
terraform: add configuration for the bastion server

pietroalbini committed Oct 16, 2019
1 parent f9ab73b commit c8414cdee20ba61822112ea9522e020a5bd28f41
@@ -0,0 +1,97 @@
data "aws_ami" "ubuntu_bionic" {
most_recent = true
owners = ["099720109477"] # Canonical

filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
}

filter {
name = "virtualization-type"
values = ["hvm"]
}
}

resource "aws_key_pair" "buildbot_west_slave_key" {
key_name = "buildbot-west-slave-key"
public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdGoRV9XPamZwqCMr4uk1oHWPnknzwOOSjuRBnu++WRkn7TtCM4ndDfqtKnvzlX5mzPhdvO1KKx1K8TiJ3wiq7WS4AFLGKQmPHWjg8qxGW7x4S8DHrb4ctmaujZ1+XCNSK3nsCl1lLW8DOrRlKbfeHIAllbMBZxIRmQ+XICVvhKAmSmxzTmYC8tBqvqQprG/uIuKonjLxL/ljtBxXBNECXl/JFCYG0AsB0aiuiMVeHLVzMiEppQ7YP/5Ml1Rpmn6h0dDzFtoD7xenroS98BIQF5kQWhakHbtWcNMz7DVFghWgi9wYr0gtoIshhqWYorC4yJq6HGXd0qdNHuLWNz39h buildbot-west-slave-key.pem"
}

resource "aws_vpc" "rust_prod" {
cidr_block = "172.30.0.0/16"

tags = {
Name = "rust-prod"
}
}

resource "aws_subnet" "rust_prod" {
vpc_id = aws_vpc.rust_prod.id
cidr_block = "172.30.0.0/24"
map_public_ip_on_launch = true

tags = {
Name = "rust-prod"
}
}

resource "aws_security_group" "rust_prod_common" {
vpc_id = aws_vpc.rust_prod.id
name = "rust-prod-common"
description = "Common rules for all our instances"

ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["${module.service_bastion.ip}/32"]
description = "SSH from the bastion"
}

ingress {
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["${module.service_bastion.ip}/32"]
description = "ICMP from the bastion"
}

ingress {
from_port = 9100
to_port = 9100
protocol = "tcp"
cidr_blocks = ["52.9.166.219/32"]
description = "node_exporter from monitoring"
}

tags = {
Name = "rust-prod-common"
}
}

resource "aws_security_group" "rust_prod_http" {
vpc_id = aws_vpc.rust_prod.id
name = "rust-prod-http"
description = "Inbound access for HTTP and HTTPS requests"

ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}

ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}

tags = {
Name = "rust-prod-http"
}
}
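Review bot: The "SSH from the bastion" and "ICMP from the bastion" rules on `rust_prod_common` key on the bastion's public EIP (`module.service_bastion.ip`), so they only match when the bastion reaches an instance through that instance's public address; a hop to a private 172.30.0.0/24 address arrives with the bastion's private source IP and is dropped. Referencing the bastion's security group instead, `security_groups = [module.service_bastion.security_group_id]` (which would need the bastion module to export its group ID), matches both paths and survives an EIP replacement. Separately, none of the three groups declares an `egress` block, and the AWS provider strips the default allow-all egress rule from groups it creates, so an instance attached only to these groups gets no outbound connectivity; if that is deliberate it deserves a comment, otherwise add an explicit egress rule. The monitoring source `52.9.166.219/32` is also a bare literal that would read better as a named variable or a reference to the monitoring host's address.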
@@ -5,3 +5,31 @@ module "service_crater" {
source = "./services/crater"
ecr_repo = module.ecr_crater
}

module "service_bastion" {
source = "./services/bastion"
ami_id = data.aws_ami.ubuntu_bionic.id
vpc_id = aws_vpc.rust_prod.id
subnet_id = aws_subnet.rust_prod.id
common_security_group_id = aws_security_group.rust_prod_common.id
key_pair = aws_key_pair.buildbot_west_slave_key.key_name

// Users allowed to connect to the bastion through SSH. Each user needs to
// have the CIDR of the static IP they want to connect from stored in AWS SSM
// Parameter Store (us-west-1), in a string key named:
//
// /prod/bastion/allowed-ips/${user}
//
allowed_users = [
"aidanhs",
"guillaumegomez",
"mozilla-mountain-view",
"mozilla-portland",
"mozilla-san-francisco",
"onur",
"pietro",
"quietmisdreavus",
"shep",
"simulacrum",
]
}
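Review bot: `key_pair = aws_key_pair.buildbot_west_slave_key.key_name` gives the bastion a key pair named for the buildbot west slaves; if that private key is also held on CI hosts (the name suggests so, though this page does not show its other users), compromising a build slave would yield the bastion's instance key, so a dedicated `aws_key_pair` for the bastion is the safer choice. The `allowed_users` comment should also state the failure modes of the SSM lookup: `// A missing parameter fails the plan; the value must be a full CIDR (e.g. 203.0.113.4/32), not a bare IP.`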
@@ -0,0 +1,76 @@
resource "aws_eip" "bastion" {
vpc = true

tags = {
Name = "bastion"
}
}

data "aws_ssm_parameter" "allowed_ips" {
for_each = toset(var.allowed_users)
name = "/prod/bastion/allowed-ips/${each.value}"
}

resource "aws_security_group" "rust_prod_bastion" {
vpc_id = var.vpc_id
name = "rust-prod-bastion"
description = "SSH access to the bastion from whitelisted networks"

dynamic "ingress" {
for_each = toset(var.allowed_users)
content {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [data.aws_ssm_parameter.allowed_ips[ingress.value].value]
description = ingress.value
}
}

tags = {
Name = "rust-prod-bastion"
}
}

resource "aws_network_interface" "bastion" {
subnet_id = var.subnet_id
security_groups = [
var.common_security_group_id,
aws_security_group.rust_prod_bastion.id,
]

}

resource "aws_instance" "bastion" {
ami = var.ami_id
instance_type = "t3a.nano"
key_name = var.key_pair
ebs_optimized = true
disable_api_termination = true
monitoring = false

root_block_device {
volume_type = "gp2"
volume_size = 8
delete_on_termination = true
}

network_interface {
network_interface_id = aws_network_interface.bastion.id
device_index = 0
}

tags = {
Name = "bastion"
}

lifecycle {
# Don't recreate the instance automatically when the AMI changes.
ignore_changes = ["ami"]
}
}

resource "aws_eip_association" "bastion" {
network_interface_id = aws_network_interface.bastion.id
allocation_id = aws_eip.bastion.id
}
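Review bot: The `rust_prod_bastion` ingress rules use `data.aws_ssm_parameter.allowed_ips[...].value` verbatim, so whoever can write `/prod/bastion/allowed-ips/*` in us-west-1 effectively controls the bastion firewall — a parameter set to `0.0.0.0/0` opens SSH to the internet on the next apply, and a bare IP without a prefix length fails the apply. IAM write access to that parameter path should be restricted as tightly as the Terraform state itself, and the contract belongs on the data source: `# Value must be a single CIDR (e.g. 203.0.113.4/32); write access to this path grants control over bastion SSH ingress.` `root_block_device` also leaves the 8 GB root volume unencrypted; `encrypted = true` costs nothing on a fresh instance. Lastly, the quoted form `ignore_changes = ["ami"]` is deprecated in Terraform 0.12 (which the `for_each` on the data source already requires, as far as I can tell) in favor of `ignore_changes = [ami]`.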
@@ -0,0 +1,3 @@
output "ip" {
value = aws_eip.bastion.public_ip
}
@@ -0,0 +1,23 @@
variable "ami_id" {
type = string
}

variable "common_security_group_id" {
type = string
}

variable "vpc_id" {
type = string
}

variable "subnet_id" {
type = string
}

variable "key_pair" {
type = string
}

variable "allowed_users" {
type = list(string)
}
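Review bot: None of the five variables carries a `description`, so a caller has to read main.tf to learn that `allowed_users` entries are SSM parameter names rather than Unix accounts on the host; adding `description = "Users granted SSH to the bastion; each name must have a CIDR stored at /prod/bastion/allowed-ips/<user> in SSM Parameter Store (us-west-1)"` to `allowed_users`, and a one-line description on each of the other four (e.g. `description = "Name of the aws_key_pair installed on the bastion"` for `key_pair`), would make the module self-documenting.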
