_id = var.vpc_id
    12. 

  12. }
    13. 

  13. 

  14. # Use the default EBS key
    15. 

  15. data "aws_kms_key" "ebs-key" {
    16. 

  16.   key_id = "alias/ebs_root_encrypt_decrypt"
    17. 

  17. }
    18. 

  18. 

  19. resource "aws_network_interface" "instance" {
    20. 

  20.   count = var.alsi_count
    21. 

  21.   subnet_id = var.subnets[ count.index % length(var.subnets) ] # evenly distributed across subnets
    22. 

  22.   security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.alsi_security_group.id ]
    23. 

  23.   description = "${local.instance_name}-${count.index}"
    24. 

  24.   tags = merge( var.standard_tags, 
    25. 

  25.                 var.tags, 
    26. 

  26.                 { 
    27. 

  27.                   Name = "${local.instance_name}-${count.index}", 
    28. 

  28.                   instance_num = count.index, 
    29. 

  29.                   instance_count = var.alsi_count 
    30. 

  30.                 }
    31. 

  31.               )
    32. 

  32. }
    33. 

  33. 

  34. resource "aws_instance" "instance" {
    35. 

  35.   count = var.alsi_count
    36. 

  36.   #availability_zone = var.azs[count.index % 2] # automatically determined by the network interface
    37. 

  37.   tenancy = "default"
    38. 

  38.   ebs_optimized = true
    39. 

  39.   disable_api_termination = var.instance_termination_protection
    40. 

  40.   instance_initiated_shutdown_behavior = "stop"
    41. 

  41.   instance_type = var.instance_type
    42. 

  42.   key_name = "msoc-build"
    43. 

  43.   monitoring = false
    44. 

  44.   iam_instance_profile = "msoc-default-instance-profile"
    45. 

  45. 

  46.   ami = local.ami_map[local.ami_selection]
    47. 

  47.   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
    48. 

  48.   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
    49. 

  49.   # that could be removed.
    50. 

  50.   lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
    51. 

  51. 

  52.   # These device definitions are optional, but added for clarity.
    53. 

  53.   root_block_device {
    54. 

  54.     volume_type = "gp2"
    55. 

  55.     #volume_size = Override via var?
    56. 

  56.     delete_on_termination = true
    57. 

  57.     encrypted = true
    58. 

  58.     kms_key_id = data.aws_kms_key.ebs-key.arn
    59. 

  59.   }
    60. 

  60. 

  61.   network_interface {
    62. 

  62.     device_index = 0
    63. 

  63.     network_interface_id = aws_network_interface.instance[count.index].id
    64. 

  64.   }
    65. 

  65. 

  66.   user_data = data.template_cloudinit_config.cloud-init[count.index].rendered
    67. 

  67.   tags = merge( var.standard_tags, 
    68. 

  68.                 var.tags, 
    69. 

  69.                 { 
    70. 

  70.                   Name = "${local.instance_name}-${count.index}", 
    71. 

  71.                   instance_num = count.index, 
    72. 

  72.                   instance_count = var.alsi_count 
    73. 

  73.                 }
    74. 

  74.               )
    75. 

  75.   volume_tags = merge( var.standard_tags, 
    76. 

  76.                 var.tags, 
    77. 

  77.                 { 
    78. 

  78.                   Name = "${local.instance_name}-${count.index}", 
    79. 

  79.                   instance_num = count.index, 
    80. 

  80.                   instance_count = var.alsi_count 
    81. 

  81.                 }
    82. 

  82.               )
    83. 

  83. }
    84. 

  84. 

  85. module "private_dns_record" {
    86. 

  86.   count = var.alsi_count
    87. 

  87.   source = "../../../submodules/dns/private_A_record"
    88. 

  88. 

  89.   name = "${local.instance_name}-${count.index}"
    90. 

  90.   ip_addresses = [ aws_instance.instance[count.index].private_ip ]
    91. 

  91.   dns_info = var.dns_info
    92. 

  92.   reverse_enabled = var.reverse_enabled
    93. 

  93. 

  94.   providers = {
    95. 

  95.     aws.c2 = aws.c2
    96. 

  96.   }
    97. 

  97. }
    98. 

  98. 

  99. data "template_file" "cloud-init" {
    100. 

  100.   count = var.alsi_count
    101. 

  101. 

  102.   # Should these be in a common directory? I suspect they'd be reusable
    103. 

  103.   template = file("${path.module}/cloud-init/cloud-init.tpl")
    104. 

  104. 

  105.   vars = {
    106. 

  106.     hostname = "${local.instance_name}-${count.index}"
    107. 

  107.     fqdn = "${local.instance_name}-${count.index}.${var.dns_info["private"]["zone"]}"
    108. 

  108.     splunk_prefix = var.prefix
    109. 

  109.     environment = var.environment
    110. 

  110.     salt_master  = var.salt_master
    111. 

  111.     proxy = var.proxy
    112. 

  112.     aws_partition = var.aws_partition
    113. 

  113.     aws_partition_alias = var.aws_partition_alias
    114. 

  114.     aws_region = var.aws_region
    115. 

  115.   }
    116. 

  116. }
    117. 

  117. 

  118. # Render a multi-part cloud-init config making use of the part
    119. 

  119. # above, and other source files
    120. 

  120. data "template_cloudinit_config" "cloud-init" {
    121. 

  121.   count         = var.alsi_count
    122. 

  122.   gzip          = true
    123. 

  123.   base64_encode = true
    124. 

  124. 

  125.   # Main cloud-config configuration file.
    126. 

  126.   part {
    127. 

  127.     filename     = "init.cfg"
    128. 

  128.     content_type = "text/cloud-config"
    129. 

  129.     content      = data.template_file.cloud-init[count.index].rendered
    130. 

  130.   }
    131. 

  131. }
    132. 

  132. 

  133. ## ALSI
    134. 

  134. #
    135. 

  135. # Summary:
    136. 

  136. #   Ingress:
    137. 

  137. #     443 - from ALB
    138. 

  138. #     443 - From vpc-access
    139. 

  139. #
    140. 

  140. #   Egress:
    141. 

  141. #     8089 - To Splunk
    142. 

  142. #     9997 - To Splunk
    143. 

  143. resource "aws_security_group" "alsi_security_group" {
    144. 

  144.   name_prefix = "${ var.prefix }_alsi_security_group" # name prefix and livecycle allow for smooth updates
    145. 

  145.   lifecycle { create_before_destroy = true } # handle updates gracefully
    146. 

  146.   description = "Security Group for Aggregated Log Source Ingestion"
    147. 

  147.   vpc_id = var.vpc_id
    148. 

  148.   tags = merge(var.standard_tags, var.tags)
    149. 

  149. }
    150. 

  150. 

  151. # Ingress
    152. 

  152. resource "aws_security_group_rule" "alsi-alb-web-in" {
    153. 

  153.   description       = "Web access"
    154. 

  154.   type              = "ingress"
    155. 

  155.   from_port         = 443
    156. 

  156.   to_port           = 443
    157. 

  157.   protocol          = "tcp"
    158. 

  158.   source_security_group_id = aws_security_group.alsi-alb-sg.id
    159. 

  159.   security_group_id = aws_security_group.alsi_security_group.id
    160. 

  160. }
    161. 

  161. 

  162. resource "aws_security_group_rule" "alsi-access-web-in" {
    163. 

  163.   description       = "Web access"
    164. 

  164.   type              = "ingress"
    165. 

  165.   from_port         = 443
    166. 

  166.   to_port           = 443
    167. 

  167.   protocol          = "tcp"
    168. 

  168.   cidr_blocks       = var.cidr_map["vpc-access"]
    169. 

  169.   security_group_id = aws_security_group.alsi_security_group.id
    170. 

  170. }
    171. 

  171. 

  172. # Egress
    173. 

  173. resource "aws_security_group_rule" "splunk-mgmt" {
    174. 

  174.   description       = "Management Access"
    175. 

  175.   type              = "egress"
    176. 

  176.   from_port         = 8089
    177. 

  177.   to_port           = 8089
    178. 

  178.   protocol          = "tcp"
    179. 

  179.   cidr_blocks       = [ var.vpc_cidr ]
    180. 

  180.   security_group_id = aws_security_group.alsi_security_group.id
    181. 

  181. } 
    182. 

  182. 

  183. resource "aws_security_group_rule" "splunk-data" {
    184. 

  184.   description       = "Management Access"
    185. 

  185.   type              = "egress"
    186. 

  186.   from_port         = 9997
    187. 

  187.   to_port           = 9998
    188. 

  188.   protocol          = "tcp"
    189. 

  189.   cidr_blocks       = [ var.vpc_cidr ]
    190. 

  190.   security_group_id = aws_security_group.alsi_security_group.id
    191. 

  191. }
    192.