Initial route53 support

Author: cameronbrunner

terraform/aws_route53/README.md

@@ -0,0 +1,5 @@
+# Terraform files for AWS and Route 53
+
+To use this directory you will need to be authenticated to aws and an existing 'base' zone registered in Route 53.
+
+Read variables.tf and set as appropriate before terraform init, terraform plan and terraform apply

terraform/aws_route53/certificates.tf

@@ -0,0 +1,50 @@
+# This verifies ownership through Route 53. Other DNS providers are available and
+# could be swapped in
+
+resource "aws_acm_certificate" "lb" {
+  domain_name       = "hub.hub-${var.prefix}.${var.dns_zone}"
+  validation_method = "DNS"
+}
+
+data "aws_route53_zone" "dev" {
+  name         = "${var.dns_zone}"
+  private_zone = false
+}
+
+resource "aws_route53_zone" "hub" {
+  name = "hub-${var.prefix}.${var.dns_zone}"
+
+  tags = {
+    Environment = "hub-${var.prefix}"
+  }
+}
+
+resource "aws_route53_record" "hub-ns" {
+  zone_id = data.aws_route53_zone.dev.zone_id
+  name    = aws_route53_zone.hub.name
+  type    = "NS"
+  ttl     = "30"
+  records = aws_route53_zone.hub.name_servers
+}
+
+resource "aws_route53_record" "lb_validate" {
+  for_each = {
+    for dvo in aws_acm_certificate.lb.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = aws_route53_zone.hub.zone_id
+}
+
+resource "aws_acm_certificate_validation" "lb" {
+  certificate_arn         = aws_acm_certificate.lb.arn
+  validation_record_fqdns = [for record in aws_route53_record.lb_validate : record.fqdn]
+}

terraform/aws_route53/common.tf

@@ -0,0 +1,130 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+	}
+  }
+}
+
+provider "aws" {
+  region = "${var.region}"
+}
+
+resource "aws_vpc" "amber" {
+  cidr_block = "172.17.0.0/16"
+  tags = {
+	Name = "${var.prefix}-amber"
+  }
+}
+
+resource "aws_vpc" "green" {
+  cidr_block = "172.18.0.0/16"
+  tags = {
+	Name = "${var.prefix}-green"
+  }
+}
+
+
+resource "aws_subnet" "amber-lb" {
+  vpc_id            = aws_vpc.amber.id
+  cidr_block        = "172.17.1.0/24"
+  availability_zone = "${var.region}a"
+  map_public_ip_on_launch = "true"
+  tags = {
+	Name = "${var.prefix}-amber-lb"
+  }
+}
+
+resource "aws_subnet" "amber-vms" {
+  vpc_id            = aws_vpc.amber.id
+  cidr_block        = "172.17.2.0/24"
+  availability_zone = "${var.region}b"
+  map_public_ip_on_launch = "true"
+  tags = {
+	Name = "${var.prefix}-amber-vms"
+  }
+}
+
+resource "aws_subnet" "green-a" {
+  vpc_id            = aws_vpc.green.id
+  cidr_block        = "172.18.1.0/24"
+  availability_zone = "${var.region}a"
+  tags = {
+	Name = "${var.prefix}-green-a"
+  }
+}
+
+resource "aws_subnet" "green-b" {
+  vpc_id            = aws_vpc.green.id
+  cidr_block        = "172.18.2.0/24"
+  availability_zone = "${var.region}b"
+  tags = {
+	Name = "${var.prefix}-green-b"
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_vpc_peering_connection" "amber2green" {
+  vpc_id = "${aws_vpc.amber.id}"
+  peer_owner_id = "${data.aws_caller_identity.current.account_id}"
+  peer_vpc_id = "${aws_vpc.green.id}"
+  auto_accept = true
+}
+
+resource "aws_route" "green2amber" {
+  route_table_id = "${aws_vpc.green.main_route_table_id}"
+  destination_cidr_block = "${aws_vpc.amber.cidr_block}"
+  vpc_peering_connection_id = "${aws_vpc_peering_connection.amber2green.id}"
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id            = aws_vpc.amber.id
+}
+
+resource "aws_default_route_table" "amber" {
+  default_route_table_id = aws_vpc.amber.default_route_table_id
+
+  route {
+	cidr_block = "0.0.0.0/0"
+	gateway_id = aws_internet_gateway.gw.id
+  }
+  route {
+	cidr_block = "${aws_vpc.green.cidr_block}"
+	vpc_peering_connection_id = "${aws_vpc_peering_connection.amber2green.id}"
+  }
+  tags = {
+	Name = "${var.prefix}-amber-internet"
+  }
+}
+
+resource "aws_key_pair" "common-auth" {
+  key_name   = "auth-${var.prefix}"
+  public_key = "${var.ssh_public_key}"
+}
+
+
+
+data "aws_ami" "centos" {
+  owners      = ["679593333241"]
+  most_recent = true
+
+  filter {
+      name   = "name"
+      values = ["AlmaLinux OS 8.5 *"]
+  }
+
+  filter {
+      name   = "architecture"
+      values = ["x86_64"]
+  }
+
+  filter {
+      name   = "root-device-type"
+      values = ["ebs"]
+  }
+}
+
+
+

terraform/aws_route53/database.tf

@@ -0,0 +1,50 @@
+resource "aws_security_group" "hubdb" {
+  name   = "${var.prefix}-hubdb"
+  vpc_id = aws_vpc.green.id
+
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+	cidr_blocks = ["${aws_instance.hub.private_ip}/32"]
+  }
+
+  egress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["${aws_instance.hub.private_ip}/32"]
+  }
+
+  tags = {
+    Name = "${var.prefix}-hub-db"
+  }
+}
+
+resource "aws_db_subnet_group" "hubdb" {
+  name = "${var.prefix}-hubdb"
+  subnet_ids = [aws_subnet.green-a.id,aws_subnet.green-b.id]
+  tags = {
+    Name = "${var.prefix}-hub-db"
+  }
+}
+
+resource "aws_db_instance" "hubdb" {
+  allocated_storage    = 8
+  engine               = "postgres"
+  identifier           = "${var.prefix}-hub-db"
+  engine_version       = "13"
+  instance_class       = "db.t3.medium"
+  name                 = "${var.prefix}hub"
+  username             = "${var.dbusername}"
+  password             = "${var.dbpassword}"
+  vpc_security_group_ids = [aws_security_group.hubdb.id]
+  db_subnet_group_name = aws_db_subnet_group.hubdb.name
+  skip_final_snapshot  = true
+  publicly_accessible  = false
+  storage_encrypted    = true
+  tags = {
+	Name = "${var.prefix}-hub-db"
+  }
+}
+

terraform/aws_route53/dns.tf

@@ -0,0 +1,26 @@
+# This generates records in route53. Other DNS providers could be substituted.
+
+resource "aws_route53_record" "lb" {
+  zone_id = aws_route53_zone.hub.zone_id
+  ttl  = 300
+  name = "${aws_acm_certificate.lb.domain_name}"
+  records = ["${aws_lb.hublb.dns_name}"]
+  type = "CNAME"
+}
+
+resource "aws_route53_record" "hub" {
+  zone_id = aws_route53_zone.hub.zone_id
+  ttl  = 300
+  name = "hubvm.hub-${var.prefix}.${var.dns_zone}"
+  records = ["${aws_instance.hub.private_ip}"]
+  type = "A"
+}
+
+resource "aws_route53_record" "worker" {
+  count = var.worker_vm_count
+  ttl  = 300
+  zone_id = aws_route53_zone.hub.zone_id
+  name = "worker${count.index}.hub-${var.prefix}.${var.dns_zone}"
+  records = ["${aws_instance.worker[count.index].private_ip}"]
+  type = "A"
+}

terraform/aws_route53/efs.tf

@@ -0,0 +1,42 @@
+resource "aws_efs_file_system" "shared_store" {
+  creation_token = "${var.prefix}-shared_store"
+  encrypted = true
+
+  lifecycle_policy {
+    transition_to_ia = "AFTER_30_DAYS"
+  }
+  tags = {
+	Name = "${var.prefix}-shared_store"
+  }
+}
+
+resource "aws_security_group" "shared_store" {
+  name        = "shared_store"
+  vpc_id      = "${aws_vpc.amber.id}"
+
+  # SSH access from anywhere
+  ingress {
+	from_port   = 2049
+    to_port     = 2049
+    protocol    = "tcp"
+    cidr_blocks = [aws_subnet.amber-vms.cidr_block]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+	cidr_blocks = ["0.0.0.0/0"]
+	ipv6_cidr_blocks = ["::/0"]
+  }
+  tags = {
+	Name = "shared_store"
+  }
+}
+
+resource "aws_efs_mount_target" "shared_store" {
+  file_system_id = aws_efs_file_system.shared_store.id
+  subnet_id      = aws_subnet.amber-vms.id
+  security_groups = [aws_security_group.shared_store.id]
+}

terraform/aws_route53/hosts.tpl

@@ -0,0 +1,21 @@
+[all:vars]
+ingress_url = ${ingress_url}
+shared_store_ip = ${shared_store_ip}
+db_host = ${db_host}
+db_name = ${db_name}
+db_user = ${db_user}
+db_password = ${db_password}
+s3_useIam = ${s3_useIam}
+s3_endpoint = ${s3_endpoint}
+s3_accessKeyId = ${s3_accessKeyId}
+s3_secretAccessKey = ${s3_secretAccessKey}
+s3_bucket = ${s3_bucket}
+s3_region = ${s3_region}
+
+[hub]
+${hub_ip} ansible_user=${username} private_name=${hub_private_name}
+
+[workers]
+%{ for worker in workers ~}
+${worker.public_ip} ansible_user=${username} private_name=${worker.private_name}
+%{endfor ~}