# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# The account's default VPC in the configured region. Every security group,
# subnet lookup and network interface in this file is scoped to it.
data "aws_vpc" "default" {
  default = true
}
# The default subnet of var.availability_zone inside the default VPC.
# NOTE(review): nothing in this file consumes this subnet; the instances that
# presumably use it are declared elsewhere.
data "aws_subnet" "default" {
  availability_zone = var.availability_zone
  vpc_id            = data.aws_vpc.default.id
  default_for_az    = true
}
# A non-default subnet in the same AZ, selected by its Secondary=true tag. The
# secondary network interfaces at the bottom of this file are placed here.
# The lookup errors unless the filters match exactly one subnet, so the tag
# must be unique within the AZ.
data "aws_subnet" "secondary" {
  availability_zone = var.availability_zone
  vpc_id            = data.aws_vpc.default.id
  default_for_az    = false
  tags = {
    Secondary = "true"
  }
}
# Public IPv4 address of the host running Terraform, obtained from a
# third-party service over HTTPS. Its only consumer is local.ingress_cidr,
# which trusts the response body as-is. Because this block has no count it is
# fetched on every plan, even when var.restrict_ingress_cidrblock is false and
# the result is unused.
# NOTE(review): `body` is the attribute name of older hashicorp/http provider
# releases; newer ones expose `response_body` instead — check the pinned
# provider version.
data "http" "my_public_ipv4" {
  url = "https://api.ipify.org"
}
locals {
  # Source CIDR admitted by every "from test runner" ingress rule below.
  #   var.restrict_ingress_cidrblock = true  -> the runner's public IPv4 as a
  #                                            /32, as reported by api.ipify.org
  #   var.restrict_ingress_cidrblock = false -> 0.0.0.0/0, which leaves SSH and
  #                                            the Nomad HTTP/RPC ports
  #                                            reachable from any IPv4 address
  # NOTE(review): the lookup result is not validated; an empty or IPv6 response
  # would produce an invalid /32 here — confirm the runner resolves to IPv4.
  ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.http.my_public_ipv4.body)}/32" : "0.0.0.0/0"
}
# Security group attached to the Nomad server hosts' primary interface.
resource "aws_security_group" "servers" {
  vpc_id = data.aws_vpc.default.id
  name   = "${local.random_name}-servers"

  # Operator SSH from the test runner. local.ingress_cidr is 0.0.0.0/0 unless
  # var.restrict_ingress_cidrblock is set, so this can be world-reachable.
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad HTTP API (4646) and RPC (4647) from the test runner; same exposure
  # caveat as the SSH rule.
  ingress {
    protocol    = "tcp"
    from_port   = 4646
    to_port     = 4647
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad HTTP API and RPC from the client hosts. The source is the clients'
  # security group rather than a CIDR, so it tracks group membership.
  ingress {
    protocol        = "tcp"
    from_port       = 4646
    to_port         = 4647
    security_groups = [aws_security_group.clients.id]
  }

  # Server-to-server: any protocol and port, but only between members of this
  # group. This is the only rule that admits Nomad serf (gossip) traffic, so
  # clients cannot accidentally reach the serf address.
  ingress {
    protocol  = "-1"
    from_port = 0
    to_port   = 0
    self      = true
  }

  # Unrestricted outbound.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Security group for the servers' secondary network interface. It admits only
# intra-group traffic (no CIDR or cross-group ingress) and exists so that each
# host has a second IP address for exercising multi-address behaviours.
resource "aws_security_group" "servers_secondary" {
  vpc_id = data.aws_vpc.default.id
  name   = "${local.random_name}-servers-secondary"

  # Any protocol and port, but only from other members of this group.
  ingress {
    protocol  = "-1"
    from_port = 0
    to_port   = 0
    self      = true
  }

  # Unrestricted outbound.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Security group attached to the Nomad client hosts' primary interface.
resource "aws_security_group" "clients" {
  vpc_id = data.aws_vpc.default.id
  name   = "${local.random_name}-clients"

  # Operator SSH from the test runner. local.ingress_cidr is 0.0.0.0/0 unless
  # var.restrict_ingress_cidrblock is set, so this can be world-reachable.
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad HTTP API (4646) and RPC (4647) from the test runner; same exposure
  # caveat as the SSH rule.
  ingress {
    protocol    = "tcp"
    from_port   = 4646
    to_port     = 4647
    cidr_blocks = [local.ingress_cidr]
  }

  # Nomad UI reverse proxy from the test runner.
  ingress {
    protocol    = "tcp"
    from_port   = 6464
    to_port     = 6464
    cidr_blocks = [local.ingress_cidr]
  }

  # Fabio (9998-9999) from the test runner.
  ingress {
    protocol    = "tcp"
    from_port   = 9998
    to_port     = 9999
    cidr_blocks = [local.ingress_cidr]
  }

  # Client-to-client: any protocol and port between members of this group.
  ingress {
    protocol  = "-1"
    from_port = 0
    to_port   = 0
    self      = true
  }

  # Unrestricted outbound.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Security group for the clients' secondary network interface. It admits only
# intra-group traffic (no CIDR or cross-group ingress) and exists so that each
# host has a second IP address for exercising multi-address behaviours.
resource "aws_security_group" "clients_secondary" {
  vpc_id = data.aws_vpc.default.id
  name   = "${local.random_name}-clients-secondary"

  # Any protocol and port, but only from other members of this group.
  ingress {
    protocol  = "-1"
    from_port = 0
    to_port   = 0
    self      = true
  }

  # Unrestricted outbound.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Security group for the NFS host used by the volumes tests.
resource "aws_security_group" "nfs" {
  # Only created when the volumes fixture is enabled.
  count = var.volumes ? 1 : 0

  vpc_id = data.aws_vpc.default.id
  name   = "${local.random_name}-nfs"

  # NFS (2049/tcp) from the client security group only. Nothing is opened to
  # the test runner or to any CIDR range.
  ingress {
    protocol        = "tcp"
    from_port       = 2049
    to_port         = 2049
    security_groups = [aws_security_group.clients.id]
  }

  # No egress block: with this resource type the provider removes AWS's
  # default allow-all egress rule, so the group has no outbound rules. Replies
  # to the NFS ingress still flow because security groups are stateful.
}
# One secondary network interface per server, placed in the secondary subnet
# and guarded by the servers_secondary group. It is attached as device 1; the
# instance's primary interface is device 0.
resource "aws_network_interface" "servers_secondary" {
  count = var.server_count

  subnet_id       = data.aws_subnet.secondary.id
  security_groups = [aws_security_group.servers_secondary.id]

  # aws_instance.server is declared elsewhere; indexing by count.index pairs
  # interface i with server i.
  attachment {
    instance     = aws_instance.server[count.index].id
    device_index = 1
  }
}
# One secondary network interface per Ubuntu Jammy amd64 client, placed in the
# secondary subnet and guarded by the clients_secondary group. Attached as
# device 1; the instance's primary interface is device 0. Other client
# platforms (if any are declared elsewhere) do not get a secondary interface.
resource "aws_network_interface" "clients_secondary" {
  count = var.client_count_ubuntu_jammy_amd64

  subnet_id       = data.aws_subnet.secondary.id
  security_groups = [aws_security_group.clients_secondary.id]

  # aws_instance.client_ubuntu_jammy_amd64 is declared elsewhere; indexing by
  # count.index pairs interface i with client i.
  attachment {
    instance     = aws_instance.client_ubuntu_jammy_amd64[count.index].id
    device_index = 1
  }
}