open-nomad/e2e/terraform/network.tf

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

207 lines
4.5 KiB
Terraform
Raw Normal View History

2018-12-17 17:40:09 +00:00
data "aws_vpc" "default" {
default = true
}
data "aws_subnet" "default" {
availability_zone = var.availability_zone
vpc_id = data.aws_vpc.default.id
default_for_az = true
}
data "aws_subnet" "secondary" {
availability_zone = var.availability_zone
vpc_id = data.aws_vpc.default.id
default_for_az = false
tags = {
Secondary = "true"
}
}
2021-06-04 14:04:45 +00:00
data "http" "my_public_ipv4" {
url = "https://api.ipify.org"
2021-06-04 14:04:45 +00:00
}
locals {
ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.http.my_public_ipv4.body)}/32" : "0.0.0.0/0"
}
resource "aws_security_group" "servers" {
name = "${local.random_name}-servers"
vpc_id = data.aws_vpc.default.id
2018-12-17 17:40:09 +00:00
# SSH from test runner
2018-12-17 17:40:09 +00:00
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
2018-12-17 17:40:09 +00:00
}
# Nomad HTTP and RPC from test runner
2018-12-17 17:40:09 +00:00
ingress {
from_port = 4646
to_port = 4647
2018-12-17 17:40:09 +00:00
protocol = "tcp"
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
2018-12-17 17:40:09 +00:00
}
# Nomad HTTP and RPC from clients
ingress {
from_port = 4646
to_port = 4647
protocol = "tcp"
security_groups = [aws_security_group.clients.id]
}
# Nomad serf is covered here: only allowed between hosts in the servers own
# security group so that clients can't accidentally use serf address
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# the secondary VPC security group is intended only for internal traffic
# and so that we can exercise behaviors with multiple IPs
resource "aws_security_group" "servers_secondary" {
name = "${local.random_name}-servers-secondary"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "clients" {
name = "${local.random_name}-clients"
vpc_id = data.aws_vpc.default.id
# SSH from test runner
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [local.ingress_cidr]
}
# Nomad HTTP and RPC from test runner
2018-12-17 17:40:09 +00:00
ingress {
from_port = 4646
to_port = 4647
2018-12-17 17:40:09 +00:00
protocol = "tcp"
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
2018-12-17 17:40:09 +00:00
}
# UI reverse proxy from test runner
2018-12-17 17:40:09 +00:00
ingress {
from_port = 6464
to_port = 6464
2018-12-17 17:40:09 +00:00
protocol = "tcp"
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
2018-12-17 17:40:09 +00:00
}
# Fabio from test runner
ingress {
from_port = 9998
to_port = 9999
protocol = "tcp"
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
}
# allow all client-to-client
2018-12-17 17:40:09 +00:00
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# the secondary VPC security group is intended only for internal traffic
# and so that we can exercise behaviors with multiple IPs
resource "aws_security_group" "clients_secondary" {
name = "${local.random_name}-clients-secondary"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
2018-12-17 17:40:09 +00:00
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "nfs" {
count = var.volumes ? 1 : 0
name = "${local.random_name}-nfs"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 2049
to_port = 2049
protocol = "tcp"
security_groups = [aws_security_group.clients.id]
}
}
# every server gets a ENI
resource "aws_network_interface" "servers_secondary" {
subnet_id = data.aws_subnet.secondary.id
security_groups = [aws_security_group.servers_secondary.id]
count = var.server_count
attachment {
instance = aws_instance.server[count.index].id
device_index = 1
}
}
# every Linux client gets a ENI
resource "aws_network_interface" "clients_secondary" {
subnet_id = data.aws_subnet.secondary.id
security_groups = [aws_security_group.clients_secondary.id]
count = var.client_count_ubuntu_jammy_amd64
attachment {
instance = aws_instance.client_ubuntu_jammy_amd64[count.index].id
device_index = 1
}
}