From 24aa7742455eeded92d214355f4cb47478b579c6 Mon Sep 17 00:00:00 2001
From: maxim <nikromax@gmail.com>
Date: Fri, 26 Mar 2021 13:51:36 +0600
Subject: [PATCH] use efs instead of ebs to store mongodb datas

---
 .../layer1-aws/examples/aws-ec2-pritunl.tf    | 17 ++--
 terraform/modules/aws-ec2-pritunl/backup.tf   | 25 ++++++
 terraform/modules/aws-ec2-pritunl/dlm.tf      | 84 -------------------
 terraform/modules/aws-ec2-pritunl/efs.tf      | 26 ++++++
 terraform/modules/aws-ec2-pritunl/iam.tf      | 41 +++++++--
 terraform/modules/aws-ec2-pritunl/main.tf     | 45 +++-------
 terraform/modules/aws-ec2-pritunl/output.tf   |  2 +-
 .../aws-ec2-pritunl/security_groups.tf        | 51 +++++------
 .../aws-ec2-pritunl/templates/user-data.sh    | 40 ++-------
 .../modules/aws-ec2-pritunl/variables.tf      | 25 ++++--
 10 files changed, 163 insertions(+), 193 deletions(-)
 create mode 100644 terraform/modules/aws-ec2-pritunl/backup.tf
 delete mode 100644 terraform/modules/aws-ec2-pritunl/dlm.tf
 create mode 100644 terraform/modules/aws-ec2-pritunl/efs.tf

diff --git a/terraform/layer1-aws/examples/aws-ec2-pritunl.tf b/terraform/layer1-aws/examples/aws-ec2-pritunl.tf
index f08f81ce..e5f8153b 100644
--- a/terraform/layer1-aws/examples/aws-ec2-pritunl.tf
+++ b/terraform/layer1-aws/examples/aws-ec2-pritunl.tf
@@ -1,20 +1,27 @@
 module "pritunl" {
   source = "../modules/pritunl"
 
+  environment    = local.env
   vpc_id         = module.vpc.vpc_id
   public_subnets = module.vpc.public_subnets
-  pritunl_sg_rules = [
+  ingress_with_cidr_blocks = [
     {
       protocol    = "6"
       from_port   = 443
       to_port     = 443
-      cidr_blocks = ["8.8.8.8/32"] # the list of IPs that will have access to the web console
+      cidr_blocks = "127.0.0.1/32" # IP address that will have access to the web console
     },
     {
       protocol    = "17"
-      from_port   = 19739 #this is a port that we will set in pritunl server configuration (after installation)
+      from_port   = 19739 # this is a port that we will set in pritunl server configuration (after installation)
       to_port     = 19739
-      cidr_blocks = ["0.0.0.0/0"]
-    }
+      cidr_blocks = "0.0.0.0/0"
+    },
+    {
+      protocol    = "6"
+      from_port   = 80
+      to_port     = 80
+      cidr_blocks = "127.0.0.1/32" # IP address that will have access to the web console
+    },
   ]
 }
diff --git a/terraform/modules/aws-ec2-pritunl/backup.tf b/terraform/modules/aws-ec2-pritunl/backup.tf
new file mode 100644
index 00000000..78cb6e92
--- /dev/null
+++ b/terraform/modules/aws-ec2-pritunl/backup.tf
@@ -0,0 +1,25 @@
+resource "aws_backup_vault" "this" {
+  name = var.name
+}
+
+resource "aws_backup_plan" "this" {
+  name = "${var.name}_backup_plan"
+  rule {
+    rule_name         = "${var.name}_backup_plan_efs"
+    target_vault_name = aws_backup_vault.this.name
+    schedule          = "cron(0 1 * * ? *)"
+    lifecycle {
+      delete_after = 30
+    }
+  }
+}
+
+resource "aws_backup_selection" "efs" {
+  iam_role_arn = module.backup_role.this_iam_role_arn
+  name         = "${var.name}_backup_selection_efs"
+  plan_id      = aws_backup_plan.this.id
+
+  resources = [
+    aws_efs_file_system.this.arn
+  ]
+}
diff --git a/terraform/modules/aws-ec2-pritunl/dlm.tf b/terraform/modules/aws-ec2-pritunl/dlm.tf
deleted file mode 100644
index 64d5c59e..00000000
--- a/terraform/modules/aws-ec2-pritunl/dlm.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-resource "aws_iam_role" "dlm_lifecycle_role" {
-  name = "${var.name}-dlm-lifecycle-role"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "dlm.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "dlm_lifecycle" {
-  name = "${var.name}-dlm-lifecycle-policy"
-  role = aws_iam_role.dlm_lifecycle_role.id
-
-  policy = <<EOF
-{
-   "Version": "2012-10-17",
-   "Statement": [
-      {
-         "Effect": "Allow",
-         "Action": [
-            "ec2:CreateSnapshot",
-            "ec2:DeleteSnapshot",
-            "ec2:DescribeVolumes",
-            "ec2:DescribeSnapshots"
-         ],
-         "Resource": "*"
-      },
-      {
-         "Effect": "Allow",
-         "Action": [
-            "ec2:CreateTags"
-         ],
-         "Resource": "arn:aws:ec2:*::snapshot/*"
-      }
-   ]
-}
-EOF
-}
-
-resource "aws_dlm_lifecycle_policy" "this" {
-  description        = "${var.name} DLM lifecycle policy"
-  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
-  state              = "ENABLED"
-
-  policy_details {
-    resource_types = ["VOLUME"]
-
-    schedule {
-      name = "1 week of daily snapshots"
-
-      create_rule {
-        interval      = 24
-        interval_unit = "HOURS"
-        times         = ["23:45"]
-      }
-
-      retain_rule {
-        count = 7
-      }
-
-      tags_to_add = {
-        SnapshotCreator = "DLM"
-      }
-
-      copy_tags = true
-    }
-
-    target_tags = {
-      Name        = var.name
-      Environment = var.environment
-    }
-  }
-}
diff --git a/terraform/modules/aws-ec2-pritunl/efs.tf b/terraform/modules/aws-ec2-pritunl/efs.tf
new file mode 100644
index 00000000..2242148b
--- /dev/null
+++ b/terraform/modules/aws-ec2-pritunl/efs.tf
@@ -0,0 +1,26 @@
+#------------------------------------------------------------------------------
+# Create EFS
+#------------------------------------------------------------------------------
+resource "aws_efs_file_system" "this" {
+  creation_token = var.name
+  encrypted      = var.encrypted
+  kms_key_id     = var.kms_key_id
+
+  tags = {
+      "Name" = var.name
+    }
+  lifecycle {
+    ignore_changes = [
+      tags,
+    ]
+  }
+}
+
+resource "aws_efs_mount_target" "this" {
+  count = length(var.public_subnets)
+  file_system_id = aws_efs_file_system.this.id
+  subnet_id      = var.public_subnets[count.index]
+  security_groups = [
+    module.efs_sg.this_security_group_id
+  ]
+}
diff --git a/terraform/modules/aws-ec2-pritunl/iam.tf b/terraform/modules/aws-ec2-pritunl/iam.tf
index 6b710d19..ddcb7d18 100644
--- a/terraform/modules/aws-ec2-pritunl/iam.tf
+++ b/terraform/modules/aws-ec2-pritunl/iam.tf
@@ -1,13 +1,20 @@
 data "aws_iam_policy_document" "this" {
   statement {
-    sid = "AllowAttachDetachVolume"
-    actions = ["ec2:AttachVolume",
-      "ec2:DetachVolume",
-      "ec2:DescribeVolumes"
+    sid = "AllowMountEFS"
+    actions = [
+      "elasticfilesystem:ClientMount",
+      "elasticfilesystem:ClientWrite"
     ]
-    resources = ["arn:aws:ec2:*:*:volume/${aws_ebs_volume.mongodb_data.id}",
-      "arn:aws:ec2:*:*:instance/*"
+    resources = [
+      "arn:aws:elasticfilesystem:*:*:file-system/${aws_efs_file_system.this.id}"
     ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [var.encrypted]
+    }
   }
 
   statement {
@@ -73,11 +80,29 @@ module "this_role" {
 
   custom_role_policy_arns = [
     module.iam_policy.arn,
-    "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
   ]
 }
 
 resource "aws_iam_instance_profile" "this_instance_profile" {
-  name = "${var.name}-discovery-profile"
+  name = var.name
   role = module.this_role.this_iam_role_name
 }
+
+module "backup_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "3.8.0"
+
+  trusted_role_services = [
+    "backup.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name         = "${var.name}-backup-role"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+  ]
+}
diff --git a/terraform/modules/aws-ec2-pritunl/main.tf b/terraform/modules/aws-ec2-pritunl/main.tf
index 2a86df35..164b231c 100644
--- a/terraform/modules/aws-ec2-pritunl/main.tf
+++ b/terraform/modules/aws-ec2-pritunl/main.tf
@@ -1,23 +1,4 @@
 data "aws_region" "current" {}
-data "aws_availability_zones" "available" {}
-data "aws_subnet_ids" "selected" {
-  # availability_zone = data.aws_availability_zones.available.names[0]
-  vpc_id = var.vpc_id
-  filter {
-    name   = "availabilityZone"
-    values = [data.aws_availability_zones.available.names[0]] # insert values here
-  }
-}
-resource "aws_ebs_volume" "mongodb_data" {
-  availability_zone = data.aws_availability_zones.available.names[0]
-  size              = 10
-
-  tags = {
-    Name        = var.name
-    Environment = var.environment
-  }
-}
-
 resource "aws_eip" "this" {
   vpc = true
   tags = {
@@ -26,22 +7,12 @@ resource "aws_eip" "this" {
   }
 }
 
-data "template_file" "userdata_script" {
-  template = file("${path.module}/templates/user-data.sh")
-
-  vars = {
-    aws_region = data.aws_region.current.name
-    eipalloc   = aws_eip.this.id
-    volume_id  = aws_ebs_volume.mongodb_data.id
-  }
-}
-
 resource "aws_launch_template" "this" {
   name_prefix            = var.name
   image_id               = data.aws_ami.amazon_linux_2.id
   instance_type          = var.instance_type
   ebs_optimized          = false
-  vpc_security_group_ids = [aws_security_group.this.id]
+  vpc_security_group_ids = [module.ec2_sg.this_security_group_id]
 
   iam_instance_profile {
     arn = aws_iam_instance_profile.this_instance_profile.arn
@@ -53,7 +24,13 @@ resource "aws_launch_template" "this" {
     http_put_response_hop_limit = 3
   }
 
-  user_data = base64encode(data.template_file.userdata_script.rendered)
+  user_data = base64encode(templatefile("${path.module}/templates/user-data.sh",
+    {
+      aws_region = data.aws_region.current.name
+      eipalloc   = aws_eip.this.id
+      efs_id     = aws_efs_file_system.this.id
+    })
+  )
 
   monitoring {
     enabled = false
@@ -67,6 +44,8 @@ resource "aws_launch_template" "this" {
     }
   }
 
+  depends_on = [aws_efs_mount_target.this]
+
 }
 
 resource "aws_autoscaling_group" "this" {
@@ -76,14 +55,14 @@ resource "aws_autoscaling_group" "this" {
   min_size             = 1
   default_cooldown     = 30
   force_delete         = true
-  termination_policies = ["OldestLaunchConfiguration", "OldestInstance"]
+  termination_policies = ["OldestLaunchTemplate", "OldestInstance"]
 
   launch_template {
     id      = aws_launch_template.this.id
     version = "$Latest"
   }
 
-  vpc_zone_identifier = [tolist(data.aws_subnet_ids.selected.ids)[0]]
+  vpc_zone_identifier = var.public_subnets
 
   tag {
     key                 = "Name"
diff --git a/terraform/modules/aws-ec2-pritunl/output.tf b/terraform/modules/aws-ec2-pritunl/output.tf
index 7dfbb934..388c9ad2 100644
--- a/terraform/modules/aws-ec2-pritunl/output.tf
+++ b/terraform/modules/aws-ec2-pritunl/output.tf
@@ -2,5 +2,5 @@ output "pritunl_endpoint" {
   value = aws_eip.this.id
 }
 output "pritunl_security_group" {
-  value = aws_security_group.this.id
+  value = module.ec2_sg.this_security_group_id
 }
diff --git a/terraform/modules/aws-ec2-pritunl/security_groups.tf b/terraform/modules/aws-ec2-pritunl/security_groups.tf
index 8746a67c..bb37d482 100644
--- a/terraform/modules/aws-ec2-pritunl/security_groups.tf
+++ b/terraform/modules/aws-ec2-pritunl/security_groups.tf
@@ -1,34 +1,37 @@
-resource "aws_security_group" "this" {
+module "ec2_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
   name        = var.name
   description = "${var.name} security group"
   vpc_id      = var.vpc_id
 
-  ingress {
-    protocol    = "6"
-    from_port   = 80
-    to_port     = 80
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  ingress_with_source_security_group_id = var.ingress_with_source_security_group_id
 
-  dynamic "ingress" {
-    for_each = var.pritunl_sg_rules
+  ingress_with_cidr_blocks = var.ingress_with_cidr_blocks
 
-    content {
-      protocol    = ingress.value["protocol"]
-      from_port   = ingress.value["from_port"]
-      to_port     = ingress.value["to_port"]
-      cidr_blocks = ingress.value["cidr_blocks"]
+  egress_with_cidr_blocks = [
+    {
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      cidr_blocks = "0.0.0.0/0"
     }
-  }
+  ]
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+module "efs_sg" {
+  source = "terraform-aws-modules/security-group/aws"
 
-  tags = {
-    Name = "${var.name} security group"
-  }
+  name        = "${var.name}-efs"
+  description = "${var.name} efs security group"
+  vpc_id      = var.vpc_id
+
+  ingress_with_source_security_group_id = [
+    {
+      protocol                 = "6"
+      from_port                = 2049
+      to_port                  = 2049
+      source_security_group_id = module.ec2_sg.this_security_group_id
+    }
+  ]
 }
diff --git a/terraform/modules/aws-ec2-pritunl/templates/user-data.sh b/terraform/modules/aws-ec2-pritunl/templates/user-data.sh
index ec0abdc3..7fcfb178 100644
--- a/terraform/modules/aws-ec2-pritunl/templates/user-data.sh
+++ b/terraform/modules/aws-ec2-pritunl/templates/user-data.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 set -x
 
+
+yum install -y amazon-efs-utils
+
 export AWS_DEFAULT_REGION="${aws_region}"
 MONGODB_DATA_DIR="/var/lib/mongo"
 
@@ -11,43 +14,13 @@ echo "root soft nofile 64000" >> /etc/security/limits.conf
 
 INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
 
+
 # Attach EIP
 aws ec2 associate-address --instance-id $${INSTANCE_ID} --allocation-id ${eipalloc} --allow-reassociation
 
-# Attach volume for MongoDB
-aws ec2 detach-volume --volume-id ${volume_id}
-
-until aws ec2 attach-volume --volume-id ${volume_id} --instance-id $${INSTANCE_ID} --device /dev/sdf; do
-  sleep 10
-  echo "Trying to attach volume"
-done
-
-# wait for EBS volume to attach
-DATA_STATE="unknown"
-until [[ $${DATA_STATE} == "attached" ]]; do
-  DATA_STATE=$(aws ec2 describe-volumes \
-      --filters \
-          Name=attachment.instance-id,Values=$${INSTANCE_ID} \
-          Name=attachment.device,Values=/dev/sdf \
-      --query Volumes[].Attachments[].State \
-      --output text)
-  echo 'waiting for volume...'
-  sleep 5
-done
-
-echo 'EBS volume attached!'
-
 # Change source-destination checking
 aws ec2 modify-instance-attribute --instance-id $${INSTANCE_ID} --source-dest-check "{\"Value\": false}"
 
-sleep 5
-FILESYSTEM=$(file -s /dev/nvme1n1 | grep filesystem)
-
-if [[ $${#FILESYSTEM} -eq 0 ]]; then
-  mkfs -t ext4 /dev/nvme1n1
-fi
-
-
 tee /etc/yum.repos.d/mongodb-org-4.2.repo << EOF
 [mongodb-org-4.2]
 name=MongoDB Repository
@@ -70,9 +43,10 @@ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017
 gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; rpm --import key.tmp; rm -f key.tmp
 yum -y install pritunl mongodb-org
 
-mount /dev/nvme1n1 $${MONGODB_DATA_DIR}
+# Mount EFS filesystem
+mount -t efs -o tls ${efs_id}:/ $${MONGODB_DATA_DIR}
 chown -R mongod:mongod $${MONGODB_DATA_DIR}
-echo "/dev/nvme1n1 $${MONGODB_DATA_DIR} ext4 defaults,nofail 0 2" >> /etc/fstab
+echo "${efs_id}:/ $${MONGODB_DATA_DIR} efs _netdev,tls 0 0" >> /etc/fstab
 
 systemctl enable mongod pritunl
 pritunl set-mongodb 'mongodb://localhost:27017/pritunl'
diff --git a/terraform/modules/aws-ec2-pritunl/variables.tf b/terraform/modules/aws-ec2-pritunl/variables.tf
index b04d4997..e17e95f2 100644
--- a/terraform/modules/aws-ec2-pritunl/variables.tf
+++ b/terraform/modules/aws-ec2-pritunl/variables.tf
@@ -1,8 +1,6 @@
 variable "vpc_id" {}
 variable "public_subnets" {}
-variable "availability_zone" {
-  default = "us-east-1a"
-}
+
 variable "name" {
   default = "pritunl"
 }
@@ -13,12 +11,29 @@ variable "instance_type" {
   default = "t3.small"
 }
 
-variable "pritunl_sg_rules" {
+variable "encrypted" {
+  default = true
+}
+
+variable "kms_key_id" {
+  default = null
+}
+variable "ingress_with_source_security_group_id" {
+  type = list(object({
+    protocol        = string
+    from_port       = string
+    to_port         = string
+    security_groups = string
+  }))
+
+  default = []
+}
+variable "ingress_with_cidr_blocks" {
   type = list(object({
     protocol    = string
     from_port   = string
     to_port     = string
-    cidr_blocks = list(string)
+    cidr_blocks = string
   }))
 
   default = []