2018-12-17 17:40:09 +00:00
|
|
|
data "aws_vpc" "default" {
|
|
|
|
default = true
|
|
|
|
}
|
|
|
|
|
2020-03-04 15:44:51 +00:00
|
|
|
data "aws_subnet" "default" {
|
|
|
|
availability_zone = var.availability_zone
|
|
|
|
vpc_id = data.aws_vpc.default.id
|
2023-02-20 09:08:28 +00:00
|
|
|
default_for_az = true
|
|
|
|
}
|
|
|
|
|
|
|
|
data "aws_subnet" "secondary" {
|
|
|
|
availability_zone = var.availability_zone
|
|
|
|
vpc_id = data.aws_vpc.default.id
|
|
|
|
default_for_az = false
|
|
|
|
tags = {
|
|
|
|
Secondary = "true"
|
|
|
|
}
|
2020-03-04 15:44:51 +00:00
|
|
|
}
|
|
|
|
|
2021-06-04 14:04:45 +00:00
|
|
|
data "http" "my_public_ipv4" {
|
2021-06-07 22:12:42 +00:00
|
|
|
url = "https://api.ipify.org"
|
2021-06-04 14:04:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
locals {
|
|
|
|
ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.http.my_public_ipv4.body)}/32" : "0.0.0.0/0"
|
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
resource "aws_security_group" "servers" {
|
|
|
|
name = "${local.random_name}-servers"
|
2019-10-14 15:27:08 +00:00
|
|
|
vpc_id = data.aws_vpc.default.id
|
2018-12-17 17:40:09 +00:00
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# SSH from test runner
|
2018-12-17 17:40:09 +00:00
|
|
|
ingress {
|
|
|
|
from_port = 22
|
|
|
|
to_port = 22
|
|
|
|
protocol = "tcp"
|
2021-06-04 14:04:45 +00:00
|
|
|
cidr_blocks = [local.ingress_cidr]
|
2018-12-17 17:40:09 +00:00
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# Nomad HTTP and RPC from test runner
|
2018-12-17 17:40:09 +00:00
|
|
|
ingress {
|
|
|
|
from_port = 4646
|
2023-02-20 09:08:28 +00:00
|
|
|
to_port = 4647
|
2018-12-17 17:40:09 +00:00
|
|
|
protocol = "tcp"
|
2021-06-04 14:04:45 +00:00
|
|
|
cidr_blocks = [local.ingress_cidr]
|
2018-12-17 17:40:09 +00:00
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# Nomad HTTP and RPC from clients
|
2022-04-19 20:55:05 +00:00
|
|
|
ingress {
|
2023-02-20 09:08:28 +00:00
|
|
|
from_port = 4646
|
|
|
|
to_port = 4647
|
|
|
|
protocol = "tcp"
|
|
|
|
security_groups = [aws_security_group.clients.id]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Nomad serf is covered here: only allowed between hosts in the servers own
|
|
|
|
# security group so that clients can't accidentally use serf address
|
|
|
|
ingress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
self = true
|
|
|
|
}
|
|
|
|
|
|
|
|
# allow all outbound
|
|
|
|
egress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# the secondary VPC security group is intended only for internal traffic
|
|
|
|
# and so that we can exercise behaviors with multiple IPs
|
|
|
|
resource "aws_security_group" "servers_secondary" {
|
|
|
|
name = "${local.random_name}-servers-secondary"
|
|
|
|
vpc_id = data.aws_vpc.default.id
|
|
|
|
|
|
|
|
ingress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
self = true
|
|
|
|
}
|
|
|
|
|
|
|
|
# allow all outbound
|
|
|
|
egress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
resource "aws_security_group" "clients" {
|
|
|
|
name = "${local.random_name}-clients"
|
|
|
|
vpc_id = data.aws_vpc.default.id
|
|
|
|
|
|
|
|
# SSH from test runner
|
|
|
|
ingress {
|
|
|
|
from_port = 22
|
|
|
|
to_port = 22
|
2022-04-19 20:55:05 +00:00
|
|
|
protocol = "tcp"
|
|
|
|
cidr_blocks = [local.ingress_cidr]
|
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# Nomad HTTP and RPC from test runner
|
2018-12-17 17:40:09 +00:00
|
|
|
ingress {
|
2023-02-20 09:08:28 +00:00
|
|
|
from_port = 4646
|
|
|
|
to_port = 4647
|
2018-12-17 17:40:09 +00:00
|
|
|
protocol = "tcp"
|
2021-06-04 14:04:45 +00:00
|
|
|
cidr_blocks = [local.ingress_cidr]
|
2018-12-17 17:40:09 +00:00
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# UI reverse proxy from test runner
|
2018-12-17 17:40:09 +00:00
|
|
|
ingress {
|
2023-02-20 09:08:28 +00:00
|
|
|
from_port = 6464
|
|
|
|
to_port = 6464
|
2018-12-17 17:40:09 +00:00
|
|
|
protocol = "tcp"
|
2021-06-04 14:04:45 +00:00
|
|
|
cidr_blocks = [local.ingress_cidr]
|
2018-12-17 17:40:09 +00:00
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# Fabio from test runner
|
2020-10-05 13:28:37 +00:00
|
|
|
ingress {
|
2023-02-20 09:08:28 +00:00
|
|
|
from_port = 9998
|
|
|
|
to_port = 9999
|
2020-10-05 13:28:37 +00:00
|
|
|
protocol = "tcp"
|
2021-06-04 14:04:45 +00:00
|
|
|
cidr_blocks = [local.ingress_cidr]
|
2020-10-05 13:28:37 +00:00
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# allow all client-to-client
|
2018-12-17 17:40:09 +00:00
|
|
|
ingress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
self = true
|
|
|
|
}
|
|
|
|
|
2023-02-20 09:08:28 +00:00
|
|
|
# allow all outbound
|
|
|
|
egress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# the secondary VPC security group is intended only for internal traffic
|
|
|
|
# and so that we can exercise behaviors with multiple IPs
|
|
|
|
resource "aws_security_group" "clients_secondary" {
|
|
|
|
name = "${local.random_name}-clients-secondary"
|
|
|
|
vpc_id = data.aws_vpc.default.id
|
|
|
|
|
|
|
|
ingress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
self = true
|
|
|
|
}
|
|
|
|
|
|
|
|
# allow all outbound
|
2018-12-17 17:40:09 +00:00
|
|
|
egress {
|
|
|
|
from_port = 0
|
|
|
|
to_port = 0
|
|
|
|
protocol = "-1"
|
|
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-04 15:44:51 +00:00
|
|
|
resource "aws_security_group" "nfs" {
|
2020-10-14 14:29:33 +00:00
|
|
|
count = var.volumes ? 1 : 0
|
2020-03-04 15:44:51 +00:00
|
|
|
name = "${local.random_name}-nfs"
|
|
|
|
vpc_id = data.aws_vpc.default.id
|
|
|
|
|
|
|
|
ingress {
|
|
|
|
from_port = 2049
|
|
|
|
to_port = 2049
|
|
|
|
protocol = "tcp"
|
2023-02-20 09:08:28 +00:00
|
|
|
security_groups = [aws_security_group.clients.id]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# every server gets a ENI
|
|
|
|
resource "aws_network_interface" "servers_secondary" {
|
|
|
|
subnet_id = data.aws_subnet.secondary.id
|
|
|
|
security_groups = [aws_security_group.servers_secondary.id]
|
|
|
|
|
|
|
|
count = var.server_count
|
|
|
|
attachment {
|
|
|
|
instance = aws_instance.server[count.index].id
|
|
|
|
device_index = 1
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# every Linux client gets a ENI
|
|
|
|
resource "aws_network_interface" "clients_secondary" {
|
|
|
|
subnet_id = data.aws_subnet.secondary.id
|
|
|
|
security_groups = [aws_security_group.clients_secondary.id]
|
|
|
|
|
|
|
|
count = var.client_count_ubuntu_jammy_amd64
|
|
|
|
attachment {
|
|
|
|
instance = aws_instance.client_ubuntu_jammy_amd64[count.index].id
|
|
|
|
device_index = 1
|
2020-03-04 15:44:51 +00:00
|
|
|
}
|
|
|
|
}
|