Merges origin/sgs-module (pull request #18)

README.md

@@ -84,4 +84,4 @@ module "aws_vault" {
 
 [Apache 2.0](LICENSE)
 
-Copyright (c) 2018 [Flaconi GmbH](https://github.com/Flaconi)
+Copyright (c) 2018-2021 [Flaconi GmbH](https://github.com/Flaconi)

data.tf

@@ -0,0 +1,46 @@
+data "aws_region" "current" {}
+
+data "aws_ami" "vault_consul" {
+  most_recent = true
+
+  owners = [var.ami_owner]
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "name"
+    values = var.ami_name_filter
+  }
+}
+
+data "aws_elb" "vault_elb" {
+  name = module.vault_elb.name
+}
+
+data "template_file" "user_data_vault_cluster" {
+  template = file("${path.module}/user-data-vault.sh")
+
+  vars = {
+    enable_s3_backend        = var.enable_s3_backend ? 1 : 0
+    s3_bucket_region         = data.aws_region.current.name
+    s3_bucket_name           = var.s3_bucket_name
+    consul_cluster_tag_key   = local.consul_cluster_tag_key
+    consul_cluster_tag_value = local.consul_cluster_tag_val
+    ssh_keys                 = join("\n", var.ssh_keys)
+    ssh_user                 = "ubuntu"
+  }
+}
+
+data "template_file" "user_data_consul" {
+  template = file("${path.module}/user-data-consul.sh")
+
+  vars = {
+    consul_cluster_tag_key   = local.consul_cluster_tag_key
+    consul_cluster_tag_value = local.consul_cluster_tag_val
+    ssh_keys                 = join("\n", var.ssh_keys)
+    ssh_user                 = "ubuntu"
+  }
+}

locals.tf

@@ -1,9 +1,4 @@
-# -------------------------------------------------------------------------------------------------
-# Locals
-# -------------------------------------------------------------------------------------------------
-
 locals {
   consul_cluster_tag_key = "consul-servers"
   consul_cluster_tag_val = var.consul_cluster_name
 }
-

main.tf

@@ -1,51 +1,3 @@
-# This module has been copy/pasted from the following repository:
-# https://github.com/hashicorp/terraform-aws-vault
-#
-# After having copy/pasted it, I have done some heavy rewriting.
-# Customization was necessary as the default provided module is not production ready:
-# https://github.com/hashicorp/terraform-aws-vault/issues/103
-#
-# Additionally the following pitfalls were discovered:
-# * AMI needs to be built by ourselves in order to provide valid SSL certificates
-# * Security groups are to open and cannot be easily closed without rewriting the submodules
-#   (https://github.com/hashicorp/terraform-aws-vault/issues/107)
-# * Security groups are written in a way that Terraform will not detect any manual changes
-#
-# For the above reasons, also some submodules had to be rewritten (see modules/)
-#
-
-# -------------------------------------------------------------------------------------------------
-# Terraform Settings
-# -------------------------------------------------------------------------------------------------
-# Terraform 0.9.5 suffered from https://github.com/hashicorp/terraform/issues/14399, which causes
-# this template the conditionals in this template to fail.
-terraform {
-  required_version = ">= 0.9.3, != 0.9.5"
-}
-
-# -------------------------------------------------------------------------------------------------
-# TODO: Use custom build AMI.
-# -------------------------------------------------------------------------------------------------
-# TODO: Create custom AMI baked with our own SSL certificates for HTTPS access.
-data "aws_ami" "vault_consul" {
-  most_recent = true
-
-  owners = [var.ami_owner]
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name   = "name"
-    values = var.ami_name_filter
-  }
-}
-
-# -------------------------------------------------------------------------------------------------
-# DEPLOY THE VAULT SERVER CLUSTER
-# -------------------------------------------------------------------------------------------------
 module "vault_cluster" {
   source = "./modules/vault-cluster"
 
@@ -59,118 +11,64 @@ module "vault_cluster" {
   vpc_id     = var.vpc_id
   subnet_ids = var.private_subnet_ids
 
-  # Use S3 Storage Backend?
   enable_s3_backend = var.enable_s3_backend
   s3_bucket_name    = var.s3_bucket_name
 
-  # Encrypt S3 Storage Backend?
   enable_s3_backend_encryption = var.enable_s3_backend_encryption
   kms_alias_name               = var.kms_alias_name
 
-  # Do NOT use the ELB for the ASG health check, or the ASG will assume all sealed instances are
-  # unhealthy and repeatedly try to redeploy them.
-  # The ELB health check does not work on unsealed Vault instances.
   health_check_type = "EC2"
 
-  # Security groups
   elb_security_group_id    = module.vault_elb.security_group_ids[0]
   consul_security_group_id = module.consul_cluster.security_group_id
-  ssh_security_group_ids   = var.ssh_security_group_ids
+  ssh_security_group_id    = var.ssh_security_group_id
 
   tags = var.tags
 }
 
-# -------------------------------------------------------------------------------------------------
-# ATTACH IAM POLICIES FOR CONSUL
-# To allow our Vault servers to automatically discover the Consul servers, we need to give them the
-# IAM permissions from the Consul AWS Module's consul-iam-policies module.
-# -------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
   source = "github.com/hashicorp/terraform-aws-consul//modules/consul-iam-policies?ref=v0.7.0"
 
   iam_role_id = module.vault_cluster.iam_role_id
 }
 
-# -------------------------------------------------------------------------------------------------
-# THE USER DATA SCRIPT THAT WILL RUN ON EACH VAULT SERVER WHEN IT'S BOOTING
-# This script will configure and start Vault
-# -------------------------------------------------------------------------------------------------
-data "template_file" "user_data_vault_cluster" {
-  template = file("${path.module}/user-data-vault.sh")
-
-  vars = {
-    enable_s3_backend        = var.enable_s3_backend ? 1 : 0
-    s3_bucket_region         = data.aws_region.current.name
-    s3_bucket_name           = var.s3_bucket_name
-    consul_cluster_tag_key   = local.consul_cluster_tag_key
-    consul_cluster_tag_value = local.consul_cluster_tag_val
-    ssh_keys                 = join("\n", var.ssh_keys)
-    ssh_user                 = "ubuntu"
-  }
-}
-
-data "aws_region" "current" {
-}
-
-# -------------------------------------------------------------------------------------------------
-# Vault ELB
-# -------------------------------------------------------------------------------------------------
 module "vault_elb" {
   source = "github.com/Flaconi/terraform-aws-elb?ref=v1.0.0"
 
   name       = var.vault_cluster_name
   vpc_id     = var.vpc_id
   subnet_ids = var.public_subnet_ids
 
-  # Listener
   lb_port            = "443"
   lb_protocol        = "HTTPS"
   instance_port      = "8200"
   instance_protocol  = "HTTPS"
   ssl_certificate_id = var.ssl_certificate_id
 
-  # Health Checks
   target              = "HTTPS:8200/v1/sys/health?standbyok=true"
   timeout             = "5"
   interval            = "15"
   healthy_threshold   = "2"
   unhealthy_threshold = "2"
 
-  # Security
   inbound_cidr_blocks  = var.vault_ingress_cidr_https
   security_group_names = var.security_group_names
 
-  # DNS
   route53_public_dns_name = var.vault_route53_public_dns_name
 
-  # https://github.com/hashicorp/terraform-aws-vault/blob/master/modules/vault-elb/main.tf#L104
-  # When set to true, if either none of the ELB's EC2 instances are healthy or the ELB itself is
-  # unhealthy, Route 53 routes queries to "other resources." But since we haven't defined any other
-  # resources, we'd rather avoid any latency due to switchovers and just wait for the ELB and Vault
-  # instances to come back online. For more info, see
-  # http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-alias.html#rrsets-values-alias-evaluate-target-health
   public_dns_evaluate_target_health = false
 
   tags = var.tags
 }
 
-# Attach Vault ASG to Vault ELB
 resource "aws_autoscaling_attachment" "vault" {
   autoscaling_group_name = module.vault_cluster.asg_name
   elb                    = data.aws_elb.vault_elb.id
 }
 
-data "aws_elb" "vault_elb" {
-  name = module.vault_elb.name
-}
-
-# -------------------------------------------------------------------------------------------------
-# DEPLOY THE CONSUL SERVER CLUSTER
-# -------------------------------------------------------------------------------------------------
 module "consul_cluster" {
   source = "./modules/consul-cluster"
 
-  # Naming/Tagging
   cluster_name  = var.consul_cluster_name
   cluster_size  = var.consul_cluster_size
   instance_type = var.consul_instance_type
@@ -181,29 +79,11 @@ module "consul_cluster" {
   vpc_id     = var.vpc_id
   subnet_ids = var.private_subnet_ids
 
-  # Security groups
   vault_security_group_id = module.vault_cluster.security_group_id
-  ssh_security_group_ids  = var.ssh_security_group_ids
+  ssh_security_group_id   = var.ssh_security_group_id
 
-  # The EC2 Instances will use these tags to automatically discover each other and form a cluster
   cluster_tag_key   = local.consul_cluster_tag_key
   cluster_tag_value = local.consul_cluster_tag_val
 
   tags = var.tags
 }
-
-# -------------------------------------------------------------------------------------------------
-# THE USER DATA SCRIPT THAT WILL RUN ON EACH CONSUL SERVER WHEN IT'S BOOTING
-# This script will configure and start Consul
-# -------------------------------------------------------------------------------------------------
-data "template_file" "user_data_consul" {
-  template = file("${path.module}/user-data-consul.sh")
-
-  vars = {
-    consul_cluster_tag_key   = local.consul_cluster_tag_key
-    consul_cluster_tag_value = local.consul_cluster_tag_val
-    ssh_keys                 = join("\n", var.ssh_keys)
-    ssh_user                 = "ubuntu"
-  }
-}
-

modules/consul-cluster/README.md

@@ -1,17 +1,20 @@
 # Consul Cluster
 
-This module has been copy/pasted from the following repository:
-https://github.com/hashicorp/terraform-aws-consul/tree/master/modules/consul-cluster
+This module was inspired by the following repository: [terraform-aws-vault][1].
 
-Security groups have been re-written in order to make sure they are exclusively managed
-by Terraform and any other rules that have been added by hand (or other means) will be
-removed, whenever this module is called.
+## Caveats
 
-This is achieved by moving all separately defined rules from 'aws_security_group_rule'
-into a single 'aws_security_group' block.
+### Security Groups
+
+See this [GitHub issue][2], for clarifying the purpose of the SGs and their
+rules.
+
+[Here][3] are the ports in use and their purpose.
 
 ## Inputs
 
+See all required rules [here][2].
+
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | vpc_id | The ID of the VPC in which to deploy the Consul cluster | string | - | yes |
@@ -48,3 +51,7 @@ into a single 'aws_security_group' block.
 | iam_role_id | ID of the IAM role attached to the Consul instance. |
 | iam_role_name | Name of the IAM role attached to the Consul instance. |
 | security_group_id | Security group ID to attach to other security group rules as destination. |
+
+[1]: https://github.com/hashicorp/terraform-aws-consul/tree/master/modules/consul-cluster
+[2]: https://github.com/hashicorp/terraform-aws-vault/issues/107
+[3]: https://www.consul.io/docs/install/ports#ports-table

modules/consul-cluster/iam.tf

@@ -0,0 +1,36 @@
+data "aws_iam_policy_document" "instance_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+module "iam_policies" {
+  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-iam-policies?ref=v0.7.0"
+
+  iam_role_id = aws_iam_role.instance_role.id
+}
+
+resource "aws_iam_role" "instance_role" {
+  name_prefix        = var.cluster_name
+  assume_role_policy = data.aws_iam_policy_document.instance_role.json
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_instance_profile" "instance_profile" {
+  name_prefix = var.cluster_name
+  path        = var.instance_profile_path
+  role        = aws_iam_role.instance_role.name
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

modules/consul-cluster/locals.tf

@@ -1,9 +1,3 @@
-# -------------------------------------------------------------------------------------------------
-# Locals
-# -------------------------------------------------------------------------------------------------
-
-# The following example converts key/val maps into AWS ASG 3er tuple maps.
-# Credits: https://github.com/terraform-aws-modules/terraform-aws-autoscaling/blob/master/locals.tf
 locals {
   tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers
 }
@@ -17,4 +11,3 @@ resource "null_resource" "tags_as_list_of_maps" {
     "propagate_at_launch" = "true"
   }
 }
-