Fix Ingress Gateway Consul registration (#65)

* Fix nomad service protocol registation * Use nat_public_ips for ECS cluster * Remove http proxy configs * Move retries to group level
hashicorp · Sep 18, 2022 · f831ade · f831ade
1 parent 59cbd51
commit f831ade
Show file tree

Hide file tree

Showing 29 changed files with 204 additions and 140 deletions.
diff --git a/examples/hcp-ec2-demo/main.tf b/examples/hcp-ec2-demo/main.tf
@@ -26,7 +26,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn             = hcp_hvn.main
   vpc_id          = module.vpc.vpc_id
@@ -54,7 +54,7 @@ resource "aws_key_pair" "hcp_ec2" {
   count = var.ssh ? 1 : 0
 
   public_key = tls_private_key.ssh.public_key_openssh
-  key_name   = "hcp-ec2-key"
+  key_name   = "hcp-ec2-key-${var.cluster_id}"
 }
 
 resource "local_file" "ssh_key" {
@@ -67,14 +67,14 @@ resource "local_file" "ssh_key" {
 
 module "aws_ec2_consul_client" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-ec2-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   allowed_http_cidr_blocks = ["0.0.0.0/0"]
   allowed_ssh_cidr_blocks  = ["0.0.0.0/0"]
   client_ca_file           = hcp_consul_cluster.main.consul_ca_file
   client_config_file       = hcp_consul_cluster.main.consul_config_file
   consul_version           = hcp_consul_cluster.main.consul_version
-  igw_id                   = module.vpc.igw_id
+  nat_public_ips           = module.vpc.nat_public_ips
   install_demo_app         = var.install_demo_app
   root_token               = hcp_consul_cluster_root_token.token.secret_id
   security_group_id        = module.aws_hcp_consul.security_group_id

diff --git a/examples/hcp-ecs-demo/main.tf b/examples/hcp-ecs-demo/main.tf
@@ -28,7 +28,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn             = hcp_hvn.main
   vpc_id          = module.vpc.vpc_id
@@ -49,7 +49,7 @@ resource "hcp_consul_cluster_root_token" "token" {
 
 module "aws_ecs_cluster" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-ecs-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   allowed_http_cidr_blocks = ["0.0.0.0/0"]
   allowed_ssh_cidr_blocks  = ["0.0.0.0/0"]
@@ -60,7 +60,7 @@ module "aws_ecs_cluster" {
   consul_url               = hcp_consul_cluster.main.consul_private_endpoint_url
   consul_version           = substr(hcp_consul_cluster.main.consul_version, 1, -1)
   datacenter               = hcp_consul_cluster.main.datacenter
-  igw_id                   = module.vpc.igw_id
+  nat_public_ips           = module.vpc.nat_public_ips
   private_subnet_ids       = module.vpc.private_subnets
   public_subnet_ids        = module.vpc.public_subnets
   region                   = var.vpc_region

diff --git a/examples/hcp-eks-demo/main.tf b/examples/hcp-eks-demo/main.tf
@@ -63,7 +63,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn                = hcp_hvn.main
   vpc_id             = module.vpc.vpc_id
@@ -85,7 +85,7 @@ resource "hcp_consul_cluster_root_token" "token" {
 
 module "eks_consul_client" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-eks-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   boostrap_acl_token    = hcp_consul_cluster_root_token.token.secret_id
   cluster_id            = hcp_consul_cluster.main.cluster_id
@@ -105,7 +105,7 @@ module "eks_consul_client" {
 module "demo_app" {
   count   = var.install_demo_app ? 1 : 0
   source  = "hashicorp/hcp-consul/aws//modules/k8s-demo-app"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   depends_on = [module.eks_consul_client]
 }
diff --git a/hcp-ui-templates/ec2-existing-vpc/main.tf b/hcp-ui-templates/ec2-existing-vpc/main.tf
@@ -45,7 +45,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn             = hcp_hvn.main
   vpc_id          = local.vpc_id
@@ -73,7 +73,7 @@ resource "aws_key_pair" "hcp_ec2" {
   count = local.ssh ? 1 : 0
 
   public_key = tls_private_key.ssh.public_key_openssh
-  key_name   = "hcp-ec2-key"
+  key_name   = "hcp-ec2-key-${local.cluster_id}"
 }
 
 resource "local_file" "ssh_key" {
@@ -86,14 +86,14 @@ resource "local_file" "ssh_key" {
 
 module "aws_ec2_consul_client" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-ec2-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   allowed_http_cidr_blocks = ["0.0.0.0/0"]
   allowed_ssh_cidr_blocks  = ["0.0.0.0/0"]
   client_ca_file           = hcp_consul_cluster.main.consul_ca_file
   client_config_file       = hcp_consul_cluster.main.consul_config_file
   consul_version           = hcp_consul_cluster.main.consul_version
-  igw_id                   = module.vpc.igw_id
+  nat_public_ips           = module.vpc.nat_public_ips
   install_demo_app         = local.install_demo_app
   root_token               = hcp_consul_cluster_root_token.token.secret_id
   security_group_id        = module.aws_hcp_consul.security_group_id

diff --git a/hcp-ui-templates/ec2/main.tf b/hcp-ui-templates/ec2/main.tf
@@ -60,7 +60,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn             = hcp_hvn.main
   vpc_id          = module.vpc.vpc_id
@@ -88,7 +88,7 @@ resource "aws_key_pair" "hcp_ec2" {
   count = local.ssh ? 1 : 0
 
   public_key = tls_private_key.ssh.public_key_openssh
-  key_name   = "hcp-ec2-key"
+  key_name   = "hcp-ec2-key-${local.cluster_id}"
 }
 
 resource "local_file" "ssh_key" {
@@ -101,14 +101,14 @@ resource "local_file" "ssh_key" {
 
 module "aws_ec2_consul_client" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-ec2-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   allowed_http_cidr_blocks = ["0.0.0.0/0"]
   allowed_ssh_cidr_blocks  = ["0.0.0.0/0"]
   client_ca_file           = hcp_consul_cluster.main.consul_ca_file
   client_config_file       = hcp_consul_cluster.main.consul_config_file
   consul_version           = hcp_consul_cluster.main.consul_version
-  igw_id                   = module.vpc.igw_id
+  nat_public_ips           = module.vpc.nat_public_ips
   install_demo_app         = local.install_demo_app
   root_token               = hcp_consul_cluster_root_token.token.secret_id
   security_group_id        = module.aws_hcp_consul.security_group_id

diff --git a/hcp-ui-templates/ecs-existing-vpc/main.tf b/hcp-ui-templates/ecs-existing-vpc/main.tf
@@ -45,7 +45,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn             = hcp_hvn.main
   vpc_id          = local.vpc_id
@@ -66,7 +66,7 @@ resource "hcp_consul_cluster_root_token" "token" {
 
 module "aws_ecs_cluster" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-ecs-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   allowed_http_cidr_blocks = ["0.0.0.0/0"]
   allowed_ssh_cidr_blocks  = ["0.0.0.0/0"]
@@ -77,7 +77,7 @@ module "aws_ecs_cluster" {
   consul_url               = hcp_consul_cluster.main.consul_private_endpoint_url
   consul_version           = substr(hcp_consul_cluster.main.consul_version, 1, -1)
   datacenter               = hcp_consul_cluster.main.datacenter
-  igw_id                   = module.vpc.igw_id
+  nat_public_ips           = module.vpc.nat_public_ips
   private_subnet_ids       = [local.private_subnet1, local.private_subnet2]
   public_subnet_ids        = [local.public_subnet1, local.public_subnet2]
   region                   = local.vpc_region

diff --git a/hcp-ui-templates/ecs/main.tf b/hcp-ui-templates/ecs/main.tf
@@ -60,7 +60,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn             = hcp_hvn.main
   vpc_id          = module.vpc.vpc_id
@@ -81,7 +81,7 @@ resource "hcp_consul_cluster_root_token" "token" {
 
 module "aws_ecs_cluster" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-ecs-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   allowed_http_cidr_blocks = ["0.0.0.0/0"]
   allowed_ssh_cidr_blocks  = ["0.0.0.0/0"]
@@ -92,7 +92,7 @@ module "aws_ecs_cluster" {
   consul_url               = hcp_consul_cluster.main.consul_private_endpoint_url
   consul_version           = substr(hcp_consul_cluster.main.consul_version, 1, -1)
   datacenter               = hcp_consul_cluster.main.datacenter
-  igw_id                   = module.vpc.igw_id
+  nat_public_ips           = module.vpc.nat_public_ips
   private_subnet_ids       = module.vpc.private_subnets
   public_subnet_ids        = module.vpc.public_subnets
   region                   = local.vpc_region

diff --git a/hcp-ui-templates/eks-existing-vpc/main.tf b/hcp-ui-templates/eks-existing-vpc/main.tf
@@ -109,7 +109,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn                = hcp_hvn.main
   vpc_id             = local.vpc_id
@@ -131,7 +131,7 @@ resource "hcp_consul_cluster_root_token" "token" {
 
 module "eks_consul_client" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-eks-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   boostrap_acl_token    = hcp_consul_cluster_root_token.token.secret_id
   cluster_id            = hcp_consul_cluster.main.cluster_id
@@ -151,7 +151,7 @@ module "eks_consul_client" {
 module "demo_app" {
   count   = local.install_demo_app ? 1 : 0
   source  = "hashicorp/hcp-consul/aws//modules/k8s-demo-app"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   depends_on = [module.eks_consul_client]
 }

diff --git a/hcp-ui-templates/eks/main.tf b/hcp-ui-templates/eks/main.tf
@@ -126,7 +126,7 @@ resource "hcp_hvn" "main" {
 
 module "aws_hcp_consul" {
   source  = "hashicorp/hcp-consul/aws"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   hvn                = hcp_hvn.main
   vpc_id             = module.vpc.vpc_id
@@ -148,7 +148,7 @@ resource "hcp_consul_cluster_root_token" "token" {
 
 module "eks_consul_client" {
   source  = "hashicorp/hcp-consul/aws//modules/hcp-eks-client"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   boostrap_acl_token    = hcp_consul_cluster_root_token.token.secret_id
   cluster_id            = hcp_consul_cluster.main.cluster_id
@@ -168,7 +168,7 @@ module "eks_consul_client" {
 module "demo_app" {
   count   = local.install_demo_app ? 1 : 0
   source  = "hashicorp/hcp-consul/aws//modules/k8s-demo-app"
-  version = "~> 0.8.7"
+  version = "~> 0.8.8"
 
   depends_on = [module.eks_consul_client]
 }

diff --git a/main.tf b/main.tf
@@ -68,7 +68,8 @@ data "aws_subnet" "selected" {
 }
 
 resource "hcp_hvn_route" "peering_route" {
-  count            = length(var.subnet_ids)
+  count = length(var.subnet_ids)
+
   hvn_link         = var.hvn.self_link
   hvn_route_id     = var.subnet_ids[count.index]
   destination_cidr = data.aws_subnet.selected[count.index].cidr_block
@@ -78,15 +79,17 @@ resource "hcp_hvn_route" "peering_route" {
 }
 
 resource "aws_route" "peering" {
-  count                     = length(var.route_table_ids)
+  count = length(var.route_table_ids)
+
   route_table_id            = var.route_table_ids[count.index]
   destination_cidr_block    = var.hvn.cidr_block
   vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer.vpc_peering_connection_id
 }
 
 # If a list of security_group_ids was provided, set rules on those.
 resource "aws_security_group_rule" "hcp_consul_existing_grp" {
-  count             = length(local.hcp_consul_security_groups)
+  count = length(local.hcp_consul_security_groups)
+
   description       = local.hcp_consul_security_groups[count.index].description
   protocol          = local.hcp_consul_security_groups[count.index].protocol
   security_group_id = local.hcp_consul_security_groups[count.index].security_group_id
@@ -98,15 +101,17 @@ resource "aws_security_group_rule" "hcp_consul_existing_grp" {
 
 # If no security_group_ids were provided, create a new security_group.
 resource "aws_security_group" "hcp_consul" {
-  count       = length(var.security_group_ids) == 0 ? 1 : 0
+  count = length(var.security_group_ids) == 0 ? 1 : 0
+
   name_prefix = "hcp_consul"
   description = "HCP Consul security group"
   vpc_id      = data.aws_vpc.selected.id
 }
 
 # If no security_group_ids were provided, use the new security_group.
-resource "aws_security_group_rule" "hcp_consul_new_grp" {
-  count             = length(var.security_group_ids) == 0 ? length(local.ingress_consul_rules) : 0
+resource "aws_security_group_rule" "allow_lan_consul_gossip" {
+  count = length(var.security_group_ids) == 0 ? length(local.ingress_consul_rules) : 0
+
   description       = local.ingress_consul_rules[count.index].description
   protocol          = local.ingress_consul_rules[count.index].protocol
   security_group_id = aws_security_group.hcp_consul[0].id

diff --git a/modules/hcp-ec2-client/intentions.tf b/modules/hcp-ec2-client/intentions.tf
@@ -1,4 +1,6 @@
 resource "consul_config_entry" "service_intentions_deny" {
+  count = var.install_demo_app ? 1 : 0
+
   name = "*"
   kind = "service-intentions"
 
@@ -13,6 +15,8 @@ resource "consul_config_entry" "service_intentions_deny" {
 }
 
 resource "consul_config_entry" "service_intentions_product_api" {
+  count = var.install_demo_app ? 1 : 0
+
   name = "product-api"
   kind = "service-intentions"
 
@@ -28,6 +32,8 @@ resource "consul_config_entry" "service_intentions_product_api" {
   })
 }
 resource "consul_config_entry" "service_intentions_frontend_publicapi" {
+  count = var.install_demo_app ? 1 : 0
+
   name = "public-api"
   kind = "service-intentions"
 
@@ -44,6 +50,8 @@ resource "consul_config_entry" "service_intentions_frontend_publicapi" {
 }
 
 resource "consul_config_entry" "service_intentions_ingress_frontend" {
+  count = var.install_demo_app ? 1 : 0
+
   name = "frontend"
   kind = "service-intentions"
 
@@ -60,6 +68,8 @@ resource "consul_config_entry" "service_intentions_ingress_frontend" {
 }
 
 resource "consul_config_entry" "service_intentions_product_db" {
+  count = var.install_demo_app ? 1 : 0
+
   name = "product-db"
   kind = "service-intentions"
 
@@ -76,6 +86,8 @@ resource "consul_config_entry" "service_intentions_product_db" {
 }
 
 resource "consul_config_entry" "service_intentions_payment_api" {
+  count = var.install_demo_app ? 1 : 0
+
   name = "payment-api"
   kind = "service-intentions"
 

diff --git a/modules/hcp-ec2-client/main.tf b/modules/hcp-ec2-client/main.tf
@@ -90,10 +90,8 @@ resource "aws_iam_instance_profile" "hcp_ec2" {
 
 # Create the Consul and Nomad client
 resource "aws_instance" "host" {
-  count = 1
-
   ami                         = data.aws_ami.ubuntu.id
-  associate_public_ip_address = length(var.igw_id) > 0
+  associate_public_ip_address = true
   iam_instance_profile        = length(aws_iam_instance_profile.hcp_ec2) >= 1 ? aws_iam_instance_profile.hcp_ec2[0].name : null
   instance_type               = "t3.medium"
   key_name                    = var.ssh_keyname
@@ -135,6 +133,7 @@ resource "aws_instance" "host" {
     prevent_destroy       = false
   }
 
+  depends_on = [var.nat_public_ips]
 }
 
 resource "random_id" "id" {