open-nomad/e2e/terraform/network.tf
Tim Gross e23ed85d57
E2E: add multi-home networking to test infrastructure (#16218)
Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet
we have provisioned in each AZ. Revise security groups as follows:

* Split out client security groups from servers so that we can't have clients
  accidentally accessing serf addresses or other unexpected cross-talk.
* Add new security groups for the secondary subnet that only allow
  communication within the same security group, so we can exercise behaviors
  with multiple IPs.

This changeset doesn't include any Nomad configuration changes needed to take
advantage of the extra network interface. I'll include those with testing for
PR #16217.
2023-02-20 10:08:28 +01:00


# The e2e cluster is built in the account's default VPC; every security group
# and subnet lookup below is scoped to it.
data "aws_vpc" "default" {
  default = true
}
# Primary subnet: the default-for-AZ subnet of the default VPC in the AZ the
# cluster is deployed to. The instances themselves are declared elsewhere, so
# which interface lands here is not visible in this file (presumably eth0).
data "aws_subnet" "default" {
  availability_zone = var.availability_zone
  vpc_id            = data.aws_vpc.default.id
  default_for_az    = true
}
# Secondary subnet used for the extra ENI on each Linux host. It is provisioned
# outside of this configuration (see the commit message) and is identified by
# the Secondary=true tag; the lookup must match exactly one non-default subnet
# in the same AZ or the plan fails.
data "aws_subnet" "secondary" {
  availability_zone = var.availability_zone
  vpc_id            = data.aws_vpc.default.id
  default_for_az    = false
  tags = {
    Secondary = "true"
  }
}
# Public IPv4 address of the host running terraform, as reported by a
# third-party service over HTTPS. The response body feeds local.ingress_cidr,
# i.e. the CIDR allowed to reach SSH and the Nomad HTTP/RPC ports, so a
# malformed or unexpected response ends up in a security group rule. This data
# source has no count, so the lookup (and the outbound network access it needs
# at plan time) happens even when restrict_ingress_cidrblock is false and the
# value is never used.
# NOTE(review): newer releases of the hashicorp/http provider expose the body
# as `response_body` and deprecate `body`; confirm against the pinned version.
data "http" "my_public_ipv4" {
  url = "https://api.ipify.org"
}
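locals {
  # Public IPv4 of the test runner, as returned by api.ipify.org (trailing
  # newline stripped).
  runner_ipv4 = chomp(data.http.my_public_ipv4.body)

  # CIDR allowed to reach SSH and the Nomad HTTP/RPC ports (plus the UI proxy
  # and Fabio on clients) from outside the cluster.
  #
  # When restrict_ingress_cidrblock is set this is the runner's /32. The
  # response comes from an external service, so regex() fails the plan unless
  # it is a plain dotted-quad IPv4 address (an HTML error page, an IPv6
  # address, etc. are rejected here with a clear message instead of being
  # handed to a security group rule). When unset, 0.0.0.0/0 is used and those
  # ports are reachable from the whole internet.
  ingress_cidr = var.restrict_ingress_cidrblock ? "${regex("^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$", local.runner_ipv4)}/32" : "0.0.0.0/0"
}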
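# Primary-interface security group for the Nomad servers.
#
# Rules that admit traffic from outside the cluster are gated by
# local.ingress_cidr, which is 0.0.0.0/0 unless restrict_ingress_cidrblock is
# set; SSH and the Nomad HTTP/RPC ports are then open to the internet. Clients
# are only admitted on HTTP/RPC, and everything else (serf on 4648 included) is
# limited to members of this same group, so a client cannot reach the serf
# address. Rule descriptions duplicate the comments so that the intent is also
# visible in the AWS console/CLI.
resource "aws_security_group" "servers" {
  name   = "${local.random_name}-servers"
  vpc_id = data.aws_vpc.default.id

  # SSH from test runner
  ingress {
    description = "SSH from test runner"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad HTTP and RPC from test runner
  ingress {
    description = "Nomad HTTP and RPC from test runner"
    from_port   = 4646
    to_port     = 4647
    protocol    = "tcp"
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad HTTP and RPC from clients (primary interface only: the clients'
  # secondary security group is deliberately not referenced here)
  ingress {
    description     = "Nomad HTTP and RPC from clients"
    from_port       = 4646
    to_port         = 4647
    protocol        = "tcp"
    security_groups = [aws_security_group.clients.id]
  }

  # Nomad serf is covered here: all protocols, but only between hosts in the
  # servers' own security group, so that clients can't accidentally use the
  # serf address
  ingress {
    description = "All server-to-server traffic, including serf"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  # allow all outbound (test hosts need to pull packages and binaries)
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}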
# the secondary VPC security group is intended only for internal traffic
# and so that we can exercise behaviors with multiple IPs
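# Security group for the servers' secondary ENI (see
# aws_network_interface.servers_secondary). It is intended only for internal
# traffic so we can exercise behaviors with multiple IPs: the single ingress
# rule admits members of this same group and nothing else, so the secondary
# interface is unreachable from the test runner, from the clients (either of
# their groups), and from the servers' primary group.
resource "aws_security_group" "servers_secondary" {
  name   = "${local.random_name}-servers-secondary"
  vpc_id = data.aws_vpc.default.id

  # all traffic between members of this group only
  ingress {
    description = "All traffic between server secondary interfaces"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  # allow all outbound
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}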
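# Primary-interface security group for the Nomad clients.
#
# Everything reachable from outside the cluster (SSH, Nomad HTTP/RPC, the UI
# reverse proxy and Fabio) is gated by local.ingress_cidr, which is 0.0.0.0/0
# unless restrict_ingress_cidrblock is set. There is no rule admitting the
# servers' groups: clients accept traffic only from the runner CIDR and from
# other members of this group. Rule descriptions duplicate the comments so
# that the intent is also visible in the AWS console/CLI.
resource "aws_security_group" "clients" {
  name   = "${local.random_name}-clients"
  vpc_id = data.aws_vpc.default.id

  # SSH from test runner
  ingress {
    description = "SSH from test runner"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad HTTP and RPC from test runner
  ingress {
    description = "Nomad HTTP and RPC from test runner"
    from_port   = 4646
    to_port     = 4647
    protocol    = "tcp"
    cidr_blocks = [local.ingress_cidr]
  }

  # UI reverse proxy from test runner
  ingress {
    description = "UI reverse proxy from test runner"
    from_port   = 6464
    to_port     = 6464
    protocol    = "tcp"
    cidr_blocks = [local.ingress_cidr]
  }

  # Fabio from test runner
  ingress {
    description = "Fabio from test runner"
    from_port   = 9998
    to_port     = 9999
    protocol    = "tcp"
    cidr_blocks = [local.ingress_cidr]
  }

  # allow all client-to-client (any protocol, members of this group only)
  ingress {
    description = "All client-to-client traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  # allow all outbound (test hosts need to pull packages and binaries)
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}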
# the secondary VPC security group is intended only for internal traffic
# and so that we can exercise behaviors with multiple IPs
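# Security group for the Linux clients' secondary ENI (see
# aws_network_interface.clients_secondary). It is intended only for internal
# traffic so we can exercise behaviors with multiple IPs: the single ingress
# rule admits members of this same group and nothing else, so the secondary
# interface is unreachable from the test runner, from the servers (either of
# their groups), and from the clients' primary group.
resource "aws_security_group" "clients_secondary" {
  name   = "${local.random_name}-clients-secondary"
  vpc_id = data.aws_vpc.default.id

  # all traffic between members of this group only
  ingress {
    description = "All traffic between client secondary interfaces"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  # allow all outbound
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}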
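# Security group for the shared NFS volume, only created when var.volumes is
# set. NFS (2049/tcp) is accepted from the clients' primary group only; the
# servers and the secondary groups cannot reach it.
#
# There is deliberately no egress block. The AWS provider drops the VPC default
# allow-all egress rule from a security group it manages unless one is
# declared, so whatever this group is attached to (presumably an EFS mount
# target, declared elsewhere) cannot initiate connections. Security groups are
# stateful, so replies on the accepted NFS connections still flow; add an
# egress block if the attached resource ever needs to originate traffic.
resource "aws_security_group" "nfs" {
  count  = var.volumes ? 1 : 0
  name   = "${local.random_name}-nfs"
  vpc_id = data.aws_vpc.default.id

  # NFS from clients
  ingress {
    description     = "NFS from clients"
    from_port       = 2049
    to_port         = 2049
    protocol        = "tcp"
    security_groups = [aws_security_group.clients.id]
  }
}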
# every server gets a ENI
# every server gets a ENI on the secondary subnet, attached as device 1
# (eth1 from the guest's point of view) and guarded only by the
# servers_secondary group, so it is reachable from other servers' secondary
# interfaces and nothing else. The guest OS and Nomad configuration needed to
# actually use the interface are not part of this file (see the commit
# message).
# NOTE(review): count must stay equal to the number of aws_instance.server
# instances, and each instance type has a maximum number of ENIs — confirm the
# chosen type allows a second one.
resource "aws_network_interface" "servers_secondary" {
  subnet_id       = data.aws_subnet.secondary.id
  security_groups = [aws_security_group.servers_secondary.id]
  count           = var.server_count
  attachment {
    instance     = aws_instance.server[count.index].id
    device_index = 1
  }
}
# every Linux client gets a ENI
# every Linux client gets a ENI on the secondary subnet, attached as device 1
# (eth1 from the guest's point of view) and guarded only by the
# clients_secondary group, so it is reachable from other clients' secondary
# interfaces and nothing else. Only the Ubuntu Jammy amd64 clients are covered
# here; any other client instance types declared elsewhere get no second
# interface. The guest OS and Nomad configuration needed to actually use the
# interface are not part of this file (see the commit message).
# NOTE(review): count must stay equal to the number of
# aws_instance.client_ubuntu_jammy_amd64 instances, and each instance type has
# a maximum number of ENIs — confirm the chosen type allows a second one.
resource "aws_network_interface" "clients_secondary" {
  subnet_id       = data.aws_subnet.secondary.id
  security_groups = [aws_security_group.clients_secondary.id]
  count           = var.client_count_ubuntu_jammy_amd64
  attachment {
    instance     = aws_instance.client_ubuntu_jammy_amd64[count.index].id
    device_index = 1
  }
}