Merge terraform DMZ and LZ
aloftus23 committed May 7, 2024
1 parent 9b777df commit 5c42d0f
Showing 21 changed files with 885 additions and 318 deletions.
13 changes: 7 additions & 6 deletions infrastructure/cloudtrail.tf
Expand Up @@ -4,7 +4,7 @@ resource "aws_cloudtrail" "all-events" {
s3_bucket_name = var.cloudtrail_bucket_name
kms_key_id = aws_kms_key.key.arn
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
cloud_watch_logs_role_arn = "arn:aws-us-gov:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
cloud_watch_logs_role_arn = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
tags = {
Project = var.project
Stage = var.stage
Expand All @@ -14,11 +14,11 @@ resource "aws_cloudtrail" "all-events" {
include_management_events = true
data_resource {
type = "AWS::S3::Object"
values = ["arn:aws-us-gov:s3"]
values = ["arn:${var.aws_partition}:s3"]
}
data_resource {
type = "AWS::Lambda::Function"
values = ["arn:aws-us-gov:lambda"]
values = ["arn:${var.aws_partition}:lambda"]
}
}
enable_log_file_validation = true
Expand Down Expand Up @@ -100,8 +100,9 @@ resource "aws_iam_role" "cloudtrail_role" {
data "template_file" "cloudtrail_bucket_policy" {
template = file("cloudtrail_bucket_policy.tpl")
vars = {
bucketName = var.cloudtrail_bucket_name
accountId = data.aws_caller_identity.current.account_id
bucketName = var.cloudtrail_bucket_name
accountId = data.aws_caller_identity.current.account_id
awsPartition = var.aws_partition
}
}

Expand Down Expand Up @@ -138,7 +139,7 @@ resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
"logs:PutLogEvents"
],
Effect = "Allow",
Resource = "arn:aws-us-gov:logs:*"
Resource = "arn:${var.aws_partition}:logs:*"
}]
})
}
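Review bot: `var.aws_partition` is now interpolated into every ARN in this file (cloud_watch_logs_role_arn, the two data_resource values, the logs Resource in cloudtrail_cloudwatch_policy), but nothing on this page shows the variable being validated or derived from the provider, so a typo or a value that disagrees with the account's real partition produces ARNs that silently never match. Either read it from `data "aws_partition" "current" {}` and reference `data.aws_partition.current.partition`, or add a `validation { condition = contains(["aws", "aws-us-gov"], var.aws_partition) }` block on the variable (its definition is not in this view). The same applies to the awsPartition template var in cloudtrail_bucket_policy.tpl and to the ARNs rewritten in es.tf and kms.tf. Separately, `data "template_file"` is deprecated in favour of the built-in `templatefile("cloudtrail_bucket_policy.tpl", { ... })`, which would also drop the external template provider.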
12 changes: 6 additions & 6 deletions infrastructure/cloudtrail_bucket_policy.tpl
Expand Up @@ -8,7 +8,7 @@
"Service": "cloudtrail.amazonaws.com"
},
"Action": ["s3:GetBucketAcl"],
"Resource": ["arn:aws-us-gov:s3:::${bucketName}"]
"Resource": ["arn:${awsPartition}:s3:::${bucketName}"]
},
{
"Sid": "AWSCloudTrailWrite20121017",
Expand All @@ -18,8 +18,8 @@
},
"Action": ["s3:PutObject"],
"Resource": [
"arn:aws-us-gov:s3:::${bucketName}/AWSLogs/${accountId}",
"arn:aws-us-gov:s3:::${bucketName}/AWSLogs/${accountId}/*"
"arn:${awsPartition}:s3:::${bucketName}/AWSLogs/${accountId}",
"arn:${awsPartition}:s3:::${bucketName}/AWSLogs/${accountId}/*"
],
"Condition": {
"StringEquals": {
Expand All @@ -33,8 +33,8 @@
"Effect": "Deny",
"Principal": "*",
"Resource": [
"arn:aws-us-gov:s3:::${bucketName}",
"arn:aws-us-gov:s3:::${bucketName}/*"
"arn:${awsPartition}:s3:::${bucketName}",
"arn:${awsPartition}:s3:::${bucketName}/*"
],
"Condition": {
"Bool": {
Expand All @@ -43,4 +43,4 @@
}
}
]
}
}
90 changes: 74 additions & 16 deletions infrastructure/database.tf
Expand Up @@ -3,7 +3,7 @@ data "aws_ssm_parameter" "db_username" { name = var.ssm_db_username }

resource "aws_db_subnet_group" "default" {
name = var.db_group_name
subnet_ids = [data.aws_ssm_parameter.subnet_db_1_id.value, data.aws_ssm_parameter.subnet_db_2_id.value]
subnet_ids = var.is_dmz ? [aws_subnet.db_1[0].id, aws_subnet.db_2[0].id] : [data.aws_ssm_parameter.subnet_db_1_id[0].value, data.aws_ssm_parameter.subnet_db_2_id[0].value]

tags = {
Project = var.project
Expand Down Expand Up @@ -52,15 +52,34 @@ resource "aws_db_instance" "db" {
db_subnet_group_name = aws_db_subnet_group.default.name
parameter_group_name = aws_db_parameter_group.default.name

vpc_security_group_ids = [aws_security_group.allow_internal.id]
vpc_security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]

tags = {
Project = "Crossfeed"
Owner = "Crossfeed managed resource"
}
}

data "aws_ami" "ubuntu" {
count = var.is_dmz ? 1 : 0
most_recent = true

filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
}

filter {
name = "virtualization-type"
values = ["hvm"]
}

# Canonical
owners = ["099720109477"]
}

resource "aws_iam_role" "db_accessor" {
count = var.create_db_accessor_instance ? 1 : 0
name = "crossfeed-db-accessor-${var.stage}"
assume_role_policy = <<EOF
{
Expand All @@ -87,8 +106,9 @@ EOF

#Instance Profile
resource "aws_iam_instance_profile" "db_accessor" {
name = "crossfeed-db-accessor-${var.stage}"
role = aws_iam_role.db_accessor.id
count = var.create_db_accessor_instance ? 1 : 0
name = "crossfeed-db-accessor-${var.stage}"
role = aws_iam_role.db_accessor[0].id
tags = {
Project = var.project
Stage = var.stage
Expand All @@ -98,20 +118,23 @@ resource "aws_iam_instance_profile" "db_accessor" {

#Attach Policies to Instance Role
resource "aws_iam_policy_attachment" "db_accessor_1" {
count = var.create_db_accessor_instance ? 1 : 0
name = "crossfeed-db-accessor-${var.stage}"
roles = [aws_iam_role.db_accessor.id, "AmazonSSMRoleForInstancesQuickSetup"]
policy_arn = "arn:aws-us-gov:iam::aws:policy/AmazonSSMManagedInstanceCore"
roles = [aws_iam_role.db_accessor[0].id, "AmazonSSMRoleForInstancesQuickSetup"]
policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_policy_attachment" "db_accessor_2" {
count = var.create_db_accessor_instance ? 1 : 0
name = "crossfeed-db-accessor-${var.stage}"
roles = [aws_iam_role.db_accessor.id]
policy_arn = "arn:aws-us-gov:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
roles = [aws_iam_role.db_accessor[0].id]
policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy" "db_accessor_s3_policy" {
count = var.create_db_accessor_instance ? 1 : 0
name_prefix = "crossfeed-db-accessor-s3-${var.stage}"
role = aws_iam_role.db_accessor.id
role = aws_iam_role.db_accessor[0].id
policy = <<EOF
{
"Version": "2012-10-17",
Expand All @@ -135,6 +158,29 @@ resource "aws_iam_role_policy" "db_accessor_s3_policy" {
EOF
}

resource "aws_iam_role_policy" "sqs_send_message_policy" {
count = var.create_db_accessor_instance ? 1 : 0
name_prefix = "ec2-send-sqs-message-${var.stage}"
role = aws_iam_role.db_accessor[0].id
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = [
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:GetQueueUrl"
],
Effect = "Allow",
Resource = "*"
}
]
})
}

resource "aws_instance" "db_accessor" {
count = var.create_db_accessor_instance ? 1 : 0
ami = var.ami_id
Expand Down Expand Up @@ -163,10 +209,10 @@ resource "aws_instance" "db_accessor" {
volume_size = 1000
}

vpc_security_group_ids = [aws_security_group.allow_internal.id]
subnet_id = data.aws_ssm_parameter.subnet_db_1_id.value
vpc_security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]
subnet_id = var.is_dmz ? aws_subnet.backend[0].id : data.aws_ssm_parameter.subnet_db_1_id[0].value

iam_instance_profile = aws_iam_instance_profile.db_accessor.id
iam_instance_profile = aws_iam_instance_profile.db_accessor[0].id
user_data = file("./ssm-agent-install.sh")
lifecycle {
# prevent_destroy = true
Expand All @@ -177,7 +223,7 @@ resource "aws_instance" "db_accessor" {
resource "aws_ssm_parameter" "lambda_sg_id" {
name = var.ssm_lambda_sg
type = "String"
value = aws_security_group.allow_internal.id
value = var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id
overwrite = true

tags = {
Expand All @@ -189,7 +235,7 @@ resource "aws_ssm_parameter" "lambda_sg_id" {
resource "aws_ssm_parameter" "lambda_subnet_id" {
name = var.ssm_lambda_subnet
type = "String"
value = data.aws_ssm_parameter.subnet_db_2_id.value
value = var.is_dmz ? aws_subnet.backend[0].id : data.aws_ssm_parameter.subnet_db_2_id[0].value
overwrite = true

tags = {
Expand All @@ -201,7 +247,7 @@ resource "aws_ssm_parameter" "lambda_subnet_id" {
resource "aws_ssm_parameter" "worker_sg_id" {
name = var.ssm_worker_sg
type = "String"
value = aws_security_group.worker.id
value = var.is_dmz ? aws_security_group.worker[0].id : aws_security_group.worker_lz[0].id
overwrite = true

tags = {
Expand All @@ -213,7 +259,7 @@ resource "aws_ssm_parameter" "worker_sg_id" {
resource "aws_ssm_parameter" "worker_subnet_id" {
name = var.ssm_worker_subnet
type = "String"
value = data.aws_ssm_parameter.subnet_db_2_id.value
value = var.is_dmz ? aws_subnet.worker[0].id : data.aws_ssm_parameter.subnet_db_2_id[0].value
overwrite = true

tags = {
Expand Down Expand Up @@ -279,6 +325,12 @@ resource "aws_s3_bucket_policy" "reports_bucket" {
})
}

resource "aws_s3_bucket_acl" "reports_bucket" {
count = var.is_dmz ? 1 : 0
bucket = aws_s3_bucket.reports_bucket.id
acl = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "reports_bucket" {
bucket = aws_s3_bucket.reports_bucket.id
rule {
Expand Down Expand Up @@ -334,6 +386,12 @@ resource "aws_s3_bucket_policy" "pe_db_backups_bucket" {
})
}

resource "aws_s3_bucket_acl" "pe_db_backups_bucket" {
count = var.is_dmz ? 1 : 0
bucket = aws_s3_bucket.pe_db_backups_bucket.id
acl = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "pe_db_backups_bucket" {
bucket = aws_s3_bucket.pe_db_backups_bucket.id
rule {
Expand Down
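Review bot: The new `aws_iam_role_policy.sqs_send_message_policy` grants sqs:SendMessage, sqs:ReceiveMessage and sqs:DeleteMessage on `Resource = "*"`, which lets the db_accessor instance read from and drain any queue in the account; scope it to the queue(s) it actually uses, e.g. `Resource = aws_sqs_queue.<QUEUE>.arn` (placeholder — the queue resource is not in this view), and keep only `sqs:ListQueues` in a separate statement on `"*"`, since that action is not resource-scoped. A `Sid` on each statement would also help when auditing the role. Separately, `data "aws_ami" "ubuntu"` selects whatever image currently matches a wildcard name with `most_recent = true`, so each apply can silently move the ELK host to a different AMI; pinning a dated name pattern or surfacing the id as a reviewed variable makes that choice explicit.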
8 changes: 4 additions & 4 deletions infrastructure/elastic.tf
Expand Up @@ -2,7 +2,7 @@

resource "aws_instance" "elk_stack" {
count = var.create_elk_instance ? 1 : 0
ami = var.ami_id
ami = var.is_dmz ? data.aws_ami.ubuntu[0].id : var.ami_id
instance_type = var.elk_instance_class
associate_public_ip_address = false

Expand All @@ -29,10 +29,10 @@ resource "aws_instance" "elk_stack" {
volume_size = 15
}

vpc_security_group_ids = [aws_security_group.allow_internal.id]
subnet_id = data.aws_ssm_parameter.subnet_db_1_id.value
vpc_security_group_ids = [aws_security_group.allow_internal[0].id]
subnet_id = var.is_dmz ? aws_subnet.backend[0].id : data.aws_ssm_parameter.subnet_db_1_id[0].value

iam_instance_profile = aws_iam_instance_profile.db_accessor.id
iam_instance_profile = aws_iam_instance_profile.db_accessor[0].id
user_data = file("./ssm-agent-install.sh")


Expand Down
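Review bot: `vpc_security_group_ids = [aws_security_group.allow_internal[0].id]` in elk_stack references the DMZ security group unconditionally, whereas db, db_accessor and the SSM parameters in database.tf switch on `var.is_dmz` to `allow_internal_lz[0]`; if allow_internal is count-gated on is_dmz as those references suggest, an LZ deployment with create_elk_instance = true fails with an invalid index, so this should be `vpc_security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]`. The profile reference `aws_iam_instance_profile.db_accessor[0].id` likewise now requires `var.create_db_accessor_instance` to be true whenever `var.create_elk_instance` is, a coupling that deserves either a dedicated profile for the ELK host or at least a comment on the count line. The aws_instance.elk_stack body continues outside these hunks.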
8 changes: 4 additions & 4 deletions infrastructure/es.tf
Expand Up @@ -31,15 +31,15 @@ resource "aws_elasticsearch_domain" "es" {
"Action": "es:ESHttp*",
"Principal": "*",
"Effect": "Allow",
"Resource": "arn:aws-us-gov:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/crossfeed-${var.stage}/*"
"Resource": "arn:${var.aws_partition}:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/crossfeed-${var.stage}/*"
}
]
}
POLICY

vpc_options {
subnet_ids = [data.aws_ssm_parameter.subnet_es_id.value]
security_group_ids = [aws_security_group.allow_internal.id]
subnet_ids = [var.is_dmz ? aws_subnet.es_1[0].id : data.aws_ssm_parameter.subnet_es_id[0].value]
security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]
}

# Only supported on certain instance types, so let's only enable this on prod: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html
Expand Down Expand Up @@ -104,7 +104,7 @@ resource "aws_cloudwatch_log_resource_policy" "es" {
"logs:PutLogEventsBatch",
"logs:CreateLogStream"
],
"Resource": "arn:aws-us-gov:logs:*"
"Resource": "arn:${var.aws_partition}:logs:*"
}
]
}
Expand Down
14 changes: 7 additions & 7 deletions infrastructure/kms.tf
Expand Up @@ -14,7 +14,7 @@ resource "aws_kms_key" "key" {
Effect : "Allow",

Principal : {
AWS : "arn:aws-us-gov:iam::${data.aws_caller_identity.current.account_id}:root"
AWS : "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:root"
},

Action : [
Expand Down Expand Up @@ -127,7 +127,7 @@ resource "aws_kms_key" "key" {

Condition : {
ArnLike : {
"kms:EncryptionContext:aws:logs:arn" : "arn:aws-us-gov:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
"kms:EncryptionContext:aws:logs:arn" : "arn:${var.aws_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
}
}
},
Expand All @@ -141,10 +141,10 @@ resource "aws_kms_key" "key" {
Resource : "*",
Condition : {
StringEquals : {
"aws:SourceArn" : "arn:aws-us-gov:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
"aws:SourceArn" : "arn:${var.aws_partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
},
StringLike : {
"kms:EncryptionContext:aws:cloudtrail:arn" : "arn:aws-us-gov:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
"kms:EncryptionContext:aws:cloudtrail:arn" : "arn:${var.aws_partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
}
}
},
Expand All @@ -164,10 +164,10 @@ resource "aws_kms_key" "key" {
Service : "cloudtrail.amazonaws.com"
},
Action : "kms:DescribeKey",
Resource : "arn:aws-us-gov:kms:region:${data.aws_caller_identity.current.account_id}:key/*}",
Resource : "arn:${var.aws_partition}:kms:region:${data.aws_caller_identity.current.account_id}:key/*}",
Condition : {
StringEquals : {
"aws:SourceArn" : "arn:aws-us-gov:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
"aws:SourceArn" : "arn:${var.aws_partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
}
}
}
Expand All @@ -184,4 +184,4 @@ resource "aws_kms_alias" "key" {
target_key_id = aws_kms_key.key.id
name = "alias/${var.stage}-key"

}
}
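Review bot: The kms:DescribeKey statement's `Resource : "arn:${var.aws_partition}:kms:region:${data.aws_caller_identity.current.account_id}:key/*}"` carries over a literal `region` segment and a stray trailing `}` from the old line, so the ARN pattern can never match a real key; the commit swaps only the partition and leaves that defect in place. In a key policy the key itself is addressed as `"*"`, so the line should read `Resource : "*",` rather than an ARN pattern. The enclosing aws_kms_key.key policy starts and ends outside these hunks.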