add ELB provisioning and clean up security groups

asulibraries · Feb 28, 2020 · f728015 · f728015
1 parent 1f2cc46
commit f728015
Showing 1 changed file with 113 additions and 79 deletions.
diff --git a/aws_create_multiple_ec2.yml b/aws_create_multiple_ec2.yml
@@ -12,6 +12,7 @@
     - aws_keys.yml
     - inventory/stage/group_vars/all/passwords.yml
   tasks:
+
     - name: get the webserver IP
       ec2_instance_facts:
         aws_secret_key: "{{ aws_secret_key }}"
@@ -77,6 +78,44 @@
       with_items: "{{ services_instances.instances }}"
       retries: 5
 
+    - name: check for elb security group
+      ec2_group_facts:
+        region: "{{ region }}"
+        aws_secret_key: "{{ aws_secret_key }}"
+        aws_access_key: "{{ aws_access_key }}"
+        filters:
+          "group-name": islandora-elb
+      register: elb_security_group
+
+    - name: create elb security group
+      ec2_group:
+        region: "{{ region }}"
+        aws_secret_key: "{{ aws_secret_key }}"
+        aws_access_key: "{{ aws_access_key }}"
+        description: "security group for islandora elb"
+        name: islandora-elb
+        vpc_id: vpc-01f9ed4702108fef0
+        rules_egress:
+          - proto: all
+            cidr_ip: 0.0.0.0/0
+            cidr_ipv6: ::/0
+        rules:
+          - proto: tcp
+            ports:
+              - 80
+              - 8000
+              - 443
+            cidr_ip:
+              - 172.31.16.0/20 #ASU VPN 1
+              - 172.31.32.0/20 #ASU VPN 2
+              - 149.169.0.0/16 #ASU PUBLIC 1
+              - 129.219.0.0/16 #ASU PUBLIC 2
+              - 209.147.128.0/18 #ASU PUBLIC 3
+              - 10.192.36.25/32 #private IP
+              - 10.192.36.190/32 #private IP
+              - 35.166.140.245/32 #services public IP
+      register: elb_security_group
+
     - name: check for webserver security group
       ec2_group_facts:
         region: "{{ region }}"
@@ -100,20 +139,20 @@
             cidr_ipv6: ::/0
         rules:
           - proto: tcp
-            from_port: 80
-            to_port: 80
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 8000
-            to_port: 8000
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 443
-            to_port: 443
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
+            ports:
+              - 80
+              - 8000
+              - 443
+            cidr_ip:
+              - 172.31.16.0/20 #ASU VPN 1
+              - 172.31.32.0/20 #ASU VPN 2
+              - 149.169.0.0/16 #ASU PUBLIC 1
+              - 129.219.0.0/16 #ASU PUBLIC 2
+              - 209.147.128.0/18 #ASU PUBLIC 3
+              - 10.192.36.25/32 #private IP
+              - 10.192.36.190/32 #private IP
+              - 35.166.140.245/32 #services public IP
+            group_id: "{{ elb_security_group.group_id }}"
           - proto: tcp
             from_port: 3306
             to_port: 3306
@@ -133,6 +172,46 @@
           - "{{ security_group }}"
       with_items: "{{ webserver_instances.instances }}"
 
+    - name: create ELB target group
+      elb_target_group:
+        name: islandora-webserver-target
+        protocol: http
+        port: 80
+        state: present
+        region: "{{ region }}"
+        aws_secret_key: "{{ aws_secret_key }}"
+        aws_access_key: "{{ aws_access_key }}"
+        vpc_id: vpc-01f9ed4702108fef0
+        health_check_path: /
+        successful_response_codes: "200"
+        targets:
+          - Id: "{{ item.instance_id }}"
+            Port: 80
+      with_items: "{{ webserver_instances.instances }}"
+      register: elb_target_group
+
+    - name: create ELB
+      elb_application_lb:
+        name: "islandora-webserver-elb"
+        state: present
+        aws_secret_key: "{{ aws_secret_key }}"
+        aws_access_key: "{{ aws_access_key }}"
+        region: "{{ region }}"
+        subnets:
+          - subnet-02b1343bf83ae6322
+          - subnet-0a175a933a579e7ea
+        security_groups:
+          - "{{ elb_security_group.group_id }}"
+        listeners:
+          - Protocol: HTTP # options are http, https, ssl, tcp
+            Port: 80
+            # SslPolicy: ELBSecurityPolicy-2016-08
+            # Certificates: # The ARN of the certificate (only one certficate ARN should be provided)
+            #   - CertificateArn: "arn:aws:acm:us-west-2:380105785187:certificate/bfd85bd1-8ca5-4ba4-9b76-04da628e4725"
+            DefaultActions:
+              - Type: forward # Required.
+                TargetGroupName: "{{ elb_target_group.results[0].target_group_name }}"
+
     - name: check for services security group
       ec2_group_facts:
         region: "{{ region }}"
@@ -142,12 +221,7 @@
           "group-name": islandora-services
       register: services_security_group
 
-    # TODO LOCK THIS SERVER DOWN SIGNIFICANTLY MORE
-    # 172.31.16.0/20 ASU VPN 1
-    # 172.31.32.0/20 ASU VPN 2
-    # 149.169.0.0/16 ASU PUBLIC 1
-    # 129.219.0.0/16 ASU PUBLIC 2
-    # 209.147.128.0/18 ASU PUBLIC 3
+    # TODO LOCK THIS FOR SSH
     # SSH port 22 should be set to
     # 10.192.0.0/16 ASULIB
     # both vpns
@@ -167,44 +241,27 @@
             cidr_ipv6: ::/0
         rules:
           - proto: tcp
-            from_port: 80
-            to_port: 80
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 8080
-            to_port: 8080
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 443
-            to_port: 443
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
+            ports:
+              - 80
+              - 8080
+              - 443
+              - 8161
+              - 61613
+              - 61616
+              - 8983
+            cidr_ip:
+              - 172.31.16.0/20 #ASU VPN 1
+              - 172.31.32.0/20 #ASU VPN 2
+              - 149.169.0.0/16 #ASU PUBLIC 1
+              - 129.219.0.0/16 #ASU PUBLIC 2
+              - 209.147.128.0/18 #ASU PUBLIC 3
+              - 10.192.36.25/32 #private IP services
+              - 10.192.36.190/32 #private IP
+              - 35.163.77.215/32 #webserver IP
           - proto: tcp
             from_port: 3306
             to_port: 3306
             cidr_ip: 10.192.36.190/32
-          - proto: tcp
-            from_port: 8161
-            to_port: 8161
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 61613
-            to_port: 61613
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 61616
-            to_port: 61616
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
-          - proto: tcp
-            from_port: 8983
-            to_port: 8983
-            cidr_ip: 0.0.0.0/0
-            cidr_ipv6: ::/0
       register: services_security_group
 
     - name: assign services security group
@@ -300,31 +357,8 @@
         tags:
           Application: islandora
       when: matomo_rds_instance.instances|length < 1
-  # ELB
-    # - name: create ELB
-    #   elb_lb:
-    #     name: "islandora-webserver-elb"
-    #     state: present
-    #     aws_secret_key: "{{ aws_secret_key }}"
-    #     aws_access_key: "{{ aws_access_key }}"
-    #     region: "{{ region }}"
-    #     zones:
-    #       - us-west-1a
-    #       - us-west-1b
-    #     instance_ids:
-    #       - "{{ item.instance_id }}"
-    #     listeners:
-    #       - protocol: http # options are http, https, ssl, tcp
-    #         load_balancer_port: 80
-    #         instance_port: 80
-    #         proxy_protocol: True
-    #       - protocol: https
-    #         load_balancer_port: 443
-    #         instance_protocol: http # optional, defaults to value of protocol setting
-    #         instance_port: 80
-    #         # ssl certificate required for https or ssl
-    #         ssl_certificate_id: "arn:aws:acm:us-west-2:380105785187:certificate/bfd85bd1-8ca5-4ba4-9b76-04da628e4725"
-    #   loop: webserver_instances
+
+