Skip to content

Instantly share code, notes, and snippets.

@swade1987

swade1987/bastion module

Created June 16, 2016 13:40
Show Gist options
  • Save swade1987/675252b0cb3009f4a1589d157ee59357 to your computer and use it in GitHub Desktop.
Save swade1987/675252b0cb3009f4a1589d157ee59357 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
bastion module
# ====== Bastion security groups ======= #
# Allow access to the bastion host from authorised networks.
# This security group will be applied to the bastion server.
resource "aws_security_group" "bastion" {
name = "bastion"
description = "Allow access from allowed_networks via SSH, and NAT internal traffic"
vpc_id = "${var.vpc_id}"
# SSH
ingress = {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [ "${var.allowed_ip_addresses}" ]
self = false
}
# VPN PORTS
ingress = {
from_port = 1194
to_port = 1194
protocol = "udp"
cidr_blocks = [ "${var.allowed_ip_addresses}" ]
self = false
}
ingress = {
from_port = 943
to_port = 943
protocol = "tcp"
cidr_blocks = [ "${var.allowed_ip_addresses}" ]
self = false
}
# NAT
ingress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = [
"${var.cidr_block}"
]
self = false
}
# Allow SSH within our VPC
egress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["${var.cidr_block}"]
}
# Allow UDP and TCP anywhere
egress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = [
"0.0.0.0/0"
]
self = false
}
egress {
from_port = 0
to_port = 65535
protocol = "udp"
cidr_blocks = [
"0.0.0.0/0"
]
self = false
}
}
# Allow access to other servers from the bastion host.
# This security group will be applied to any server that is accessed by the bastion server.
resource "aws_security_group" "allow_bastion" {
name = "allow_vpn_and_ssh_access"
description = "Allow SSH and VPN access from the bastion host"
vpc_id = "${var.vpc_id}"
ingress {
from_port = 0
to_port = 65535
protocol = "tcp"
security_groups = ["${aws_security_group.bastion.id}"]
self = false
}
}
# ====== Bastion host instances ======= #
resource "template_file" "user_data" {
template = "${file("${path.module}/user_data.sh")}"
vars {
ssh_key = "${file("${path.module}/ssh/id_rsa")}"
}
}
resource "aws_instance" "bastion_host" {
ami = "${var.ami}"
instance_type = "${var.instance_type}"
key_name = "${var.key_name}"
vpc_security_group_ids = ["${aws_security_group.bastion.id}"]
user_data = "${template_file.user_data.rendered}"
subnet_id = "${element(split(",", var.public_subnets), 0)}"
tags { Name = "bastion-host" }
}
# ====== Domain name ======= #
# Associate the instances created above with a single domain name.
resource "aws_route53_record" "bastion_host" {
zone_id = "XYZ123"
name = "${var.bastion_host_domain_name}"
type = "A"
ttl = "300"
records = ["${aws_instance.bastion_host.public_ip}"]
}
Raw
gocd server module
# ====== Go.cd server security groups ======= #
# Allow access to go.cd from authorised networks.
resource "aws_security_group" "gocd_elb" {
name = "gocd-ui-elb-sg"
description = "Security group for the gocd UI ELBs"
vpc_id = "${var.vpc_id}"
tags {
Name = "gocd (ELB)"
}
# HTTP
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["${var.ingress_cidr_blocks}"]
}
# HTTPS - SSL (UI)
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["${var.ingress_cidr_blocks}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${var.ingress_cidr_blocks}"]
}
}
# Allow access to the instances ONLY via the load balancer.
resource "aws_security_group" "gocd_server" {
name = "gocd-server-sg"
description = "Security group for Go.cd Server instances"
vpc_id = "${var.vpc_id}"
tags {
Name = "gocd Server (Instance)"
}
# HTTP from ELB
ingress {
from_port = 8153
to_port = 8153
protocol = "tcp"
security_groups = ["${aws_elb.gocd_elb.source_security_group_id}"]
}
# HTTPS -> HTTP from ELB
ingress {
from_port = 8154
to_port = 8154
protocol = "tcp"
security_groups = ["${aws_elb.gocd_elb.source_security_group_id}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${var.ingress_cidr_blocks}"]
}
}
# ====== IAM Roles, Policies & Certificiates ======= #
resource "aws_iam_role" "gocd_server" {
name = "gocdServer"
assume_role_policy = "${file("${path.module}/policies/assume-role-policy.json")}"
}
resource "aws_iam_role_policy" "gocd_server" {
name = "gocdServer"
role = "${aws_iam_role.gocd_server.id}"
policy = "${file("${path.module}/policies/gocd-server-policy.json")}"
}
resource "aws_iam_instance_profile" "gocd_server" {
name = "gocdServer"
roles = ["${aws_iam_role.gocd_server.name}"]
}
resource "aws_iam_server_certificate" "gocd_cert" {
name_prefix = "gocd-cert"
certificate_body = "${file("${path.module}/ssl/gocd-certificate-body.pem")}"
private_key = "${file("${path.module}/ssl/gocd-private-key.pem")}"
certificate_chain = "${file("${path.module}/ssl/gocd-certificate-chain.pem")}"
lifecycle {
create_before_destroy = true
}
}
# Place an Elastic Load Balancer in the private subnet.
resource "aws_elb" "gocd_elb" {
name = "gocd-elb"
subnets = ["${split(",", var.private_subnets)}"]
security_groups = ["${aws_security_group.gocd_elb.id}"]
cross_zone_load_balancing = true
connection_draining = true
internal = true
# HTTP
listener {
lb_port = 80
lb_protocol = "tcp"
instance_port = 8153
instance_protocol = "tcp"
}
# HTTPS
listener {
lb_port = 443
lb_protocol = "https"
instance_port = 8153
instance_protocol = "http"
ssl_certificate_id = "${aws_iam_server_certificate.gocd_cert.arn}"
}
health_check {
healthy_threshold = 2
unhealthy_threshold = 2
interval = 10
target = "TCP:8153"
timeout = 5
}
}
# Associate gocd.ukpds.org with the load balancer.
// resource "aws_route53_record" "gocd-server" {
// zone_id = "ABC123"
// name = "${var.domain_name}"
// type = "A"
// alias {
// name = "${aws_elb.gocd_elb.dns_name}"
// zone_id = "${aws_elb.gocd_elb.zone_id}"
// evaluate_target_health = true
// }
// }
# ====== Launch configuration ======= #
resource "template_file" "init" {
lifecycle {create_before_destroy = true}
template = "${file("${path.module}/user_data.sh")}"
vars {
ssh_key = "${file("${path.module}/ssh/id_rsa")}"
ssh_known_hosts = "${file("${path.module}/ssh/known_hosts")}"
}
}
resource "aws_launch_configuration" "gocd_server" {
lifecycle {create_before_destroy = true}
user_data = "${template_file.init.rendered}"
image_id = "${var.ami}"
instance_type = "${var.instance_type}"
iam_instance_profile = "${aws_iam_instance_profile.gocd_server.id}"
name_prefix = "gocd-server-launch-configuration"
security_groups = ["${aws_security_group.gocd_server.id}", "${var.allow_bastion_security_group}"]
associate_public_ip_address = false
ebs_optimized = false
key_name = "${var.key_name}"
}
# ====== Auto scaling group (allow instances located in the private subnet) ======= #
resource "aws_autoscaling_group" "gocd_server" {
lifecycle { create_before_destroy = true }
name = "gocd-server-autoscaling-group"
launch_configuration = "${aws_launch_configuration.gocd_server.id}"
max_size = 2
min_size = 1
desired_capacity = 2
wait_for_elb_capacity = 1
default_cooldown = 30
health_check_grace_period = "900"
health_check_type = "EC2"
load_balancers = ["${aws_elb.gocd_elb.name}"]
vpc_zone_identifier = ["${split(",", var.private_subnets)}"]
tag {
key = "Name"
value = "gocd-server"
propagate_at_launch = true
}
tag {
key = "role"
value = "gocd-server"
propagate_at_launch = true
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment