use efs instead of ebs to store mongodb datas

maddevsio · Mar 26, 2021 · 24aa774 · 24aa774
1 parent 27c8db8
commit 24aa774
Show file tree

Hide file tree

Showing 10 changed files with 163 additions and 193 deletions.
diff --git a/terraform/layer1-aws/examples/aws-ec2-pritunl.tf b/terraform/layer1-aws/examples/aws-ec2-pritunl.tf
@@ -1,20 +1,27 @@
 module "pritunl" {
   source = "../modules/pritunl"
 
+  environment    = local.env
   vpc_id         = module.vpc.vpc_id
   public_subnets = module.vpc.public_subnets
-  pritunl_sg_rules = [
+  ingress_with_cidr_blocks = [
     {
       protocol    = "6"
       from_port   = 443
       to_port     = 443
-      cidr_blocks = ["8.8.8.8/32"] # the list of IPs that will have access to the web console
+      cidr_blocks = "127.0.0.1/32" # IP address that will have access to the web console
     },
     {
       protocol    = "17"
-      from_port   = 19739 #this is a port that we will set in pritunl server configuration (after installation)
+      from_port   = 19739 # this is a port that we will set in pritunl server configuration (after installation)
       to_port     = 19739
-      cidr_blocks = ["0.0.0.0/0"]
-    }
+      cidr_blocks = "0.0.0.0/0"
+    },
+    {
+      protocol    = "6"
+      from_port   = 80
+      to_port     = 80
+      cidr_blocks = "127.0.0.1/32" # IP address that will have access to the web console
+    },
   ]
 }
diff --git a/terraform/modules/aws-ec2-pritunl/backup.tf b/terraform/modules/aws-ec2-pritunl/backup.tf
@@ -0,0 +1,25 @@
+resource "aws_backup_vault" "this" {
+  name = var.name
+}
+
+resource "aws_backup_plan" "this" {
+  name = "${var.name}_backup_plan"
+  rule {
+    rule_name         = "${var.name}_backup_plan_efs"
+    target_vault_name = aws_backup_vault.this.name
+    schedule          = "cron(0 1 * * ? *)"
+    lifecycle {
+      delete_after = 30
+    }
+  }
+}
+
+resource "aws_backup_selection" "efs" {
+  iam_role_arn = module.backup_role.this_iam_role_arn
+  name         = "${var.name}_backup_selection_efs"
+  plan_id      = aws_backup_plan.this.id
+
+  resources = [
+    aws_efs_file_system.this.arn
+  ]
+}
diff --git a/terraform/modules/aws-ec2-pritunl/dlm.tf b/terraform/modules/aws-ec2-pritunl/dlm.tf
diff --git a/terraform/modules/aws-ec2-pritunl/efs.tf b/terraform/modules/aws-ec2-pritunl/efs.tf
@@ -0,0 +1,26 @@
+#------------------------------------------------------------------------------
+# Create EFS
+#------------------------------------------------------------------------------
+resource "aws_efs_file_system" "this" {
+  creation_token = var.name
+  encrypted      = var.encrypted
+  kms_key_id     = var.kms_key_id
+
+  tags = {
+      "Name" = var.name
+    }
+  lifecycle {
+    ignore_changes = [
+      tags,
+    ]
+  }
+}
+
+resource "aws_efs_mount_target" "this" {
+  count = length(var.public_subnets)
+  file_system_id = aws_efs_file_system.this.id
+  subnet_id      = var.public_subnets[count.index]
+  security_groups = [
+    module.efs_sg.this_security_group_id
+  ]
+}
diff --git a/terraform/modules/aws-ec2-pritunl/iam.tf b/terraform/modules/aws-ec2-pritunl/iam.tf
@@ -1,13 +1,20 @@
 data "aws_iam_policy_document" "this" {
   statement {
-    sid = "AllowAttachDetachVolume"
-    actions = ["ec2:AttachVolume",
-      "ec2:DetachVolume",
-      "ec2:DescribeVolumes"
+    sid = "AllowMountEFS"
+    actions = [
+      "elasticfilesystem:ClientMount",
+      "elasticfilesystem:ClientWrite"
     ]
-    resources = ["arn:aws:ec2:*:*:volume/${aws_ebs_volume.mongodb_data.id}",
-      "arn:aws:ec2:*:*:instance/*"
+    resources = [
+      "arn:aws:elasticfilesystem:*:*:file-system/${aws_efs_file_system.this.id}"
     ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [var.encrypted]
+    }
   }
 
   statement {
@@ -73,11 +80,29 @@ module "this_role" {
 
   custom_role_policy_arns = [
     module.iam_policy.arn,
-    "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
   ]
 }
 
 resource "aws_iam_instance_profile" "this_instance_profile" {
-  name = "${var.name}-discovery-profile"
+  name = var.name
   role = module.this_role.this_iam_role_name
 }
+
+module "backup_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "3.8.0"
+
+  trusted_role_services = [
+    "backup.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name         = "${var.name}-backup-role"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+  ]
+}
diff --git a/terraform/modules/aws-ec2-pritunl/main.tf b/terraform/modules/aws-ec2-pritunl/main.tf
@@ -1,23 +1,4 @@
 data "aws_region" "current" {}
-data "aws_availability_zones" "available" {}
-data "aws_subnet_ids" "selected" {
-  # availability_zone = data.aws_availability_zones.available.names[0]
-  vpc_id = var.vpc_id
-  filter {
-    name   = "availabilityZone"
-    values = [data.aws_availability_zones.available.names[0]] # insert values here
-  }
-}
-resource "aws_ebs_volume" "mongodb_data" {
-  availability_zone = data.aws_availability_zones.available.names[0]
-  size              = 10
-
-  tags = {
-    Name        = var.name
-    Environment = var.environment
-  }
-}
-
 resource "aws_eip" "this" {
   vpc = true
   tags = {
@@ -26,22 +7,12 @@ resource "aws_eip" "this" {
   }
 }
 
-data "template_file" "userdata_script" {
-  template = file("${path.module}/templates/user-data.sh")
-
-  vars = {
-    aws_region = data.aws_region.current.name
-    eipalloc   = aws_eip.this.id
-    volume_id  = aws_ebs_volume.mongodb_data.id
-  }
-}
-
 resource "aws_launch_template" "this" {
   name_prefix            = var.name
   image_id               = data.aws_ami.amazon_linux_2.id
   instance_type          = var.instance_type
   ebs_optimized          = false
-  vpc_security_group_ids = [aws_security_group.this.id]
+  vpc_security_group_ids = [module.ec2_sg.this_security_group_id]
 
   iam_instance_profile {
     arn = aws_iam_instance_profile.this_instance_profile.arn
@@ -53,7 +24,13 @@ resource "aws_launch_template" "this" {
     http_put_response_hop_limit = 3
   }
 
-  user_data = base64encode(data.template_file.userdata_script.rendered)
+  user_data = base64encode(templatefile("${path.module}/templates/user-data.sh",
+    {
+      aws_region = data.aws_region.current.name
+      eipalloc   = aws_eip.this.id
+      efs_id     = aws_efs_file_system.this.id
+    })
+  )
 
   monitoring {
     enabled = false
@@ -67,6 +44,8 @@ resource "aws_launch_template" "this" {
     }
   }
 
+  depends_on = [aws_efs_mount_target.this]
+
 }
 
 resource "aws_autoscaling_group" "this" {
@@ -76,14 +55,14 @@ resource "aws_autoscaling_group" "this" {
   min_size             = 1
   default_cooldown     = 30
   force_delete         = true
-  termination_policies = ["OldestLaunchConfiguration", "OldestInstance"]
+  termination_policies = ["OldestLaunchTemplate", "OldestInstance"]
 
   launch_template {
     id      = aws_launch_template.this.id
     version = "$Latest"
   }
 
-  vpc_zone_identifier = [tolist(data.aws_subnet_ids.selected.ids)[0]]
+  vpc_zone_identifier = var.public_subnets
 
   tag {
     key                 = "Name"

diff --git a/terraform/modules/aws-ec2-pritunl/output.tf b/terraform/modules/aws-ec2-pritunl/output.tf
@@ -2,5 +2,5 @@ output "pritunl_endpoint" {
   value = aws_eip.this.id
 }
 output "pritunl_security_group" {
-  value = aws_security_group.this.id
+  value = module.ec2_sg.this_security_group_id
 }
diff --git a/terraform/modules/aws-ec2-pritunl/security_groups.tf b/terraform/modules/aws-ec2-pritunl/security_groups.tf
@@ -1,34 +1,37 @@
-resource "aws_security_group" "this" {
+module "ec2_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
   name        = var.name
   description = "${var.name} security group"
   vpc_id      = var.vpc_id
 
-  ingress {
-    protocol    = "6"
-    from_port   = 80
-    to_port     = 80
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  ingress_with_source_security_group_id = var.ingress_with_source_security_group_id
 
-  dynamic "ingress" {
-    for_each = var.pritunl_sg_rules
+  ingress_with_cidr_blocks = var.ingress_with_cidr_blocks
 
-    content {
-      protocol    = ingress.value["protocol"]
-      from_port   = ingress.value["from_port"]
-      to_port     = ingress.value["to_port"]
-      cidr_blocks = ingress.value["cidr_blocks"]
+  egress_with_cidr_blocks = [
+    {
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      cidr_blocks = "0.0.0.0/0"
     }
-  }
+  ]
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+module "efs_sg" {
+  source = "terraform-aws-modules/security-group/aws"
 
-  tags = {
-    Name = "${var.name} security group"
-  }
+  name        = "${var.name}-efs"
+  description = "${var.name} efs security group"
+  vpc_id      = var.vpc_id
+
+  ingress_with_source_security_group_id = [
+    {
+      protocol                 = "6"
+      from_port                = 2049
+      to_port                  = 2049
+      source_security_group_id = module.ec2_sg.this_security_group_id
+    }
+  ]
 }