From 70a0580dba632165598aee3f713cff02ab544943 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Mon, 5 Oct 2020 14:47:05 +0000 Subject: [PATCH] Creating a VPC is now the default behavior. --- README.md | 17 ++++----- create_eks_cluster.tf | 6 ++-- create_http_website.tf | 54 +++++++++++++++++++++++------ create_mysql_datasource.tf | 71 ++++++++++++++++++++++++++++---------- create_sdm_roles.tf | 22 ++++++------ create_vpc.tf | 28 +++++++++++++++ create_windows_server.tf | 14 ++++---- variables.tf | 29 ++++++---------- 8 files changed, 162 insertions(+), 79 deletions(-) create mode 100644 create_vpc.tf diff --git a/README.md b/README.md index 64240b2..e6bcca3 100644 --- a/README.md +++ b/README.md @@ -74,19 +74,13 @@ This install option creates only the default resources: sdm gateways, ssh, mysql module "strongdm_onboarding" { source = "strongdm/onboarding/sdm" - # Prefix will be added to resource names prefix = "foo" - # List of existing users to grant resources to - # NOTE: An error will occur if these users are already assigned to a role in strongDM + # Grant yourself access to the resources + # This account should currently be in NO ROLE in the Admin UI. grant_to_existing_users = [ "admin@example.com", ] - - # New accounts to create with access to all resources - admin_users = [ - "admin1@example.com", - ] } ``` @@ -115,10 +109,11 @@ module "strongdm_onboarding" { create_kibana = true # Gateways take approximately 5 min create_strongdm_gateways = true + + # VPC creation takes approximately 5 min + # If set to false the default VPC will be used instead + create_vpc = true - # Leave variables set to null to create resources in default VPC. - vpc_id = null - subnet_ids = null # List of existing users to grant resources to # NOTE: An error will occur if these users are already assigned to a role in strongDM diff --git a/create_eks_cluster.tf b/create_eks_cluster.tf index 31727d3..6a0b66a 100644 --- a/create_eks_cluster.tf +++ b/create_eks_cluster.tf 
@@ -25,7 +25,7 @@ module "eks_cluster" { worker_groups = [ { instance_type = "t3.small" - asg_max_size = 2 + asg_max_size = 1 } ] providers = { @@ -122,7 +122,7 @@ resource "sdm_resource" "k8s_eks_data_eks" { } } resource "sdm_role_grant" "admin_grant_eks" { - count = var.create_eks ? 1 : 0 - role_id = sdm_role.admins.id + count = var.create_eks ? 1 : 0 + role_id = sdm_role.admins.id resource_id = sdm_resource.k8s_eks_data_eks[0].id } \ No newline at end of file diff --git a/create_http_website.tf b/create_http_website.tf index 1eec336..db37450 100644 --- a/create_http_website.tf +++ b/create_http_website.tf @@ -2,7 +2,7 @@ # Create an EC2 instance # ---------------------------------------------------------------------------- # data "aws_ami" "amazon_linux_2" { - count = var.create_http ? 1 : 0 + count = var.create_http || var.create_ssh ? 1 : 0 most_recent = true owners = ["amazon"] filter { 
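Review bot: The `data "aws_ami" "amazon_linux_2"` lookup in the create_http_website.tf hunk keeps `most_recent = true` over the wildcard `amzn2-ami-hvm*`, so once Amazon publishes a newer image a later plan resolves a different AMI and forces replacement of `aws_instance.web_page`, which also changes the `private_ip` the sdm resources in this commit now point at. Because the AMI is resolved at plan time rather than pinned, consider `lifecycle { ignore_changes = [ami] }` on the instance, or a filter on a specific image name, plus a comment above the data source stating which behaviour is intended. The same pattern applies to `data "aws_ami" "ubuntu"` in the create_mysql_datasource.tf hunk, where a replacement also discards the bootstrapped database. The filter block of this data source continues past the end of the hunk.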
@@ -10,12 +10,46 @@ data "aws_ami" "amazon_linux_2" { values = ["amzn2-ami-hvm*"] } } +resource "aws_security_group" "web_page" { + count = var.create_http || var.create_ssh ? 1 : 0 + name_prefix = "${var.prefix}-web-page" + description = "allow inbound from strongDM gateway" + vpc_id = local.vpc_id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = merge({ Name = "${var.prefix}-http" }, local.default_tags, var.tags) +} +resource "aws_security_group_rule" "allow_80" { + count = var.create_http ? 1 : 0 + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "tcp" + source_security_group_id = module.sdm.gateway_security_group_id + security_group_id = aws_security_group.web_page[0].id +} +resource "aws_security_group_rule" "allow_http_ssh" { + count = var.create_ssh ? 1 : 0 + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + source_security_group_id = module.sdm.gateway_security_group_id + security_group_id = aws_security_group.web_page[0].id +} resource "aws_instance" "web_page" { count = var.create_http || var.create_ssh ? 1 : 0 ami = data.aws_ami.amazon_linux_2[0].id instance_type = "t3.micro" - subnet_id = local.subnet_ids[1] + subnet_id = local.subnet_ids[1] + vpc_security_group_ids = [aws_security_group.web_page[0].id] # Configures a simple HTTP web page user_data = <<-EOF @@ -53,7 +87,7 @@ resource "sdm_resource" "web_page" { count = var.create_http ? 1 : 0 http_no_auth { name = "${var.prefix}-http" - url = "http://${aws_instance.web_page[0].private_dns}" + url = "http://${aws_instance.web_page[0].private_ip}" default_path = "/phpinfo.php" healthcheck_path = "/phpinfo.php" subdomain = "simple-web-page" 
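Review bot: The new `aws_security_group.web_page` limits ingress to the strongDM gateway security group, but its `egress` block permits every protocol to `0.0.0.0/0`, and neither `aws_security_group_rule` carries a `description`, so the purpose of each rule is lost in the console and in any later audit. If unrestricted outbound is needed for whatever package installation the user_data performs, state it with a comment such as `# outbound left open for package installation during bootstrap`, and add `description = "HTTP from strongDM gateway"` and `description = "SSH from strongDM gateway"` to the two rules. The `tags` Name is `${var.prefix}-http` while `name_prefix` is `${var.prefix}-web-page`; one name for both avoids confusion now that the group is shared with the SSH-only case. `aws_security_group.mysql` and its two rules in the create_mysql_datasource.tf hunk have the same shape and the same gaps. The `aws_instance.web_page` resource continues past the end of this hunk.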
@@ -62,13 +96,13 @@ resource "sdm_resource" "web_page" { } } resource "sdm_role_grant" "admin_grant_web_page" { - count = var.create_http ? 1 : 0 - role_id = sdm_role.admins.id + count = var.create_http ? 1 : 0 + role_id = sdm_role.admins.id resource_id = sdm_resource.web_page[0].id } resource "sdm_role_grant" "read_only_grant_web_page" { - count = var.create_http ? 1 : 0 - role_id = sdm_role.read_only.id + count = var.create_http ? 1 : 0 + role_id = sdm_role.read_only.id resource_id = sdm_resource.web_page[0].id } # ---------------------------------------------------------------------------- # @@ -80,13 +114,13 @@ resource "sdm_resource" "ssh_ec2" { # dependant on https://github.com/strongdm/issues/issues/1701 name = "${var.prefix}-ssh-amzn2" username = "ec2-user" - hostname = aws_instance.web_page[0].private_dns + hostname = aws_instance.web_page[0].private_ip port = 22 tags = merge({ Name = "${var.prefix}-http" }, local.default_tags, var.tags) } } resource "sdm_role_grant" "admin_grant_ssh_ec2" { - count = var.create_ssh ? 1 : 0 - role_id = sdm_role.admins.id + count = var.create_ssh ? 1 : 0 + role_id = sdm_role.admins.id resource_id = sdm_resource.ssh_ec2[0].id } \ No newline at end of file diff --git a/create_mysql_datasource.tf b/create_mysql_datasource.tf index 93f7618..ae8d7d7 100644 --- a/create_mysql_datasource.tf +++ b/create_mysql_datasource.tf @@ -2,10 +2,10 @@ # Local variables to create mysql database # ---------------------------------------------------------------------------- # locals { - username = "strongdmadmin" - username_ro = "strongdmreadonly" - mysql_pw = "strongdmpassword123!@#" - database = "strongdmdb" + username = "strongdmadmin" + username_ro = "strongdmreadonly" + mysql_pw = "strongdmpassword123!@#" + database = "strongdmdb" mysql_user_data = <<-USERDATA #!/bin/bash 
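Review bot: The realigned `locals` block in the create_mysql_datasource.tf hunk still carries the database credential `mysql_pw = "strongdmpassword123!@#"` as a plaintext literal, and the same value is passed to the `sdm_resource` password attributes later in the file, so it lands in version control, in the Terraform state and presumably in the instance user_data, where anyone able to read the instance attributes can recover it. A `random_password` resource (`resource "random_password" "mysql" { length = 24 }`, referenced as `random_password.mysql.result`) would give each deployment a unique secret without changing the module interface, at the cost of adding the random provider. At minimum a comment on that line should state that this is a demo-only credential to be rotated after onboarding. The `locals` block continues past the hunk with the `mysql_user_data` heredoc.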
@@ -46,22 +46,57 @@ locals { # Create EC2 instance with mysql bootstrap script # ---------------------------------------------------------------------------- # data "aws_ami" "ubuntu" { - count = var.create_mysql ? 1 : 0 + count = var.create_mysql || var.create_ssh ? 1 : 0 most_recent = true - owners = ["099720109477"] # Canonical + owners = ["099720109477"] # Canonical filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] } } +resource "aws_security_group" "mysql" { + count = var.create_mysql || var.create_ssh ? 1 : 0 + name_prefix = "${var.prefix}-mysql" + description = "allow inbound from strongDM gateway" + vpc_id = local.vpc_id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = merge({ Name = "${var.prefix}-mysql" }, local.default_tags, var.tags) +} +resource "aws_security_group_rule" "allow_mysql" { + count = var.create_mysql ? 1 : 0 + type = "ingress" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + source_security_group_id = module.sdm.gateway_security_group_id + security_group_id = aws_security_group.mysql[0].id +} +resource "aws_security_group_rule" "allow_mysql_ssh" { + count = var.create_ssh ? 1 : 0 + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + source_security_group_id = module.sdm.gateway_security_group_id + security_group_id = aws_security_group.mysql[0].id +} resource "aws_instance" "mysql" { count = var.create_mysql || var.create_ssh ? 1 : 0 ami = data.aws_ami.ubuntu[0].id instance_type = "t3.small" + vpc_security_group_ids = [aws_security_group.mysql[0].id] + subnet_id = local.subnet_ids[0] - + user_data = local.mysql_user_data tags = merge({ Name = "${var.prefix}-mysql" }, local.default_tags, var.tags) 
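Review bot: `aws_instance.mysql` is now created whenever `var.create_mysql || var.create_ssh` is true, but the context line `user_data = local.mysql_user_data` is unconditional, so an SSH-only deployment (`create_ssh = true`, `create_mysql = false`) still bootstraps a MySQL server with the credential from `locals`, and only the absence of `aws_security_group_rule.allow_mysql` keeps the gateway away from port 3306. Gating the bootstrap with `user_data = var.create_mysql ? local.mysql_user_data : null` keeps the SSH host from running a database nobody asked for; note that changing user_data replaces the instance. A comment on the `count` line explaining why one instance serves both features would help the next reader. The instance block continues past the end of this hunk.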
@@ -74,7 +109,7 @@ resource "sdm_resource" "mysql_admin" { count = var.create_mysql ? 1 : 0 mysql { name = "${var.prefix}-mysql-admin" - hostname = aws_instance.mysql[0].private_dns + hostname = aws_instance.mysql[0].private_ip database = local.database username = local.username password = local.mysql_pw @@ -84,15 +119,15 @@ resource "sdm_resource" "mysql_admin" { } } resource "sdm_role_grant" "admin_grant_mysql_admin" { - count = var.create_mysql ? 1 : 0 - role_id = sdm_role.admins.id + count = var.create_mysql ? 1 : 0 + role_id = sdm_role.admins.id resource_id = sdm_resource.mysql_admin[0].id } resource "sdm_resource" "mysql_ro" { count = var.create_mysql ? 1 : 0 mysql { name = "${var.prefix}-mysql-read-only" - hostname = aws_instance.mysql[0].private_dns + hostname = aws_instance.mysql[0].private_ip database = local.database username = local.username_ro password = local.mysql_pw @@ -102,8 +137,8 @@ resource "sdm_resource" "mysql_ro" { } } resource "sdm_role_grant" "read_only_grant_mysql_ro" { - count = var.create_mysql ? 1 : 0 - role_id = sdm_role.read_only.id + count = var.create_mysql ? 1 : 0 + role_id = sdm_role.read_only.id resource_id = sdm_resource.mysql_ro[0].id } # ---------------------------------------------------------------------------- # @@ -115,13 +150,13 @@ resource "sdm_resource" "mysql_ssh" { # dependant on https://github.com/strongdm/issues/issues/1701 name = "${var.prefix}-ssh-ubuntu" username = "ubuntu" - hostname = aws_instance.mysql[0].private_dns + hostname = aws_instance.mysql[0].private_ip port = 22 tags = merge({ Name = "${var.prefix}-mysql-ssh" }, local.default_tags, var.tags) } } resource "sdm_role_grant" "admin_grant_mysql_ssh" { - count = var.create_ssh ? 1 : 0 - role_id = sdm_role.admins.id + count = var.create_ssh ? 1 : 0 + role_id = sdm_role.admins.id resource_id = sdm_resource.mysql_ssh[0].id } \ No newline at end of file diff --git a/create_sdm_roles.tf b/create_sdm_roles.tf index 6afe1c0..9662059 100644 
--- a/create_sdm_roles.tf +++ b/create_sdm_roles.tf @@ -8,27 +8,27 @@ resource "sdm_account" "admin_users" { count = length(var.admin_users) user { first_name = split("@", var.admin_users[count.index])[0] - last_name = split("@", var.admin_users[count.index])[0] - email = var.admin_users[count.index] + last_name = "Onboarding" + email = var.admin_users[count.index] } } resource "sdm_account_attachment" "admin_attachment" { - count = length(var.admin_users) + count = length(var.admin_users) account_id = sdm_account.admin_users[count.index].id - role_id = sdm_role.admins.id + role_id = sdm_role.admins.id } # ---------------------------------------------------------------------------- # # Add existing users to admin role # ---------------------------------------------------------------------------- # data "sdm_account" "existing_users" { count = length(var.grant_to_existing_users) - type = "user" + type = "user" email = var.grant_to_existing_users[count.index] } resource "sdm_account_attachment" "existing_users" { - count = length(var.grant_to_existing_users) + count = length(var.grant_to_existing_users) account_id = element(data.sdm_account.existing_users[count.index].ids, 0) - role_id = sdm_role.admins.id + role_id = sdm_role.admins.id } # ---------------------------------------------------------------------------- # @@ -41,12 +41,12 @@ resource "sdm_account" "read_only_users" { count = length(var.read_only_users) user { first_name = split("@", var.read_only_users[count.index])[0] - last_name = split("@", var.read_only_users[count.index])[0] - email = var.read_only_users[count.index] + last_name = split("@", var.read_only_users[count.index])[0] + email = var.read_only_users[count.index] } } resource "sdm_account_attachment" "read_only_attachment" { - count = length(var.read_only_users) + count = length(var.read_only_users) account_id = sdm_account.read_only_users[count.index].id - role_id = sdm_role.read_only.id + role_id = sdm_role.read_only.id } 
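Review bot: The first hunk sets `last_name = "Onboarding"` for `sdm_account.admin_users`, while the second hunk re-emits `sdm_account.read_only_users` with `last_name = split("@", var.read_only_users[count.index])[0]`, so admin and read-only accounts created by the same module follow different naming conventions in the strongDM Admin UI. Either apply `last_name = "Onboarding"` to the read-only block as well or keep the email-derived value in both, and add a comment above the `user` block stating the convention. Separately, `element(data.sdm_account.existing_users[count.index].ids, 0)` fails with a generic empty-list error when an address in `grant_to_existing_users` matches no account, which the README note about users already in a role does not cover; a comment on that line naming the failure mode would save debugging time.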
diff --git a/create_vpc.tf b/create_vpc.tf new file mode 100644 index 0000000..76956e4 --- /dev/null +++ b/create_vpc.tf @@ -0,0 +1,28 @@ + +data "aws_availability_zones" "available" { + state = "available" +} +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + + create_vpc = var.create_vpc + + name = "${var.prefix}-vpc" + cidr = "10.0.0.0/16" + + + + azs = [ + data.aws_availability_zones.available.names[0], + data.aws_availability_zones.available.names[1], + data.aws_availability_zones.available.names[2], + ] + private_subnets = ["10.0.100.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + tags = merge( + { Name = "${var.prefix}-vpc" }, + local.default_tags, + var.tags, + ) +} diff --git a/create_windows_server.tf b/create_windows_server.tf index a4d9d8f..42911a9 100644 --- a/create_windows_server.tf +++ b/create_windows_server.tf @@ -17,15 +17,15 @@ resource "aws_key_pair" "windows_key" { # ---------------------------------------------------------------------------- # resource "aws_security_group" "windows_server" { count = var.create_rdp ? 1 : 0 - name = "${var.prefix}-terraform-security-group" + name_prefix = "${var.prefix}-windows-server" description = "allows 3389" vpc_id = local.vpc_id ingress { - from_port = 3389 - to_port = 3389 - protocol = "tcp" - cidr_blocks = [local.vpc_cidr_block] + from_port = 3389 + to_port = 3389 + protocol = "tcp" + security_groups = [module.sdm.gateway_security_group_id] } egress { from_port = 0 @@ -76,7 +76,7 @@ resource "sdm_resource" "windows_server" { } } resource "sdm_role_grant" "admin_grant_windows_server" { - count = var.create_rdp ? 1 : 0 - role_id = sdm_role.admins.id + count = var.create_rdp ? 1 : 0 + role_id = sdm_role.admins.id resource_id = sdm_resource.windows_server[0].id } diff --git a/variables.tf b/variables.tf index 9cd43ed..ab2951a 100644 --- a/variables.tf +++ b/variables.tf 
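Review bot: `module "vpc"` pulls `terraform-aws-modules/vpc/aws` from the registry with no `version` constraint, so each `terraform init` on a fresh checkout resolves the latest release, and a new major version can silently change subnet or DNS defaults under this module; add `version = "<tested-version>"` next to `source` (placeholder, the tested version is not on the page). The block declares `private_subnets = ["10.0.100.0/24"]`, yet `locals.subnet_ids` in the variables.tf hunk only ever reads `module.vpc.public_subnets`, so the MySQL, web and Windows instances all land in public subnets and, if the module's default of mapping public IPs on launch applies, each gets a public address even though ingress is limited to the gateway security group; either drop the unused private subnet or place the database and SSH hosts in it. `azs` indexes `names[0]` through `names[2]` unconditionally, which errors in a region with fewer than three available zones; `slice(data.aws_availability_zones.available.names, 0, min(3, length(data.aws_availability_zones.available.names)))` is safer. Hedged: the switch from `private_dns` to `private_ip` elsewhere in this commit suggests `enable_dns_hostnames` was not enabled on the new VPC, and setting it here would be the alternative fix.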
@@ -43,15 +43,10 @@ variable create_strongdm_gateways { default = true description = "Set to true to create a pair of strongDM gateways" } -variable vpc_id { - type = string - default = null - description = "Specify a VPC, or leave blank to use the default VPC." -} -variable subnet_ids { - type = list(string) - default = null - description = "Required when using vpc_id: Specify at least 2 subnets in a list." +variable create_vpc { + type = bool + default = true + description = "Set to true to create a VPC to container the resources in this module" } variable grant_to_existing_users { type = list(string) 
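Review bot: The new `variable create_vpc` description reads "to container the resources", which should be `description = "Set to true to create a VPC to contain the resources in this module"`. Removing `vpc_id` and `subnet_ids` also means a caller that still sets either of them gets an unsupported-argument error at plan time; a sentence in the description, or a deprecation line in the README, pointing such users at `create_vpc = false` would ease the upgrade. The variable declarations touched here are complete within the hunk.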
@@ -69,24 +64,20 @@ variable read_only_users { description = "A list of email addresses that will receive read only access." } # ---------------------------------------------------------------------------- # -# These data-sources gather the necessary VPC information if a VPC ID is not provided +# These data-sources gather the necessary VPC information if create VPC is not specified # ---------------------------------------------------------------------------- # data "aws_vpc" "default" { - count = (var.vpc_id == null) && (var.subnet_ids == null) ? 1 : 0 + count = var.create_vpc ? 0 : 1 default = true } -data "aws_vpc" "selected" { - count = (var.vpc_id != null) && (var.subnet_ids != null) ? 1 : 0 - id = var.vpc_id -} data "aws_subnet_ids" "subnets" { - count = (var.vpc_id == null) && (var.subnet_ids == null) ? 1 : 0 + count = var.create_vpc ? 0 : 1 vpc_id = data.aws_vpc.default[0].id } locals { - vpc_id = var.vpc_id != null ? var.vpc_id : data.aws_vpc.default[0].id - vpc_cidr_block = var.vpc_id != null ? data.aws_vpc.selected[0].cidr_block : data.aws_vpc.default[0].cidr_block - subnet_ids = var.subnet_ids != null ? var.subnet_ids : sort(data.aws_subnet_ids.subnets[0].ids) + vpc_id = var.create_vpc ? module.vpc.vpc_id : data.aws_vpc.default[0].id + vpc_cidr_block = var.create_vpc ? module.vpc.vpc_cidr_block : data.aws_vpc.default[0].cidr_block + subnet_ids = var.create_vpc ? module.vpc.public_subnets : sort(data.aws_subnet_ids.subnets[0].ids) default_tags = { CreatedBy = "strongDM-Onboarding" } } # ---------------------------------------------------------------------------- #
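Review bot: The new-side comment `# These data-sources gather the necessary VPC information if create VPC is not specified` no longer matches the condition beneath it (`count = var.create_vpc ? 0 : 1`); `# These data-sources look up the default VPC and its subnets when create_vpc is false` says what the code does. When `create_vpc = false`, `data "aws_vpc" "default"` with `default = true` assumes the account still has its default VPC, which hardened accounts often delete, and the failure then surfaces as a data-source lookup error rather than a clear message, so a warning comment on that block is worth adding. `subnet_ids` applies `sort(...)` only on the default-VPC branch while the module branch keeps declaration order, so which subnet `[0]` and `[1]` select differs between the two modes; a comment stating that the ordering is not stable across modes would help readers of the instance blocks.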