fec0adbb0e
This allows us to spin up e2e clusters with mTLS configured for all HashiCorp services, i.e. Nomad, Consul, and Vault. I used it for testing #11089. mTLS is disabled by default. I have not updated the Windows provisioning scripts yet; Windows also already lacked ACL support before this change. I intend to follow up on them in another round.
# Looks up the default VPC of the account/region the AWS provider is
# configured for. Both security groups in this file are created in this VPC.
data "aws_vpc" "default" {
  default = true
}
# Selects the subnet of the default VPC that lives in var.availability_zone.
data "aws_subnet" "default" {
  vpc_id            = data.aws_vpc.default.id
  availability_zone = var.availability_zone
}
# Asks an external service for the public IPv4 address of the machine running
# Terraform. The response body is interpolated into local.ingress_cidr.
# NOTE(review): the firewall allow-list therefore depends on whatever this
# third-party endpoint returns at plan time; the body is not validated here.
# Check the planned cidr_blocks before applying.
data "http" "my_public_ipv4" {
  url = "https://api.ipify.org"
}
locals {
  # Source range allowed to reach the cluster's externally exposed ports.
  #   restrict_ingress_cidrblock = true  -> only the operator's public IPv4 (/32)
  #   restrict_ingress_cidrblock = false -> any IPv4 address (0.0.0.0/0)
  # With the unrestricted value, every cidr_blocks rule in
  # aws_security_group.primary (SSH, Nomad, Fabio, Consul, Vault) is reachable
  # from the whole internet. The commit message states mTLS is disabled by
  # default, so prefer the restricted setting unless TLS and ACLs are enabled.
  ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.http.my_public_ipv4.body)}/32" : "0.0.0.0/0"
}
# Security group for the e2e cluster, created in the default VPC.
# All externally reachable ports share one source range, local.ingress_cidr,
# which is either the operator's /32 or 0.0.0.0/0 (see the locals block).
# local.random_name is defined outside the visible part of this file.
resource "aws_security_group" "primary" {
  name   = local.random_name
  vpc_id = data.aws_vpc.default.id

  # SSH
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad
  ingress {
    protocol    = "tcp"
    from_port   = 4646
    to_port     = 4646
    cidr_blocks = [local.ingress_cidr]
  }

  # Fabio
  ingress {
    protocol    = "tcp"
    from_port   = 9998
    to_port     = 9999
    cidr_blocks = [local.ingress_cidr]
  }

  # Consul: 8500 for HTTP, 8501 for HTTPS
  # NOTE(review): the plaintext HTTP port is opened unconditionally, so it
  # stays in the allow-list even when the cluster is deployed with mTLS.
  # Whether Consul still listens on 8500 in that mode depends on agent
  # configuration not shown here - confirm.
  ingress {
    protocol    = "tcp"
    from_port   = 8500
    to_port     = 8501
    cidr_blocks = [local.ingress_cidr]
  }

  # Vault
  ingress {
    protocol    = "tcp"
    from_port   = 8200
    to_port     = 8200
    cidr_blocks = [local.ingress_cidr]
  }

  # Intra-cluster traffic: members of this security group may reach each
  # other on every port and protocol.
  ingress {
    protocol  = "-1"
    from_port = 0
    to_port   = 0
    self      = true
  }

  # Outbound traffic is unrestricted (all protocols, any IPv4 destination).
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Security group for NFS access, created only when var.volumes is true.
# Inbound TCP 2049 is accepted solely from members of the primary security
# group; no CIDR-based source is allowed.
# NOTE(review): no egress block is declared here. The AWS provider normally
# removes the default allow-all egress rule on groups it creates, so this
# group presumably permits no outbound traffic - confirm that is intended.
resource "aws_security_group" "nfs" {
  count  = var.volumes ? 1 : 0
  name   = "${local.random_name}-nfs"
  vpc_id = data.aws_vpc.default.id

  ingress {
    protocol        = "tcp"
    from_port       = 2049
    to_port         = 2049
    security_groups = [aws_security_group.primary.id]
  }
}