merge changes with master branch

CHANGELOG.md

@@ -5,6 +5,20 @@
 * Tune kernel according to Banyan best practices
 * Support configurable rate limiting
 
+## v1.1.14
+
+* Add variables to support IMDS v2
+
+## v1.1.13
+
+* Add descriptions to each rule in the security group
+* Add all resources to module output so you can reference them downstream
+* Install pybanyan so it's available for troubleshooting and automation
+
+## v1.1.12
+
+* Support individual tags per resource.
+
 ## v1.1.11
 
 * Documented the `host_tags`, `groups_by_userinfo`, and `name_prefix` input variables.

README.md

@@ -14,7 +14,6 @@ provider "aws" {
 
 module "aws_accesstier" {
   source                 = "banyansecurity/banyan-accesstier/aws"
-  region                 = "us-east-1"
   vpc_id                 = "vpc-0e73afd7c24062f0a"
   public_subnet_ids      = ["subnet-09ef9206ca406ffe7", "subnet-0bcb18d59e3ff3cc7"]
   private_subnet_ids     = ["subnet-00e393f22c3f09e16", "subnet-0dfce8195de704b65"]
@@ -83,6 +82,9 @@ terraform plan
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of an SSH key stored in AWS to allow management access | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Add tags to each resource | `map(any)` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC in which to create the Access Tier | `string` | n/a | yes |
+| <a name="input_http\_endpoint\_imds\_v2"></a> [http\_endpoint\_imds\_v2](#input\_http\_endpoint\_imds\_v2) | Value for http_endpoint to enable imds v2 for ec2 instance | `string` | `"enabled"` | no |
+| <a name="input_http\_tokens\_imds\_v2"></a> [http\_tokens\_imds\_v2](#input\_http\_tokens\_imds\_v2) | Value for http_tokens to enable imds v2 for ec2 instance | `string` | `"required"` | no |
+| <a name="input_http_hop_limit_imds_v2"></a> [http\_hop\_limit\_imds\_v2](#input\_http\_hop\_limit\_imds\_v2) | Value for http_put_response_hop_limit to enable imds v2 for ec2 instance | `number` | `1` | no |
 
 The `rate_limiting` object has the following structure:
 

main.tf

@@ -1,4 +1,14 @@
-data "aws_ami" "default_ami" {
+locals {
+  tags = merge(var.tags, {
+    Provider = "BanyanOps"
+  })
+
+  asg_tags = merge(local.tags, {
+    Name = "${var.site_name}-BanyanHost"
+  })
+}
+
+data aws_ami "default_ami" {
   most_recent = true
   owners      = ["amazon"]
 
@@ -18,6 +28,7 @@ resource "aws_security_group" "sg" {
     to_port     = 443
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Web traffic"
   }
 
   dynamic "ingress" {
@@ -27,6 +38,7 @@ resource "aws_security_group" "sg" {
       to_port     = 80
       protocol    = "tcp"
       cidr_blocks = ["0.0.0.0/0"]
+      description = "Redirect to 443"
     }
   }
 
@@ -35,32 +47,34 @@ resource "aws_security_group" "sg" {
     to_port     = 8443
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow for web traffic"
   }
 
   ingress {
     from_port   = 9998
     to_port     = 9998
     protocol    = "tcp"
     cidr_blocks = var.healthcheck_cidrs
+    description = "Healthcheck"
   }
 
   ingress {
     from_port   = 2222
     to_port     = 2222
     protocol    = "tcp"
     cidr_blocks = var.management_cidrs
+    description = "Management"
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow egress to everything"
   }
 
-  tags = merge(var.tags, {
-    Provider = "BanyanOps"
-  })
+  tags = merge(local.tags, var.security_group_tags)
 }
 
 resource "aws_autoscaling_group" "asg" {
@@ -73,13 +87,11 @@ resource "aws_autoscaling_group" "asg" {
   health_check_grace_period = 300
   health_check_type         = "ELB"
   target_group_arns         = compact([join("", aws_lb_target_group.target80.*.arn), aws_lb_target_group.target443.arn, aws_lb_target_group.target8443.arn])
+  max_instance_lifetime     = var.max_instance_lifetime
 
   dynamic "tag" {
     # do another merge for application specific tags if need-be
-    for_each = merge(var.tags, {
-      Provider = "BanyanOps"
-      Name     = "${var.site_name}-BanyanHost"
-    })
+    for_each = merge(local.asg_tags, var.autoscaling_group_tags)
 
     content {
       key                 = tag.key
@@ -104,6 +116,13 @@ resource "aws_launch_configuration" "conf" {
     virtual_name = "ephemeral0"
   }
 
+  metadata_options {
+    http_endpoint               = var.http_endpoint_imds_v2
+    http_tokens                 = var.http_tokens_imds_v2
+    http_put_response_hop_limit = var.http_hop_limit_imds_v2
+  }
+
+
   lifecycle {
     create_before_destroy = true
   }
@@ -122,7 +141,9 @@ resource "aws_launch_configuration" "conf" {
     "echo '262144' > /proc/sys/net/netfilter/nf_conntrack_max\n",
     # install prerequisites and Banyan netagent
     "yum update -y\n",
-    "yum install -y jq tar gzip curl sed\n",
+    "yum install -y jq tar gzip curl sed python3\n",
+    "pip3 install --upgrade pip\n",
+    "/usr/local/bin/pip3 install pybanyan\n", # previous line changes /bin/pip3 to /usr/local/bin which is not in the path
     "rpm --import https://www.banyanops.com/onramp/repo/RPM-GPG-KEY-banyan\n",
     "yum-config-manager --add-repo https://www.banyanops.com/onramp/repo\n",
     "while [ -f /var/run/yum.pid ]; do sleep 1; done\n",
@@ -156,9 +177,7 @@ resource "aws_alb" "nlb" {
   subnets                          = var.public_subnet_ids
   enable_cross_zone_load_balancing = var.cross_zone_enabled
 
-  tags = merge(var.tags, {
-    Provider = "BanyanOps"
-  })
+  tags = merge(local.tags, var.lb_tags)
 }
 
 resource "aws_lb_target_group" "target443" {
@@ -174,9 +193,7 @@ resource "aws_lb_target_group" "target443" {
     unhealthy_threshold = 2
   }
 
-  tags = merge(var.tags, {
-    Provider = "BanyanOps"
-  })
+  tags = merge(local.tags, var.target_group_tags)
 }
 
 resource "aws_lb_listener" "listener443" {
@@ -204,9 +221,7 @@ resource "aws_lb_target_group" "target80" {
     unhealthy_threshold = 2
   }
 
-  tags = merge(var.tags, {
-    Provider = "BanyanOps"
-  })
+  tags = merge(local.tags, var.target_group_tags)
 }
 
 resource "aws_lb_listener" "listener80" {
@@ -234,9 +249,7 @@ resource "aws_lb_target_group" "target8443" {
     unhealthy_threshold = 2
   }
 
-  tags = merge(var.tags, {
-    Provider = "BanyanOps"
-  })
+  tags = merge(local.tags, var.target_group_tags)
 }
 
 resource "aws_lb_listener" "listener8443" {
@@ -260,4 +273,3 @@ resource "aws_autoscaling_policy" "cpu_policy" {
     target_value = 80
   }
 }
-

outputs.tf

@@ -12,3 +12,53 @@ output "security_group_id" {
   value       = aws_security_group.sg.id
   description = "The ID of the security group, which can be added as an inbound rule on other backend groups (example: `sg-1234abcd`)"
 }
+
+output "sg" {
+  value       = aws_security_group.sg
+  description = "The `aws_security_group.sg` resource" 
+}
+
+output "asg" {
+  value       = aws_autoscaling_group.asg
+  description = "The `aws_autoscaling_group.asg` resource" 
+}
+
+output "nlb" {
+  value       = aws_alb.nlb
+  description = "The `aws_alb.nlb` resource" 
+}
+
+output "target443" {
+  value       = aws_lb_target_group.target443
+  description = "The `aws_lb_target_group.target443` resource" 
+}
+
+output "target8443" {
+  value       = aws_lb_target_group.target8443
+  description = "The `aws_lb_target_group.target8443` resource" 
+}
+
+output "target80" {
+  value       = aws_lb_target_group.target80
+  description = "The `aws_lb_target_group.target80` resource" 
+}
+
+output "listener443" {
+  value       = aws_lb_listener.listener443
+  description = "The `aws_lb_listener.listener443` resource" 
+}
+
+output "listener8443" {
+  value       = aws_lb_listener.listener8443
+  description = "The `aws_lb_listener.listener8443` resource" 
+}
+
+output "listener80" {
+  value       = aws_lb_listener.listener80
+  description = "The `aws_lb_listener.listener80` resource" 
+}
+
+output "cpu_policy" {
+  value       = aws_autoscaling_policy.cpu_policy
+  description = "The `aws_autoscaling_policy.cpu_policy` resource" 
+}

variables.tf

@@ -1,8 +1,3 @@
-variable "region" {
-  type        = string
-  description = "Region in which to create Access Tier"
-}
-
 variable "vpc_id" {
   type        = string
   description = "ID of the VPC in which to create the Access Tier"
@@ -122,6 +117,30 @@ variable "tags" {
   default     = null
 }
 
+variable "security_group_tags" {
+  type        = map
+  description = "Additional tags to the security_group"
+  default     = null
+}
+
+variable "autoscaling_group_tags" {
+  type        = map
+  description = "Additional tags to the autoscaling_group"
+  default     = null
+}
+
+variable "lb_tags" {
+  type        = map
+  description = "Additional tags to the lb"
+  default     = null
+}
+
+variable "target_group_tags" {
+  type        = map
+  description = "Additional tags to each target_group"
+  default     = null
+}
+
 variable "host_tags" {
   type        = map(any)
   description = "Additional tags to assign to this AccessTier"
@@ -160,3 +179,26 @@ variable "rate_limiting" {
   }
 }
 
+variable "max_instance_lifetime" {
+  type        = number
+  default     = null
+  description = "The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds"
+}
+
+variable "http_endpoint_imds_v2" {
+  type        = string
+  description = "value for http_endpoint to enable imds v2 for ec2 instance"
+  default     = "enabled"
+}
+
+variable "http_tokens_imds_v2" {
+  type        = string
+  description = "value for http_tokens to enable imds v2 for ec2 instance"
+  default     = "required"
+}
+
+variable "http_hop_limit_imds_v2" {
+  type        = number
+  description = "value for http_put_response_hop_limit to enable imds v2 for ec2 instance"
+  default     = 1
+}