diff --git a/README.md b/README.md index ca0f17a..2af644d 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ This module creates one or more autorecovery instances. ```HCL module "ar" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.0.24" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.0.25" ec2_os = "amazon" subnets = ["${module.vpc.private_subnets}"] 
@@ -62,7 +62,10 @@ Using [aws-terraform-cloudwatch\_alarm](https://github.com/rackspace-infrastruct | eip\_allocation\_id\_list | A list of Allocation IDs of the EIPs you want to associate with the instance(s). This is one per instance. e.g. if you specify 2 for instance\_count then you must supply two allocation ids here. | `list` | `[]` | no | | enable\_ebs\_optimization | Use EBS Optimized? true or false | `string` | `false` | no | | enable\_recovery\_alarms | Boolean parameter controlling if auto-recovery alarms should be created. Recovery actions are not supported on all instance types and AMIs, especially those with ephemeral storage. This parameter should be set to false for those cases. | `string` | `true` | no | -| encrypt\_secondary\_ebs\_volume | Encrypt EBS Volume? true or false | `string` | `false` | no | +| encrypt\_primary\_ebs\_volume | Encrypt root EBS Volume? true or false | `string` | `false` | no | +| encrypt\_primary\_ebs\_volume\_kms\_id | If `encrypt_primary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN. | `string` | `""` | no | +| encrypt\_secondary\_ebs\_volume | Encrypt secondary EBS Volume? true or false | `string` | `false` | no | +| encrypt\_secondary\_ebs\_volume\_kms\_id | If `encrypt_secondary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN. | `string` | `""` | no | | environment | Application environment for which this network is being created. Preferred value are Development, Integration, PreProduction, Production, QA, Staging, or Test | `string` | `"Development"` | no | | final\_userdata\_commands | Commands to be given at the end of userdata for an instance. This should generally not include bootstrapping or ssm install. | `string` | `""` | no | | image\_id | The AMI ID to be used to build the EC2 Instance. If not provided, an AMI ID will be queried with an OS specified in variable ec2\_os. | `string` | `""` | no | 
diff --git a/examples/custom_cw_agent_config.tf b/examples/custom_cw_agent_config.tf index e3128eb..c04f6e8 100644 --- a/examples/custom_cw_agent_config.tf +++ b/examples/custom_cw_agent_config.tf @@ -19,7 +19,7 @@ module "vpc" { data "aws_region" "current_region" {} module "ec2_ar_with_codedeploy" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.0.24" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.0.25" ec2_os = "rhel6" instance_count = "1" diff --git a/examples/main.tf b/examples/main.tf index ccbc857..c15d7a2 100644 --- a/examples/main.tf +++ b/examples/main.tf @@ -29,7 +29,7 @@ data "aws_ami" "amazon_centos_7" { } module "ec2_ar" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.0.24" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.0.25" ec2_os = "centos7" instance_count = "3" diff --git a/examples/unmanaged.tf b/examples/unmanaged.tf index 48fe8df..ea1ed36 100644 --- a/examples/unmanaged.tf +++ b/examples/unmanaged.tf @@ -35,7 +35,7 @@ module "sns" { } module "unmanaged_ar" { - source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.0.24" + source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery?ref=v0.0.25" ec2_os = "centos7" instance_count = "1" diff --git a/main.tf b/main.tf index 5292872..b6c6274 100644 --- a/main.tf +++ b/main.tf @@ -7,7 +7,7 @@ * * ```HCL * module "ar" { - * source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.0.24" + * source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-ec2_autorecovery//?ref=v0.0.25" * * ec2_os = "amazon" * subnets = ["${module.vpc.private_subnets}"] 
@@ -246,12 +246,16 @@ data "aws_ami" "ar_ami" { filter = "${concat(local.standard_filters, local.image_filter[local.ec2_os])}" } +locals { + user_data_file_path = "${path.module}/text/${lookup(local.user_data_map, local.ec2_os)}" +} + data "template_file" "user_data" { - template = "${file("${path.module}/text/${lookup(local.user_data_map, local.ec2_os)}")}" + template = "${file(local.user_data_file_path)}" vars { - initial_commands = "${var.initial_userdata_commands != "" ? "${var.initial_userdata_commands}" : "" }" - final_commands = "${var.final_userdata_commands != "" ? "${var.final_userdata_commands}" : "" }" + initial_commands = "${var.initial_userdata_commands != "" ? var.initial_userdata_commands : "" }" + final_commands = "${var.final_userdata_commands != "" ? var.final_userdata_commands : "" }" } } @@ -413,8 +417,12 @@ resource "aws_iam_instance_profile" "instance_role_instance_profile" { # SSM Association # +locals { + ssm_managed_commands_file_path = "${path.module}/text/managed_ssm_steps.json" +} + data "template_file" "ssm_managed_commands" { - template = "\n${file("${path.module}/text/managed_ssm_steps.json")}" + template = "\n${file(local.ssm_managed_commands_file_path)}" vars { region = "${data.aws_region.current_region.name}" @@ -431,8 +439,12 @@ data "template_file" "additional_ssm_docs" { } } +locals { + ssm_bootstrap_template_file_path = "${path.module}/text/ssm_bootstrap_template.json" +} + data "template_file" "ssm_bootstrap_template" { - template = "${file("${path.module}/text/ssm_bootstrap_template.json")}" + template = "${file(local.ssm_bootstrap_template_file_path)}" vars { region = "${data.aws_region.current_region.name}" 
@@ -452,13 +464,17 @@ resource "aws_ssm_document" "ssm_bootstrap_doc" { content = "${data.template_file.ssm_bootstrap_template.rendered}" } +locals { + cwagent_config_file_path = "${path.module}/text/${local.cwagent_config}" +} + resource "aws_ssm_parameter" "cwagentparam" { count = "${var.provide_custom_cw_agent_config ? 0 : 1}" name = "${local.cw_config_parameter_name}" description = "${var.resource_name} Cloudwatch Agent configuration" type = "String" - value = "${replace(replace(file("${path.module}/text/${local.cwagent_config}"),"((SYSTEM_LOG_GROUP_NAME))",aws_cloudwatch_log_group.system_logs.name),"((APPLICATION_LOG_GROUP_NAME))",aws_cloudwatch_log_group.application_logs.name)}" + value = "${replace(replace(file(local.cwagent_config_file_path),"((SYSTEM_LOG_GROUP_NAME))",aws_cloudwatch_log_group.system_logs.name),"((APPLICATION_LOG_GROUP_NAME))",aws_cloudwatch_log_group.application_logs.name)}" } resource "aws_ssm_association" "ssm_bootstrap_assoc" { @@ -598,6 +614,10 @@ module "cpu_alarm_high" { # Provisioning of Instance(s) # +locals { + instance_name = "${var.instance_count > 1 ? "%s-%03d" : "%s"}" +} + resource "aws_instance" "mod_ec2_instance_no_secondary_ebs" { count = "${var.secondary_ebs_volume_size != "" ? 0 : var.instance_count}" @@ -624,6 +644,8 @@ resource "aws_instance" "mod_ec2_instance_no_secondary_ebs" { volume_type = "${var.primary_ebs_volume_type}" volume_size = "${var.primary_ebs_volume_size}" iops = "${var.primary_ebs_volume_iops}" + encrypted = "${var.encrypt_primary_ebs_volume}" + kms_key_id = "${var.encrypt_primary_ebs_volume && var.encrypt_primary_ebs_volume_kms_id != "" ? var.encrypt_primary_ebs_volume_kms_id : ""}" } volume_tags = "${var.ebs_volume_tags}" 
@@ -633,9 +655,9 @@ resource "aws_instance" "mod_ec2_instance_no_secondary_ebs" { } tags = "${merge( - map("Name", "${var.resource_name}${var.instance_count > 1 ? format("-%03d",count.index+1) : ""}"), + map("Name", var.instance_count > 1 ? format(local.instance_name, var.resource_name, count.index) : format(local.instance_name, var.resource_name)), local.tags, - var.additional_tags + var.additional_tags, )}" } @@ -665,6 +687,8 @@ resource "aws_instance" "mod_ec2_instance_with_secondary_ebs" { volume_type = "${var.primary_ebs_volume_type}" volume_size = "${var.primary_ebs_volume_size}" iops = "${var.primary_ebs_volume_iops}" + encrypted = "${var.encrypt_primary_ebs_volume}" + kms_key_id = "${var.encrypt_primary_ebs_volume && var.encrypt_primary_ebs_volume_kms_id != "" ? var.encrypt_primary_ebs_volume_kms_id : ""}" } volume_tags = "${var.ebs_volume_tags}" @@ -675,6 +699,7 @@ resource "aws_instance" "mod_ec2_instance_with_secondary_ebs" { volume_size = "${var.secondary_ebs_volume_size}" iops = "${var.secondary_ebs_volume_iops}" encrypted = "${var.secondary_ebs_volume_existing_id == "" ? var.encrypt_secondary_ebs_volume: false}" + kms_key_id = "${var.encrypt_secondary_ebs_volume && var.encrypt_secondary_ebs_volume_kms_id != "" ? var.encrypt_secondary_ebs_volume_kms_id : ""}" snapshot_id = "${var.secondary_ebs_volume_existing_id}" } @@ -683,9 +708,9 @@ resource "aws_instance" "mod_ec2_instance_with_secondary_ebs" { } tags = "${merge( - map("Name", "${var.resource_name}${var.instance_count > 1 ? format("-%03d",count.index+1) : ""}"), + map("Name", var.instance_count > 1 ? format(local.instance_name, var.resource_name, count.index) : format(local.instance_name, var.resource_name)), local.tags, - var.additional_tags + var.additional_tags, )}" } diff --git a/tests/test1/main.tf b/tests/test1/main.tf index 1962c4a..6c54960 100644 --- a/tests/test1/main.tf +++ b/tests/test1/main.tf 
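Review bot: The new Name tag in `mod_ec2_instance_no_secondary_ebs` passes `count.index` to `format(local.instance_name, ...)`, whereas the removed expression used `count.index+1`, so every multi-instance deployment is renamed from `<name>-001, -002…` to `<name>-000, -001…` on the next apply. Unless the renumbering is intended, keep the previous numbering with `format(local.instance_name, var.resource_name, count.index + 1)`; the sibling resource `mod_ec2_instance_with_secondary_ebs` in this diff has the same change. If the renumbering is intended, it needs a changelog entry, because anything that selects instances by Name tag (inventory, alarms, SSM targeting) is affected. The resource block begins before this hunk.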
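Review bot: In the secondary `ebs_block_device` of `mod_ec2_instance_with_secondary_ebs`, the added `kms_key_id` is gated only on `encrypt_secondary_ebs_volume` and a non-empty key id, while the `encrypted` line directly above is forced to `false` whenever `secondary_ebs_volume_existing_id` is set; a caller who restores from a snapshot with encryption enabled and a CMK therefore ends up with `encrypted = false` together with a `kms_key_id`, a combination EC2 rejects. Gate the key on the same condition: `kms_key_id = "${var.secondary_ebs_volume_existing_id == "" && var.encrypt_secondary_ebs_volume && var.encrypt_secondary_ebs_volume_kms_id != "" ? var.encrypt_secondary_ebs_volume_kms_id : ""}"`. Forcing `encrypted = false` also means a restored snapshot can never be re-encrypted under a different CMK, and how the provider reconciles `encrypted = false` against an already-encrypted snapshot (exactly what the new tests/test1 `ec2_nfs` module passes) is worth confirming before relying on it. The resource block starts outside this hunk.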
@@ -1,8 +1,17 @@ provider "aws" { - version = "~> 1.2" + version = "~> 2.2, != 2.65" region = "us-west-2" } +locals { + tags = { + Environment = "Test" + Purpose = "Testing aws-terraform-ec2_autorecovery" + ServiceProvider = "Rackspace" + Terraform = "true" + } +} + resource "random_string" "res_name" { length = 8 upper = false @@ -22,9 +31,10 @@ data "aws_region" "current_region" {} resource "aws_eip" "test_eip_1" { vpc = true - tags = { - Name = "Circle-CI-Test1-1-${random_string.res_name.result}" - } + tags = "${merge( + local.tags, + map("Name", format("Circle-CI-Test1-1-%s", random_string.res_name.result)), + )}" } module "ec2_ar_centos7_with_codedeploy" { @@ -99,19 +109,16 @@ EOF }, ] - additional_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + additional_tags = "${local.tags}" } resource "aws_eip" "test_eip_2" { vpc = true - tags = { - Name = "Circle-CI-Test1-2-${random_string.res_name.result}" - } + tags = "${merge( + local.tags, + map("Name", format("Circle-CI-Test1-2-%s", random_string.res_name.result)), + )}" } module "ec2_ar_centos7_no_codedeploy" { @@ -138,11 +145,7 @@ module "ec2_ar_centos7_no_codedeploy" { secondary_ebs_volume_type = "gp2" encrypt_secondary_ebs_volume = "False" - ebs_volume_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + ebs_volume_tags = "${local.tags}" environment = "Development" instance_role_managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetRole", "arn:aws:iam::aws:policy/CloudWatchActionsEC2Access"] @@ -196,11 +199,7 @@ EOF }, ] - additional_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + additional_tags = "${local.tags}" } module "ec2_ar_centos7_no_scaleft" { 
@@ -228,11 +227,7 @@ module "ec2_ar_centos7_no_scaleft" { secondary_ebs_volume_type = "gp2" encrypt_secondary_ebs_volume = "False" - ebs_volume_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + ebs_volume_tags = "${local.tags}" environment = "Development" instance_role_managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetRole", "arn:aws:iam::aws:policy/CloudWatchActionsEC2Access"] @@ -286,11 +281,7 @@ EOF }, ] - additional_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + additional_tags = "${local.tags}" } module "ec2_ar_windows_with_codedeploy" { @@ -363,11 +354,7 @@ EOF }, ] - additional_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + additional_tags = "${local.tags}" } module "ec2_ar_windows_no_codedeploy" { @@ -450,11 +437,7 @@ EOF }, ] - additional_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + additional_tags = "${local.tags}" } module "ec2_ar_windows_no_scaleft" { @@ -538,11 +521,7 @@ EOF }, ] - additional_tags = { - MyTag1 = "MyValue1" - MyTag2 = "MyValue2" - MyTag3 = "MyValue3" - } + additional_tags = "${local.tags}" } module "sns" { 
@@ -577,20 +556,45 @@ module "zero_count_ar" { rackspace_managed = false } +resource "aws_ebs_volume" "nfs" { + availability_zone = "us-west-2a" + size = 60 + encrypted = true + + tags = "${merge( + local.tags, + map("Name", format("%s-ar-nfs", random_string.res_name.result)), + )}" +} + +resource "aws_ebs_snapshot" "encrypted_nfs" { + volume_id = "${aws_ebs_volume.nfs.id}" + + tags = "${merge( + local.tags, + map("Name", format("%s-ar-nfs", random_string.res_name.result)), + )}" +} + module "ec2_nfs" { - source = "../../module" - ec2_os = "amazon2" - instance_count = "1" - subnets = "${module.vpc.private_subnets}" - security_group_list = ["${module.vpc.default_sg}"] - key_pair = "CircleCI" - instance_type = "t2.micro" - resource_name = "ar-nfs-${random_string.res_name.result}" - install_nfs = true - primary_ebs_volume_size = "60" - primary_ebs_volume_iops = "0" - primary_ebs_volume_type = "gp2" - secondary_ebs_volume_size = "60" - secondary_ebs_volume_iops = "0" - secondary_ebs_volume_type = "gp2" + source = "../../module" + + ec2_os = "amazon2" + instance_count = 1 + subnets = "${module.vpc.private_subnets}" + security_group_list = ["${module.vpc.default_sg}"] + key_pair = "CircleCI" + instance_type = "t2.micro" + resource_name = "ar-nfs-${random_string.res_name.result}" + install_nfs = true + primary_ebs_volume_size = 60 + primary_ebs_volume_iops = 0 + primary_ebs_volume_type = "gp2" + encrypt_primary_ebs_volume = true + secondary_ebs_volume_size = 60 + secondary_ebs_volume_iops = 0 + secondary_ebs_volume_type = "gp2" + secondary_ebs_volume_existing_id = "${aws_ebs_snapshot.encrypted_nfs.id}" + + additional_tags = "${local.tags}" } diff --git a/variables.tf b/variables.tf index 7060e48..ad79610 100644 --- a/variables.tf +++ b/variables.tf 
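Review bot: The new `ec2_nfs` test enables `encrypt_primary_ebs_volume` but never sets `encrypt_primary_ebs_volume_kms_id` or `encrypt_secondary_ebs_volume_kms_id`, so the customer-managed-key branch of the new `kms_key_id` expressions in main.tf is not exercised at all. Adding an `aws_kms_key` resource to this test and passing its ARN, e.g. `encrypt_primary_ebs_volume_kms_id = "${aws_kms_key.test.arn}"`, would cover that path and catch a malformed key id expression before release. It is also worth noting that `encrypt_secondary_ebs_volume` is left at its default here while an encrypted `aws_ebs_snapshot.encrypted_nfs` is supplied, so this test doubles as the check that main.tf's forced `encrypted = false` on a snapshot-backed volume applies cleanly; a comment saying so would keep that intent from being lost.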
@@ -139,12 +139,30 @@ variable "enable_ebs_optimization" { default = false } +variable "encrypt_primary_ebs_volume" { + description = "Encrypt root EBS Volume? true or false" + type = "string" + default = false +} + +variable "encrypt_primary_ebs_volume_kms_id" { + description = "If `encrypt_primary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN." + type = "string" + default = "" +} + variable "encrypt_secondary_ebs_volume" { - description = "Encrypt EBS Volume? true or false" + description = "Encrypt secondary EBS Volume? true or false" type = "string" default = false } +variable "encrypt_secondary_ebs_volume_kms_id" { + description = "If `encrypt_secondary_ebs_volume` is `true` you can optionally provide a KMS CMK ARN." + type = "string" + default = "" +} + variable "primary_ebs_volume_iops" { description = "Iops value required for use with io1 EBS volumes. This value should be 3 times the EBS volume size" type = "string"
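Review bot: Both `encrypt_primary_ebs_volume` and `encrypt_secondary_ebs_volume` default to `false`, so consumers who do not opt in keep unencrypted root and data volumes; if flipping the default to `true` is off the table because it would force instance replacement for existing users, the descriptions should at least point readers at enabling it. The `*_kms_id` descriptions should also state what an empty value means — the volume is encrypted with the account's default EBS KMS key rather than a customer-managed one, which matters for cross-account snapshot/AMI sharing and key-policy-based access control — and that a key id supplied while the matching encrypt flag is `false` is silently ignored by main.tf. For example: `description = "Optional KMS CMK ARN for the root EBS volume. Used only when encrypt_primary_ebs_volume is true; when empty, the account default EBS key is used."`.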