[NET-6931]

- adding correct security groups - moving un-related stuff to their own folder
hashicorp · Jan 10, 2024 · 43e236b · 43e236b
1 parent 75a805a
commit 43e236b
Show file tree

Hide file tree

Showing 5 changed files with 244 additions and 156 deletions.
diff --git a/examples/terminating-gateway-tls/certs.tf b/examples/terminating-gateway-tls/certs.tf
@@ -0,0 +1,161 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# generate ca cert and key for tgw <-> external app communication
+resource "tls_private_key" "external_app_ca_key" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_self_signed_cert" "external_app_ca_cert" {
+  private_key_pem       = tls_private_key.external_app_ca_key.private_key_pem
+  validity_period_hours = 43800
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "cert_signing",
+    "crl_signing",
+    "client_auth",
+  ]
+  dns_names = ["*"]
+  subject {
+    common_name  = "*"
+    organization = "HashiCorp Inc."
+  }
+
+  is_ca_certificate  = true
+  set_subject_key_id = true
+}
+
+resource "aws_secretsmanager_secret" "external_app_ca_key" {
+  name                    = "${var.name}-external-app-ca-key"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "external_app_ca_key" {
+  secret_id     = aws_secretsmanager_secret.external_app_ca_key.id
+  secret_string = tls_private_key.external_app_ca_key.private_key_pem
+}
+
+resource "aws_secretsmanager_secret" "external_app_ca_cert" {
+  name                    = "${var.name}-external-app-ca-cert"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "external_app_ca_cert" {
+  secret_id     = aws_secretsmanager_secret.external_app_ca_cert.id
+  secret_string = tls_self_signed_cert.external_app_ca_cert.cert_pem
+}
+
+# generate cert and key for the external app
+resource "tls_private_key" "external_app_private_key" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_cert_request" "csr_external_app" {
+
+  private_key_pem = tls_private_key.external_app_private_key.private_key_pem
+
+  dns_names = ["*"]
+
+  subject {
+    common_name  = "*"
+    organization = "HashiCorp Inc."
+  }
+}
+
+resource "tls_locally_signed_cert" "external_app_cert" {
+  validity_period_hours = 168
+  early_renewal_hours   = 24
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "client_auth",
+  ]
+
+  // CSR by the development servers
+  cert_request_pem = tls_cert_request.csr_external_app.cert_request_pem
+  // CA Private key
+  ca_private_key_pem = tls_private_key.external_app_ca_key.private_key_pem
+  // CA certificate
+  ca_cert_pem = tls_self_signed_cert.external_app_ca_cert.cert_pem
+}
+
+resource "aws_secretsmanager_secret" "external_app_private_key" {
+  name                    = "${var.name}-external-private-key"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "external_private_key" {
+  secret_id     = aws_secretsmanager_secret.external_app_private_key.id
+  secret_string = tls_private_key.external_app_private_key.private_key_pem
+}
+
+resource "aws_secretsmanager_secret" "external_cert" {
+  name                    = "${var.name}-external-cert"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "external_cert" {
+  secret_id     = aws_secretsmanager_secret.external_cert.id
+  secret_string = tls_locally_signed_cert.external_app_cert.cert_pem
+}
+
+# generate cert and key for the gateway
+resource "tls_private_key" "tgw_private_key" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_cert_request" "csr_tgw" {
+
+  private_key_pem = tls_private_key.tgw_private_key.private_key_pem
+
+  dns_names = ["*"]
+
+  subject {
+    common_name  = "*"
+    organization = "HashiCorp Inc."
+  }
+}
+
+resource "tls_locally_signed_cert" "tgw_cert" {
+  validity_period_hours = 168
+  early_renewal_hours   = 24
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "client_auth",
+  ]
+
+  // CSR by the development servers
+  cert_request_pem = tls_cert_request.csr_tgw.cert_request_pem
+  // CA Private key
+  ca_private_key_pem = tls_private_key.external_app_ca_key.private_key_pem
+  // CA certificate
+  ca_cert_pem = tls_self_signed_cert.external_app_ca_cert.cert_pem
+}
+
+resource "aws_secretsmanager_secret" "tgw_private_key" {
+  name                    = "${var.name}-tgw-private-key"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "tgw_private_key" {
+  secret_id     = aws_secretsmanager_secret.tgw_private_key.id
+  secret_string = tls_private_key.tgw_private_key.private_key_pem
+}
+
+resource "aws_secretsmanager_secret" "tgw_cert" {
+  name                    = "${var.name}-tgw-cert"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "tgw_cert" {
+  secret_id     = aws_secretsmanager_secret.tgw_cert.id
+  secret_string = tls_locally_signed_cert.tgw_cert.cert_pem
+}
diff --git a/examples/terminating-gateway-tls/efs.tf b/examples/terminating-gateway-tls/efs.tf
@@ -1,12 +1,15 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 resource "aws_security_group" "efs" {
-  name        = "efs-sg"
+  name        = "${var.name}-efs-sg"
   description = "Allows inbound efs traffic from ec2"
   vpc_id      = module.vpc.vpc_id
 
   ingress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
+    from_port   = 2049
+    to_port     = 2049
+    protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
@@ -19,10 +22,7 @@ resource "aws_security_group" "efs" {
 }
 
 resource "aws_efs_file_system" "certs_efs" {
-  creation_token   = "certs-efs"
-  performance_mode = "generalPurpose"
-  throughput_mode  = "bursting"
-  encrypted        = "true"
+  creation_token = "certs-efs"
   tags = {
     Name = "Certs"
   }
@@ -36,109 +36,12 @@ resource "aws_efs_mount_target" "efs_mt" {
   security_groups = [aws_security_group.efs.id]
 }
 
-#############################################################
-
-# generate ca cert and key
-resource "tls_private_key" "tgw_external_app_ca_key" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
-resource "tls_self_signed_cert" "tgw_external_app_ca_cert" {
-  private_key_pem       = tls_private_key.tgw_external_app_ca_key.private_key_pem
-  validity_period_hours = 43800
-  allowed_uses = [
-    "key_encipherment",
-    "digital_signature",
-    "server_auth",
-    "cert_signing",
-    "crl_signing",
-  ]
-  dns_names = ["*"]
-  subject {
-    common_name  = "*"
-    organization = "HashiCorp Inc."
-  }
-
-  is_ca_certificate  = true
-  set_subject_key_id = true
-}
-
-resource "aws_secretsmanager_secret" "tgw_external_app_ca_key" {
-  name                    = "tgw-external-app-ca-key"
-  recovery_window_in_days = 0
-}
-
-resource "aws_secretsmanager_secret_version" "tgw_external_app_ca_key" {
-  secret_id     = aws_secretsmanager_secret.tgw_external_app_ca_key.id
-  secret_string = tls_private_key.tgw_external_app_ca_key.private_key_pem
-}
-
-resource "aws_secretsmanager_secret" "tgw_external_app_ca_cert" {
-  name                    = "tgw-external-app-ca-cert"
-  recovery_window_in_days = 0
-}
-
-resource "aws_secretsmanager_secret_version" "tgw_external_app_ca_cert" {
-  secret_id     = aws_secretsmanager_secret.tgw_external_app_ca_cert.id
-  secret_string = tls_self_signed_cert.tgw_external_app_ca_cert.cert_pem
-}
-
-#generate cert and key for the gateway
-resource "tls_private_key" "tgw_external_app_private_key" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
-resource "tls_cert_request" "csr" {
-
-  private_key_pem = tls_private_key.tgw_external_app_private_key.private_key_pem
-
-  dns_names = ["*"]
-
-  subject {
-    common_name  = "*"
-    organization = "HashiCorp Inc."
-  }
-}
-
-resource "tls_locally_signed_cert" "tgw_external_app_cert" {
-  validity_period_hours = 168
-  early_renewal_hours   = 24
-  allowed_uses = [
-    "key_encipherment",
-    "digital_signature",
-    "server_auth",
-    "client_auth",
-  ]
-
-  // CSR by the development servers
-  cert_request_pem = tls_cert_request.csr.cert_request_pem
-  // CA Private key
-  ca_private_key_pem = tls_private_key.tgw_external_app_ca_key.private_key_pem
-  // CA certificate
-  ca_cert_pem = tls_self_signed_cert.tgw_external_app_ca_cert.cert_pem
-}
-
-resource "aws_secretsmanager_secret" "tgw_external_app_key" {
-  name                    = "tgw-external-app-key"
-  recovery_window_in_days = 0
-}
-
-resource "aws_secretsmanager_secret_version" "tgw_external_app_key" {
-  secret_id     = aws_secretsmanager_secret.tgw_external_app_key.id
-  secret_string = tls_private_key.tgw_external_app_private_key.private_key_pem
-}
-
-resource "aws_secretsmanager_secret" "tgw_external_app_cert" {
-  name                    = "tgw-external-app-cert"
-  recovery_window_in_days = 0
-}
-
-resource "aws_secretsmanager_secret_version" "tgw_external_app_cert" {
-  secret_id     = aws_secretsmanager_secret.tgw_external_app_cert.id
-  secret_string = tls_locally_signed_cert.tgw_external_app_cert.cert_pem
-}
-
-#############################################################
-
+# both external app server and gateway server are deployed in the default vpc
+resource "aws_security_group_rule" "ingress_from_default_vpc_to_efs" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 2049
+  protocol                 = "tcp"
+  source_security_group_id = data.aws_security_group.vpc_default.id
+  security_group_id        = aws_security_group.efs.id
+}