Merge branch 'master' into b-etc-permissions
Showing
27 changed files
with
898 additions
and
7 deletions.
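--- a/consul-cluster/aws-nat-consul-cluster/terraform/firewalls.tf
+++ b/consul-cluster/aws-nat-consul-cluster/terraform/firewalls.tf
@@ -0,0 +1,193 @@
+// tldr;
+// - Default egress to 0.0.0.0/0 to talk to SCADA
+//
+// - Servers can talk to other Servers on tcp/8300, tcp/8301, udp/8301, tcp/8302, udp/8302
+// - Servers can talk to Clients on tcp/8301, udp/8301
+//
+// - Clients can talk to Servers on tcp/8300, tcp/8301, udp/8301
+// - Clients can talk to other Clients on tcp/8301, udp/8301
+//
+
+//
+// Default Egress
+//
+resource "aws_security_group" "default_egress" {
+name = "default_egress"
+description = "Default Egress"
+vpc_id = "${aws_vpc.main.id}"
+}
+
+resource "aws_security_group_rule" "default_egress" {
+security_group_id = "${aws_security_group.default_egress.id}"
+type = "egress"
+protocol = "-1"
+from_port = 0
+to_port = 0
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+//
+// Administrative Access
+//
+resource "aws_security_group" "admin_access" {
+name = "admin_access"
+description = "Admin Access"
+vpc_id = "${aws_vpc.main.id}"
+}
+
+resource "aws_security_group_rule" "admin_ssh" {
+security_group_id = "${aws_security_group.admin_access.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 22
+to_port = 22
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+//
+// NAT
+//
+resource "aws_security_group" "nat" {
+name = "nat"
+description = "NAT"
+vpc_id = "${aws_vpc.main.id}"
+}
+
+resource "aws_security_group_rule" "nat" {
+security_group_id = "${aws_security_group.nat.id}"
+type = "ingress"
+protocol = "-1"
+from_port = 0
+to_port = 0
+cidr_blocks = ["${var.vpc_cidr}"]
+}
+
+//
+// Consul Client
+// - required for Consul Clients
+//
+resource "aws_security_group" "consul_client" {
+name = "consul_client"
+description = "Consul Client Access (from servers and other clients)"
+vpc_id = "${aws_vpc.main.id}"
+}
+
+resource "aws_security_group_rule" "consul_client_serf_lan_tcp_self" {
+security_group_id = "${aws_security_group.consul_client.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8301
+to_port = 8301
+self = true
+}
+
+resource "aws_security_group_rule" "consul_client_serf_lan_udp_self" {
+security_group_id = "${aws_security_group.consul_client.id}"
+type = "ingress"
+protocol = "udp"
+from_port = 8301
+to_port = 8301
+self = true
+}
+
+// These next 2 are for consul server access to the clients.
+resource "aws_security_group_rule" "consul_client_serf_lan_tcp_consul" {
+security_group_id = "${aws_security_group.consul_client.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8301
+to_port = 8301
+source_security_group_id = "${aws_security_group.consul.id}"
+}
+
+resource "aws_security_group_rule" "consul_client_serf_lan_udp_consul" {
+security_group_id = "${aws_security_group.consul_client.id}"
+type = "ingress"
+protocol = "udp"
+from_port = 8301
+to_port = 8301
+source_security_group_id = "${aws_security_group.consul.id}"
+}
+
+//
+// Consul LAN Access
+// - required for Consul Servers
+//
+resource "aws_security_group" "consul" {
+name = "consul"
+description = "Consul Server LAN Access (from other servers and clients)"
+vpc_id = "${aws_vpc.main.id}"
+}
+
+resource "aws_security_group_rule" "consul_server_rpc_tcp_self" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8300
+to_port = 8300
+self = true
+}
+
+resource "aws_security_group_rule" "consul_serf_lan_tcp_self" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8301
+to_port = 8301
+self = true
+}
+
+resource "aws_security_group_rule" "consul_serf_lan_udp_self" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "udp"
+from_port = 8301
+to_port = 8301
+self = true
+}
+
+resource "aws_security_group_rule" "consul_serf_wan_tcp_self" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8302
+to_port = 8302
+self = true
+}
+
+resource "aws_security_group_rule" "consul_serf_wan_udp_self" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "udp"
+from_port = 8302
+to_port = 8302
+self = true
+}
+
+// These next 3 are for consul_client access to servers.
+resource "aws_security_group_rule" "consul_server_rpc_tcp_consul_client" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8300
+to_port = 8300
+source_security_group_id = "${aws_security_group.consul_client.id}"
+}
+
+resource "aws_security_group_rule" "consul_serf_lan_tcp_consul_client" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "tcp"
+from_port = 8301
+to_port = 8301
+source_security_group_id = "${aws_security_group.consul_client.id}"
+}
+
+resource "aws_security_group_rule" "consul_serf_lan_udp_consul_client" {
+security_group_id = "${aws_security_group.consul.id}"
+type = "ingress"
+protocol = "udp"
+from_port = 8301
+to_port = 8301
+source_security_group_id = "${aws_security_group.consul_client.id}"
+}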
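Review bot: The `admin_ssh` rule on `admin_access` opens tcp/22 to `0.0.0.0/0`, and instances.tf in this same commit attaches `admin_access` to every instance, so the NAT host in the public subnet is SSH-reachable from the entire internet and the Consul nodes would be too should their subnets ever gain a public route. Restrict the source to an operator range, e.g. declare `variable "admin_cidr" {}` alongside the other variables and use `cidr_blocks = ["${var.admin_cidr}"]` here, or only attach `admin_access` to the NAT host and treat it as the bastion for the private nodes. A secondary point: the `nat` rule admits every protocol and port from `var.vpc_cidr`, which is broader than outbound forwarding needs; if trusting the whole VPC is deliberate, a comment such as `// NAT accepts all traffic from the VPC so private subnets can route out through it` would make that explicit for the next reader.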
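--- a/consul-cluster/aws-nat-consul-cluster/terraform/instances.tf
+++ b/consul-cluster/aws-nat-consul-cluster/terraform/instances.tf
@@ -0,0 +1,110 @@
+resource "template_file" "consul_update" {
+filename = "${module.shared.path}/consul/userdata/consul_update.sh.tpl"
+
+vars {
+region = "${var.region}"
+atlas_token = "${var.atlas_token}"
+atlas_username = "${var.atlas_username}"
+atlas_environment = "${var.atlas_environment}"
+consul_bootstrap_expect = "${var.consul_bootstrap_expect}"
+}
+}
+
+//
+// Consul Client
+//
+resource "atlas_artifact" "consul_client" {
+name = "${var.atlas_username}/consul_client"
+type = "amazon.image"
+}
+
+resource "aws_instance" "consul_client" {
+instance_type = "${var.instance_type}"
+ami = "${atlas_artifact.consul_client.metadata_full.region-us-east-1}"
+key_name = "${aws_key_pair.main.key_name}"
+
+user_data = "${template_file.consul_update.rendered}"
+
+vpc_security_group_ids = ["${aws_security_group.default_egress.id}","${aws_security_group.admin_access.id}","${aws_security_group.consul_client.id}"]
+subnet_id = "${aws_subnet.subnet_a.id}"
+
+tags {
+Name = "consul_client"
+}
+
+}
+
+//
+// Consul Servers
+//
+resource "atlas_artifact" "consul" {
+name = "${var.atlas_username}/consul"
+type = "amazon.image"
+}
+
+resource "aws_instance" "consul_0" {
+instance_type = "${var.instance_type}"
+ami = "${atlas_artifact.consul.metadata_full.region-us-east-1}"
+key_name = "${aws_key_pair.main.key_name}"
+
+user_data = "${template_file.consul_update.rendered}"
+
+vpc_security_group_ids = ["${aws_security_group.default_egress.id}","${aws_security_group.admin_access.id}","${aws_security_group.consul.id}"]
+subnet_id = "${aws_subnet.subnet_a.id}"
+
+tags {
+Name = "consul_0"
+}
+
+}
+
+resource "aws_instance" "consul_1" {
+instance_type = "${var.instance_type}"
+ami = "${atlas_artifact.consul.metadata_full.region-us-east-1}"
+key_name = "${aws_key_pair.main.key_name}"
+
+user_data = "${template_file.consul_update.rendered}"
+
+vpc_security_group_ids = ["${aws_security_group.default_egress.id}","${aws_security_group.admin_access.id}","${aws_security_group.consul.id}"]
+subnet_id = "${aws_subnet.subnet_b.id}"
+
+tags {
+Name = "consul_1"
+}
+
+}
+
+resource "aws_instance" "consul_2" {
+instance_type = "${var.instance_type}"
+ami = "${atlas_artifact.consul.metadata_full.region-us-east-1}"
+key_name = "${aws_key_pair.main.key_name}"
+
+user_data = "${template_file.consul_update.rendered}"
+
+vpc_security_group_ids = ["${aws_security_group.default_egress.id}","${aws_security_group.admin_access.id}","${aws_security_group.consul.id}"]
+subnet_id = "${aws_subnet.subnet_c.id}"
+
+tags {
+Name = "consul_2"
+}
+
+}
+
+//
+// NAT
+//
+resource "aws_instance" "nat" {
+instance_type = "${var.instance_type}"
+ami = "${var.nat_ami}"
+key_name = "${aws_key_pair.main.key_name}"
+
+vpc_security_group_ids = ["${aws_security_group.default_egress.id}","${aws_security_group.admin_access.id}","${aws_security_group.nat.id}"]
+subnet_id = "${aws_subnet.public.id}"
+
+source_dest_check = false
+
+tags {
+Name = "nat"
+}
+
+}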
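Review bot: The `consul_update` template takes `atlas_token` in its `vars` and its rendered output is passed as `user_data` to the client and all three server instances, which places the token in plaintext in EC2 user data: any process on the box can read it from the instance metadata service, and it is also returned to anyone allowed to describe the instance's attributes. If the token is only needed at boot, prefer having the instance fetch it at runtime from a store scoped by an instance role rather than baking it into user data; at minimum record the exposure with a comment above `template_file.consul_update` such as `// NOTE: atlas_token is rendered into user_data and is readable from the instance metadata service and via DescribeInstanceAttribute`. Separately, every `ami` lookup hard-codes `metadata_full.region-us-east-1` while `var.region` is configurable, so changing `region` would deploy into one region with an AMI looked up for another; derive the metadata key from `var.region` or document that this example only supports us-east-1.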
@@ -0,0 +1,4 @@ | ||
resource "aws_key_pair" "main" { | ||
key_name = "${var.key_name}" | ||
public_key = "${file(module.shared.public_key_path)}" | ||
} |
@@ -0,0 +1,52 @@ | ||
// | ||
// Providers & Modules | ||
// | ||
provider "aws" { | ||
region = "${var.region}" | ||
} | ||
|
||
module "shared" { | ||
source = "../../shared" | ||
key_name = "${var.key_name}" | ||
} | ||
|
||
// | ||
// Variables | ||
// | ||
variable "atlas_token" {} | ||
variable "atlas_username" {} | ||
variable "atlas_environment" { default = "consul-cluster" } | ||
|
||
variable "region" { default = "us-east-1" } | ||
variable "source_ami" { default = "ami-9a562df2" } | ||
variable "nat_ami" { default = "ami-b0210ed8" } | ||
variable "key_name" { default = "atlas-example" } | ||
variable "instance_type" { default = "t2.micro" } | ||
|
||
variable "vpc_cidr" { default = "172.31.0.0/16" } | ||
variable "vpc_cidrs" { default = "172.31.0.0/20,172.31.16.0/20,172.31.32.0/20,172.31.48.0/20" } | ||
|
||
variable "consul_bootstrap_expect" { default = "3" } | ||
|
||
// | ||
// Outputs | ||
// | ||
output "consul_client" { | ||
value = "${aws_instance.consul_client.private_ip}" | ||
} | ||
|
||
output "consul_0" { | ||
value = "${aws_instance.consul_0.private_ip}" | ||
} | ||
|
||
output "consul_1" { | ||
value = "${aws_instance.consul_1.private_ip}" | ||
} | ||
|
||
output "consul_2" { | ||
value = "${aws_instance.consul_2.private_ip}" | ||
} | ||
|
||
output "nat" { | ||
value = "${aws_instance.nat.public_ip}" | ||
} |