Creating a VPC is now the default behavior.

strongdm · Oct 5, 2020 · 70a0580 · 70a0580
1 parent e005f65
commit 70a0580
Show file tree

Hide file tree

Showing 8 changed files with 162 additions and 79 deletions.
diff --git a/README.md b/README.md
@@ -74,19 +74,13 @@ This install option creates only the default resources: sdm gateways, ssh, mysql
 module "strongdm_onboarding" {
   source = "strongdm/onboarding/sdm"
 
-  # Prefix will be added to resource names
   prefix = "foo"
 
-  # List of existing users to grant resources to
-  # NOTE: An error will occur if these users are already assigned to a role in strongDM
+  # Grant yourself access to the resources
+  # This account should currently be in NO ROLE in the Admin UI.
   grant_to_existing_users = [
     "[email protected]",
   ]
-
-  # New accounts to create with access to all resources
-  admin_users = [
-    "[email protected]",
-  ]
 }
 ```
 
@@ -115,10 +109,11 @@ module "strongdm_onboarding" {
   create_kibana            = true
   # Gateways take approximately 5 min
   create_strongdm_gateways = true
+  
+  # VPC creation takes approximately 5 min
+  # If set to false the default VPC will be used instead
+  create_vpc = true
 
-  # Leave variables set to null to create resources in default VPC.
-  vpc_id     = null
-  subnet_ids = null
 
   # List of existing users to grant resources to
   # NOTE: An error will occur if these users are already assigned to a role in strongDM

diff --git a/create_eks_cluster.tf b/create_eks_cluster.tf
@@ -25,7 +25,7 @@ module "eks_cluster" {
   worker_groups = [
     {
       instance_type = "t3.small"
-      asg_max_size  = 2
+      asg_max_size  = 1
     }
   ]
   providers = {
@@ -122,7 +122,7 @@ resource "sdm_resource" "k8s_eks_data_eks" {
   }
 }
 resource "sdm_role_grant" "admin_grant_eks" {
-  count = var.create_eks ? 1 : 0
-  role_id = sdm_role.admins.id
+  count       = var.create_eks ? 1 : 0
+  role_id     = sdm_role.admins.id
   resource_id = sdm_resource.k8s_eks_data_eks[0].id
 }
diff --git a/create_http_website.tf b/create_http_website.tf
@@ -2,20 +2,54 @@
 # Create an EC2 instance
 # ---------------------------------------------------------------------------- #
 data "aws_ami" "amazon_linux_2" {
-  count       = var.create_http ? 1 : 0
+  count       = var.create_http || var.create_ssh ? 1 : 0
   most_recent = true
   owners      = ["amazon"]
   filter {
     name   = "name"
     values = ["amzn2-ami-hvm*"]
   }
 }
+resource "aws_security_group" "web_page" {
+  count       = var.create_http || var.create_ssh ? 1 : 0
+  name_prefix = "${var.prefix}-web-page"
+  description = "allow inbound from strongDM gateway"
+  vpc_id      = local.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge({ Name = "${var.prefix}-http" }, local.default_tags, var.tags)
+}
+resource "aws_security_group_rule" "allow_80" {
+  count                    = var.create_http ? 1 : 0
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  source_security_group_id = module.sdm.gateway_security_group_id
+  security_group_id        = aws_security_group.web_page[0].id
+}
+resource "aws_security_group_rule" "allow_http_ssh" {
+  count                    = var.create_ssh ? 1 : 0
+  type                     = "ingress"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+  source_security_group_id = module.sdm.gateway_security_group_id
+  security_group_id        = aws_security_group.web_page[0].id
+}
 resource "aws_instance" "web_page" {
   count         = var.create_http || var.create_ssh ? 1 : 0
   ami           = data.aws_ami.amazon_linux_2[0].id
   instance_type = "t3.micro"
 
-  subnet_id = local.subnet_ids[1]
+  subnet_id              = local.subnet_ids[1]
+  vpc_security_group_ids = [aws_security_group.web_page[0].id]
 
   # Configures a simple HTTP web page 
   user_data = <<-EOF
@@ -53,7 +87,7 @@ resource "sdm_resource" "web_page" {
   count = var.create_http ? 1 : 0
   http_no_auth {
     name             = "${var.prefix}-http"
-    url              = "http://${aws_instance.web_page[0].private_dns}"
+    url              = "http://${aws_instance.web_page[0].private_ip}"
     default_path     = "/phpinfo.php"
     healthcheck_path = "/phpinfo.php"
     subdomain        = "simple-web-page"
@@ -62,13 +96,13 @@ resource "sdm_resource" "web_page" {
   }
 }
 resource "sdm_role_grant" "admin_grant_web_page" {
-  count = var.create_http ? 1 : 0
-  role_id = sdm_role.admins.id
+  count       = var.create_http ? 1 : 0
+  role_id     = sdm_role.admins.id
   resource_id = sdm_resource.web_page[0].id
 }
 resource "sdm_role_grant" "read_only_grant_web_page" {
-  count = var.create_http ? 1 : 0
-  role_id = sdm_role.read_only.id
+  count       = var.create_http ? 1 : 0
+  role_id     = sdm_role.read_only.id
   resource_id = sdm_resource.web_page[0].id
 }
 # ---------------------------------------------------------------------------- #
@@ -80,13 +114,13 @@ resource "sdm_resource" "ssh_ec2" {
     # dependant on https://github.com/strongdm/issues/issues/1701
     name     = "${var.prefix}-ssh-amzn2"
     username = "ec2-user"
-    hostname = aws_instance.web_page[0].private_dns
+    hostname = aws_instance.web_page[0].private_ip
     port     = 22
     tags     = merge({ Name = "${var.prefix}-http" }, local.default_tags, var.tags)
   }
 }
 resource "sdm_role_grant" "admin_grant_ssh_ec2" {
-  count = var.create_ssh ? 1 : 0
-  role_id = sdm_role.admins.id
+  count       = var.create_ssh ? 1 : 0
+  role_id     = sdm_role.admins.id
   resource_id = sdm_resource.ssh_ec2[0].id
 }
diff --git a/create_mysql_datasource.tf b/create_mysql_datasource.tf
@@ -2,10 +2,10 @@
 # Local variables to create mysql database
 # ---------------------------------------------------------------------------- #
 locals {
-  username    = "strongdmadmin"
-  username_ro = "strongdmreadonly"
-  mysql_pw    = "strongdmpassword123!@#"
-  database    = "strongdmdb"
+  username        = "strongdmadmin"
+  username_ro     = "strongdmreadonly"
+  mysql_pw        = "strongdmpassword123!@#"
+  database        = "strongdmdb"
   mysql_user_data = <<-USERDATA
   #!/bin/bash
 
@@ -46,22 +46,57 @@ locals {
 # Create EC2 instance with mysql bootstrap script
 # ---------------------------------------------------------------------------- #
 data "aws_ami" "ubuntu" {
-  count         = var.create_mysql ? 1 : 0
+  count       = var.create_mysql || var.create_ssh ? 1 : 0
   most_recent = true
-  owners = ["099720109477"] # Canonical
+  owners      = ["099720109477"] # Canonical
 
   filter {
-      name   = "name"
-      values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
   }
 }
+resource "aws_security_group" "mysql" {
+  count       = var.create_mysql || var.create_ssh ? 1 : 0
+  name_prefix = "${var.prefix}-mysql"
+  description = "allow inbound from strongDM gateway"
+  vpc_id      = local.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge({ Name = "${var.prefix}-mysql" }, local.default_tags, var.tags)
+}
+resource "aws_security_group_rule" "allow_mysql" {
+  count                    = var.create_mysql ? 1 : 0
+  type                     = "ingress"
+  from_port                = 3306
+  to_port                  = 3306
+  protocol                 = "tcp"
+  source_security_group_id = module.sdm.gateway_security_group_id
+  security_group_id        = aws_security_group.mysql[0].id
+}
+resource "aws_security_group_rule" "allow_mysql_ssh" {
+  count                    = var.create_ssh ? 1 : 0
+  type                     = "ingress"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+  source_security_group_id = module.sdm.gateway_security_group_id
+  security_group_id        = aws_security_group.mysql[0].id
+}
 resource "aws_instance" "mysql" {
   count         = var.create_mysql || var.create_ssh ? 1 : 0
   ami           = data.aws_ami.ubuntu[0].id
   instance_type = "t3.small"
 
+  vpc_security_group_ids = [aws_security_group.mysql[0].id]
+
   subnet_id = local.subnet_ids[0]
-  
+
   user_data = local.mysql_user_data
 
   tags = merge({ Name = "${var.prefix}-mysql" }, local.default_tags, var.tags)
@@ -74,7 +109,7 @@ resource "sdm_resource" "mysql_admin" {
   count = var.create_mysql ? 1 : 0
   mysql {
     name     = "${var.prefix}-mysql-admin"
-    hostname = aws_instance.mysql[0].private_dns
+    hostname = aws_instance.mysql[0].private_ip
     database = local.database
     username = local.username
     password = local.mysql_pw
@@ -84,15 +119,15 @@ resource "sdm_resource" "mysql_admin" {
   }
 }
 resource "sdm_role_grant" "admin_grant_mysql_admin" {
-  count = var.create_mysql ? 1 : 0
-  role_id = sdm_role.admins.id
+  count       = var.create_mysql ? 1 : 0
+  role_id     = sdm_role.admins.id
   resource_id = sdm_resource.mysql_admin[0].id
 }
 resource "sdm_resource" "mysql_ro" {
   count = var.create_mysql ? 1 : 0
   mysql {
     name     = "${var.prefix}-mysql-read-only"
-    hostname = aws_instance.mysql[0].private_dns
+    hostname = aws_instance.mysql[0].private_ip
     database = local.database
     username = local.username_ro
     password = local.mysql_pw
@@ -102,8 +137,8 @@ resource "sdm_resource" "mysql_ro" {
   }
 }
 resource "sdm_role_grant" "read_only_grant_mysql_ro" {
-  count = var.create_mysql ? 1 : 0
-  role_id = sdm_role.read_only.id
+  count       = var.create_mysql ? 1 : 0
+  role_id     = sdm_role.read_only.id
   resource_id = sdm_resource.mysql_ro[0].id
 }
 # ---------------------------------------------------------------------------- #
@@ -115,13 +150,13 @@ resource "sdm_resource" "mysql_ssh" {
     # dependant on https://github.com/strongdm/issues/issues/1701
     name     = "${var.prefix}-ssh-ubuntu"
     username = "ubuntu"
-    hostname = aws_instance.mysql[0].private_dns
+    hostname = aws_instance.mysql[0].private_ip
     port     = 22
     tags     = merge({ Name = "${var.prefix}-mysql-ssh" }, local.default_tags, var.tags)
   }
 }
 resource "sdm_role_grant" "admin_grant_mysql_ssh" {
-  count = var.create_ssh ? 1 : 0
-  role_id = sdm_role.admins.id
+  count       = var.create_ssh ? 1 : 0
+  role_id     = sdm_role.admins.id
   resource_id = sdm_resource.mysql_ssh[0].id
 }
diff --git a/create_sdm_roles.tf b/create_sdm_roles.tf
@@ -8,27 +8,27 @@ resource "sdm_account" "admin_users" {
   count = length(var.admin_users)
   user {
     first_name = split("@", var.admin_users[count.index])[0]
-    last_name = split("@", var.admin_users[count.index])[0]
-    email = var.admin_users[count.index]
+    last_name  = "Onboarding"
+    email      = var.admin_users[count.index]
   }
 }
 resource "sdm_account_attachment" "admin_attachment" {
-  count = length(var.admin_users)
+  count      = length(var.admin_users)
   account_id = sdm_account.admin_users[count.index].id
-  role_id = sdm_role.admins.id
+  role_id    = sdm_role.admins.id
 }
 # ---------------------------------------------------------------------------- #
 # Add existing users to admin role
 # ---------------------------------------------------------------------------- #
 data "sdm_account" "existing_users" {
   count = length(var.grant_to_existing_users)
-  type = "user"
+  type  = "user"
   email = var.grant_to_existing_users[count.index]
 }
 resource "sdm_account_attachment" "existing_users" {
-  count = length(var.grant_to_existing_users)
+  count      = length(var.grant_to_existing_users)
   account_id = element(data.sdm_account.existing_users[count.index].ids, 0)
-  role_id = sdm_role.admins.id
+  role_id    = sdm_role.admins.id
 }
 
 # ---------------------------------------------------------------------------- #
@@ -41,12 +41,12 @@ resource "sdm_account" "read_only_users" {
   count = length(var.read_only_users)
   user {
     first_name = split("@", var.read_only_users[count.index])[0]
-    last_name = split("@", var.read_only_users[count.index])[0]
-    email = var.read_only_users[count.index]
+    last_name  = split("@", var.read_only_users[count.index])[0]
+    email      = var.read_only_users[count.index]
   }
 }
 resource "sdm_account_attachment" "read_only_attachment" {
-  count = length(var.read_only_users) 
+  count      = length(var.read_only_users)
   account_id = sdm_account.read_only_users[count.index].id
-  role_id = sdm_role.read_only.id
+  role_id    = sdm_role.read_only.id
 }
diff --git a/create_vpc.tf b/create_vpc.tf
@@ -0,0 +1,28 @@
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  create_vpc = var.create_vpc
+
+  name = "${var.prefix}-vpc"
+  cidr = "10.0.0.0/16"
+
+
+
+  azs = [
+    data.aws_availability_zones.available.names[0],
+    data.aws_availability_zones.available.names[1],
+    data.aws_availability_zones.available.names[2],
+  ]
+  private_subnets = ["10.0.100.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  tags = merge(
+    { Name = "${var.prefix}-vpc" },
+    local.default_tags,
+    var.tags,
+  )
+}