From af51be88b88e42f94c52ef67c4da1f12e44d6918 Mon Sep 17 00:00:00 2001
From: Bhaskar Roy
Date: Thu, 26 Aug 2021 21:52:26 -0400
Subject: [PATCH 1/9] add provider

---
 .gitignore | 45 +++++++++++++++++++++++++++++++++++++++++++++
 versions.tf | 7 ++++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3e75452
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,45 @@
+# Global files to ignore in the project
+
+# macOS files to ignore
+.DS_Store
+._*
+
+# Visual Studio Code files to ignore
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+.history/
+
+# Node files to ignore
+node_modules
+bower_components
+build/Release
+web_modules/
+.npm
+*.tgz
+.env
+.env.test
+.cache/
+
+# Log files to ignore
+logs
+*.log*
+
+# Keys and Certificates files to ignore
+*.crt
+*.pem
+*.key
+
+# Terraform files to ignore
+**/.terraform/*
+*.tf.bkp
+*.tfstate
+*.tfstate.*
+*.auto.tfvars
+*.lock.hcl
+crash.log
+test
+terraform_key.json
diff --git a/versions.tf b/versions.tf
index ac97c6a..88f9319 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,4 +1,9 @@
 
 terraform {
- required_version = ">= 0.12"
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ version = "~> 1.30.0"
+ }
+ }
 }

From 6cfe4f518d902df4574bb38c7c28a164947ef612 Mon Sep 17 00:00:00 2001
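Review bot: `*.lock.hcl` in the Terraform section ignores `.terraform.lock.hcl`, the file Terraform uses to record the selected provider version together with its checksums, so every `terraform init` re-resolves the `ibm-cloud/ibm` provider without verifying it against a committed hash; drop that line and commit the lock file. The same section only covers `*.auto.tfvars`, so a `terraform.tfvars` holding sensitive inputs such as `ssh_private_key` (referenced from main.tf later in this series) would still be committed: add `*.tfvars` and, if samples are kept, `!*.tfvars.example`. The bare pattern `test` also ignores any file or directory named test anywhere in the tree, which is broader than it reads; `/test/` would limit it to the top-level directory if that is what is meant.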
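Review bot: The `required_version = ">= 0.12"` constraint is removed rather than raised, yet the `required_providers` block with a `source` attribute that replaces it is only understood by Terraform 0.13 and later, so an older CLI now fails with a confusing parse error instead of a clear version message. Keep a constraint next to the new block, `required_version = ">= 0.13"`, so the minimum is stated explicitly.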
From: Bhaskar Roy Date: Sat, 28 Aug 2021 12:09:10 -0400 Subject: [PATCH 2/9] Added version to every module, the should be linked to root, if needed, as all modules may or may not use the same provider version --- accesscheck/versions.tf | 9 +++++++++ backendmodule/versions.tf | 9 +++++++++ bastionmodule/versions.tf | 9 +++++++++ frontendmodule/versions.tf | 9 +++++++++ main.tf | 3 +-- versions.tf | 6 +++--- vpc/versions.tf | 9 +++++++++ vpc/vpc.tf | 1 + 8 files changed, 50 insertions(+), 5 deletions(-) create mode 100644 accesscheck/versions.tf create mode 100644 backendmodule/versions.tf create mode 100644 bastionmodule/versions.tf create mode 100644 frontendmodule/versions.tf create mode 100644 vpc/versions.tf diff --git a/accesscheck/versions.tf b/accesscheck/versions.tf new file mode 100644 index 0000000..ff9ba3f --- /dev/null +++ b/accesscheck/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + ibm = { + source = "ibm-cloud/ibm" + version = "1.30.0" + } + } +} + diff --git a/backendmodule/versions.tf b/backendmodule/versions.tf new file mode 100644 index 0000000..ff9ba3f --- /dev/null +++ b/backendmodule/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + ibm = { + source = "ibm-cloud/ibm" + version = "1.30.0" + } + } +} + diff --git a/bastionmodule/versions.tf b/bastionmodule/versions.tf new file mode 100644 index 0000000..ff9ba3f --- /dev/null +++ b/bastionmodule/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + ibm = { + source = "ibm-cloud/ibm" + version = "1.30.0" + } + } +} + diff --git a/frontendmodule/versions.tf b/frontendmodule/versions.tf new file mode 100644 index 0000000..ff9ba3f --- /dev/null +++ b/frontendmodule/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + ibm = { + source = "ibm-cloud/ibm" + version = "1.30.0" + } + } +} + diff --git a/main.tf b/main.tf index a0a407d..ef7be85 100644 --- a/main.tf +++ b/main.tf 
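Review bot: Each child module pins the provider to the exact release `version = "1.30.0"`, and the root versions.tf is changed to the same exact pin in this commit, so every provider upgrade becomes a six-file edit and any drift between root and a module makes `terraform init` unable to find a version satisfying both. Child modules conventionally declare only a lower bound, `version = ">= 1.30.0"`, and leave the exact selection to the root configuration and its lock file. The same applies to the identical backendmodule, bastionmodule, frontendmodule and vpc/versions.tf files in this commit.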
@@ -1,10 +1,9 @@ - # provider block required with Schematics to set VPC region provider "ibm" { region = var.ibm_region #ibmcloud_api_key = var.ibmcloud_api_key generation = local.generation - version = "~> 1.4" + # version = "~> 1.4" } data "ibm_resource_group" "all_rg" { diff --git a/versions.tf b/versions.tf index 88f9319..ff9ba3f 100644 --- a/versions.tf +++ b/versions.tf @@ -1,9 +1,9 @@ - terraform { required_providers { ibm = { - source = "IBM-Cloud/ibm" - version = "~> 1.30.0" + source = "ibm-cloud/ibm" + version = "1.30.0" } } } + diff --git a/vpc/versions.tf b/vpc/versions.tf new file mode 100644 index 0000000..ff9ba3f --- /dev/null +++ b/vpc/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + ibm = { + source = "ibm-cloud/ibm" + version = "1.30.0" + } + } +} + diff --git a/vpc/vpc.tf b/vpc/vpc.tf index 909207f..e7e3c68 100755 --- a/vpc/vpc.tf +++ b/vpc/vpc.tf @@ -6,6 +6,7 @@ # Separately setup up any required load balancers, listeners, pools and members ############################################################################## + ############################################################################## # Create a VPC ############################################################################## From 0f58defab30d884b3345b248ac5524e9a3bf6426 Mon Sep 17 00:00:00 2001 From: Bhaskar Roy Date: Sat, 28 Aug 2021 15:21:22 -0400 Subject: [PATCH 3/9] updating gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 3e75452..b8e3e6f 100644 --- a/.gitignore +++ b/.gitignore @@ -18,6 +18,7 @@ node_modules bower_components build/Release web_modules/ +keys/ .npm *.tgz .env From 4594dccd4ef838ea1c873b911155d19df9c184a8 Mon Sep 17 00:00:00 2001 
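Review bot: The provider block now carries two commented-out settings, the pre-existing `#ibmcloud_api_key = var.ibmcloud_api_key` and the newly commented `# version = "~> 1.4"` (patch 4 adds a third, `# generation`), and commented-out configuration tends to be read as live or as a hint that the value is still needed; git history already preserves the old values, so delete the `version` line outright instead of commenting it. If the API key line is kept as documentation of where the credential comes from, a comment such as `# ibmcloud_api_key is supplied by the IC_API_KEY / Schematics environment, never set here` says so more clearly than a disabled assignment. The `provider "ibm"` block is fully inside this hunk; the `data "ibm_resource_group"` block that follows continues past it.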
From: Bhaskar Roy Date: Sat, 28 Aug 2021 16:14:59 -0400 Subject: [PATCH 4/9] Data Governance module added --- backendmodule/back_nacl.tf | 10 ---------- main.tf | 35 +++++++++++++++++++++++++++++------ outputs.tf | 4 ++++ variables.tf | 7 ++++++- vpc/outputs.tf | 4 ++++ vpc/vars.tf | 8 ++++++++ vpc/vpc.tf | 18 ++++++++++++++++++ 7 files changed, 69 insertions(+), 17 deletions(-) delete mode 100644 backendmodule/back_nacl.tf diff --git a/backendmodule/back_nacl.tf b/backendmodule/back_nacl.tf deleted file mode 100644 index 67d527b..0000000 --- a/backendmodule/back_nacl.tf +++ /dev/null @@ -1,10 +0,0 @@ - -############################################################################## -# Config to dynamically create backend host Network ACL and rules -# -# Base rules for access to DNS, repos are predefined. Inputs required for -# source subnets backend VSIs host will be connected to by the front end VSIs and -# bastion host -############################################################################## - -# placeholder diff --git a/main.tf b/main.tf index ef7be85..fe7bc81 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ provider "ibm" { region = var.ibm_region #ibmcloud_api_key = var.ibmcloud_api_key - generation = local.generation + # generation = local.generation # version = "~> 1.4" } @@ -11,9 +11,10 @@ data "ibm_resource_group" "all_rg" { } locals { - generation = 2 + # generation = 2 frontend_count = 2 backend_count = 1 + datgov_count = 1 } 
@@ -43,18 +44,21 @@ module "vpc" { source = "./vpc" ibm_region = var.ibm_region resource_group_name = var.resource_group_name - generation = local.generation + # generation = local.generation unique_id = var.vpc_name frontend_count = local.frontend_count frontend_cidr_blocks = local.frontend_cidr_blocks backend_count = local.backend_count backend_cidr_blocks = local.backend_cidr_blocks + datgov_count = local.datgov_count + datgov_cidr_blocks = local.datgov_cidr_blocks } locals { # bastion_cidr_blocks = [cidrsubnet(var.bastion_cidr, 4, 0), cidrsubnet(var.bastion_cidr, 4, 2), cidrsubnet(var.bastion_cidr, 4, 4)] frontend_cidr_blocks = [cidrsubnet(var.frontend_cidr, 4, 0), cidrsubnet(var.frontend_cidr, 4, 2), cidrsubnet(var.frontend_cidr, 4, 4)] backend_cidr_blocks = [cidrsubnet(var.backend_cidr, 4, 0), cidrsubnet(var.backend_cidr, 4, 2), cidrsubnet(var.backend_cidr, 4, 4)] + datgov_cidr_blocks = [cidrsubnet(var.datgov_cidr, 4, 0), cidrsubnet(var.datgov_cidr, 4, 2), cidrsubnet(var.datgov_cidr, 4, 4)] } @@ -77,7 +81,6 @@ module "bastion" { } - module "frontend" { source = "./frontendmodule" ibm_region = var.ibm_region @@ -91,8 +94,9 @@ module "frontend" { subnet_ids = module.vpc.frontend_subnet_ids bastion_remote_sg_id = module.bastion.security_group_id bastion_subnet_CIDR = var.bastion_cidr - pub_repo_egress_cidr = local.pub_repo_egress_cidr app_backend_sg_id = module.backend.security_group_id + app_datgov_sg_id = module.datgov.security_group_id + pub_repo_egress_cidr = local.pub_repo_egress_cidr } module "backend" { 
@@ -109,6 +113,25 @@ module "backend" { bastion_remote_sg_id = module.bastion.security_group_id bastion_subnet_CIDR = var.bastion_cidr app_frontend_sg_id = module.frontend.security_group_id + app_datgov_sg_id = module.datgov.security_group_id + pub_repo_egress_cidr = local.pub_repo_egress_cidr +} + +module "datgov" { + source = "./datgovmodule" + ibm_region = var.ibm_region + unique_id = var.vpc_name + ibm_is_vpc_id = module.vpc.vpc_id + ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id + datgov_count = local.datgov_count + profile = var.profile + ibm_is_image_id = data.ibm_is_image.os.id + ibm_is_ssh_key_id = data.ibm_is_ssh_key.sshkey.id + subnet_ids = module.vpc.datgov_subnet_ids + bastion_remote_sg_id = module.bastion.security_group_id + bastion_subnet_CIDR = var.bastion_cidr + app_frontend_sg_id = module.frontend.security_group_id + app_backend_sg_id = module.backend.security_group_id pub_repo_egress_cidr = local.pub_repo_egress_cidr } @@ -117,5 +140,5 @@ module "accesscheck" { ssh_accesscheck = var.ssh_accesscheck ssh_private_key = var.ssh_private_key bastion_host = module.bastion.bastion_ip_addresses[0] - target_hosts = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address) + target_hosts = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address, module.datgov.primary_ipv4_address) } diff --git a/outputs.tf b/outputs.tf index 7120a5d..307d373 100644 --- a/outputs.tf +++ b/outputs.tf @@ -15,6 +15,10 @@ output "backend_server_host_ip_addresses" { value = [module.backend.primary_ipv4_address] } +output "datgov_server_host_ip_addresses" { + value = [module.datgov.primary_ipv4_address] +} + output "app_dns_hostname" { value = module.frontend.lb_hostname } diff --git a/variables.tf b/variables.tf index c7473a2..39c3fb7 100755 --- a/variables.tf +++ b/variables.tf 
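Review bot: `value = [module.datgov.primary_ipv4_address]` wraps a value that is already a list — the module output is built with a `[*]` splat over `ibm_is_instance` — so `datgov_server_host_ip_addresses` is a list containing one list and consumers must index `[0]` before they reach the addresses. `value = module.datgov.primary_ipv4_address` gives the flat list; the existing `backend_server_host_ip_addresses` output above has the same shape, so both would change together, and a `description` on the new output would document that it is one address per zone.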
@@ -72,12 +72,17 @@ variable "backend_cidr" { default = "172.17.0.0/20" } +variable "datgov_cidr" { + description = "Complete CIDR range across all three zones for data gov subnets" + default = "172.18.0.0/20" +} + ############################################################################## # VSI profile variable "profile" { - description = "Profile for VSIs deployed in frontend and backend" + description = "Profile for VSIs deployed in frontend, data governance and backend" default = "cx2-2x4" } diff --git a/vpc/outputs.tf b/vpc/outputs.tf index 0e4ba7a..965bf62 100644 --- a/vpc/outputs.tf +++ b/vpc/outputs.tf @@ -6,6 +6,10 @@ output "frontend_subnet_ids" { value = ibm_is_subnet.frontend_subnet.*.id } +output "datgov_subnet_ids" { + value = ibm_is_subnet.datgov_subnet.*.id +} + output "backend_subnet_ids" { value = ibm_is_subnet.backend_subnet.*.id } diff --git a/vpc/vars.tf b/vpc/vars.tf index d838970..b4a2a11 100644 --- a/vpc/vars.tf +++ b/vpc/vars.tf @@ -35,6 +35,11 @@ variable "backend_count" { default = 1 } +variable "datgov_count" { + description = "number of data governance zones" + default = 1 +} + ############################################################################## # Network variables ############################################################################## @@ -44,6 +49,9 @@ variable "frontend_cidr_blocks" { variable "backend_cidr_blocks" { } + +variable "datgov_cidr_blocks" { +} ############################################################################## diff --git a/vpc/vpc.tf b/vpc/vpc.tf index e7e3c68..ff038ca 100755 --- a/vpc/vpc.tf +++ b/vpc/vpc.tf 
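Review bot: `variable "datgov_cidr_blocks" {}` and `variable "datgov_count"` are declared without a `type`, so a wrong shape (a single string instead of three CIDRs) is only reported when `cidr = var.datgov_cidr_blocks[count.index]` is evaluated in vpc.tf; declare `type = list(string)` and `type = number`, with a one-line description such as `description = "CIDR blocks for the data governance subnets, one per zone"`. The same applies to the untyped `app_datagov_sg_id` / `app_backend_sg_id` variables added in patch 8 (`type = string`). This mirrors the untyped `backend_cidr_blocks` directly above, so the existing variables could be tightened in the same pass.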
@@ -50,6 +50,14 @@ resource "ibm_is_vpc_address_prefix" "backend_subnet_prefix" { cidr = var.backend_cidr_blocks[count.index] } +resource "ibm_is_vpc_address_prefix" "datgov_subnet_prefix" { + count = var.datgov_count + name = "${var.unique_id}-datgov-prefix-zone-${count.index + 1}" + zone = "${var.ibm_region}-${count.index % 3 + 1}" + vpc = ibm_is_vpc.vpc.id + cidr = var.datgov_cidr_blocks[count.index] +} + ############################################################################## ############################################################################## @@ -83,6 +91,16 @@ resource "ibm_is_subnet" "backend_subnet" { depends_on = [ibm_is_vpc_address_prefix.backend_subnet_prefix] } +resource "ibm_is_subnet" "datgov_subnet" { + count = var.datgov_count + name = "${var.unique_id}-datgov-subnet-${count.index + 1}" + vpc = ibm_is_vpc.vpc.id + zone = "${var.ibm_region}-${count.index % 3 + 1}" + ipv4_cidr_block = var.datgov_cidr_blocks[count.index] + #network_acl = "${ibm_is_network_acl.multizone_acl.id}" + public_gateway = ibm_is_public_gateway.repo_gateway[count.index].id + depends_on = [ibm_is_vpc_address_prefix.datgov_subnet_prefix] +} From 7216fd62c156c5d284716797ecc7ceba934ba350 Mon Sep 17 00:00:00 2001 From: Bhaskar Roy Date: Sat, 28 Aug 2021 16:17:40 -0400 Subject: [PATCH 5/9] Data Governance and Backend got net acl templates switched previously, fixed in this commit --- backendmodule/back_nacl.tf | 10 ++++++++++ datgovmodule/data_nacl.tf | 10 ++++++++++ 2 files changed, 20 insertions(+) create mode 100644 backendmodule/back_nacl.tf create mode 100644 datgovmodule/data_nacl.tf diff --git a/backendmodule/back_nacl.tf b/backendmodule/back_nacl.tf new file mode 100644 index 0000000..0e55a14 --- /dev/null +++ b/backendmodule/back_nacl.tf 
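Review bot: `ibm_is_subnet.datgov_subnet` leaves `#network_acl` commented out and attaches `public_gateway = ibm_is_public_gateway.repo_gateway[count.index].id`, so the data governance subnets presumably fall back to the VPC's default network ACL while gaining outbound internet reach, leaving the security group as the only isolation; the module's `data_nacl.tf` is still a placeholder, so at minimum a comment should state that the default ACL is intentional until the NACL is implemented, and the public gateway should be justified (the backend subnet above uses the same gateway, likely for repo access — confirm). Separately, `count = var.datgov_count` indexes `var.datgov_cidr_blocks[count.index]` while `zone` wraps with `% 3`, so a count above the three CIDRs the root derives fails with an index error instead of a clear message; a `validation` block on `datgov_count` limiting it to `length(var.datgov_cidr_blocks)` would make the limit explicit. The `datgov_subnet_prefix` resource in the earlier hunk has the same count/index shape.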
@@ -0,0 +1,10 @@
+
+##############################################################################
+# Config to dynamically create data governance host Network ACL and rules
+#
+# Base rules for access to DNS, repos are predefined. Inputs required for
+# source subnets data governance VSIs host will be connected to by the front end VSIs and
+# bastion host
+##############################################################################
+
+# placeholder
diff --git a/datgovmodule/data_nacl.tf b/datgovmodule/data_nacl.tf
new file mode 100644
index 0000000..67d527b
--- /dev/null
+++ b/datgovmodule/data_nacl.tf
@@ -0,0 +1,10 @@
+
+##############################################################################
+# Config to dynamically create backend host Network ACL and rules
+#
+# Base rules for access to DNS, repos are predefined. Inputs required for
+# source subnets backend VSIs host will be connected to by the front end VSIs and
+# bastion host
+##############################################################################
+
+# placeholder

From a82f1f733f9678074f8640abac8fe6854376837c Mon Sep 17 00:00:00 2001
From: Bhaskar Roy
Date: Sat, 28 Aug 2021 16:19:25 -0400
Subject: [PATCH 6/9] adding Data Governance

---
 datgovmodule/cloudinit.tf | 19 +++
 datgovmodule/main.tf | 159 ++++++++++++++++++++++++++++++++++++++
 datgovmodule/outputs.tf | 8 ++
 datgovmodule/vars.tf | 51 ++++++++++++
 datgovmodule/versions.tf | 9 +++
 5 files changed, 246 insertions(+)
 create mode 100644 datgovmodule/cloudinit.tf
 create mode 100644 datgovmodule/main.tf
 create mode 100644 datgovmodule/outputs.tf
 create mode 100644 datgovmodule/vars.tf
 create mode 100644 datgovmodule/versions.tf

diff --git a/datgovmodule/cloudinit.tf b/datgovmodule/cloudinit.tf
new file mode 100644
index 0000000..0d0025c
--- /dev/null
+++ b/datgovmodule/cloudinit.tf
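Review bot: The header of the new `datgovmodule/data_nacl.tf` still describes the backend tier (`# Config to dynamically create backend host Network ACL and rules` and `# source subnets backend VSIs host will be connected to ...`) even though the commit message says the two templates were un-switched; only back_nacl.tf is corrected later in the series (patch 8), so this file should read `data governance host` in both lines. Both files remain `# placeholder`, which is worth saying in the header (`# placeholder: no network ACL is created yet; subnets use the VPC default ACL`) so nobody assumes an ACL is applied.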
@@ -0,0 +1,19 @@ +data "template_cloudinit_config" "app_userdata" { + base64_encode = false + gzip = false + + part { + content = < Date: Sat, 28 Aug 2021 18:37:11 -0400 Subject: [PATCH 7/9] tf init works with these changes on local --- backendmodule/main.tf | 1 + {datgovmodule => datagovmodule}/cloudinit.tf | 0 {datgovmodule => datagovmodule}/data_nacl.tf | 0 {datgovmodule => datagovmodule}/main.tf | 27 +++++++++--------- datagovmodule/outputs.tf | 8 ++++++ {datgovmodule => datagovmodule}/vars.tf | 2 +- {datgovmodule => datagovmodule}/versions.tf | 0 datgovmodule/outputs.tf | 8 ------ frontendmodule/main.tf | 1 + main.tf | 30 ++++++++++---------- outputs.tf | 4 +-- variables.tf | 4 +-- versions.tf | 2 +- vpc/outputs.tf | 4 +-- vpc/vars.tf | 4 +-- vpc/vpc.tf | 18 ++++++------ 16 files changed, 58 insertions(+), 55 deletions(-) rename {datgovmodule => datagovmodule}/cloudinit.tf (100%) rename {datgovmodule => datagovmodule}/data_nacl.tf (100%) rename {datgovmodule => datagovmodule}/main.tf (85%) create mode 100644 datagovmodule/outputs.tf rename {datgovmodule => datagovmodule}/vars.tf (97%) rename {datgovmodule => datagovmodule}/versions.tf (100%) delete mode 100644 datgovmodule/outputs.tf diff --git a/backendmodule/main.tf b/backendmodule/main.tf index 4756fc5..4d69d37 100644 --- a/backendmodule/main.tf +++ b/backendmodule/main.tf @@ -95,6 +95,7 @@ locals { sg_rules = [ ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22], + ["inbound", var.app_datagov_sg_id, "tcp", 9300, 9300], ["inbound", var.app_frontend_sg_id, "tcp", 27017, 27017], ["outbound", "161.26.0.0/24", "tcp", 443, 443], ["outbound", "161.26.0.0/24", "tcp", 80, 80], diff --git a/datgovmodule/cloudinit.tf b/datagovmodule/cloudinit.tf similarity index 100% rename from datgovmodule/cloudinit.tf rename to datagovmodule/cloudinit.tf diff --git a/datgovmodule/data_nacl.tf b/datagovmodule/data_nacl.tf similarity index 100% rename from datgovmodule/data_nacl.tf rename to datagovmodule/data_nacl.tf 
diff --git a/datgovmodule/main.tf b/datagovmodule/main.tf similarity index 85% rename from datgovmodule/main.tf rename to datagovmodule/main.tf index 5d5568b..e7858b4 100644 --- a/datgovmodule/main.tf +++ b/datagovmodule/main.tf @@ -6,22 +6,22 @@ # # Redhat Ansible usage is enabled by the addition of VSI tags. All Ansible related VSI # tags are prefixed with "ans_group:" followed by the group name. ' -# tags = ["ans_group:datgov"]' +# tags = ["ans_group:datagov"]' # Correct specification of tags is essential for operation of the Ansible dynamic inventory # script used to pass host information to Ansible. The tags here should match the roles # defined in the site.yml playbook file. ####################################################################################### -resource "ibm_is_instance" "datgov-server" { - count = var.datgov_count - name = "${var.unique_id}-datgov-vsi-${count.index + 1}" +resource "ibm_is_instance" "datagov-server" { + count = var.datagov_count + name = "${var.unique_id}-datagov-vsi-${count.index + 1}" image = var.ibm_is_image_id profile = var.profile primary_network_interface { subnet = var.subnet_ids[count.index] - security_groups = [ibm_is_security_group.datgov.id] + security_groups = [ibm_is_security_group.datagov.id] } vpc = var.ibm_is_vpc_id @@ -29,7 +29,7 @@ resource "ibm_is_instance" "datgov-server" { resource_group = var.ibm_is_resource_group_id keys = [var.ibm_is_ssh_key_id] user_data = data.template_cloudinit_config.app_userdata.rendered - tags = ["schematics:group:datgov"] + tags = ["schematics:group:datagov"] } 
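Review bot: The renamed header comment documents Ansible tags as `tags = ["ans_group:datagov"]`, but the resource later in the same hunk sets `tags = ["schematics:group:datagov"]`, so the comment describes a prefix the code does not use; either the comment or the tag should change, and whichever prefix is kept must match what the dynamic inventory script the comment refers to expects (not visible here — confirm). The `ibm_is_instance.datagov-server` resource block starts in this hunk and continues past its end.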
@@ -69,11 +69,11 @@ resource "ibm_is_instance" "datgov-server" { # } # resource "ibm_is_lb_pool_member" "webapptier-lb-pool-member-zone1" { -# count = var.datgov_count +# count = var.datagov_count # lb = ibm_is_lb.webapptier-lb.id # pool = element(split("/", ibm_is_lb_pool.webapptier-lb-pool.id), 1) # port = "8080" -# target_address = ibm_is_instance.datgov-server[count.index].primary_network_interface[0].primary_ipv4_address +# target_address = ibm_is_instance.datagov-server[count.index].primary_network_interface[0].primary_ipv4_address # depends_on = [ibm_is_lb_pool.webapptier-lb-pool] # } @@ -82,8 +82,8 @@ resource "ibm_is_instance" "datgov-server" { # this is the SG applied to the data governance instances -resource "ibm_is_security_group" "datgov" { - name = "${var.unique_id}-datgov-sg" +resource "ibm_is_security_group" "datagov" { + name = "${var.unique_id}-datagov-sg" vpc = var.ibm_is_vpc_id resource_group = var.ibm_is_resource_group_id } @@ -95,7 +95,8 @@ locals { sg_rules = [ ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22], - ["inbound", var.app_frontend_sg_id, "tcp", 27017, 27017], + ["inbound", var.app_backend_sg_id, "tcp", 9300, 9300], + ["inbound", var.app_frontend_sg_id, "tcp", 9300, 9300], ["outbound", "161.26.0.0/24", "tcp", 443, 443], ["outbound", "161.26.0.0/24", "tcp", 80, 80], ["outbound", "161.26.0.0/24", "udp", 53, 53], @@ -110,9 +111,9 @@ locals { } -resource "ibm_is_security_group_rule" "datgov_access" { +resource "ibm_is_security_group_rule" "datagov_access" { count = length(local.sg_mappedrules) - group = ibm_is_security_group.datgov.id + group = ibm_is_security_group.datagov.id direction = (local.sg_mappedrules[count.index]).direction remote = (local.sg_mappedrules[count.index]).remote dynamic "tcp" { diff --git a/datagovmodule/outputs.tf b/datagovmodule/outputs.tf new file mode 100644 index 0000000..c6e5229 --- /dev/null +++ b/datagovmodule/outputs.tf 
@@ -0,0 +1,8 @@ + +output security_group_id { + value = ibm_is_security_group.datagov.id +} + +output primary_ipv4_address { + value = ibm_is_instance.datagov-server[*].primary_network_interface[0].primary_ipv4_address +} diff --git a/datgovmodule/vars.tf b/datagovmodule/vars.tf similarity index 97% rename from datgovmodule/vars.tf rename to datagovmodule/vars.tf index 0f063a0..98c75d5 100644 --- a/datgovmodule/vars.tf +++ b/datagovmodule/vars.tf @@ -45,7 +45,7 @@ variable "bastion_subnet_CIDR" { variable "pub_repo_egress_cidr" { } -variable "datgov_count" { +variable "datagov_count" { description = "number of data governance zones" default = 1 } diff --git a/datgovmodule/versions.tf b/datagovmodule/versions.tf similarity index 100% rename from datgovmodule/versions.tf rename to datagovmodule/versions.tf diff --git a/datgovmodule/outputs.tf b/datgovmodule/outputs.tf deleted file mode 100644 index d5f3e58..0000000 --- a/datgovmodule/outputs.tf +++ /dev/null @@ -1,8 +0,0 @@ - -output security_group_id { - value = ibm_is_security_group.datgov.id -} - -output primary_ipv4_address { - value = ibm_is_instance.datgov-server[*].primary_network_interface[0].primary_ipv4_address -} diff --git a/frontendmodule/main.tf b/frontendmodule/main.tf index 36ced8e..f59e92e 100644 --- a/frontendmodule/main.tf +++ b/frontendmodule/main.tf @@ -101,6 +101,7 @@ locals { sg_rules = [ + ["outbound", var.app_datagov_sg_id, "tcp", 9300, 9300], ["outbound", var.app_backend_sg_id, "tcp", 27017, 27017], ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22], ["outbound", "161.26.0.0/24", "tcp", 443, 443], diff --git a/main.tf b/main.tf index fe7bc81..4ba269d 100644 --- a/main.tf +++ b/main.tf @@ -14,7 +14,7 @@ locals { # generation = 2 frontend_count = 2 backend_count = 1 - datgov_count = 1 + datagov_count = 1 } 
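Review bot: `output security_group_id {` and `output primary_ipv4_address {` use unquoted block labels, a legacy form that newer Terraform versions warn about and that `terraform fmt` rewrites; write `output "security_group_id" {` and `output "primary_ipv4_address" {`. Each output would also benefit from a `description`, since the root module re-exports these values and the accesscheck module concatenates `primary_ipv4_address` with the other tiers' lists.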
@@ -33,7 +33,7 @@ locals { geo = substr(local.region, 0, 2) schematics_ssh_access_map = { us = ["169.44.0.0/14", "169.60.0.0/14"], - eu = ["158.175.0.0/16","158.176.0.0/15","141.125.75.80/28","161.156.139.192/28","149.81.103.128/28"], + eu = ["158.175.0.0/16", "158.176.0.0/15", "141.125.75.80/28", "161.156.139.192/28", "149.81.103.128/28"], } schematics_ssh_access = lookup(local.schematics_ssh_access_map, local.geo, ["0.0.0.0/0"]) bastion_ingress_cidr = var.ssh_source_cidr_override[0] != "0.0.0.0/0" ? var.ssh_source_cidr_override : local.schematics_ssh_access @@ -41,24 +41,24 @@ locals { module "vpc" { - source = "./vpc" - ibm_region = var.ibm_region - resource_group_name = var.resource_group_name + source = "./vpc" + ibm_region = var.ibm_region + resource_group_name = var.resource_group_name # generation = local.generation unique_id = var.vpc_name frontend_count = local.frontend_count frontend_cidr_blocks = local.frontend_cidr_blocks backend_count = local.backend_count backend_cidr_blocks = local.backend_cidr_blocks - datgov_count = local.datgov_count - datgov_cidr_blocks = local.datgov_cidr_blocks + datagov_count = local.datagov_count + datagov_cidr_blocks = local.datagov_cidr_blocks } locals { # bastion_cidr_blocks = [cidrsubnet(var.bastion_cidr, 4, 0), cidrsubnet(var.bastion_cidr, 4, 2), cidrsubnet(var.bastion_cidr, 4, 4)] frontend_cidr_blocks = [cidrsubnet(var.frontend_cidr, 4, 0), cidrsubnet(var.frontend_cidr, 4, 2), cidrsubnet(var.frontend_cidr, 4, 4)] backend_cidr_blocks = [cidrsubnet(var.backend_cidr, 4, 0), cidrsubnet(var.backend_cidr, 4, 2), cidrsubnet(var.backend_cidr, 4, 4)] - datgov_cidr_blocks = [cidrsubnet(var.datgov_cidr, 4, 0), cidrsubnet(var.datgov_cidr, 4, 2), cidrsubnet(var.datgov_cidr, 4, 4)] + datagov_cidr_blocks = [cidrsubnet(var.datagov_cidr, 4, 0), cidrsubnet(var.datagov_cidr, 4, 2), cidrsubnet(var.datagov_cidr, 4, 4)] } 
@@ -95,7 +95,7 @@ module "frontend" { bastion_remote_sg_id = module.bastion.security_group_id bastion_subnet_CIDR = var.bastion_cidr app_backend_sg_id = module.backend.security_group_id - app_datgov_sg_id = module.datgov.security_group_id + app_datagov_sg_id = module.datagov.security_group_id pub_repo_egress_cidr = local.pub_repo_egress_cidr } @@ -113,21 +113,21 @@ module "backend" { bastion_remote_sg_id = module.bastion.security_group_id bastion_subnet_CIDR = var.bastion_cidr app_frontend_sg_id = module.frontend.security_group_id - app_datgov_sg_id = module.datgov.security_group_id + app_datagov_sg_id = module.datagov.security_group_id pub_repo_egress_cidr = local.pub_repo_egress_cidr } -module "datgov" { - source = "./datgovmodule" +module "datagov" { + source = "./datagovmodule" ibm_region = var.ibm_region unique_id = var.vpc_name ibm_is_vpc_id = module.vpc.vpc_id ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id - datgov_count = local.datgov_count + datagov_count = local.datagov_count profile = var.profile ibm_is_image_id = data.ibm_is_image.os.id ibm_is_ssh_key_id = data.ibm_is_ssh_key.sshkey.id - subnet_ids = module.vpc.datgov_subnet_ids + subnet_ids = module.vpc.datagov_subnet_ids bastion_remote_sg_id = module.bastion.security_group_id bastion_subnet_CIDR = var.bastion_cidr app_frontend_sg_id = module.frontend.security_group_id @@ -140,5 +140,5 @@ module "accesscheck" { ssh_accesscheck = var.ssh_accesscheck ssh_private_key = var.ssh_private_key bastion_host = module.bastion.bastion_ip_addresses[0] - target_hosts = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address, module.datgov.primary_ipv4_address) + target_hosts = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address, module.datagov.primary_ipv4_address) } diff --git a/outputs.tf b/outputs.tf index 307d373..adf2bee 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -15,8 +15,8 @@ output "backend_server_host_ip_addresses" { value = [module.backend.primary_ipv4_address] } -output "datgov_server_host_ip_addresses" { - value = [module.datgov.primary_ipv4_address] +output "datagov_server_host_ip_addresses" { + value = [module.datagov.primary_ipv4_address] } output "app_dns_hostname" { diff --git a/variables.tf b/variables.tf index 39c3fb7..19d0071 100755 --- a/variables.tf +++ b/variables.tf @@ -43,7 +43,7 @@ variable "vpc_name" { # from remove-exec or Redhat Ansible running under Schematics variable "ssh_source_cidr_override" { - type = list + type = list(any) description = "Override CIDR range that is allowed to ssh to the bastion" default = ["0.0.0.0/0"] } @@ -72,7 +72,7 @@ variable "backend_cidr" { default = "172.17.0.0/20" } -variable "datgov_cidr" { +variable "datagov_cidr" { description = "Complete CIDR range across all three zones for data gov subnets" default = "172.18.0.0/20" } diff --git a/versions.tf b/versions.tf index ff9ba3f..dc4c823 100644 --- a/versions.tf +++ b/versions.tf @@ -1,7 +1,7 @@ terraform { required_providers { ibm = { - source = "ibm-cloud/ibm" + source = "ibm-cloud/ibm" version = "1.30.0" } } diff --git a/vpc/outputs.tf b/vpc/outputs.tf index 965bf62..4e0a0a1 100644 --- a/vpc/outputs.tf +++ b/vpc/outputs.tf @@ -6,8 +6,8 @@ output "frontend_subnet_ids" { value = ibm_is_subnet.frontend_subnet.*.id } -output "datgov_subnet_ids" { - value = ibm_is_subnet.datgov_subnet.*.id +output "datagov_subnet_ids" { + value = ibm_is_subnet.datagov_subnet.*.id } output "backend_subnet_ids" { diff --git a/vpc/vars.tf b/vpc/vars.tf index b4a2a11..8aa2fc5 100644 --- a/vpc/vars.tf +++ b/vpc/vars.tf @@ -35,7 +35,7 @@ variable "backend_count" { default = 1 } -variable "datgov_count" { +variable "datagov_count" { description = "number of data governance zones" default = 1 } 
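Review bot: `type = list(any)` is the mechanical replacement for the legacy `type = list`, but every element of `ssh_source_cidr_override` is a CIDR string that is compared against `"0.0.0.0/0"` in main.tf and handed to the bastion module as `ssh_source_cidr_blocks`, so `type = list(string)` documents the contract and rejects a list of numbers or objects at plan time. The `default = ["0.0.0.0/0"]` sentinel stays as is; a `validation` block checking `alltrue([for c in var.ssh_source_cidr_override : can(cidrhost(c, 0))])` would additionally catch malformed CIDRs before they reach the bastion's SSH ingress rules.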
@@ -50,7 +50,7 @@ variable "frontend_cidr_blocks" { variable "backend_cidr_blocks" { } -variable "datgov_cidr_blocks" { +variable "datagov_cidr_blocks" { } ############################################################################## diff --git a/vpc/vpc.tf b/vpc/vpc.tf index ff038ca..ba2efb3 100755 --- a/vpc/vpc.tf +++ b/vpc/vpc.tf @@ -50,12 +50,12 @@ resource "ibm_is_vpc_address_prefix" "backend_subnet_prefix" { cidr = var.backend_cidr_blocks[count.index] } -resource "ibm_is_vpc_address_prefix" "datgov_subnet_prefix" { - count = var.datgov_count - name = "${var.unique_id}-datgov-prefix-zone-${count.index + 1}" +resource "ibm_is_vpc_address_prefix" "datagov_subnet_prefix" { + count = var.datagov_count + name = "${var.unique_id}-datagov-prefix-zone-${count.index + 1}" zone = "${var.ibm_region}-${count.index % 3 + 1}" vpc = ibm_is_vpc.vpc.id - cidr = var.datgov_cidr_blocks[count.index] + cidr = var.datagov_cidr_blocks[count.index] } ############################################################################## @@ -91,15 +91,15 @@ resource "ibm_is_subnet" "backend_subnet" { depends_on = [ibm_is_vpc_address_prefix.backend_subnet_prefix] } -resource "ibm_is_subnet" "datgov_subnet" { - count = var.datgov_count - name = "${var.unique_id}-datgov-subnet-${count.index + 1}" +resource "ibm_is_subnet" "datagov_subnet" { + count = var.datagov_count + name = "${var.unique_id}-datagov-subnet-${count.index + 1}" vpc = ibm_is_vpc.vpc.id zone = "${var.ibm_region}-${count.index % 3 + 1}" - ipv4_cidr_block = var.datgov_cidr_blocks[count.index] + ipv4_cidr_block = var.datagov_cidr_blocks[count.index] #network_acl = "${ibm_is_network_acl.multizone_acl.id}" public_gateway = ibm_is_public_gateway.repo_gateway[count.index].id - depends_on = [ibm_is_vpc_address_prefix.datgov_subnet_prefix] + depends_on = [ibm_is_vpc_address_prefix.datagov_subnet_prefix] } From f06cb9edce28f1177836a996ed43e41b75196d31 Mon Sep 17 00:00:00 2001 
From: Bhaskar Roy Date: Sat, 28 Aug 2021 20:01:19 -0400 Subject: [PATCH 8/9] missing var defs in order to pass ref between modules, a variable also needs to be defined else the reference is missing --- backendmodule/back_nacl.tf | 4 ++-- backendmodule/main.tf | 3 ++- backendmodule/vars.tf | 3 +++ datagovmodule/main.tf | 1 + datagovmodule/vars.tf | 3 +++ frontendmodule/main.tf | 2 +- frontendmodule/vars.tf | 3 +++ main.tf | 4 ++-- 8 files changed, 17 insertions(+), 6 deletions(-) diff --git a/backendmodule/back_nacl.tf b/backendmodule/back_nacl.tf index 0e55a14..67d527b 100644 --- a/backendmodule/back_nacl.tf +++ b/backendmodule/back_nacl.tf @@ -1,9 +1,9 @@ ############################################################################## -# Config to dynamically create data governance host Network ACL and rules +# Config to dynamically create backend host Network ACL and rules # # Base rules for access to DNS, repos are predefined. Inputs required for -# source subnets data governance VSIs host will be connected to by the front end VSIs and +# source subnets backend VSIs host will be connected to by the front end VSIs and # bastion host ############################################################################## diff --git a/backendmodule/main.tf b/backendmodule/main.tf index 4d69d37..5ba93d5 100644 --- a/backendmodule/main.tf +++ b/backendmodule/main.tf @@ -95,8 +95,9 @@ locals { sg_rules = [ ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22], - ["inbound", var.app_datagov_sg_id, "tcp", 9300, 9300], ["inbound", var.app_frontend_sg_id, "tcp", 27017, 27017], + ["inbound", var.app_datagov_sg_id, "tcp", 27017, 27017], + ["outbound", var.app_datagov_sg_id, "tcp", 9300, 9300], ["outbound", "161.26.0.0/24", "tcp", 443, 443], ["outbound", "161.26.0.0/24", "tcp", 80, 80], ["outbound", "161.26.0.0/24", "udp", 53, 53], diff --git a/backendmodule/vars.tf b/backendmodule/vars.tf index ef2c1db..e65456c 100644 --- a/backendmodule/vars.tf +++ b/backendmodule/vars.tf 
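Review bot: The ports `9300` and `27017` are now literal in three modules' `sg_rules` (backend here, datagovmodule/main.tf and frontendmodule/main.tf in the following hunks), and each flow needs a matching pair — an outbound rule in one group and an inbound rule in the other — so a single mistyped number silently opens or closes the wrong path; hoist them into root-level values, e.g. `backend_port = 27017` and `datagov_port = 9300` in a root `locals`, pass them into each module as variables, and reference those in every rule. A one-line comment per rule naming the service behind the port would also help, since the numbers alone do not say what the data governance tier serves or why the frontend reaches it directly.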
@@ -33,6 +33,9 @@ variable "subnet_ids" {
 variable "app_frontend_sg_id" {
 }
+variable "app_datagov_sg_id" {
+}
+
 # bastion sg requiring access to backend security group
 variable "bastion_remote_sg_id" {
 }
diff --git a/datagovmodule/main.tf b/datagovmodule/main.tf
index e7858b4..8fe31ee 100644
--- a/datagovmodule/main.tf
+++ b/datagovmodule/main.tf
@@ -97,6 +97,7 @@ locals {
 ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22],
 ["inbound", var.app_backend_sg_id, "tcp", 9300, 9300],
 ["inbound", var.app_frontend_sg_id, "tcp", 9300, 9300],
+ ["outbound", var.app_backend_sg_id, "tcp", 27017, 27017],
 ["outbound", "161.26.0.0/24", "tcp", 443, 443],
 ["outbound", "161.26.0.0/24", "tcp", 80, 80],
 ["outbound", "161.26.0.0/24", "udp", 53, 53],
diff --git a/datagovmodule/vars.tf b/datagovmodule/vars.tf
index 98c75d5..11fc17a 100644
--- a/datagovmodule/vars.tf
+++ b/datagovmodule/vars.tf
@@ -33,6 +33,9 @@ variable "subnet_ids" {
 variable "app_frontend_sg_id" {
 }
+variable "app_backend_sg_id" {
+}
+
 # bastion sg requiring access to data governance security group
 variable "bastion_remote_sg_id" {
 }
diff --git a/frontendmodule/main.tf b/frontendmodule/main.tf
index f59e92e..2bfd6d8 100644
--- a/frontendmodule/main.tf
+++ b/frontendmodule/main.tf
@@ -101,8 +101,8 @@ locals {
 sg_rules = [
- ["outbound", var.app_datagov_sg_id, "tcp", 9300, 9300],
 ["outbound", var.app_backend_sg_id, "tcp", 27017, 27017],
+ ["outbound", var.app_datagov_sg_id, "tcp", 9300, 9300],
 ["inbound", var.bastion_remote_sg_id, "tcp", 22, 22],
 ["outbound", "161.26.0.0/24", "tcp", 443, 443],
 ["outbound", "161.26.0.0/24", "tcp", 80, 80],
diff --git a/frontendmodule/vars.tf b/frontendmodule/vars.tf
index 2b76744..bc85e90 100644
--- a/frontendmodule/vars.tf
+++ b/frontendmodule/vars.tf
@@ -41,6 +41,9 @@ variable "bastion_subnet_CIDR" {
 variable "app_backend_sg_id" {
 }
+variable "app_datagov_sg_id" {
+}
+
 # Allowable CIDRs of public repos from which Ansible can deploy code
 variable "pub_repo_egress_cidr" {
 }
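Review bot: `variable "app_datagov_sg_id"` is declared with an empty body, so nothing constrains or documents what the root module has to pass in; the same applies to `app_backend_sg_id` in the datagovmodule/vars.tf hunk and `app_datagov_sg_id` in the frontendmodule/vars.tf hunk of this commit. The value is interpolated straight into a security group rule as the remote side, so a wrong value (a CIDR string, a name instead of an ID) would likely surface only at plan or apply time rather than at the module boundary. Adding `type = string` and `description = "ID of the data governance tier security group that is allowed to reach this tier"` makes the contract explicit and lets `terraform validate` catch the obvious mistakes.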
diff --git a/main.tf b/main.tf
index 4ba269d..56bf336 100644
--- a/main.tf
+++ b/main.tf
@@ -72,8 +72,8 @@ module "bastion" {
 ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
 bastion_cidr = var.bastion_cidr
 ssh_source_cidr_blocks = local.bastion_ingress_cidr
- destination_cidr_blocks = [var.frontend_cidr, var.backend_cidr]
- destination_sgs = [module.frontend.security_group_id, module.backend.security_group_id]
+ destination_cidr_blocks = [var.frontend_cidr, var.backend_cidr, var.datagov_cidr]
+ destination_sgs = [module.frontend.security_group_id, module.backend.security_group_id, module.datagov.security_group_id]
 # destination_sg = [module.frontend.security_group_id, module.backend.security_group_id]
 # vsi_profile = "cx2-2x4"
 # image_name = "ibm-centos-7-6-minimal-amd64-1"
From ac3314d1f360e557d952b0a6b4064b4fbddb1383 Mon Sep 17 00:00:00 2001
From: Bhaskar Roy
Date: Mon, 30 Aug 2021 07:23:53 -0400
Subject: [PATCH 9/9] Updateing module structure
---
 main.tf | 14 +-
 {accesscheck => modules/accesscheck}/main.tf | 0
 .../accesscheck}/outputs.tf | 0
 {accesscheck => modules/accesscheck}/vars.tf | 0
 .../accesscheck}/versions.tf | 0
 .../backend}/back_nacl.tf | 0
 .../backend}/cloudinit.tf | 0
 {backendmodule => modules/backend}/main.tf | 0
 {backendmodule => modules/backend}/outputs.tf | 0
 {backendmodule => modules/backend}/vars.tf | 0
 .../backend}/versions.tf | 0
 .../bastion}/bast_nacl.tf | 0
 {bastionmodule => modules/bastion}/bast_sg.tf | 0
 {bastionmodule => modules/bastion}/bastion.tf | 0
 .../bastion}/bastion_config.yml | 0
 {bastionmodule => modules/bastion}/outputs.tf | 0
 {bastionmodule => modules/bastion}/vars.tf | 0
 .../bastion}/versions.tf | 0
 modules/create_services/main.tf | 142 ++++++++++++++++++
 modules/create_services/outputs.tf | 42 ++++++
 modules/create_services/variables.tf | 28 ++++
 modules/create_services/versions.tf | 7 +
 modules/create_vpe/main.tf | 23 +++
 modules/create_vpe/variables.tf | 28 ++++
 modules/create_vpe/versions.tf | 7 +
 .../datagovernance}/cloudinit.tf | 0
 .../datagovernance}/data_nacl.tf | 0
 .../datagovernance}/main.tf | 2 +-
 .../datagovernance}/outputs.tf | 0
 .../datagovernance}/vars.tf | 0
 .../datagovernance}/versions.tf | 0
 modules/flowlogs/flowlog.tf | 32 ++++
 modules/flowlogs/vars.tf | 27 ++++
 modules/flowlogs/versions.tf | 9 ++
 .../frontend}/cloudinit.tf | 0
 .../frontend}/front_nacl.tf | 0
 {frontendmodule => modules/frontend}/main.tf | 2 -
 .../frontend}/outputs.tf | 0
 {frontendmodule => modules/frontend}/vars.tf | 0
 .../frontend}/versions.tf | 0
 variables.tf | 77 ++++++++--
 vpc/versions.tf | 2 +-
 vpc/vpc.tf | 22 ++-
 43 files changed, 432 insertions(+), 32 deletions(-)
 rename {accesscheck => modules/accesscheck}/main.tf (100%)
 rename {accesscheck => modules/accesscheck}/outputs.tf (100%)
 rename {accesscheck => modules/accesscheck}/vars.tf (100%)
 rename {accesscheck =>
modules/accesscheck}/versions.tf (100%)
 rename {backendmodule => modules/backend}/back_nacl.tf (100%)
 rename {backendmodule => modules/backend}/cloudinit.tf (100%)
 rename {backendmodule => modules/backend}/main.tf (100%)
 rename {backendmodule => modules/backend}/outputs.tf (100%)
 rename {backendmodule => modules/backend}/vars.tf (100%)
 rename {backendmodule => modules/backend}/versions.tf (100%)
 rename {bastionmodule => modules/bastion}/bast_nacl.tf (100%)
 rename {bastionmodule => modules/bastion}/bast_sg.tf (100%)
 rename {bastionmodule => modules/bastion}/bastion.tf (100%)
 rename {bastionmodule => modules/bastion}/bastion_config.yml (100%)
 rename {bastionmodule => modules/bastion}/outputs.tf (100%)
 rename {bastionmodule => modules/bastion}/vars.tf (100%)
 rename {bastionmodule => modules/bastion}/versions.tf (100%)
 create mode 100644 modules/create_services/main.tf
 create mode 100644 modules/create_services/outputs.tf
 create mode 100644 modules/create_services/variables.tf
 create mode 100644 modules/create_services/versions.tf
 create mode 100644 modules/create_vpe/main.tf
 create mode 100644 modules/create_vpe/variables.tf
 create mode 100644 modules/create_vpe/versions.tf
 rename {datagovmodule => modules/datagovernance}/cloudinit.tf (100%)
 rename {datagovmodule => modules/datagovernance}/data_nacl.tf (100%)
 rename {datagovmodule => modules/datagovernance}/main.tf (99%)
 rename {datagovmodule => modules/datagovernance}/outputs.tf (100%)
 rename {datagovmodule => modules/datagovernance}/vars.tf (100%)
 rename {datagovmodule => modules/datagovernance}/versions.tf (100%)
 create mode 100755 modules/flowlogs/flowlog.tf
 create mode 100644 modules/flowlogs/vars.tf
 create mode 100644 modules/flowlogs/versions.tf
 rename {frontendmodule => modules/frontend}/cloudinit.tf (100%)
 rename {frontendmodule => modules/frontend}/front_nacl.tf (100%)
 rename {frontendmodule => modules/frontend}/main.tf (99%)
 rename {frontendmodule => modules/frontend}/outputs.tf (100%)
 rename
{frontendmodule => modules/frontend}/vars.tf (100%)
 rename {frontendmodule => modules/frontend}/versions.tf (100%)
diff --git a/main.tf b/main.tf
index 56bf336..786129a 100644
--- a/main.tf
+++ b/main.tf
@@ -17,7 +17,6 @@ locals {
 datagov_count = 1
 }
-
 ##################################################################################################
 # Select CIDRs allowed to access bastion host
 # When running under Schematics allowed ingress CIDRs are set to only allow access from Schematics
@@ -64,7 +63,7 @@ locals {
 # Create single zone bastion
 module "bastion" {
- source = "./bastionmodule"
+ source = "./modules/bastion"
 ibm_region = var.ibm_region
 bastion_count = 1
 unique_id = var.vpc_name
@@ -74,15 +73,12 @@ module "bastion" {
 ssh_source_cidr_blocks = local.bastion_ingress_cidr
 destination_cidr_blocks = [var.frontend_cidr, var.backend_cidr, var.datagov_cidr]
 destination_sgs = [module.frontend.security_group_id, module.backend.security_group_id, module.datagov.security_group_id]
- # destination_sg = [module.frontend.security_group_id, module.backend.security_group_id]
- # vsi_profile = "cx2-2x4"
- # image_name = "ibm-centos-7-6-minimal-amd64-1"
 ssh_key_id = data.ibm_is_ssh_key.sshkey.id
 }
 module "frontend" {
- source = "./frontendmodule"
+ source = "./modules/frontend"
 ibm_region = var.ibm_region
 unique_id = var.vpc_name
 ibm_is_vpc_id = module.vpc.vpc_id
@@ -100,7 +96,7 @@ module "frontend" {
 }
 module "backend" {
- source = "./backendmodule"
+ source = "./modules/backend"
 ibm_region = var.ibm_region
 unique_id = var.vpc_name
 ibm_is_vpc_id = module.vpc.vpc_id
@@ -118,7 +114,7 @@ module "backend" {
 }
 module "datagov" {
- source = "./datagovmodule"
+ source = "./modules/datagovernance"
 ibm_region = var.ibm_region
 unique_id = var.vpc_name
 ibm_is_vpc_id = module.vpc.vpc_id
@@ -136,7 +132,7 @@ module "datagov" {
 }
 module "accesscheck" {
- source = "./accesscheck"
+ source = "./modules/accesscheck"
 ssh_accesscheck = var.ssh_accesscheck
 ssh_private_key = var.ssh_private_key
 bastion_host = module.bastion.bastion_ip_addresses[0]
diff --git a/accesscheck/main.tf b/modules/accesscheck/main.tf
similarity index 100%
rename from accesscheck/main.tf
rename to modules/accesscheck/main.tf
diff --git a/accesscheck/outputs.tf b/modules/accesscheck/outputs.tf
similarity index 100%
rename from accesscheck/outputs.tf
rename to modules/accesscheck/outputs.tf
diff --git a/accesscheck/vars.tf b/modules/accesscheck/vars.tf
similarity index 100%
rename from accesscheck/vars.tf
rename to modules/accesscheck/vars.tf
diff --git a/accesscheck/versions.tf b/modules/accesscheck/versions.tf
similarity index 100%
rename from accesscheck/versions.tf
rename to modules/accesscheck/versions.tf
diff --git a/backendmodule/back_nacl.tf b/modules/backend/back_nacl.tf
similarity index 100%
rename from backendmodule/back_nacl.tf
rename to modules/backend/back_nacl.tf
diff --git a/backendmodule/cloudinit.tf b/modules/backend/cloudinit.tf
similarity index 100%
rename from backendmodule/cloudinit.tf
rename to modules/backend/cloudinit.tf
diff --git a/backendmodule/main.tf b/modules/backend/main.tf
similarity index 100%
rename from backendmodule/main.tf
rename to modules/backend/main.tf
diff --git a/backendmodule/outputs.tf b/modules/backend/outputs.tf
similarity index 100%
rename from backendmodule/outputs.tf
rename to modules/backend/outputs.tf
diff --git a/backendmodule/vars.tf b/modules/backend/vars.tf
similarity index 100%
rename from backendmodule/vars.tf
rename to modules/backend/vars.tf
diff --git a/backendmodule/versions.tf b/modules/backend/versions.tf
similarity index 100%
rename from backendmodule/versions.tf
rename to modules/backend/versions.tf
diff --git a/bastionmodule/bast_nacl.tf b/modules/bastion/bast_nacl.tf
similarity index 100%
rename from bastionmodule/bast_nacl.tf
rename to modules/bastion/bast_nacl.tf
diff --git a/bastionmodule/bast_sg.tf b/modules/bastion/bast_sg.tf
similarity index 100%
rename from bastionmodule/bast_sg.tf
rename to modules/bastion/bast_sg.tf
diff --git a/bastionmodule/bastion.tf b/modules/bastion/bastion.tf
similarity index 100%
rename from bastionmodule/bastion.tf
rename to modules/bastion/bastion.tf
diff --git a/bastionmodule/bastion_config.yml b/modules/bastion/bastion_config.yml
similarity index 100%
rename from bastionmodule/bastion_config.yml
rename to modules/bastion/bastion_config.yml
diff --git a/bastionmodule/outputs.tf b/modules/bastion/outputs.tf
similarity index 100%
rename from bastionmodule/outputs.tf
rename to modules/bastion/outputs.tf
diff --git a/bastionmodule/vars.tf b/modules/bastion/vars.tf
similarity index 100%
rename from bastionmodule/vars.tf
rename to modules/bastion/vars.tf
diff --git a/bastionmodule/versions.tf b/modules/bastion/versions.tf
similarity index 100%
rename from bastionmodule/versions.tf
rename to modules/bastion/versions.tf
diff --git a/modules/create_services/main.tf b/modules/create_services/main.tf
new file mode 100644
index 0000000..4c2a3ac
--- /dev/null
+++ b/modules/create_services/main.tf
@@ -0,0 +1,142 @@
+# Cloud logging
+resource "ibm_resource_instance" "logging" {
+ count = var.create_logging ? 1 : 0
+ name = "${var.basename}-logging"
+ resource_group_id = var.resource_group_id
+ service = "logdna"
+ plan = "7-day"
+ location = var.region
+ tags = concat(var.tags, ["service"])
+}
+
+resource "ibm_resource_key" "logging_key" {
+ count = var.create_logging ? 1 : 0
+ name = "${var.basename}-logging-key"
+ resource_instance_id = ibm_resource_instance.logging.0.id
+ role = "Manager"
+}
+
+# Cloud monitoring
+resource "ibm_resource_instance" "monitoring" {
+ count = var.create_monitoring ? 1 : 0
+ name = "${var.basename}-monitoring"
+ resource_group_id = var.resource_group_id
+ service = "sysdig-monitor"
+ plan = "graduated-tier"
+ location = var.region
+ tags = concat(var.tags, ["service"])
+}
+
+resource "ibm_resource_key" "monitoring_key" {
+ count = var.create_monitoring ? 1 : 0
+ name = "${var.basename}-monitoring-key"
+ resource_instance_id = ibm_resource_instance.monitoring.0.id
+ role = "Manager"
+}
+
+# Create Key protect + root key
+resource "ibm_resource_instance" "keyprotect" {
+
+ name = "${var.basename}-kms"
+ resource_group_id = var.resource_group_id
+ service = "kms"
+ plan = "tiered-pricing"
+ location = var.region
+ tags = concat(var.tags, ["service"])
+ service_endpoints = "private"
+}
+
+resource "ibm_kms_key" "key" {
+ instance_id = ibm_resource_instance.keyprotect.guid
+ key_name = "root_key"
+ standard_key = false
+ force_delete = true
+}
+
+# Create Cloud Object Storage service, policy and COS bucket
+
+resource "ibm_resource_instance" "cos" {
+
+ name = "${var.basename}-cos"
+ resource_group_id = var.resource_group_id
+ service = "cloud-object-storage"
+ plan = "standard"
+ location = "global"
+ tags = concat(var.tags, ["service"])
+ service_endpoints = "private"
+}
+
+resource "ibm_resource_key" "cos_key" {
+
+ name = "${var.basename}-cos-key"
+ resource_instance_id = ibm_resource_instance.cos.id
+ role = "Writer"
+
+
parameters = {
+ service-endpoints = "private"
+ HMAC = true
+ }
+ depends_on = [ibm_iam_authorization_policy.cos_policy]
+}
+
+resource "ibm_iam_authorization_policy" "cos_policy" {
+ source_service_name = "cloud-object-storage"
+ source_resource_instance_id = ibm_resource_instance.cos.guid
+ target_service_name = ibm_kms_key.key.type
+ target_resource_instance_id = ibm_resource_instance.keyprotect.guid
+ roles = ["Reader"]
+}
+
+resource "random_uuid" "uuid" {
+}
+
+resource "ibm_cos_bucket" "bucket" {
+ bucket_name = "${var.basename}-${random_uuid.uuid.result}-bucket"
+ key_protect = ibm_kms_key.key.crn
+ resource_instance_id = ibm_resource_instance.cos.id
+ region_location = var.region
+ storage_class = "smart"
+ force_delete = true
+ depends_on = [ibm_iam_authorization_policy.cos_policy]
+}
+
+# Create a Postgresql DB
+
+resource "ibm_database" "postgresql" {
+ resource_group_id = var.resource_group_id
+ name = "${var.basename}-postgres"
+ service = "databases-for-postgresql"
+ plan = "standard"
+ location = var.region
+ tags = concat(var.tags, ["service"])
+ key_protect_key = ibm_kms_key.key.crn
+ service_endpoints = "private"
+ depends_on = [ibm_iam_authorization_policy.postgresql_policy]
+}
+
+resource "ibm_resource_key" "postgresql_key" {
+ name = "${var.basename}-postgresql-key"
+ resource_instance_id = ibm_database.postgresql.id
+ role = "Administrator"
+
+ parameters = {
+ service-endpoints = "private"
+ }
+ depends_on = [ibm_iam_authorization_policy.postgresql_policy]
+}
+
+resource "ibm_iam_authorization_policy" "postgresql_policy" {
+ source_service_name = "databases-for-postgresql"
+ target_service_name = ibm_kms_key.key.type
+ target_resource_instance_id = ibm_resource_instance.keyprotect.guid
+ roles = ["Reader", "AuthorizationDelegator"]
+}
+
+resource "time_sleep" "wait_for_postgresql_initialization" {
+ #count = var.step2_create_vpc || var.step4_create_dedicated ?
1 : 0
+ depends_on = [
+ ibm_database.postgresql
+ ]
+
+ create_duration = "5m"
+}
\ No newline at end of file
diff --git a/modules/create_services/outputs.tf b/modules/create_services/outputs.tf
new file mode 100644
index 0000000..8e2e57e
--- /dev/null
+++ b/modules/create_services/outputs.tf
@@ -0,0 +1,42 @@
+output "keyprotect_guid" {
+ value = ibm_resource_instance.keyprotect.guid
+}
+
+output "keyprotect_key_type" {
+ value = ibm_kms_key.key.type
+}
+
+output "keyprotect_key_id" {
+ value = ibm_kms_key.key.id
+}
+
+output "keyprotect_crn" {
+ value = ibm_resource_instance.keyprotect.target_crn
+}
+
+output "cos_crn" {
+ value = ibm_resource_instance.cos.target_crn
+}
+
+output "cos_key" {
+ value = ibm_resource_key.cos_key
+ sensitive = true
+}
+
+output "postgresql" {
+ value = ibm_database.postgresql
+ sensitive = true
+}
+
+output "postgresql_crn" {
+ value = ibm_database.postgresql.id
+}
+
+output "postgresql_key" {
+ value = ibm_resource_key.postgresql_key
+ sensitive = true
+}
+
+output "bucket_name" {
+ value = ibm_cos_bucket.bucket.bucket_name
+}
\ No newline at end of file
diff --git a/modules/create_services/variables.tf b/modules/create_services/variables.tf
new file mode 100644
index 0000000..de9021d
--- /dev/null
+++ b/modules/create_services/variables.tf
@@ -0,0 +1,28 @@
+variable "basename" {
+ type = string
+}
+
+variable "region" {
+ type = string
+ default = "us-south"
+}
+
+variable "resource_group_id" {
+ type = string
+}
+
+variable "tags" {
+ type = list(string)
+}
+
+variable "create_logging" {
+ type = bool
+ default = false
+ description = "Create a logging instance in the region and resource group provided above"
+}
+
+variable "create_monitoring" {
+ type = bool
+ default = false
+ description = "Create a monitoring instance in the region and resource group provided above"
+}
\ No newline at end of file
diff --git a/modules/create_services/versions.tf b/modules/create_services/versions.tf
new file mode 100644
index 0000000..38fd583
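Review bot: `ibm_iam_authorization_policy.postgresql_policy` has no `source_resource_instance_id`, so unlike `cos_policy` (scoped to `ibm_resource_instance.cos.guid`) it lets every Databases for PostgreSQL instance in the account read this Key Protect instance, and `AuthorizationDelegator` widens that further. If that is deliberate because `ibm_database.postgresql` depends on the policy and so cannot be referenced from it, a comment above the resource saying exactly that would stop a later reader from "fixing" it; otherwise narrowing with `source_resource_group_id = var.resource_group_id` is the least-privilege option. Separately, `force_delete = true` on `ibm_kms_key.key` means a `terraform destroy` removes the root key that protects `ibm_cos_bucket.bucket` and the database, and the service credentials are minted with the broadest roles (`Manager`, `Administrator`, `Writer` with HMAC); a `lifecycle { prevent_destroy = true }` on the key and a variable for each role would give safer defaults. The commented-out `count` on `time_sleep` references `var.step2_create_vpc` and `var.step4_create_dedicated`, which modules/create_services/variables.tf in this commit does not declare, so that line is stale and should go.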
--- /dev/null
+++ b/modules/create_services/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/modules/create_vpe/main.tf b/modules/create_vpe/main.tf
new file mode 100644
index 0000000..a88af5d
--- /dev/null
+++ b/modules/create_vpe/main.tf
@@ -0,0 +1,23 @@
+resource "ibm_is_virtual_endpoint_gateway" "vpe" {
+ for_each = { for target in var.endpoints : target.name => target }
+
+ name = "${var.basename}-${each.key}-vpe"
+ resource_group = var.resource_group_id
+ vpc = var.vpc_id
+
+ target {
+ crn = each.value.crn
+ resource_type = "provider_cloud_service"
+ }
+
+ # one Reserved IP for per zone in the VPC
+ dynamic "ips" {
+ for_each = { for subnet in var.subnets : subnet.id => subnet }
+ content {
+ subnet = ips.key
+ name = "${ips.value.name}-${each.key}-ip"
+ }
+ }
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/modules/create_vpe/variables.tf b/modules/create_vpe/variables.tf
new file mode 100644
index 0000000..a712461
--- /dev/null
+++ b/modules/create_vpe/variables.tf
@@ -0,0 +1,28 @@
+variable "basename" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "resource_group_id" {
+ type = string
+}
+
+variable "vpc_id" {
+ type = string
+}
+
+variable "endpoints" {
+ type = any
+}
+
+variable "subnets" {
+ type = any
+}
+
+variable "tags" {
+ type = list(string)
+ default = ["terraform", "vpc-scaling"]
+}
diff --git a/modules/create_vpe/versions.tf b/modules/create_vpe/versions.tf
new file mode 100644
index 0000000..38fd583
--- /dev/null
+++ b/modules/create_vpe/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ }
+ }
+}
diff --git a/datagovmodule/cloudinit.tf b/modules/datagovernance/cloudinit.tf
similarity index 100%
rename from datagovmodule/cloudinit.tf
rename to modules/datagovernance/cloudinit.tf
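Review bot: This `required_providers` block names `IBM-Cloud/ibm` with no `version` constraint, while every other module in this commit pins `1.30.0` (the flowlogs module added below does as well); the same gap is in modules/create_vpe/versions.tf. Without a constraint `terraform init` resolves whatever the newest provider release is at that moment, and unless a lockfile is committed the resolved version is recorded nowhere, so two runs of the same code can pick different provider builds. Adding `version = "1.30.0"` (or a compatible range such as `~> 1.30.0`) keeps the new modules consistent with the rest of the tree and makes the provider pin reproducible.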
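Review bot: `endpoints` and `subnets` are typed `any`, yet modules/create_vpe/main.tf reads `target.name`, `each.value.crn`, `subnet.id` and `subnet.name` from their elements, so a malformed element fails deep inside the `for_each` expression instead of at the module boundary. Declaring `type = list(object({ name = string, crn = string }))` and `type = list(object({ id = string, name = string }))` documents the expected shape and gives callers a clear validation message. `region` is declared here but main.tf never references it, so it is either dead or a missing input, and none of the variables carry a `description`.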
diff --git a/datagovmodule/data_nacl.tf b/modules/datagovernance/data_nacl.tf
similarity index 100%
rename from datagovmodule/data_nacl.tf
rename to modules/datagovernance/data_nacl.tf
diff --git a/datagovmodule/main.tf b/modules/datagovernance/main.tf
similarity index 99%
rename from datagovmodule/main.tf
rename to modules/datagovernance/main.tf
index 8fe31ee..d00d5f2 100644
--- a/datagovmodule/main.tf
+++ b/modules/datagovernance/main.tf
@@ -40,7 +40,7 @@ resource "ibm_is_instance" "datagov-server" {
 # resource "ibm_is_lb" "webapptier-lb" {
-# name = "backapptier"
+# name = "datagovtier"
 # type = "private"
 # subnets = toset(var.subnet_ids)
 # resource_group = var.ibm_is_resource_group_id
diff --git a/datagovmodule/outputs.tf b/modules/datagovernance/outputs.tf
similarity index 100%
rename from datagovmodule/outputs.tf
rename to modules/datagovernance/outputs.tf
diff --git a/datagovmodule/vars.tf b/modules/datagovernance/vars.tf
similarity index 100%
rename from datagovmodule/vars.tf
rename to modules/datagovernance/vars.tf
diff --git a/datagovmodule/versions.tf b/modules/datagovernance/versions.tf
similarity index 100%
rename from datagovmodule/versions.tf
rename to modules/datagovernance/versions.tf
diff --git a/modules/flowlogs/flowlog.tf b/modules/flowlogs/flowlog.tf
new file mode 100755
index 0000000..1f7d8f7
--- /dev/null
+++ b/modules/flowlogs/flowlog.tf
@@ -0,0 +1,32 @@
+##############################################################################
+# This file creates flow log for any given resource.
+# All logs are assumed to go in the same global cos instance. In case aother
+# instance is supposed to be used
+##############################################################################
+
+# Instance Details
+resource "ibm_resource_instance" "flowlog_cos_instance" {
+ name = "flowlog-cos-instance"
+ resource_group_id = var.ibm_is_resource_group_id
+ service = "cloud-object-storage"
+ plan = var.ibm_res_cos_plan
+ location = "global"
+}
+
+# Bucket specific to the resource
+resource "ibm_cos_bucket" "cos_bucket" {
+ bucket_name = "${var.unique_id}-cos-flowlog"
+ resource_instance_id = ibm_resource_instance.flowlog_cos_instance.id
+ storage_class = var.ibm_res_cos_plan
+ region_location = var.ibm_region
+}
+
+# There are flow logs that may or may not need dependency check
+resource "ibm_is_flow_log" "res_flowlog" {
+ # check if there is dependency
+ # depends_on = ibm_is_vpc.VPC
+ name = "${var.unique_id}-flow-log"
+ target = var.ibm_is_res_target_id
+ # active = true
+ storage_bucket = ibm_cos_bucket.cos_bucket.bucket_name
+}
diff --git a/modules/flowlogs/vars.tf b/modules/flowlogs/vars.tf
new file mode 100644
index 0000000..31ad528
--- /dev/null
+++ b/modules/flowlogs/vars.tf
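Review bot: `ibm_cos_bucket.cos_bucket` sets `storage_class = var.ibm_res_cos_plan`, but that variable is the COS service plan of the instance above it (its description says "Default plan"), and the two only coincide because both happen to be `standard` today; a different plan value such as `lite` is not a storage class. A literal `storage_class = "standard"` or a separate variable keeps the two concepts apart. The instance name `"flowlog-cos-instance"` is not prefixed with `var.unique_id` the way the bucket and flow log are, and COS bucket names are global, so a second deployment of this module in the same account will at best be ambiguous on the instance lookup and will collide on the bucket name; the `random_uuid` suffix used in modules/create_services/main.tf in this commit avoids the latter. The bucket also has no `key_protect` setting, unlike the one in create_services, so the flow-log data is stored under provider-managed keys only — worth a comment if intended. Finally, the header comment ends mid-sentence (`In case aother instance is supposed to be used`) and `var.ibm_is_vpc_id` from modules/flowlogs/vars.tf is never used in this file.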
@@ -0,0 +1,27 @@
+variable "unique_id" {
+} # string added to the front for all created resources
+
+variable "ibm_region" {
+ description = "IBM Cloud region where all resources will be deployed"
+ default = "us-south"
+}
+
+# create resources in this vpc id
+variable "ibm_is_vpc_id" {
+}
+
+# create resources in this resource group id
+variable "ibm_is_resource_group_id" {
+}
+
+# Target is an instance, subnet, or VPC, flow logs is not collected for any network
+# interfaces within the target that are more specific flow log collector.
+variable "ibm_is_res_target_id" {
+ description = "The ID of the target to collect flow logs"
+}
+
+# COS Plan selected for Flow Logs
+variable "ibm_res_cos_plan" {
+ description = "Default plan for IBM Cloud Object Storage"
+ default = "standard"
+}
\ No newline at end of file
diff --git a/modules/flowlogs/versions.tf b/modules/flowlogs/versions.tf
new file mode 100644
index 0000000..dc4c823
--- /dev/null
+++ b/modules/flowlogs/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ ibm = {
+ source = "ibm-cloud/ibm"
+ version = "1.30.0"
+ }
+ }
+}
+
diff --git a/frontendmodule/cloudinit.tf b/modules/frontend/cloudinit.tf
similarity index 100%
rename from frontendmodule/cloudinit.tf
rename to modules/frontend/cloudinit.tf
diff --git a/frontendmodule/front_nacl.tf b/modules/frontend/front_nacl.tf
similarity index 100%
rename from frontendmodule/front_nacl.tf
rename to modules/frontend/front_nacl.tf
diff --git a/frontendmodule/main.tf b/modules/frontend/main.tf
similarity index 99%
rename from frontendmodule/main.tf
rename to modules/frontend/main.tf
index 2bfd6d8..991c06b 100644
--- a/frontendmodule/main.tf
+++ b/modules/frontend/main.tf
@@ -86,8 +86,6 @@ resource "ibm_is_lb_pool_member" "webapptier-lb-pool-member-zone1" {
-
-
 # this is the SG applied to the frontend instances
 resource "ibm_is_security_group" "frontend" {
 name = "${var.unique_id}-frontend-sg"
diff --git a/frontendmodule/outputs.tf b/modules/frontend/outputs.tf
similarity index 100%
rename from frontendmodule/outputs.tf
rename to modules/frontend/outputs.tf
diff --git a/frontendmodule/vars.tf b/modules/frontend/vars.tf
similarity index 100%
rename from frontendmodule/vars.tf
rename to modules/frontend/vars.tf
diff --git a/frontendmodule/versions.tf b/modules/frontend/versions.tf
similarity index 100%
rename from frontendmodule/versions.tf
rename to modules/frontend/versions.tf
diff --git a/variables.tf b/variables.tf
index 19d0071..b5ebb04 100755
--- a/variables.tf
+++ b/variables.tf
@@ -15,7 +15,6 @@ variable "ibm_region" {
 # }
-
 variable "resource_group_name" {
 description = "Name of IBM Cloud Resource Group used for all VPC resources"
 default = "Default"
@@ -27,6 +26,19 @@ variable "resource_group_name" {
 # default = 2
 # }
+# unique name for the project to use as prefix
+variable "prj" {
+ description = "Name of active project"
+ default = "broy"
+}
+
+# unique name for the environment to use as prefix
+variable "active_envionment" {
+ description = "Name of active environment"
+ default = "dev"
+}
+
+
 # unique name for the VPC in the account
 variable "vpc_name" {
 description = "Name of vpc"
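Review bot: The new variable is named `active_envionment` (the "r" in environment is missing); because this identifier becomes part of the root module's input interface, every future `var.active_envionment` reference and tfvars key would have to carry the typo, so it is cheapest to correct it now — `variable "active_environment" {`. `prj` defaults to `"broy"`, which looks like a personal prefix rather than a project name, so anyone applying this configuration without overriding it gets resources named after the author; dropping the `default` (making it required) or using a neutral value would fit the "Name of active project" description better. Neither variable is referenced by any hunk in this commit, so their intended consumers are not visible from the diff.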
@@ -79,23 +91,64 @@ variable "datagov_cidr" {
 ##############################################################################
-
 # VSI profile
+##############################################################################
+
+# RHEL Profile
 variable "profile" {
- description = "Profile for VSIs deployed in frontend, data governance and backend"
- default = "cx2-2x4"
+ description = "Default RHEL Profile for VSIs deployed in all tiers"
+ default = "bx2-2x8"
 }
-
 # image names can be determined with the cli command `ibmcloud is images`
 variable "image_name" {
- description = "OS image for VSI deployments. Only tested with Centos"
- default = "ibm-centos-7-6-minimal-amd64-1"
+ description = "Default RHEL 7 image for VSI deployments."
+ default = "ibm-redhat-7-9-minimal-amd64-3"
 }
-
 data "ibm_is_image" "os" {
 name = var.image_name
 }
+# Windows Profile
+variable "win_profile" {
+ description = "MS Windows profile for VSIs deployed in all tiers"
+ default = "bx2-4x16"
+}
+# image names can be determined with the cli command `ibmcloud is images`
+variable "win_image_name" {
+ description = "Windows OS image for VSI deployments"
+ default = "ibm-windows-server-2019-full-standard-amd64-3"
+}
+data "ibm_is_image" "win_os" {
+ name = var.win_image_name
+}
+
+# Satellite
+variable "sat_profile" {
+ description = "Default RHEL Profile for satellite"
+ default = "bx2-16x64"
+}
+# image names can be determined with the cli command `ibmcloud is images`
+variable "sat_image_name" {
+ description = "Defaults to default RHEL VSI os image"
+ default = "ibm-redhat-7-9-minimal-amd64-3"
+}
+data "ibm_is_image" "sat_os" {
+ name = var.sat_image_name
+}
+
+# Cognos
+variable "cog_profile" {
+ description = "Default RHEL Profile for Cognos servers"
+ default = "mx2d-8x64"
+}
+# image names can be determined with the cli command `ibmcloud is images`
+variable "cog_image_name" {
+ description = "Defaults to RHEL 8 VSI deployments"
+ default = "ibm-redhat-8-3-minimal-amd64-3"
+}
+data
"ibm_is_image" "cog_os" {
+ name = var.cog_image_name
+}
 ##############################################################################
 # Access check variables
@@ -110,11 +163,11 @@ variable "ssh_private_key" {
 description = "SSH private key of SSH key pair used for VSIs and Bastion"
 }
-data "ibm_is_ssh_key" "sshkey" {
- name = var.ssh_key_name
-}
-
 variable "ssh_key_name" {
 description = "Name giving to public SSH key uploaded to IBM Cloud for VSI access"
+ default = "broy-bastion-psm-host"
 }
+data "ibm_is_ssh_key" "sshkey" {
+ name = var.ssh_key_name
+}
\ No newline at end of file
diff --git a/vpc/versions.tf b/vpc/versions.tf
index ff9ba3f..dc4c823 100644
--- a/vpc/versions.tf
+++ b/vpc/versions.tf
@@ -1,7 +1,7 @@
 terraform {
 required_providers {
 ibm = {
- source = "ibm-cloud/ibm"
+ source = "ibm-cloud/ibm"
 version = "1.30.0"
 }
 }
diff --git a/vpc/vpc.tf b/vpc/vpc.tf
index ba2efb3..28b3ad2 100755
--- a/vpc/vpc.tf
+++ b/vpc/vpc.tf
@@ -24,9 +24,6 @@ resource "ibm_is_vpc" "vpc" {
-
-
-
 ##############################################################################
 # Prefixes and subnets for zone 1
 ##############################################################################
@@ -64,9 +61,6 @@ resource "ibm_is_vpc_address_prefix" "datagov_subnet_prefix" {
 # Create Subnets
 ##############################################################################
-
-
-
 # Increase count to create subnets in all zones
 resource "ibm_is_subnet" "frontend_subnet" {
 count = var.frontend_count
@@ -104,7 +98,6 @@ resource "ibm_is_subnet" "datagov_subnet" {
-
 # Increase count to create gateways in all zones
 resource "ibm_is_public_gateway" "repo_gateway" {
 count = var.frontend_count
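Review bot: `default = "broy-bastion-psm-host"` hard-codes one account's SSH key name as the default for `ssh_key_name`, a value that decides whose key is installed on the bastion and every VSI; anyone else applying this configuration is no longer prompted for it and instead gets a failed `data "ibm_is_ssh_key" "sshkey"` lookup or, if an unrelated key of that name happens to exist, that key. Keeping the variable required — no `default`, as it was before this hunk — is the safer contract, and the moved `data` block would then still work unchanged.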
@@ -118,12 +111,27 @@ resource "ibm_is_public_gateway" "repo_gateway" {
 }
 }
+#############################################################################
+
+
 #############################################################################
+# Enable Flow logs
+#############################################################################
+
+module "vpc_flow_log" {
+ source = "..modules/flowlogs"
+ unique_id = ibm_is_vpc.vpc.name
+ ibm_region = var.ibm_region
+ ibm_is_vpc_id = ibm_is_vpc.vpc.id
+ ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
+ ibm_is_res_target_id = ibm_is_vpc.vpc.id
+}
+#############################################################################
\ No newline at end of file
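Review bot: `source = "..modules/flowlogs"` is missing the path separator; Terraform only treats a source as a local path when it begins with `./` or `../`, so `terraform init` will reject this address rather than load the module. Relative to vpc/vpc.tf the module created in this commit lives at `../modules/flowlogs`, so the line should read `source = "../modules/flowlogs"`. The block also references `data.ibm_resource_group.all_rg.id`, which this commit shows being used from the root main.tf; unless the vpc module declares its own `data "ibm_resource_group" "all_rg"` (not visible in these hunks), the resource group ID needs to come in through a module variable instead. The three bare `####` separator lines added above the block, two of them followed by blank lines, look like leftovers and could be collapsed to the one that heads the "Enable Flow logs" section.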