diff --git a/infrastructure-provisioning/terraform/aws/main/main.tf b/infrastructure-provisioning/terraform/aws/main/main.tf
index 43613d3ae2..11eea405b4 100644
--- a/infrastructure-provisioning/terraform/aws/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/main/main.tf
@@ -124,3 +124,20 @@ module "ami" {
 project_tag = "${var.project_tag}"
 notebook_name = "${var.notebook_name}"
 }
+
+module "endpoint" {
+ source = "../modules/endpoint"
+ service_base_name = var.service_base_name
+ region = var.region
+ zone = var.zone
+ product = var.product_name
+ subnet_cidr = var.subnet_cidr
+ endpoint_instance_shape = var.endpoint_instance_shape
+ key_name = var.key_name
+ ami = var.ami
+ vpc_id = var.vpc_id
+ subnet_id = var.subnet_id
+ network_type = var.network_type
+ vpc_cidr = var.vpc_cidr
+ endpoint_volume_size = var.endpoint_volume_size
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/main/variables.tf b/infrastructure-provisioning/terraform/aws/main/variables.tf
index d8b72c3c22..0a9cb5466b 100644
--- a/infrastructure-provisioning/terraform/aws/main/variables.tf
+++ b/infrastructure-provisioning/terraform/aws/main/variables.tf
@@ -157,4 +157,16 @@ variable "bid_price" {
 
 variable "source_instance_id" {
 default = ""
-}
\ No newline at end of file
+}
+
+variable "endpoint_instance_shape" {
+ default = "t2.medium"
+}
+
+variable "network_type" {
+ default = "public"
+}
+
+variable "endpoint_volume_size" {
+ default = "30"
+}
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/README.md b/infrastructure-provisioning/terraform/aws/modules/endpoint/README.md
new file mode 100644
index 0000000000..a661513213
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/README.md
@@ -0,0 +1,18 @@
+# Terraform module for deploying DLab Endpoint instance
+
+List of variables which should be provided:
+
+| Variable | Type | Description/Value |
+|--------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| service\_base\_name | string | Any infrastructure value (should be unique if multiple SSN’s have been deployed before). Should be same as on ssn |
+| vpc\_id | string | ID of AWS VPC if you already have VPC created. |
+| vpc\_cidr | string | CIDR for VPC creation. Conflicts with _vpc\_id_. Default: 172.31.0.0/16 |
+| subnet\_id | string | ID of AWS Subnet if you already have subnet created. |
+| subnet\_cidr | string | CIDR for Subnet creation. Conflicts with _subnet\_id_. Default: 172.31.0.0/24 |
+| ami | string | **Required** ID of EC2 AMI. Default ubuntu 18.04.1 (debian os): "ami-08692d171e3cf02d6" (aws ami: 258751437250/ami-ubuntu-18.04-1.13.0-00-1543963388|
+| key\_name | string | **Required** Name of EC2 Key pair. (Existed on AWS account) |
+| region | string | Name of AWS region. Default: us-west-2 |
+| zone | string | Name of AWS zone. Default: a |
+| endpoint\_volume\_size | int | Size of root volume in GB. Default: 30 |
+| network\_type | string | Type of created network (if network is not existed and require creation) for endpoint. Default: public |
+| endpoint\_instance\_shape| string | Instance shape of Endpoint. Default: t2.medium |
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/files/assume-policy.json b/infrastructure-provisioning/terraform/aws/modules/endpoint/files/assume-policy.json
new file mode 100644
index 0000000000..680b6f8284
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/files/assume-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/files/endpoint-policy.json b/infrastructure-provisioning/terraform/aws/modules/endpoint/files/endpoint-policy.json
new file mode 100644
index 0000000000..74e3412c84
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/files/endpoint-policy.json
@@ -0,0 +1,95 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:CreatePolicy",
+ "iam:AttachRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:DeletePolicy",
+ "iam:DeleteRolePolicy",
+ "iam:GetRolePolicy",
+ "iam:GetPolicy",
+ "iam:GetUser",
+ "iam:ListUsers",
+ "iam:ListAccessKeys",
+ "iam:ListUserPolicies",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListPolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:CreateRole",
+ "iam:CreateInstanceProfile",
+ "iam:PutRolePolicy",
+ "iam:AddRoleToInstanceProfile",
+ "iam:PassRole",
+ "iam:GetInstanceProfile",
+ "iam:ListInstanceProfilesForRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:DeleteInstanceProfile",
+ "iam:ListInstanceProfiles",
+ "iam:DeleteRole",
+ "iam:GetRole"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeInstanceStatus",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:DescribeImages",
+ "ec2:CreateTags",
+ "ec2:DescribeRouteTables",
+ "ec2:CreateRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:CreateVpcEndpoint",
+ "ec2:ModifyVpcEndpoint",
+ "ec2:DescribeInstances",
+ "ec2:RunInstances",
+ "ec2:DescribeAddresses",
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:DisassociateAddress",
+ "ec2:ReleaseAddress",
+ "ec2:TerminateInstances",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateSecurityGroup",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress"
+
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "s3:GetBucketLocation",
+ "s3:PutBucketPolicy",
+ "s3:GetBucketPolicy",
+ "s3:DeleteBucket",
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutEncryptionConfiguration",
+ "s3:ListAllMyBuckets",
+ "s3:CreateBucket",
+ "s3:PutBucketTagging",
+ "s3:GetBucketTagging"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/iam.tf b/infrastructure-provisioning/terraform/aws/modules/endpoint/iam.tf
new file mode 100644
index 0000000000..3500486580
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/iam.tf
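Review bot: The first statement grants `iam:CreateRole`, `iam:PutRolePolicy`, `iam:AttachRolePolicy` and `iam:PassRole` on `"Resource": "*"`, so any process on the endpoint instance could mint a role with arbitrary permissions and pass it to EC2 — a privilege-escalation path well beyond what this module itself provisions. Scope that statement's `Resource` to the deployment's own naming prefix (iam.tf names everything `${var.service_base_name}-endpoint-*`), e.g. `arn:aws:iam::<ACCOUNT_ID>:role/<SERVICE_BASE_NAME>-*` plus the matching `policy/` and `instance-profile/` ARNs (placeholders to be rendered in), and give `iam:PassRole` a `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}`. The ec2 and s3 statements are `"Resource": "*"` as well; the s3 one can at least be limited to the project's bucket ARNs. Minor: `ec2:AuthorizeSecurityGroupIngress` and `ec2:AuthorizeSecurityGroupEgress` are listed twice in the second statement.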
@@ -0,0 +1,55 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+ role_name = "${var.service_base_name}-endpoint-role"
+ role_profile = "${var.service_base_name}-endpoint-profile"
+ policy_name = "${var.service_base_name}-endpoint-policy"
+}
+
+data "template_file" "endpoint_policy" {
+ template = file("../modules/endpoint/files/endpoint-policy.json")
+}
+
+resource "aws_iam_role" "endpoint_role" {
+ name = local.role_name
+ assume_role_policy = file("../modules/endpoint/files/assume-policy.json")
+ tags = {
+ product = "${var.product}"
+ Name = "${local.role_name}"
+ "${var.service_base_name}-Tag" = "${local.role_name}"
+ }
+}
+
+resource "aws_iam_instance_profile" "endpoint_profile" {
+ name = local.role_profile
+ role = aws_iam_role.endpoint_role.name
+}
+
+resource "aws_iam_policy" "endpoint_policy" {
+ name = local.policy_name
+ policy = data.template_file.endpoint_policy.rendered
+}
+
+resource "aws_iam_role_policy_attachment" "endpoint_policy_attach" {
+ role = aws_iam_role.endpoint_role.name
+ policy_arn = aws_iam_policy.endpoint_policy.arn
+}
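Review bot: `file("../modules/endpoint/files/endpoint-policy.json")` in `data "template_file" "endpoint_policy"` and the `assume_role_policy` path below it resolve relative to the directory Terraform is run from, not relative to the module, so the module only works when invoked from `main/`. Use the module-relative form `file("${path.module}/files/endpoint-policy.json")` and `file("${path.module}/files/assume-policy.json")`. With no `vars` block the `template_file` data source adds nothing over `file()`; `policy = file("${path.module}/files/endpoint-policy.json")` on `aws_iam_policy.endpoint_policy` removes the extra data source and the template provider dependency. The tag values written as `"${var.product}"` can be `var.product` to match the 0.12 syntax used in the rest of the file.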
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/instance.tf b/infrastructure-provisioning/terraform/aws/modules/endpoint/instance.tf
new file mode 100644
index 0000000000..2c383f4381
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/instance.tf
@@ -0,0 +1,63 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+ ec2_name = "${var.service_base_name}-endpoint"
+ eip_name = "${var.service_base_name}-endpoint-EIP"
+}
+
+
+resource "aws_instance" "endpoint" {
+ ami = var.ami
+ instance_type = var.endpoint_instance_shape
+ key_name = var.key_name
+ subnet_id = data.aws_subnet.data_subnet.id
+ security_groups = ["${aws_security_group.endpoint_sec_group.id}"]
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = var.endpoint_volume_size
+ delete_on_termination = true
+ }
+ tags = {
+ Name = "${local.ec2_name}"
+ "${var.service_base_name}-Tag" = "${local.ec2_name}"
+ product = "${var.product}"
+ "user:tag" = "${var.service_base_name}:${local.ec2_name}"
+ }
+}
+
+resource "aws_eip" "e_ip" {
+ instance = aws_instance.endpoint.id
+ vpc = true
+ tags = {
+ Name = "${local.eip_name}"
+ "${var.service_base_name}-Tag" = "${local.eip_name}"
+ product = "${var.product}"
+ "user:tag" = "${var.service_base_name}:${local.eip_name}"
+ }
+ count = var.network_type == "public" ? 1 : 0
+}
+
+resource "aws_eip_association" "e_ip_assoc" {
+ instance_id = aws_instance.endpoint.id
+ allocation_id = aws_eip.e_ip.0.id
+ count = var.network_type == "public" ? 1 : 0
+}
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/network.tf b/infrastructure-provisioning/terraform/aws/modules/endpoint/network.tf
new file mode 100644
index 0000000000..ca345b3579
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/network.tf
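Review bot: `security_groups = ["${aws_security_group.endpoint_sec_group.id}"]` on `aws_instance.endpoint` is the name-based argument for EC2-Classic/default-VPC instances; an instance placed with `subnet_id` should use `vpc_security_group_ids = [aws_security_group.endpoint_sec_group.id]`, and the provider documentation warns that using `security_groups` in a VPC forces replacement on later applies. The `root_block_device` block sets no `encrypted = true`, so the endpoint's root volume is created unencrypted unless the account has default EBS encryption turned on. The elastic IP is also attached twice: `aws_eip.e_ip` sets `instance = aws_instance.endpoint.id` and `aws_eip_association.e_ip_assoc` then associates the same allocation again — keep the association resource and drop the `instance` argument from the EIP.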
@@ -0,0 +1,111 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+ subnet_name = "${var.service_base_name}-subnet"
+ sg_name = "${var.service_base_name}-sg"
+}
+
+
+resource "aws_vpc" "vpc_create" {
+ cidr_block = var.vpc_cidr
+ count = var.vpc_id == "" ? 1 : 0
+ instance_tenancy = "default"
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ tags = {
+ Name = "${var.service_base_name}-endpoint-vpc"
+ }
+}
+
+data "aws_vpc" "data_vpc" {
+ id = var.vpc_id == "" ? aws_vpc.vpc_create.0.id : var.vpc_id
+}
+
+resource "aws_internet_gateway" "gw" {
+ vpc_id = aws_vpc.vpc_create.0.id
+ count = var.vpc_id == "" ? 1 : 0
+ tags = {
+ Name = "${var.service_base_name}-endpoint-vpc"
+ }
+}
+
+resource "aws_subnet" "endpoint_subnet" {
+ vpc_id = aws_vpc.vpc_create.0.id
+ cidr_block = var.subnet_cidr
+ availability_zone = "${var.region}${var.zone}"
+ tags = {
+ Name = "${local.subnet_name}"
+ "${var.service_base_name}-Tag" = "${local.subnet_name}"
+ product = "${var.product}"
+ "user:tag" = "${var.service_base_name}:${local.subnet_name}"
+ }
+ count = var.vpc_id == "" ? 1 : 0
+}
+
+data "aws_subnet" "data_subnet" {
+ id = var.subnet_id == "" ? aws_subnet.endpoint_subnet.0.id : var.subnet_id
+}
+
+resource "aws_route" "route" {
+ count = var.vpc_id == "" ? 1 : 0
+ route_table_id = aws_vpc.vpc_create.0.main_route_table_id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.gw.0.id
+}
+
+resource "aws_security_group" "endpoint_sec_group" {
+ name = "endpoint_sec_group"
+ vpc_id = data.aws_vpc.data_vpc.id
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 8084
+ to_port = 8084
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 8085
+ to_port = 8085
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${local.sg_name}"
+ product = "${var.product}"
+ "user:tag" = "${var.service_base_name}:${local.sg_name}"
+ }
+}
diff --git a/infrastructure-provisioning/terraform/aws/modules/endpoint/variables.tf b/infrastructure-provisioning/terraform/aws/modules/endpoint/variables.tf
new file mode 100644
index 0000000000..d9a755726c
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/variables.tf
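Review bot: `aws_security_group.endpoint_sec_group` opens SSH (22) and the endpoint ports 8084/8085 to `0.0.0.0/0`, so once `network_type = "public"` attaches the EIP the instance is reachable from every address on the internet; the allowed sources should come from a module variable (for example `allowed_cidrs`, a list of strings with no world-open default) rather than being hard-coded, with SSH limited to the operator's range. The group's `name = "endpoint_sec_group"` is a fixed string even though `local.sg_name` exists for this and is already used in the tags, so a second deployment in the same VPC collides on the name; use `name = local.sg_name`. The VPC/subnet conditionals also diverge: `aws_subnet.endpoint_subnet` is created only when `vpc_id` is empty, but `data.aws_subnet.data_subnet` indexes `aws_subnet.endpoint_subnet.0.id` whenever `subnet_id` is empty, so passing an existing `vpc_id` without a `subnet_id` fails at plan time — the subnet's `count` should key on `var.subnet_id == ""` with `vpc_id = data.aws_vpc.data_vpc.id`.
```hcl
resource "aws_security_group" "endpoint_sec_group" {
  name   = local.sg_name
  vpc_id = data.aws_vpc.data_vpc.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs
  }
  # … unchanged: 8084/8085 ingress blocks with the same cidr_blocks change, egress, tags …
```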
@@ -0,0 +1,46 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+variable "service_base_name" {}
+
+variable "region" {}
+
+variable "zone" {}
+
+variable "product" {}
+
+variable "subnet_cidr" {}
+
+variable "endpoint_instance_shape" {}
+
+variable "key_name" {}
+
+variable "ami" {}
+
+variable "vpc_id" {}
+
+variable "subnet_id" {}
+
+variable "network_type" {}
+
+variable "vpc_cidr" {}
+
+variable "endpoint_volume_size" {}
\ No newline at end of file
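Review bot: Every input is declared as a bare `variable "x" {}` with no `type` or `description`, so the contract the module README documents (for example `endpoint_volume_size` as an int, `network_type` as a string) is enforced nowhere and a mistyped value only surfaces when the resource is applied. Add `type` and a one-line `description` to each, e.g. `variable "endpoint_volume_size" { type = number  description = "Size of the endpoint root volume in GB" }`, and give `vpc_id` and `subnet_id` an explicit `default = ""` since network.tf treats the empty string as "create one". The root `main/variables.tf` hunk declares `endpoint_volume_size` as the string `"30"`; with `type = number` here Terraform 0.12 converts it, but `default = 30` there keeps the two files consistent.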