diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..cd9ed4a
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,15 @@
+# Deltron CHANGELOG
+
+## 1.0.0 (06-28-2017)
+
+## Features & Enhancements
+
+This release focuses on making deltron even easier to use and includes some minor refactors.
+
+- Pin to Terraform 0.9.9.
+- Use the built in ~/.aws/credentials file by default. You can still set a profile using ${var.aws_profile}
+- Generate a 4 byte random id that we add to tags in case you want to spin up multiple automate clusters.
+- Move security rules into a separate file.
+- Use high performance centos images.
+- Automate calculate subnet from vpc. We pick the first one available.
+- Move to using a built in installer for chef server.
\ No newline at end of file
diff --git a/files/installer.sh b/files/installer.sh
new file mode 100644
index 0000000..0e85b8f
--- /dev/null
+++ b/files/installer.sh
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+#
+# Please provide an IP/FQDN for your chef server: domain.com
+#
+# Hab package?
+#
+
+usage="
+This is an installer for Chef. It will install Chef Server, Chef Automate, and a build node for Automate.\n
+It will install the Chef server on the system you run this script from.\n
+
+You must specify the following options:\n
+
+-c|--chef-server-fqdn REQUIRED: The FQDN you want the Chef Server configured to use.\n
+-a|--chef-automate-fqdn The FQDN of the Chef Automate server.\n
+-b|--build-node-fqdn The FQDN of the build node.\n
+-u|--user The ssh username we'll use to connect to other systems.\n
+-p|--password The ssh password we'll use to connect to other systems.\n
+-i|--install-dir The directory to use for the installer.
+-cs-source|--chef-services-source The source for the chef-services cookbook
+
+If only -c is specified the local system will be configured with a Chef Server install. \n
+"
+
+if [ $# -eq 0 ]; then
+  echo -e $usage
+  exit 1
+fi
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+case $key in
+  -c|--chef-server-fqdn)
+    CHEF_SERVER_FQDN="$2"
+    shift # past argument
+    ;;
+  -a|--chef-automate-fqdn)
+    CHEF_AUTOMATE_FQDN="$2"
+    shift # past argument
+    ;;
+  -b|--build-node-fqdn)
+    CHEF_BUILD_FQDN="$2"
+    shift # past argument
+    ;;
+  -u|--user)
+    CHEF_USER="$2"
+    shift
+    ;;
+  -p|--password)
+    CHEF_PW="$2"
+    shift
+    ;;
+  -i|--install-dir)
+    INSTALL_DIR="$2"
+    shift
+    ;;
+  -cs-source|--chef-services-source)
+    CHEF_SERVICES_SOURCE="$2"
+    shift
+    ;;
+  -h|--help)
+    echo -e $usage
+    exit 0
+    ;;
+  *)
+    echo "Unknown option $1"
+    echo -e $usage
+    exit 1
+    ;;
+esac
+shift # past argument or value
+done
+
+# ---------- Chef Server ----------
+# ->install Chef
+if [ -z "$INSTALL_DIR" ]; then
+  INSTALL_DIR=/tmp
+fi
+
+mkdir -p $INSTALL_DIR/chef_installer/.chef/cache/
+cd $INSTALL_DIR/chef_installer
+if [ ! -d "/opt/chefdk" ]; then
+  curl -LO https://omnitruck.chef.io/install.sh && sudo bash ./install.sh -P chefdk -d $INSTALL_DIR/chef_installer && rm install.sh
+fi
+
+# write out Berksfile of install cookbooks
+cat << EOF > $INSTALL_DIR/chef_installer/Berksfile
+source 'https://supermarket.chef.io'
+
+cookbook 'chef-services', git: 'https://github.com/itmustbejj/chef-services.git', branch: 'deltron-changes'
+cookbook 'chef-ingredient', git: 'https://github.com/itmustbejj/chef-ingredient', branch: 'debug-branch'
+cookbook 'elasticsearch', git: 'https://github.com/elastic/cookbook-elasticsearch', branch: '2.x.x'
+cookbook 'java'
+cookbook 'sysctl'
+cookbook 'backend_search_cluster', git: 'https://github.com/itmustbejj/backend_search_cluster'
+cookbook 'audit'
+cookbook 'chef-client'
+EOF
+
+export PATH=/opt/chefdk/gitbin:$PATH
+
+# download cookbooks for install
+berks install
+berks update
+berks vendor cookbooks/
+
+# write config and build chef-server
+echo -e "{\"chef_server\": {\"fqdn\":\"$CHEF_SERVER_FQDN\",\"install_dir\":\"$INSTALL_DIR\"}}" > attributes.json
+chef-client -z -j attributes.json --config-option file_cache_path=$INSTALL_DIR -r 'recipe[chef-services::chef-server]'
+
+# upload cookbooks from chef-server to itself
+berks upload --no-ssl-verify
+
+# ---------- All others -----------
+# -> automate,chef-builder1,chef-builder2,chef-builder3,supermarket,compliance.domain.com
+# --> bootstrap with correct runlist
+
+if [ ! -z $CHEF_AUTOMATE_FQDN ]; then
+  knife bootstrap $CHEF_AUTOMATE_FQDN -N $CHEF_AUTOMATE_FQDN -x $CHEF_USER -P $CHEF_PW --sudo -r "role[patch],recipe[chef-services::delivery]" -j "{\"chef_server\":{\"fqdn\":\"$CHEF_SERVER_FQDN\"},\"chef_automate\":{\"fqdn\":\"$CHEF_AUTOMATE_FQDN\"}}" -E delivered -y --node-ssl-verify-mode none
+fi
+
+if [ ! -z $CHEF_BUILD_FQDN ]; then
+  knife bootstrap $CHEF_BUILD_FQDN -N $CHEF_BUILD_FQDN -x $CHEF_USER -P $CHEF_PW --sudo -r "role[patch],recipe[chef-services::install_build_nodes]" -j "{\"chef_server\":{\"fqdn\":\"$CHEF_SERVER_FQDN\"},\"chef_automate\":{\"fqdn\":\"$CHEF_AUTOMATE_FQDN\"},\"tags\":\"delivery-build-node\"}" -E delivered -y --node-ssl-verify-mode none
+fi
diff --git a/main.tf b/main.tf
index bdc5373..8092b3d 100644
--- a/main.tf
+++ b/main.tf
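Review bot: The ssh password read by `-p|--password` is handed to both `knife bootstrap` calls as `-P $CHEF_PW`, so it sits in the process list of the Chef server for the whole bootstrap; prefer key-based auth via knife's `-i`/`--ssh-identity-file`, or at least document the exposure next to the option. Expansions are unquoted throughout (`echo -e $usage`, `cd $INSTALL_DIR/chef_installer`, `[ ! -z $CHEF_AUTOMATE_FQDN ]`, every `$CHEF_*` on the knife lines) and there is no `set -e`, so a failed `mkdir` or `cd` lets `curl` and the chefdk install run in whatever directory the script happened to be started from; add `set -euo pipefail` after the shebang and quote each expansion. `curl -LO https://omnitruck.chef.io/install.sh && sudo bash ./install.sh` executes a freshly downloaded file as root from `$INSTALL_DIR` (default `/tmp`) with no integrity check, and `berks upload --no-ssl-verify` plus `--node-ssl-verify-mode none` disable TLS verification against the server just built; each deserves a comment stating why that is acceptable for this installer. `CHEF_SERVICES_SOURCE` is parsed from `-cs-source` but never used, while the Berksfile pins `chef-services` to a hard-coded fork and branch.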
@@ -1,230 +1,53 @@ terraform { - required_version = "0.9.8" + required_version = "0.9.9" } provider "aws" { - access_key = "${var.aws_access_key_id}" - secret_key = "${var.aws_secret_access_key}" - region = "${var.aws_default_region}" + region = "${var.aws_region}" + profile = "${var.aws_profile}" // uses ~/.aws/credentials by default } -resource "aws_security_group" "chef_server" { - name = "chef_server_${var.automate_instance_id}" - description = "Terraform Automate Chef Server" - vpc_id = "${var.automate_vpc}" - - tags { - Name = "${var.automate_tag}_chef_server_security_group" - X-Dept = "${var.tag_dept}" - X-Contact = "${var.tag_contact}" - } -} - -# SSH - all -resource "aws_security_group_rule" "ingress_chef_server_allow_22_tcp_all" { - type = "ingress" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_server.id}" -} - -# HTTP (nginx) -resource "aws_security_group_rule" "ingress_chef_server_allow_80_tcp" { - type = "ingress" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_server.id}" +resource "random_id" "automate_instance_id" { + byte_length = 4 } -# HTTPS (nginx) -resource "aws_security_group_rule" "ingress_chef_server_allow_443_tcp" { - type = "ingress" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_server.id}" -} - -# opscode push-jobs -resource "aws_security_group_rule" "ingress_chef_server_allow_10000-10003_tcp" { - type = "ingress" - from_port = 10000 - to_port = 10003 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_server.id}" -} - -# Allow all Chef -resource "aws_security_group_rule" "ingress_chef_server_allow_all_chef_automate" { - type = "ingress" - from_port = 0 - to_port = 0 - protocol = "-1" - source_security_group_id = 
"${aws_security_group.chef_automate.id}" - security_group_id = "${aws_security_group.chef_server.id}" -} - -# Egress: ALL -resource "aws_security_group_rule" "egress_chef_server_allow_0-65535_all" { - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_server.id}" -} - -resource "aws_security_group" "chef_automate" { - name = "chef_automate_${var.automate_instance_id}" - description = "Terraform Chef Automate Server" - vpc_id = "${var.automate_vpc}" - - tags { - Name = "${var.automate_tag}_chef_automate_security_group" - X-Dept = "${var.tag_dept}" - X-Contact = "${var.tag_contact}" - } -} - -# SSH - all -resource "aws_security_group_rule" "ingress_chef_automate_allow_22_tcp_all" { - type = "ingress" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_automate.id}" -} - -# HTTP -resource "aws_security_group_rule" "ingress_chef_automate_allow_80_tcp" { - type = "ingress" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_automate.id}" -} - -# HTTPS -resource "aws_security_group_rule" "ingress_chef_automate_allow_443_tcp" { - type = "ingress" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_automate.id}" -} - -# Automate GIT -resource "aws_security_group_rule" "ingress_chef_automate_allow_8989_tcp" { - type = "ingress" - from_port = 8989 - to_port = 8989 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_automate.id}" -} - -# Allow all Chef Server -resource "aws_security_group_rule" "ingress_chef_automate_allow_all_chef_server" { - type = "ingress" - from_port = 0 - to_port = 0 - protocol = "-1" - source_security_group_id = "${aws_security_group.chef_server.id}" - security_group_id = 
"${aws_security_group.chef_automate.id}" -} - -# Egress: ALL -resource "aws_security_group_rule" "egress_chef_automate_allow_0-65535_all" { - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.chef_automate.id}" -} - -resource "aws_security_group" "build_nodes" { - name = "build_nodes_${var.automate_instance_id}" - description = "Terraform Build Nodes" - vpc_id = "${var.automate_vpc}" - - tags { - Name = "${var.automate_tag}_build_nodes_security_group" - X-Dept = "${var.tag_dept}" - X-Contact = "${var.tag_contact}" - } -} - -# Egress: ALL -resource "aws_security_group_rule" "egress_build_nodes_allow_0-65535_all" { - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.build_nodes.id}" -} - -# SSH - all -resource "aws_security_group_rule" "ingress_build_nodes_allow_22_tcp_all" { - type = "ingress" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.build_nodes.id}" -} - -# Allow all Chef Automate -resource "aws_security_group_rule" "ingress_build_nodes_allow_all_chef_server" { - type = "ingress" - from_port = 0 - to_port = 0 - protocol = "-1" - source_security_group_id = "${aws_security_group.chef_automate.id}" - security_group_id = "${aws_security_group.build_nodes.id}" +data "aws_subnet_ids" "automate" { + vpc_id = "${var.automate_vpc}" } # Chef Server resource "aws_instance" "chef_server" { connection { - user = "${var.aws_ami_user}" - private_key = "${file(".keys/${var.aws_key_pair_name}.pem")}" + user = "${var.aws_ami_user}" + private_key = "${file("${var.aws_key_pair_file}")}" } - ami = "${var.aws_ami_rhel}" - instance_type = "${var.aws_instance_type}" - key_name = "${var.aws_key_pair_name}" - subnet_id = "${var.automate_subnet}" + ami = "${var.aws_ami_rhel}" + instance_type = "${var.aws_instance_type}" + key_name = 
"${var.aws_key_pair_name}" + subnet_id = "${data.aws_subnet_ids.automate.ids[1]}" vpc_security_group_ids = ["${aws_security_group.chef_server.id}"] - ebs_optimized = true + associate_public_ip_address = true + ebs_optimized = true root_block_device { delete_on_termination = true - volume_size = 20 - volume_type = "gp2" + volume_size = 20 + volume_type = "gp2" + #iops = 1000 } ebs_block_device { - device_name = "/dev/sdb" - volume_type = "io1" - iops = 5000 # iops = volume_size * 50 - volume_size = 100 + device_name = "/dev/sdb" + volume_type = "io1" + iops = 5000 # iops = volume_size * 50 + volume_size = 100 delete_on_termination = true } tags { - Name = "${format("${var.automate_tag}_chef_server_%02d_${var.automate_instance_id}", count.index + 1)}" + Name = "${format("${var.tag_automate}_${random_id.automate_instance_id.hex}_chef_server_%02d", count.index + 1)}" X-Dept = "${var.tag_dept}" X-Contact = "${var.tag_contact}" } 
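Review bot: `subnet_id = "${data.aws_subnet_ids.automate.ids[1]}"` picks the second element of the subnet list, not the first as the changelog states, and a VPC with a single subnet makes the index fail; the same expression appears in the chef_automate and build_nodes hunks below. `aws_subnet_ids.ids` has no documented ordering, so the chosen subnet can also change between runs — use `ids[0]` or `${element(data.aws_subnet_ids.automate.ids, 0)}`, and consider keeping an optional `var.automate_subnet` override, since the removed variable was the only way to pin a subnet. With `associate_public_ip_address = true` each instance now gets a public address behind the groups in security.tf, which admit 22/tcp from 0.0.0.0/0, so such an override matters for private deployments. The `private_key = "${file("${var.aws_key_pair_file}")}"` nesting can be written `"${file(var.aws_key_pair_file)}"`.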
@@ -237,22 +60,30 @@ resource "aws_instance" "chef_server" { # mount the EBS volume provisioner "file" { - source = "mount_data_volume" + source = "mount_data_volume" destination = "/tmp/mount_data_volume" } + provisioner "remote-exec" { inline = [ - "sudo bash -ex /tmp/mount_data_volume" + "sudo bash -ex /tmp/mount_data_volume", ] } + provisioner "file" { - source = ".chef/delivery-validator.pub" + source = ".chef/delivery-validator.pub" destination = "/tmp/pre-delivery-validator.pub" } + + provisioner "file" { + source = "files/installer.sh" + destination = "/tmp/installer.sh" + } + provisioner "remote-exec" { inline = [ - "curl -L http://chef-installer.chameleon-development.ca -o installer.sh && sudo SVWAIT=30 bash ./installer.sh -c ${aws_instance.chef_server.public_dns}", - "sudo chef-server-ctl add-client-key delivery delivery-validator --public-key-path /tmp/pre-delivery-validator.pub" + "sudo SVWAIT=30 bash /tmp/installer.sh -c ${aws_instance.chef_server.public_dns}", + "sudo chef-server-ctl add-client-key delivery delivery-validator --public-key-path /tmp/pre-delivery-validator.pub", ] } } 
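Review bot: `"sudo SVWAIT=30 bash /tmp/installer.sh -c ${aws_instance.chef_server.public_dns}"` runs a script as root out of the world-writable `/tmp`, where the preceding `file` provisioner placed it under a fixed name, so any local user on the instance could swap the file between the two provisioner steps. Replacing the plain-HTTP `curl -L http://chef-installer.chameleon-development.ca` fetch with the bundled `files/installer.sh` is a clear improvement. Upload to the connection user's home instead, as the chef_automate resource already does for its license file: `destination = "~/installer.sh"` and `"sudo SVWAIT=30 bash ~/installer.sh -c ${aws_instance.chef_server.public_dns}",`; the same applies to `/tmp/pre-delivery-validator.pub`, which `chef-server-ctl add-client-key` reads as root.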
@@ -262,40 +93,42 @@ data "template_file" "delivery_validator" { vars { delivery_validator = "${file(".chef/delivery-validator.pem")}" } - template = "$${delivery_validator}" + + template = "$${delivery_validator}" depends_on = ["aws_instance.chef_server"] } resource "aws_instance" "chef_automate" { connection { - user = "${var.aws_ami_user}" - private_key = "${file(".keys/${var.aws_key_pair_name}.pem")}" + user = "${var.aws_ami_user}" + private_key = "${file("${var.aws_key_pair_file}")}" } - ami = "${var.aws_ami_rhel}" - instance_type = "${var.aws_instance_type}" - key_name = "${var.aws_key_pair_name}" - subnet_id = "${var.automate_subnet}" + ami = "${var.aws_ami_rhel}" + instance_type = "${var.aws_instance_type}" + key_name = "${var.aws_key_pair_name}" + subnet_id = "${data.aws_subnet_ids.automate.ids[1]}" vpc_security_group_ids = ["${aws_security_group.chef_automate.id}"] - ebs_optimized = true + ebs_optimized = true root_block_device { delete_on_termination = true - volume_size = 20 - volume_type = "gp2" + volume_size = 20 + volume_type = "gp2" + #iops = 1000 } ebs_block_device { - device_name = "/dev/sdb" - volume_type = "io1" - iops = 5000 # iops = volume_size * 50 - volume_size = 100 + device_name = "/dev/sdb" + volume_type = "io1" + iops = 5000 # iops = volume_size * 50 + volume_size = 100 delete_on_termination = true } tags { - Name = "${format("${var.automate_tag}_chef_automate_%02d_${var.automate_instance_id}", count.index + 1)}" + Name = "${format("${var.tag_automate}_${random_id.automate_instance_id.hex}_chef_automate_%02d", count.index + 1)}" X-Dept = "${var.tag_dept}" X-Contact = "${var.tag_contact}" } 
@@ -305,18 +138,19 @@ resource "aws_instance" "chef_automate" { provisioner "remote-exec" { inline = [ "sudo hostnamectl set-hostname ${aws_instance.chef_automate.public_dns}", - "sudo mkdir /etc/chef/" + "sudo mkdir /etc/chef/", ] } # mount the EBS volume provisioner "file" { - source = "mount_data_volume" + source = "mount_data_volume" destination = "/tmp/mount_data_volume" } + provisioner "remote-exec" { inline = [ - "sudo bash -ex /tmp/mount_data_volume" + "sudo bash -ex /tmp/mount_data_volume", ] } @@ -325,7 +159,7 @@ resource "aws_instance" "chef_automate" { destination = "~/chef_automate.license" } - provisioner "chef" { + provisioner "chef" { attributes_json = <<-EOF { "tags": "automate_server", 
@@ -337,49 +171,50 @@ resource "aws_instance" "chef_automate" { } } EOF - environment = "_default" + + environment = "_default" fetch_chef_certificates = true - run_list = ["chef-services::delivery"] - node_name = "${aws_instance.chef_automate.public_dns}" - server_url = "https://${aws_instance.chef_server.public_dns}/organizations/delivery" - user_name = "delivery-validator" - user_key = "${data.template_file.delivery_validator.rendered}" - client_options = ["trusted_certs_dir = '/etc/chef/trusted_certs'"] + run_list = ["chef-services::delivery"] + node_name = "${aws_instance.chef_automate.public_dns}" + server_url = "https://${aws_instance.chef_server.public_dns}/organizations/delivery" + user_name = "delivery-validator" + user_key = "${data.template_file.delivery_validator.rendered}" + client_options = ["trusted_certs_dir = '/etc/chef/trusted_certs'"] } + provisioner "local-exec" { - command = "scp -oStrictHostKeyChecking=no -i .keys/${var.aws_key_pair_name}.pem ${var.aws_ami_user}@${aws_instance.chef_automate.public_dns}:/tmp/test.creds ./" + command = "scp -oStrictHostKeyChecking=no -i ${var.aws_key_pair_file} ${var.aws_ami_user}@${aws_instance.chef_automate.public_dns}:/tmp/test.creds ./" } } - resource "aws_instance" "build_nodes" { connection { - user = "${var.aws_ami_user}" - private_key = "${file(".keys/${var.aws_key_pair_name}.pem")}" + user = "${var.aws_ami_user}" + private_key = "${file("${var.aws_key_pair_file}")}" } - ami = "${var.aws_ami_rhel}" - instance_type = "${var.aws_build_node_instance_type}" - key_name = "${var.aws_key_pair_name}" - subnet_id = "${var.automate_subnet}" + ami = "${var.aws_ami_rhel}" + instance_type = "t2.medium" + key_name = "${var.aws_key_pair_name}" + subnet_id = "${data.aws_subnet_ids.automate.ids[1]}" vpc_security_group_ids = ["${aws_security_group.build_nodes.id}"] - ebs_optimized = false - count = 3 + ebs_optimized = false + count = 3 root_block_device { delete_on_termination = true - volume_size = 100 - volume_type = 
"gp2" + volume_size = 100 + volume_type = "gp2" } tags { - Name = "${format("${var.automate_tag}_build_node_%02d_${var.automate_instance_id}", count.index + 1)}" + Name = "${format("${var.tag_automate}_build_node_%02d_${random_id.automate_instance_id.hex}", count.index + 1)}" X-Dept = "${var.tag_dept}" X-Contact = "${var.tag_contact}" } - provisioner "chef" { - attributes_json = <<-EOF + provisioner "chef" { + attributes_json = <<-EOF { "tags": "delivery-build-node", "chef_automate": { @@ -390,13 +225,14 @@ resource "aws_instance" "build_nodes" { } } EOF - environment = "_default" - node_name = "build-node-${count.index + 1}" - fetch_chef_certificates = true - run_list = ["chef-services::install_build_nodes"] - server_url = "https://${aws_instance.chef_server.public_dns}/organizations/delivery" - user_name = "delivery-validator" - user_key = "${data.template_file.delivery_validator.rendered}" - client_options = ["trusted_certs_dir '/etc/chef/trusted_certs'"] - } + + environment = "_default" + node_name = "build-node-${count.index + 1}" + fetch_chef_certificates = true + run_list = ["chef-services::install_build_nodes"] + server_url = "https://${aws_instance.chef_server.public_dns}/organizations/delivery" + user_name = "delivery-validator" + user_key = "${data.template_file.delivery_validator.rendered}" + client_options = ["trusted_certs_dir '/etc/chef/trusted_certs'"] + } } diff --git a/security.tf b/security.tf new file mode 100644 index 0000000..c64acef --- /dev/null +++ b/security.tf 
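Review bot: `instance_type = "t2.medium"` on build_nodes replaces `${var.aws_build_node_instance_type}` with a literal even though the variable is still declared in variables.tf with that same default, so the knob silently stops working; restore `instance_type = "${var.aws_build_node_instance_type}"`. The `local-exec` scp keeps `-oStrictHostKeyChecking=no` while switching to `-i ${var.aws_key_pair_file}`; fetching `test.creds` with host-key checking disabled accepts whatever host answers for `public_dns`, so a comment on why that is tolerated for a freshly created instance would help. The build_nodes resource continues into the next hunk.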
@@ -0,0 +1,225 @@
+resource "aws_security_group" "chef_server" {
+  name        = "chef_server_${random_id.automate_instance_id.hex}"
+  description = "Terraform Automate Chef Server"
+  vpc_id      = "${var.automate_vpc}"
+
+  tags {
+    Name      = "${var.tag_automate}_chef_server_security_group_${random_id.automate_instance_id.hex}"
+    X-Dept    = "${var.tag_dept}"
+    X-Contact = "${var.tag_contact}"
+  }
+}
+
+# SSH - all
+resource "aws_security_group_rule" "ingress_chef_server_allow_22_tcp_all" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_server.id}"
+}
+
+# HTTP (nginx)
+resource "aws_security_group_rule" "ingress_chef_server_allow_80_tcp" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_server.id}"
+}
+
+# HTTPS (nginx)
+resource "aws_security_group_rule" "ingress_chef_server_allow_443_tcp" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_server.id}"
+}
+
+# opscode push-jobs
+resource "aws_security_group_rule" "ingress_chef_server_allow_10000-10003_tcp" {
+  type              = "ingress"
+  from_port         = 10000
+  to_port           = 10003
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_server.id}"
+}
+
+# Allow all Chef
+resource "aws_security_group_rule" "ingress_chef_server_allow_all_chef_automate" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  source_security_group_id = "${aws_security_group.chef_automate.id}"
+  security_group_id        = "${aws_security_group.chef_server.id}"
+}
+
+# Egress: ALL
+resource "aws_security_group_rule" "egress_chef_server_allow_0-65535_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_server.id}"
+}
+
+resource "aws_security_group" "chef_automate" {
+  name        = "chef_automate_${random_id.automate_instance_id.hex}"
+  description = "Terraform Chef Automate Server"
+  vpc_id      = "${var.automate_vpc}"
+
+  tags {
+    Name      = "${var.tag_automate}_chef_automate_security_group"
+    X-Dept    = "${var.tag_dept}"
+    X-Contact = "${var.tag_contact}"
+  }
+}
+
+# SSH - all
+resource "aws_security_group_rule" "ingress_chef_automate_allow_22_tcp_all" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# HTTP
+resource "aws_security_group_rule" "ingress_chef_automate_allow_80_tcp" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# HTTPS
+resource "aws_security_group_rule" "ingress_chef_automate_allow_443_tcp" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# Automate GIT
+resource "aws_security_group_rule" "ingress_chef_automate_allow_8989_tcp" {
+  type              = "ingress"
+  from_port         = 8989
+  to_port           = 8989
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# Allow etcd communication
+resource "aws_security_group_rule" "ingress_chef_automate_allow_2379_tcp" {
+  type                     = "ingress"
+  from_port                = 2379
+  to_port                  = 2380
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.chef_automate.id}"
+  source_security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# Allow elasticsearch clients
+resource "aws_security_group_rule" "ingress_chef_automate_allow_9200_to_9400_tcp" {
+  type                     = "ingress"
+  from_port                = 9200
+  to_port                  = 9400
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.chef_automate.id}"
+  source_security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# Allow postgres connections
+resource "aws_security_group_rule" "ingress_chef_automate_allow_5432_tcp" {
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.chef_automate.id}"
+  source_security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# Allow leaderel connections
+resource "aws_security_group_rule" "ingress_chef_automate_allow_7331_tcp" {
+  type                     = "ingress"
+  from_port                = 7331
+  to_port                  = 7331
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.chef_automate.id}"
+  source_security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+# Allow all Chef Server
+resource "aws_security_group_rule" "ingress_chef_automate_allow_all_chef_server" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  source_security_group_id = "${aws_security_group.chef_server.id}"
+  security_group_id        = "${aws_security_group.chef_automate.id}"
+}
+
+# Egress: ALL
+resource "aws_security_group_rule" "egress_chef_automate_allow_0-65535_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.chef_automate.id}"
+}
+
+resource "aws_security_group" "build_nodes" {
+  name        = "build_nodes_${random_id.automate_instance_id.hex}"
+  description = "Terraform Build Nodes"
+  vpc_id      = "${var.automate_vpc}"
+
+  tags {
+    Name      = "${var.tag_automate}_build_nodes_security_group"
+    X-Dept    = "${var.tag_dept}"
+    X-Contact = "${var.tag_contact}"
+  }
+}
+
+# Egress: ALL
+resource "aws_security_group_rule" "egress_build_nodes_allow_0-65535_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.build_nodes.id}"
+}
+
+# SSH - all
+resource "aws_security_group_rule" "ingress_build_nodes_allow_22_tcp_all" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.build_nodes.id}"
+}
+
+# Allow all Chef Automate
+resource "aws_security_group_rule" "ingress_build_nodes_allow_all_chef_server" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  source_security_group_id = "${aws_security_group.chef_automate.id}"
+  security_group_id        = "${aws_security_group.build_nodes.id}"
+}
diff --git a/variables.tf b/variables.tf
index 0222afe..e0aab82 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,13 @@
+variable "aws_region" {}
+
+variable "aws_profile" {
+  default = "default"
+}
+
+variable "aws_key_pair_name" {}
+
+variable "aws_key_pair_file" {}
+
 variable "chef-delivery-enterprise" {
   default = "terraform"
 }
@@ -6,21 +16,19 @@ variable "chef-server-organization" {
   default = "terraform"
 }
 
-variable "aws_access_key_id" {}
-
-variable "aws_secret_access_key" {}
-
-variable "aws_key_pair_name" {}
-variable "aws_default_region" {}
-
 variable "automate_vpc" {}
 
-variable "automate_subnet" {}
+variable "tag_automate" {
+  default = "terraform_automate"
+}
 
-variable "automate_tag" { default = "terraform_automate" }
+variable "tag_dept" {
+  default = "example_department"
+}
 
-# unique identifier for this instance of Chef Automate
-variable "automate_instance_id" { default = "override_me" }
+variable "tag_contact" {
+  default = "example_human"
+}
 
 variable "aws_build_node_instance_type" {
   default = "t2.medium"
@@ -29,17 +37,11 @@ variable "aws_build_node_instance_type" {
 variable "aws_instance_type" {
   default = "m4.xlarge"
 }
+
 variable "aws_ami_user" {
   default = "centos"
 }
 
-variable "tag_dept" {}
-
-variable "tag_contact" {}
-
-# High performance CentOS 7.2 AMIs published here:
-# us-east-1: ami-a2f1aeb5
-# us-west-1: ami-4895de28
-# us-west-2: ami-e6963186
-
-variable "aws_ami_rhel" { default = "ami-e6963186" }
+variable "aws_ami_rhel" {
+  default = "ami-e6963186"
+}
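Review bot: All three `ingress_*_allow_22_tcp_all` rules admit 22/tcp from `0.0.0.0/0`, and main.tf now sets `associate_public_ip_address = true`, so every instance is reachable by SSH from the whole internet; since `chef_server`, `chef_automate` and `build_nodes` already reference each other by security group, the world-open entry could be narrowed to an operator range through a variable, e.g. `cidr_blocks = "${var.ssh_allowed_cidrs}"` with `variable "ssh_allowed_cidrs" { default = ["0.0.0.0/0"] }` to keep the current behaviour as the default. The new intra-group rules (2379-2380, 9200-9400, 5432, 7331) correctly use `source_security_group_id` rather than CIDRs. The Name tag on `chef_server` carries the `random_id` suffix but `chef_automate` and `build_nodes` do not, so two clusters in one account get identically named groups for those two; the `name` attribute already includes the suffix, so the tag can follow it.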
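Review bot: `tag_dept` and `tag_contact` gain defaults `example_department` / `example_human` where they were previously required, so a run that forgets to pass them now tags every instance and security group with placeholder ownership instead of failing. Since these tags are the only contact information on the resources, keep them required (`variable "tag_dept" {}`, `variable "tag_contact" {}`) or at least state in a `description` that the defaults are placeholders.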