
Create a management domain in app-prod-pdx

VPC endpoints should exist only once per VPC. The SSM endpoint needs to be
exposed to the Packer builder and to the app backends. Create a new network segment
called management where shared infrastructure can live.

S3 and SSM VPC endpoints are provisioned in management private subnets.
SSM endpoint is wrapped in its own security group. Prefix list and
security group are exposed from network module.
lopopolo committed Nov 12, 2018
1 parent d9bea25 commit 1a6b56247094faaaa57b40fbc5507994a65f53c5
@@ -15,6 +15,11 @@
"vpc_id": "{{user `build_vpc_id`}}",
"subnet_id": "{{user `build_subnet_id`}}",
"iam_instance_profile": "{{user `build_instance_profile`}}",
"security_group_filter": {
"filters": {
"tag:Class": "management"
}
},
"source_ami_filter": {
"filters": {
"virtualization-type": "hvm",
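Review bot: The new `security_group_filter` matches any security group in the account tagged `Class=management` with no VPC scoping, so a second VPC carrying the same tag makes the lookup ambiguous or selects a group the instance cannot use; add a `vpc-id` filter set to the same `build_vpc_id` user variable already used for `vpc_id` two lines above. Note also that, as introduced elsewhere in this commit, the management group admits SSH from 0.0.0.0/0 and ::/0 and the build subnets are the management public subnets, so a build instance is reachable on port 22 from the whole internet for the duration of the bake; pinning that group's SSH source to the build host's address range is the usual mitigation. The enclosing builder object starts and ends outside the hunk.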
@@ -54,7 +54,7 @@ def ami(ctx):
load_dotenv()
vpc = terraform_output(ctx, module="network", prop="vpc_id")
subnet = random.choice(
terraform_output(ctx, module="network.public_subnet", prop="subnet_ids").split(",")
terraform_output(ctx, module="network.management", prop="build_subnet_ids").split(",")
)
instance_profile = terraform_output(ctx, module="base", prop="app_instance_profile")
os.environ.setdefault("BUILD_VPC_ID", vpc)
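Review bot: `random.choice` on the split output silently yields `""` when the `build_subnet_ids` output is empty or unset, and the build then dies later with an opaque EC2 error; filter and guard it: `subnet_ids = [s for s in terraform_output(ctx, module="network.management", prop="build_subnet_ids").split(",") if s]`, `if not subnet_ids: raise ValueError("network.management exports no build subnets")`, then `subnet = random.choice(subnet_ids)`. Separately, the unchanged line below keeps the builder running under `app_instance_profile`, so the AMI bake inherits the application role's permissions; a dedicated, narrower build profile would be the least-privilege default. `ami` continues outside the hunk.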
@@ -59,6 +59,7 @@ module "backend" {

iam_instance_profile = "${module.base.app_instance_profile}"
s3_endpoint_prefix_list_id = "${module.network.s3_endpoint_prefix_list_id}"
ssm_security_group_id = "${module.network.ssm_security_group_id}"

mysql_port = "${module.mysql.port}"
mysql_security_group_id = "${module.mysql.security_group_id}"
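Review bot: Passing `ssm_security_group_id` into `backend` only helps if something adds an ingress rule on that group from the backend instances; in this commit the SSM endpoint group receives ingress solely from the management group (`ssm_endpoint_from_management`), so unless the backend module creates an `aws_security_group_rule` with `security_group_id = "${var.ssm_security_group_id}"` and the backend group as source, backends will not reach the endpoint despite the commit message. If the backend module does add that rule, restrict it to TCP 443, which is all an interface endpoint serves. The `backend` module block starts and ends outside the hunk.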

This file was deleted.

@@ -0,0 +1,155 @@
variable "name" {}

variable "vpc_id" {}
variable "azs" {}
variable "internet_gateway_id" {}
variable "egress_gateway_id" {}

variable "s3_route_tables" {
type = "list"
}

module "tier" {
source = "../subnet_tier"
}

module "public_subnet" {
source = "../public_subnet"

name = "${var.name}-public"
vpc_id = "${var.vpc_id}"
azs = "${var.azs}"

subnet_tier = "${module.tier.management_public}"
internet_gateway_id = "${var.internet_gateway_id}"
egress_gateway_id = "${var.egress_gateway_id}"
}

module "private_subnet" {
source = "../private_subnet"

name = "${var.name}-private"
vpc_id = "${var.vpc_id}"
azs = "${var.azs}"

subnet_tier = "${module.tier.management_private}"
nat_enabled = "false"
nat_gateway_ids = ""
egress_gateway_id = "${var.egress_gateway_id}"
}

resource "aws_security_group" "this" {
name_prefix = "management-sg-"
description = "Management Domain Security Group"
vpc_id = "${var.vpc_id}"

egress {
from_port = 80
to_port = 80
protocol = "tcp"
security_groups = ["${aws_security_group.ssm.id}"]
}

egress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = ["${aws_security_group.ssm.id}"]
}

egress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

egress {
from_port = 80
to_port = 80
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}

egress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

egress {
from_port = 443
to_port = 443
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}

ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

ingress {
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}

tags {
Class = "management"
}
}

data "aws_vpc_endpoint_service" "s3" {
service = "s3"
}

resource "aws_vpc_endpoint" "s3" {
vpc_id = "${var.vpc_id}"
service_name = "${data.aws_vpc_endpoint_service.s3.service_name}"
route_table_ids = ["${concat(var.s3_route_tables, module.public_subnet.route_table, module.private_subnet.route_table)}"]
}

data "aws_vpc_endpoint_service" "ssm" {
service = "ssm"
}

resource "aws_security_group" "ssm" {
name_prefix = "ssm-sg-"
description = "SSM VPC Endpoint Security Group"
vpc_id = "${var.vpc_id}"
}

resource "aws_security_group_rule" "ssm_endpoint_from_management" {
type = "ingress"
protocol = "-1"
from_port = 0
to_port = 0
security_group_id = "${aws_security_group.ssm.id}"
source_security_group_id = "${aws_security_group.this.id}"
}

resource "aws_vpc_endpoint" "ssm" {
vpc_id = "${var.vpc_id}"
service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}"
vpc_endpoint_type = "Interface"
subnet_ids = ["${module.private_subnet.subnet_ids}"]
security_group_ids = ["${aws_security_group.ssm.id}"]
private_dns_enabled = true
}

output "s3_endpoint_prefix_list_id" {
value = "${aws_vpc_endpoint.s3.prefix_list_id}"
}

output "ssm_security_group_id" {
value = "${aws_security_group.ssm.id}"
}

output "build_subnet_ids" {
value = "${join(",", module.public_subnet.subnet_ids)}"
}
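Review bot: The management security group admits SSH from `0.0.0.0/0` and `::/0` (the two `ingress` blocks on port 22), which exposes every instance placed in this group — including the Packer build hosts, since `build_subnet_ids` exports the public subnets — to the entire internet; source those CIDRs from list variables so they can be pinned to a bastion or office range, and consider dropping SSH entirely in favour of Session Manager, for which the SSM endpoint this module creates is the prerequisite. The `ssm_endpoint_from_management` rule opens all protocols and ports (`protocol = "-1"`) toward the endpoint group where TCP 443 suffices: `protocol = "tcp"`, `from_port = 443`, `to_port = 443`. If the private subnets are meant to reach Systems Manager without NAT (`nat_enabled = "false"`), the agent additionally needs `ec2messages` and, for Session Manager, `ssmmessages` interface endpoints next to `ssm`; confirm those exist elsewhere. The S3 gateway endpoint carries no `policy`, so it permits access to any bucket from these subnets — fine if intended, but worth an explicit decision.
```hcl
variable "ssh_ingress_cidrs" {
  type = "list"
}

variable "ssh_ingress_ipv6_cidrs" {
  type = "list"
}

# … unchanged: subnet modules, egress rules …

  # SSH only from operator-controlled ranges; leave both lists empty to disable SSH entirely.
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["${var.ssh_ingress_cidrs}"]
    ipv6_cidr_blocks = ["${var.ssh_ingress_ipv6_cidrs}"]
  }

# … unchanged: tags, endpoints, outputs …
```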
@@ -27,8 +27,9 @@ module "public_subnet" {
vpc_id = "${module.vpc.vpc_id}"
azs = "${var.azs}"

subnet_tier = "${module.tier.public}"
egress_gateway_id = "${module.vpc.egress_gateway_id}"
subnet_tier = "${module.tier.public}"
internet_gateway_id = "${module.vpc.internet_gateway_id}"
egress_gateway_id = "${module.vpc.egress_gateway_id}"
}

module "private_subnet" {
@@ -53,16 +54,19 @@ module "nat" {
public_subnet_tier = "${module.public_subnet.tier}"
}

module "endpoints" {
source = "./endpoints"
module "management" {
source = "./management"

name = "${var.name}-management"
vpc_id = "${module.vpc.vpc_id}"
private_subnet_tier = "${module.private_subnet.tier}"
azs = "${var.azs}"
internet_gateway_id = "${module.vpc.internet_gateway_id}"
egress_gateway_id = "${module.vpc.egress_gateway_id}"
s3_route_tables = "${concat(module.public_subnet.route_table, module.private_subnet.route_table)}"
}

resource "aws_network_acl" "acl" {
vpc_id = "${module.vpc.vpc_id}"
subnet_ids = ["${concat(split(",", module.public_subnet.subnet_ids), split(",", module.private_subnet.subnet_ids))}"]
vpc_id = "${module.vpc.vpc_id}"

ingress {
protocol = "-1"
@@ -134,5 +138,9 @@ output "nat_gateway_ids" {

# VPC Endpoints
output "s3_endpoint_prefix_list_id" {
value = "${module.endpoints.s3_endpoint_prefix_list_id}"
value = "${module.management.s3_endpoint_prefix_list_id}"
}

output "ssm_security_group_id" {
value = "${module.management.ssm_security_group_id}"
}
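Review bot: The `aws_network_acl.acl` association still lists only the public and private subnet ids, so the new subnets created by `module.management` fall back to the VPC default NACL (allow-all) instead of the rules this resource defines; expose the management subnet ids from the module and include them in the `subnet_ids` concat. Separately, if `module.private_subnet.subnet_ids` now returns a list (this commit changes that module's output from a joined string to `aws_subnet.private.*.id`), the `split(",", …)` on the unchanged `subnet_ids` line fails type-checking under Terraform 0.11 and should reference `module.private_subnet.subnet_ids` directly; the public_subnet module, joined with `join(",", …)` elsewhere in this commit, appears to have the same shape. The resource body continues outside the hunk.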
@@ -3,9 +3,7 @@
# subnet
#--------------------------------------------------------------

variable "name" {
default = "private"
}
variable "name" {}

variable "vpc_id" {}
variable "azs" {}
@@ -21,17 +19,17 @@ variable "egress_gateway_id" {}

variable "subnet_tier" {}

data "aws_vpc" "current" {
data "aws_vpc" "this" {
id = "${var.vpc_id}"
}

resource "aws_subnet" "private" {
vpc_id = "${data.aws_vpc.current.id}"
cidr_block = "${cidrsubnet(cidrsubnet(data.aws_vpc.current.cidr_block, 3, var.subnet_tier), 5, count.index)}"
vpc_id = "${data.aws_vpc.this.id}"
cidr_block = "${cidrsubnet(cidrsubnet(data.aws_vpc.this.cidr_block, 3, var.subnet_tier), 5, count.index)}"
availability_zone = "${element(split(",", var.azs), count.index)}"
count = "${length(split(",", var.azs))}"

ipv6_cidr_block = "${cidrsubnet(cidrsubnet(data.aws_vpc.current.ipv6_cidr_block, 3, var.subnet_tier), 5, count.index)}"
ipv6_cidr_block = "${cidrsubnet(cidrsubnet(data.aws_vpc.this.ipv6_cidr_block, 3, var.subnet_tier), 5, count.index)}"
assign_ipv6_address_on_creation = true

tags {
@@ -45,7 +43,7 @@ resource "aws_subnet" "private" {
}

resource "aws_route_table" "private" {
vpc_id = "${data.aws_vpc.current.id}"
vpc_id = "${data.aws_vpc.this.id}"
count = "${length(split(",", var.azs))}"

tags {
@@ -92,10 +90,14 @@ resource "aws_route_table_association" "private" {
}

output "subnet_ids" {
value = "${join(",", aws_subnet.private.*.id)}"
value = "${aws_subnet.private.*.id}"
}

output "tier" {
value = "subnet-tier-${var.subnet_tier}"
depends_on = ["aws_subnet.private"]
}

output "route_table" {
value = "${aws_route_table.private.*.id}"
}
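Review bot: Changing the `subnet_ids` output from a joined string to the raw `aws_subnet.private.*.id` list is an interface break for any caller that still does `split(",", module.private_subnet.subnet_ids)`, so every consumer must move in the same change, and the output should state its type: `# List of private subnet ids, one per AZ in var.azs (no longer a comma-joined string).` Also, the nested `cidrsubnet(…, 3, var.subnet_tier)` / `cidrsubnet(…, 5, count.index)` calls silently require `subnet_tier` in 0–7 and at most 32 AZs; a comment on `variable "subnet_tier"` such as `# Tier index 0-7: selects one of eight /N+3 slices of the VPC CIDR` would save the next person a cryptic plan error. The `aws_route_table_association.private` block begins outside the hunk.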
