Feature nlb #11

Merged
merged 89 commits into from
Sep 3, 2018
Commits
1d51915
remove commented out code
joshuamkite Aug 22, 2018
e7797b6
create network load balancer
joshuamkite Aug 25, 2018
f9d93cf
move locals to dedicated file
joshuamkite Aug 25, 2018
95cf133
move security group and rules to separate file
joshuamkite Aug 25, 2018
08b0961
changes to accommodate network load balancer
joshuamkite Aug 25, 2018
8034f72
remove unused variables
joshuamkite Aug 25, 2018
6e989c3
update outputs for new resources
joshuamkite Aug 25, 2018
1c6cac1
update documentation
joshuamkite Aug 25, 2018
b342089
remove gitignore
joshuamkite Aug 25, 2018
cc24693
linting
joshuamkite Aug 25, 2018
e80adc5
conditional logic is conditional
joshuamkite Aug 25, 2018
63cc7df
taggy mctagface
joshuamkite Aug 25, 2018
d6a2718
cautionary note added to variables
joshuamkite Aug 25, 2018
1bc49ed
what's in a name
joshuamkite Aug 25, 2018
ced2c16
update documentation
joshuamkite Aug 26, 2018
08d7684
initial working version
joshuamkite Aug 26, 2018
f7ee2d9
update documentation
joshuamkite Aug 26, 2018
a25bf26
update descriptions in security group
joshuamkite Aug 26, 2018
4cc6ab7
linting
joshuamkite Aug 26, 2018
a8467c4
rename load_balancer_service file
joshuamkite Aug 27, 2018
d8b9b18
create only single lb with conditional listeners
joshuamkite Aug 28, 2018
c6d878f
conditionally create host target group
joshuamkite Aug 28, 2018
6e16607
moved desktop run instructions to separate file
joshuamkite Aug 28, 2018
6048e19
update documentation
joshuamkite Aug 28, 2018
17675b6
typos in descriptions
joshuamkite Aug 28, 2018
e564930
expand comments
joshuamkite Aug 28, 2018
298f404
update changelog
joshuamkite Aug 29, 2018
e93c73f
change variables prefix from elb to lb
joshuamkite Aug 29, 2018
77a3e2a
change variables prefix from elb to lb
joshuamkite Aug 29, 2018
ec3e075
change variables prefix from elb to lb, update descriptions
joshuamkite Aug 29, 2018
6ab41fd
change variables prefix from elb to lb, change route_53_record output…
joshuamkite Aug 29, 2018
4d37c46
change variables prefix from elb to lb, update descriptions
joshuamkite Aug 29, 2018
3f24764
remove commented out code
joshuamkite Aug 22, 2018
81117ff
create network load balancer
joshuamkite Aug 25, 2018
987b1ec
move locals to dedicated file
joshuamkite Aug 25, 2018
5936035
move security group and rules to separate file
joshuamkite Aug 25, 2018
7eabd2b
changes to accommodate network load balancer
joshuamkite Aug 25, 2018
8f32973
remove unused variables
joshuamkite Aug 25, 2018
e1eba6e
update outputs for new resources
joshuamkite Aug 25, 2018
4869306
update documentation
joshuamkite Aug 25, 2018
9309b1d
remove gitignore
joshuamkite Aug 25, 2018
59ce403
linting
joshuamkite Aug 25, 2018
b83f201
conditional logic is conditional
joshuamkite Aug 25, 2018
b184296
taggy mctagface
joshuamkite Aug 25, 2018
9395366
cautionary note added to variables
joshuamkite Aug 25, 2018
5220cda
what's in a name
joshuamkite Aug 25, 2018
9bbf957
update documentation
joshuamkite Aug 26, 2018
6017aec
initial working version
joshuamkite Aug 26, 2018
08b4d84
update documentation
joshuamkite Aug 26, 2018
37e68e0
update descriptions in security group
joshuamkite Aug 26, 2018
892d0d6
linting
joshuamkite Aug 26, 2018
0219021
rename load_balancer_service file
joshuamkite Aug 27, 2018
4d00de5
create only single lb with conditional listeners
joshuamkite Aug 28, 2018
7d0ba33
conditionally create host target group
joshuamkite Aug 28, 2018
f529986
moved desktop run instructions to separate file
joshuamkite Aug 28, 2018
bc14f08
update documentation
joshuamkite Aug 28, 2018
9c7d851
typos in descriptions
joshuamkite Aug 28, 2018
1ddf3c6
expand comments
joshuamkite Aug 28, 2018
8b8acd5
update changelog
joshuamkite Aug 29, 2018
98b8c2c
change variables prefix from elb to lb
joshuamkite Aug 29, 2018
4cc0b39
change variables prefix from elb to lb
joshuamkite Aug 29, 2018
32a3705
change variables prefix from elb to lb, update descriptions
joshuamkite Aug 29, 2018
c950bb4
change variables prefix from elb to lb, change route_53_record output…
joshuamkite Aug 29, 2018
d920247
change variables prefix from elb to lb, update descriptions
joshuamkite Aug 29, 2018
b7450e3
update documentation
joshuamkite Aug 29, 2018
966d2f8
update Changelog
joshuamkite Aug 29, 2018
7c8bac8
merge conflicts
joshuamkite Aug 29, 2018
28bc842
correct output variable class
joshuamkite Aug 29, 2018
2d3dc4a
reverting dns output to string
joshuamkite Aug 29, 2018
4aec977
change lb name; correct comment
joshuamkite Aug 30, 2018
f8126ca
change lb name; target group names
joshuamkite Aug 30, 2018
5403fd1
remove name from security group to allow upgrade
joshuamkite Aug 30, 2018
5ecf4c0
revert
joshuamkite Aug 30, 2018
ca67561
revert
joshuamkite Aug 30, 2018
66111cc
revert
joshuamkite Aug 30, 2018
2c0ca10
add revoke_rules_on_delete to security group
joshuamkite Aug 30, 2018
63fb4ab
change name to name_prefix and add lifecycle rule to security group
joshuamkite Aug 30, 2018
19ec224
return revoke_rules_on_delete
joshuamkite Aug 30, 2018
ca5f465
add empty security group for upgrade
joshuamkite Aug 30, 2018
0a862f7
typo
joshuamkite Aug 30, 2018
e6ac376
remove empty security group, change name_prefix to name
joshuamkite Aug 30, 2018
3113974
name_prefix again
joshuamkite Aug 30, 2018
8272f96
remove empty security group
joshuamkite Aug 30, 2018
177d191
typo filename, update changelog
joshuamkite Aug 30, 2018
702a25a
filename typo
joshuamkite Aug 30, 2018
36f2a84
change name to name_prefix and simplify for sg
joshuamkite Aug 30, 2018
5b57d45
update changelog
joshuamkite Aug 31, 2018
ce03c61
update readme
joshuamkite Sep 3, 2018
8f24ef6
typos
joshuamkite Sep 3, 2018
changes to accommodate network load balancer
joshuamkite committed Aug 25, 2018
commit 08b0961ce16d73413b13d0976f8b034343884244
175 changes: 2 additions & 173 deletions main.tf
@@ -1,33 +1,12 @@
#Get aws account number
data "aws_caller_identity" "current" {}

#get aws region for use later in plan
data "aws_region" "current" {}

#get list of AWS Availability Zones which can be accessed by an AWS account within the region for use later in plan
data "aws_availability_zones" "available" {}

#get vpc data to whitelist internal CIDR range for Load Balanacer
data "aws_vpc" "main" {
id = "${var.vpc}"
}

##########################
#Create local for bastion hostname
##########################

locals {
bastion_vpc_name = "${var.bastion_vpc_name == "vpc_id" ? var.vpc : var.bastion_vpc_name}"
bastion_host_name = "${join("-", compact(list(var.environment_name, data.aws_region.current.name, local.bastion_vpc_name)))}"
}

##########################
#Create user-data for bastion ec2 instance
##########################
locals {
assume_role_yes = "${var.assume_role_arn != "" ? 1 : 0}"
assume_role_no = "${var.assume_role_arn == "" ? 1 : 0}"
}

data "template_file" "user_data_assume_role" {
count = "${local.assume_role_yes}"
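Review bot: the `-`/`+` markers did not survive extraction, but the header (33 lines before, 12 after, nothing added) means 21 lines of this region are being deleted, and the `aws_vpc` data source is among the candidates; its comment says it exists to whitelist the VPC's internal CIDR range for the load balancer, and that need does not go away with a network load balancer, whose health checks and forwarded connections reach the instances from addresses inside the VPC rather than from a load balancer security group, so if that block leaves this file the VPC CIDR lookup (or an equivalent input) has to be reintroduced wherever the security group rules now live. If the two `locals` blocks are the rest of what is removed, the commit message should say they were moved rather than dropped, because `local.assume_role_yes` is still referenced in the context line `count = "${local.assume_role_yes}"` directly below.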
@@ -78,117 +57,6 @@ data "template_cloudinit_config" "config" {
}
}

# ##################
# # security group for bastion_service
# ##################

resource "aws_security_group" "bastion_service" {
name = "${var.environment_name}-${data.aws_region.current.name}-${var.vpc}-bastion-service"
description = "Allow access from the SSH Load Balancer to the Bastion Host"

vpc_id = "${var.vpc}"
tags = "${var.tags}"
}

resource "aws_security_group" "bastion_lb" {
name = "${var.environment_name}-${data.aws_region.current.name}-${var.vpc}-bastion-lb"
description = "Allow access from the Internet to the SSH Load Balancer"

vpc_id = "${var.vpc}"
tags = "${var.tags}"
}

##################
# security group rules for bastion_service
##################

# Logic tests for security group rules

locals {
hostport_whitelisted = "${(join(",", var.cidr_blocks_whitelist_host) !="") }"
hostport_healthcheck = "${(var.elb_healthcheck_port == "2222")}"
}

# SSH access in from whitelist IP ranges to Load Balancer

resource "aws_security_group_rule" "lb_ssh_in" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = "${var.cidr_blocks_whitelist_service}"
security_group_id = "${aws_security_group.bastion_lb.id}"
}

# SSH access in from whitelist IP ranges to Load Balancer (for Bastion Host - conditional)

resource "aws_security_group_rule" "lb_ssh_in_cond" {
count = "${(local.hostport_whitelisted ? 1 : 0) }"
type = "ingress"
from_port = 2222
to_port = 2222
protocol = "tcp"
cidr_blocks = ["${var.cidr_blocks_whitelist_host}"]
security_group_id = "${aws_security_group.bastion_lb.id}"
}

# Access from Load Balancer to Bastion Host sshd for health check

resource "aws_security_group_rule" "lb_healthcheck_out" {
count = "${((local.hostport_healthcheck || local.hostport_whitelisted) ? 1 : 0) }"
type = "egress"
from_port = 2222
to_port = 2222
protocol = "tcp"
source_security_group_id = "${aws_security_group.bastion_service.id}"
security_group_id = "${aws_security_group.bastion_lb.id}"
}

# Access from Load Balancer to Bastion containers

resource "aws_security_group_rule" "lb_ssh_out" {
type = "egress"
from_port = 22
to_port = 22
protocol = "tcp"
security_group_id = "${aws_security_group.bastion_lb.id}"
source_security_group_id = "${aws_security_group.bastion_service.id}"
}

# SSH access in from Load Balancer to Bastion containers

resource "aws_security_group_rule" "service_ssh_in" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = "${aws_security_group.bastion_lb.id}"
security_group_id = "${aws_security_group.bastion_service.id}"
}

# SSH access in from Load Balancer to Bastion Host

resource "aws_security_group_rule" "host_ssh_in" {
count = "${((local.hostport_healthcheck || local.hostport_whitelisted) ? 1 : 0) }"
type = "ingress"
from_port = 2222
to_port = 2222
protocol = "tcp"
source_security_group_id = "${aws_security_group.bastion_lb.id}"
security_group_id = "${aws_security_group.bastion_service.id}"
}

# Permissive egress policy because we want users to be able to install their own packages

resource "aws_security_group_rule" "bastion_host_out" {
type = "egress"
from_port = 0
to_port = 65535
protocol = -1
security_group_id = "${aws_security_group.bastion_service.id}"
cidr_blocks = ["0.0.0.0/0"]
}

##########################
#Query for most recent AMI of type debian for use as host
##########################
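Review bot: this region shrinks from 117 lines to 6 with nothing added, so both security groups and every `aws_security_group_rule` between the `data "template_cloudinit_config"` context and the AMI query header leave main.tf; that is consistent with a network load balancer, which has no security group of its own, but it also removes the only place `var.cidr_blocks_whitelist_service` and `var.cidr_blocks_whitelist_host` were enforced (`lb_ssh_in` and `lb_ssh_in_cond`). The replacement is not in this commit, so please confirm the new security group file applies those whitelists to the `bastion_service` group directly, keeps the `service_ssh_in`/`host_ssh_in` split between port 22 and port 2222, and admits the VPC CIDR on the health check port, since with an NLB the instance sees the client's source address and the NLB node addresses instead of `aws_security_group.bastion_lb`. The `hostport_healthcheck` local keyed off `var.elb_healthcheck_port`; the equivalent target group health check needs to be wired up or the conditional 2222 rules become dead logic.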
@@ -264,6 +132,7 @@ resource "aws_autoscaling_group" "bastion-service-asg-local" {
launch_configuration = "${aws_launch_configuration.bastion-service-host-local.name}"
vpc_zone_identifier = ["${var.subnets_asg}"]
load_balancers = ["${aws_elb.bastion-service-elb.name}"]
target_group_arns = ["${aws_lb_target_group.bastion-service.arn}"]

lifecycle {
create_before_destroy = true
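Review bot: the added `target_group_arns = ["${aws_lb_target_group.bastion-service.arn}"]` is the right attachment for an NLB target, but the unchanged `load_balancers = ["${aws_elb.bastion-service-elb.name}"]` on the line above still references the classic ELB that the `ELB section` hunk later in this same commit deletes, so `terraform plan` will fail on an unknown resource `aws_elb.bastion-service-elb`; drop the `load_balancers` line here, and check `bastion-service-asg-assume` (whose closing lines appear as context in the next hunk) for the same reference. `aws_lb_target_group.bastion-service` itself is not part of this commit, so the diff cannot be validated in isolation; the new `aws_lb` and target group would be easier to review in the same commit as the references to them.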
@@ -323,46 +192,6 @@ resource "aws_autoscaling_group" "bastion-service-asg-assume" {
]
}

#######################################################
# ELB section
#######################################################

resource "aws_elb" "bastion-service-elb" {
name = "bastion-${var.vpc}"

# Sadly can't use availabilty zones for classic load balancer - see https://github.com/terraform-providers/terraform-provider-aws/issues/1063
subnets = ["${var.subnets_elb}"]

security_groups = ["${aws_security_group.bastion_lb.id}"]

listener {
instance_port = 22
instance_protocol = "TCP"
lb_port = 22
lb_protocol = "TCP"
}

listener {
instance_port = 2222
instance_protocol = "TCP"
lb_port = 2222
lb_protocol = "TCP"
}

health_check {
healthy_threshold = "${var.elb_healthy_threshold}"
unhealthy_threshold = "${var.elb_unhealthy_threshold}"
timeout = "${var.elb_timeout}"
target = "TCP:${var.elb_healthcheck_port}"
interval = "${var.elb_interval}"
}

cross_zone_load_balancing = true
idle_timeout = "${var.elb_idle_timeout}"
connection_draining = true
connection_draining_timeout = 300
}

####################################################
# DNS Section
###################################################
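Review bot: removing the `aws_elb` block drops settings that have no counterpart anywhere in this diff: the TCP health check against `var.elb_healthcheck_port` with its thresholds, timeout and interval, `cross_zone_load_balancing = true`, `idle_timeout`, and `connection_draining_timeout = 300`; for an NLB these belong on `aws_lb` (`enable_cross_zone_load_balancing`) and on the target group (`health_check` block and `deregistration_delay`), so please point at where they are recreated, otherwise the bastion hosts lose their drain window and the health check falls back to provider defaults. The `elb_*` variables referenced here also become unused inputs and should be removed or renamed in the same change, and if the subnet-versus-availability-zone limitation noted in the terraform-provider-aws issue 1063 comment still applies to the new resource, keep that comment with it.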
@@ -374,7 +203,7 @@ resource "aws_route53_record" "bastion_service" {
type = "A"

alias {
name = "${aws_elb.bastion-service-elb.dns_name}"
name = "${aws_lb.bastion-service-elb.dns_name}"
zone_id = "${aws_elb.bastion-service-elb.zone_id}"
evaluate_target_health = true
}
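Review bot: `name` is switched to `aws_lb.bastion-service-elb.dns_name`, but the `zone_id` line directly below still reads `aws_elb.bastion-service-elb.zone_id`, which references the classic ELB deleted in this same commit and will fail to plan; change it to `aws_lb.bastion-service-elb.zone_id` so the alias record points at the NLB's hosted zone. The resource name `bastion-service-elb` is now misleading for an `aws_lb` and could be renamed while the reference is being touched.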