Improve deploy to enable custom resource targets

BBVA · Apr 4, 2019 · d94a90b · d94a90b
1 parent 6c972e0
commit d94a90b
Show file tree

Hide file tree

Showing 5 changed files with 173 additions and 101 deletions.
diff --git a/deploy/aws/flavour.tf b/deploy/aws/flavour.tf
@@ -0,0 +1,54 @@
+#  Copyright 2018-2019 Banco Bilbao Vizcaya Argentaria, S.A.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+resource null_resource "qed-base" {
+
+  triggers {
+    qed = "${format("%s",module.qed.private_ip)}"
+    prometheus = "${module.prometheus.private_ip}"
+    riot = "${module.riot.private_ip}"
+    gateway = "${aws_internet_gateway.qed.id}"
+    aws_route = "${aws_route.qed.id}"
+    aws_vpc_dhcp_options = "${aws_vpc_dhcp_options.qed.id}"
+    aws_vpc_dhcp_options_association = "${aws_vpc_dhcp_options_association.qed.id}"
+    aws_cloudwatch_log_group = "${aws_cloudwatch_log_group.qed.name}"
+    aws_iam_role = "${aws_iam_role.qed.id}"
+    aws_flow_log = "${aws_flow_log.qed.id}"
+    aws_iam_role_policy_attachmentCloudWatch = "${aws_iam_role_policy_attachment.CloudWatchLogsFullAccess-attach.role}"
+    aws_iam_role_policy_attachmentQed = "${aws_iam_role_policy_attachment.qed.role}"
+  }
+
+}
+
+resource null_resource "qed-full" {
+
+  triggers {
+    qed = "${format("%s",module.qed.private_ip)}"
+    prometheus = "${module.prometheus.private_ip}"
+    riot = "${module.riot.private_ip}"
+    auditor = "${format("%s", module.agent-auditor.private_ip)}"
+    monitor = "${format("%s", module.agent-monitor.private_ip)}"
+    publisher = "${format("%s", module.agent-publisher.private_ip)}"
+    storage = "${module.inmemory-storage.private_ip}"
+    gateway = "${aws_internet_gateway.qed.id}"
+    aws_route = "${aws_route.qed.id}"
+    aws_vpc_dhcp_options = "${aws_vpc_dhcp_options.qed.id}"
+    aws_vpc_dhcp_options_association = "${aws_vpc_dhcp_options_association.qed.id}"
+    aws_cloudwatch_log_group = "${aws_cloudwatch_log_group.qed.name}"
+    aws_iam_role = "${aws_iam_role.qed.id}"
+    aws_flow_log = "${aws_flow_log.qed.id}"
+    aws_iam_role_policy_attachmentCloudWatch = "${aws_iam_role_policy_attachment.CloudWatchLogsFullAccess-attach.role}"
+    aws_iam_role_policy_attachmentQed = "${aws_iam_role_policy_attachment.qed.role}"
+  }
+
+}
diff --git a/deploy/aws/main.tf b/deploy/aws/main.tf
@@ -46,7 +46,7 @@ module "qed" {
   instance_type          = "z1d.xlarge"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.qed.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"
@@ -58,7 +58,7 @@ module "inmemory-storage" {
   instance_type          = "r5.large"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.qed.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"
@@ -73,7 +73,7 @@ module "agent-publisher" {
   instance_type          = "m5.large"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.qed.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"
@@ -88,7 +88,7 @@ module "agent-monitor" {
   instance_type          = "m5.large"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.qed.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"
@@ -103,7 +103,7 @@ module "agent-auditor" {
   instance_type          = "m5.large"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.qed.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"
@@ -115,7 +115,7 @@ module "prometheus" {
   instance_type          = "m5.large"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.prometheus_security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.prometheus.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"
@@ -127,7 +127,7 @@ module "riot" {
   instance_type          = "m5.large"
   iam_instance_profile   = "${aws_iam_instance_profile.qed-profile.name}"
   volume_size            = "20"
-  vpc_security_group_ids = "${module.security_group.this_security_group_id}"
+  vpc_security_group_ids = "${aws_security_group.qed.id}"
   subnet_id              = "${aws_subnet.qed.id}"
   key_name               = "${aws_key_pair.qed.key_name}"
   key_path               = "${var.keypath}"

diff --git a/deploy/aws/network.tf b/deploy/aws/network.tf
@@ -13,7 +13,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 */
-
 data "http" "ip" {
   url = "http://icanhazip.com"
 }
@@ -35,6 +34,7 @@ resource "aws_subnet" "qed" {
   tags = {
     Name = "QED-${terraform.workspace}"
   }
+
 }
 
 resource "aws_internet_gateway" "qed" {
@@ -43,6 +43,7 @@ resource "aws_internet_gateway" "qed" {
   tags = {
     Name = "QED-${terraform.workspace}"
   }
+
 }
 
 resource "aws_route" "qed" {
@@ -58,6 +59,7 @@ resource "aws_vpc_dhcp_options" "qed" {
   tags = {
     Name = "QED-${terraform.workspace}"
   }
+
 }
 
 resource "aws_vpc_dhcp_options_association" "qed" {
@@ -71,7 +73,6 @@ resource "aws_cloudwatch_log_group" "qed" {
 
 resource "aws_iam_role" "qed" {
   name = "qed-${terraform.workspace}"
-
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -106,112 +107,117 @@ resource "aws_key_pair" "qed" {
   public_key = "${file("${var.keypath}.pub")}"
 }
 
-module "security_group" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "2.11.0"
-
+# Create the Security Group
+resource "aws_security_group" "qed" {
+  vpc_id       = "${aws_vpc.qed.id}"
   name        = "qed-${terraform.workspace}"
   description = "Security group for QED usage"
-  vpc_id      = "${aws_vpc.qed.id}"
-
-  egress_rules = ["all-all"]
-
-  ingress_cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
-  ingress_rules       = ["all-icmp", "ssh-tcp"]
-
-  ingress_with_cidr_blocks = [
-    {
+  ingress {
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress {
       from_port   = 8800
       to_port     = 8800
       protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-    {
+      cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress {
       from_port   = 8888
       to_port     = 8888
       protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-    {
-      from_port   = 8600
-      to_port     = 8600
-      protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-    {
-      from_port   = 6060
-      to_port     = 6060
-      protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-    {
-      from_port   = 7700
-      to_port     = 7700
-      protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-    {
-      from_port   = 9100
-      to_port     = 9100
-      protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-  ]
-
-  computed_ingress_with_source_security_group_id = [
-    {
-      from_port                = 0
-      to_port                  = 65535
-      protocol                 = "tcp"
-      source_security_group_id = "${module.security_group.this_security_group_id}"
-    },
-    {
-      from_port                = 0
-      to_port                  = 65535
-      protocol                 = "tcp"
-      source_security_group_id = "${module.prometheus_security_group.this_security_group_id}"
-    },
-  ]
+      cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress {
+    from_port   = 8600
+    to_port     = 8600
+    protocol    = "tcp"
+    cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress {
+    from_port   = 6060
+    to_port     = 6060
+    protocol    = "tcp"
+    cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress {
+    from_port   = 7700
+    to_port     = 7700
+    protocol    = "tcp"
+    cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress {
+    from_port   = 9100
+    to_port     = 9100
+    protocol    = "tcp"
+    cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress  {
+      from_port    = 0
+      to_port      = 65535
+      protocol     = "tcp"
+      self         = true
+  }
+  ingress {
+      from_port        = 0
+      to_port          = 65535
+      protocol         = "tcp"
+      security_groups  = ["${aws_security_group.prometheus.id}"]
+  }
 
-  number_of_computed_ingress_with_source_security_group_id = 2
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags {
+    Name = "qed-${terraform.workspace}"
+    Workspace = "${terraform.workspace}"
+  }
 }
 
-module "prometheus_security_group" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "2.11.0"
-
+resource "aws_security_group" "prometheus" {
+  vpc_id       = "${aws_vpc.qed.id}"
   name        = "prometheus-${terraform.workspace}"
-  description = "Security group for Prometheus/Grafana usage"
-  vpc_id      = "${aws_vpc.qed.id}"
-
-  egress_rules = ["all-all"]
-
-  ingress_cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
-  ingress_rules       = ["all-icmp", "ssh-tcp"]
+  description = "Security group for QED usage"
 
-  ingress_with_cidr_blocks = [
-    {
-      from_port   = 9090                             # prometheus metrics
+  ingress {
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  # Prometheus metrics
+  ingress {
+      from_port   = 9090          
       to_port     = 9090
       protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-    {
-      from_port   = 3000                             # graphana
+      cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+    }
+  # Grafana
+  ingress {
+      from_port   = 3000
       to_port     = 3000
       protocol    = "tcp"
-      cidr_blocks = "${chomp(data.http.ip.body)}/32"
-    },
-  ]
-
-  computed_ingress_with_source_security_group_id = [
-    {
-      from_port                = 0
-      to_port                  = 65535
-      protocol                 = "tcp"
-      source_security_group_id = "${module.security_group.this_security_group_id}"
-    },
-  ]
-
-  number_of_computed_ingress_with_source_security_group_id = 1
+      cidr_blocks = ["${chomp(data.http.ip.body)}/32"]
+  }
+  ingress  {
+      from_port    = 0
+      to_port      = 65535
+      protocol     = "tcp"
+      self         = true
+  }
+  egress {
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags {
+    Name = "prometheus-${terraform.workspace}"
+    Workspace = "${terraform.workspace}"
+  }
 }