-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathmain.tf
107 lines (90 loc) · 3.86 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# provider block required with Schematics to set VPC region
terraform {
required_version = "> 1.0"
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "~> 1.26"
}
}
}
provider "ibm" {
region = var.ibm_region
}
data "ibm_resource_group" "all_rg" {
name = var.resource_group_name
}
locals {
generation = 2
frontend_count = 1
}
##################################################################################################
# Select CIDRs allowed to access bastion host
# When running under Schematics allowed ingress CIDRs are set to only allow access from Schematics
# for use with Remote-exec and Redhat Ansible
# When running under Terraform local execution ingress is set to 0.0.0.0/0
# Access CIDRs are overridden if user_bastion_ingress_cidr is set to anything other than "0.0.0.0/0"
##################################################################################################
data "external" "env" { program = ["jq", "-n", "env"] }
locals {
region = lookup(data.external.env.result, "TF_VAR_SCHEMATICSLOCATION", "")
geo = substr(local.region, 0, 2)
schematics_ssh_access_map = {
us = ["169.44.0.0/14", "169.60.0.0/14", "150.238.230.128/27"],
eu = ["158.175.0.0/16", "158.176.0.0/15", "141.125.75.80/28", "161.156.139.192/28", "149.81.103.128/28", "159.122.111.224/27"],
}
schematics_ssh_access = lookup(local.schematics_ssh_access_map, local.geo, ["0.0.0.0/0"])
bastion_ingress_cidr = var.ssh_source_cidr_override[0] != "0.0.0.0/0" ? var.ssh_source_cidr_override : local.schematics_ssh_access
}
module "vpc" {
source = "./vpc"
ibm_region = var.ibm_region
resource_group_name = var.resource_group_name
generation = local.generation
unique_id = var.vpc_name
frontend_count = local.frontend_count
frontend_cidr_blocks = local.frontend_cidr_blocks
}
locals {
# bastion_cidr_blocks = [cidrsubnet(var.bastion_cidr, 4, 0), cidrsubnet(var.bastion_cidr, 4, 2), cidrsubnet(var.bastion_cidr, 4, 4)]
frontend_cidr_blocks = [cidrsubnet(var.frontend_cidr, 4, 0), cidrsubnet(var.frontend_cidr, 4, 2), cidrsubnet(var.frontend_cidr, 4, 4)]
}
# Create single zone bastion
module "bastion" {
source = "./bastionmodule"
ibm_region = var.ibm_region
bastion_count = 1
unique_id = var.vpc_name
ibm_is_vpc_id = module.vpc.vpc_id
ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
bastion_cidr = var.bastion_cidr
ssh_source_cidr_blocks = local.bastion_ingress_cidr
destination_cidr_blocks = [var.frontend_cidr]
destination_sgs = [module.frontend.security_group_id]
# destination_sg = [module.frontend.security_group_id, module.backend.security_group_id]
# vsi_profile = "cx2-2x4"
# image_name = "ibm-centos-7-6-minimal-amd64-1"
ssh_key_id = data.ibm_is_ssh_key.sshkey.id
}
module "frontend" {
source = "./frontendmodule"
ibm_region = var.ibm_region
unique_id = var.vpc_name
ibm_is_vpc_id = module.vpc.vpc_id
ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
frontend_count = local.frontend_count
profile = var.profile
ibm_is_image_id = data.ibm_is_image.os.id
ibm_is_ssh_key_id = data.ibm_is_ssh_key.sshkey.id
subnet_ids = module.vpc.frontend_subnet_ids
bastion_remote_sg_id = module.bastion.security_group_id
bastion_subnet_CIDR = var.bastion_cidr
pub_repo_egress_cidr = local.pub_repo_egress_cidr
}
module "accesscheck" {
source = "./accesscheck"
ssh_accesscheck = var.ssh_accesscheck
ssh_private_key = var.ssh_private_key
bastion_host = module.bastion.bastion_ip_addresses[0]
target_hosts = module.frontend.primary_ipv4_address
}