From 4a58799741db791b3159865bb2d10d78718ade98 Mon Sep 17 00:00:00 2001 From: Sergey Novikov Date: Wed, 11 Dec 2024 17:49:43 +0100 Subject: [PATCH 1/3] OPS-6392 Replace ELB with ALB --- README.md | 18 ++-- data.tf | 29 ++++++ examples/custom-vpc-with-vault/main.tf | 6 +- main.tf | 120 ++++++++++++++++++----- modules/vault-cluster/README.md | 2 +- modules/vault-cluster/security-groups.tf | 2 +- modules/vault-cluster/variables.tf | 2 +- outputs.tf | 12 +-- variables.tf | 8 +- 9 files changed, 144 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 28e3b66..6c23b79 100644 --- a/README.md +++ b/README.md @@ -186,19 +186,13 @@ Type: `number` Default: `3` -### [vault\_ingress\_cidr\_https](#input\_vault\_ingress\_cidr\_https) +### [vault\_ingress\_cidr](#input\_vault\_ingress\_cidr) -Description: List of CIDR's from which you are allowed to https access the vault cluster. +Description: CIDR's from which you are allowed to https access the vault cluster. -Type: `list(string)` - -Default: +Type: `string` -```json -[ - "0.0.0.0/0" -] -``` +Default: `"0.0.0.0/0"` ### [security\_group\_names](#input\_security\_group\_names) @@ -255,11 +249,11 @@ Default: `null` | Name | Description | |------|-------------| +| [alb\_fqdn\_vault](#output\_alb\_fqdn\_vault) | The AWS provided CNAME of the Vault ALB. | +| [alb\_route53\_public\_dns\_name\_vault](#output\_alb\_route53\_public\_dns\_name\_vault) | The Route53 name attached to the Vault ALB, if specified in variables. | | [asg\_name\_consul\_cluster](#output\_asg\_name\_consul\_cluster) | Autoscaling group name of the Consul cluster. | | [asg\_name\_vault\_cluster](#output\_asg\_name\_vault\_cluster) | Autoscaling group name of the Vault cluster. | | [aws\_region](#output\_aws\_region) | Used AWS region. | -| [elb\_fqdn\_vault](#output\_elb\_fqdn\_vault) | The AWS provided CNAME of the Vault ELB. | -| [elb\_route53\_public\_dns\_name\_vault](#output\_elb\_route53\_public\_dns\_name\_vault) | The Route53 name attached to the Vault ELB, if spcified in variables. | | [iam\_role\_arn\_consul\_cluster](#output\_iam\_role\_arn\_consul\_cluster) | IAM role ARN attached to the Consul cluster. | | [iam\_role\_arn\_vault\_cluster](#output\_iam\_role\_arn\_vault\_cluster) | IAM role ARN attached to the Vault cluster. | | [iam\_role\_id\_consul\_cluster](#output\_iam\_role\_id\_consul\_cluster) | IAM role ID attached to the Consul cluster. | diff --git a/data.tf b/data.tf index 2502393..f0346c8 100644 --- a/data.tf +++ b/data.tf @@ -1 +1,30 @@ data "aws_region" "current" {} + +data "aws_route53_zone" "public" { + count = var.vault_route53_public_dns_name != "" ? 1 : 0 + + private_zone = false + + # Removes the first sub-domain part from the FQDN to use as hosted zone. + name = "${replace(var.vault_route53_public_dns_name, "/^.+?\\./", "")}." +} + +data "aws_route53_zone" "private" { + count = var.vault_route53_public_dns_name != "" ? 1 : 0 + + private_zone = true + + # Removes the first sub-domain part from the FQDN to use as hosted zone. + name = "${replace(var.vault_route53_public_dns_name, "/^.+?\\./", "")}." +} + +data "aws_security_groups" "alb" { + filter { + name = "group-name" + values = var.security_group_names + } + filter { + name = "vpc-id" + values = [var.vpc_id] + } +} diff --git a/examples/custom-vpc-with-vault/main.tf b/examples/custom-vpc-with-vault/main.tf index 86e42fc..ab0a417 100644 --- a/examples/custom-vpc-with-vault/main.tf +++ b/examples/custom-vpc-with-vault/main.tf @@ -38,9 +38,9 @@ module "aws_vault" { vault_cluster_name = "vault-example-vault" # Security - ssh_keys = ["ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey"] - ssh_security_group_id = module.aws_vpc.bastion_security_group_id - vault_ingress_cidr_https = ["0.0.0.0/0"] + ssh_keys = ["ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey"] + ssh_security_group_id = module.aws_vpc.bastion_security_group_id + vault_ingress_cidr = "0.0.0.0/0" ssl_certificate_id = "arn:aws:acm:eu-central-1:123456789012:certificate/xxxxx-xxxx-xxxx-xxxx-xxxxx" } diff --git a/main.tf b/main.tf index 3c983c6..80dca76 100644 --- a/main.tf +++ b/main.tf @@ -27,7 +27,7 @@ module "vault_cluster" { health_check_type = "EC2" - elb_security_group_id = module.vault_elb.security_group_ids[0] + alb_security_group_id = module.vault_alb.security_group_id consul_security_group_id = module.consul_cluster.security_group_id ssh_security_group_id = var.ssh_security_group_id @@ -40,38 +40,104 @@ module "consul_iam_policies_servers" { iam_role_id = module.vault_cluster.iam_role_id } -module "vault_elb" { - source = "github.com/Flaconi/terraform-aws-elb?ref=v2.0.0" - - name = var.vault_cluster_name - vpc_id = var.vpc_id - subnet_ids = var.public_subnet_ids - - lb_port = 443 - lb_protocol = "HTTPS" - instance_port = 8200 - instance_protocol = "HTTPS" - ssl_certificate_id = var.ssl_certificate_id - - target = "HTTPS:8200/v1/sys/health?standbyok=true" - timeout = 5 - interval = 15 - healthy_threshold = 2 - unhealthy_threshold = 2 - - inbound_cidr_blocks = var.vault_ingress_cidr_https - security_group_names = var.security_group_names - - route53_public_dns_name = var.vault_route53_public_dns_name - - public_dns_evaluate_target_health = false +module "vault_alb" { + source = "github.com/terraform-aws-modules/terraform-aws-alb?ref=v9.12.0" + + name = var.vault_cluster_name + vpc_id = var.vpc_id + subnets = var.public_subnet_ids + + security_group_name = "${var.name}-alb" + security_group_description = "ALB security group for external connection" + security_group_ingress_rules = { + all_http = { + from_port = 80 + to_port = 80 + ip_protocol = "tcp" + cidr_ipv4 = var.vault_ingress_cidr + description = "HTTP web traffic" + } + all_https = { + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + cidr_ipv4 = var.vault_ingress_cidr + description = "HTTPS web traffic" + } + } + security_group_egress_rules = { + all = { + ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" + description = "AWS default egress rule" + } + } + security_groups = data.aws_security_groups.alb.ids + + # new + listeners = { + http-https-redirect = { + port = 80 + protocol = "HTTP" + redirect = { + port = "443" + protocol = "HTTPS" + status_code = "HTTP_301" + } + } + https = { + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-TLS13-1-3-2021-06" + certificate_arn = var.ssl_certificate_id + + forward = { + target_group_key = "vault" + } + } + } + + target_groups = { + vault = { + name_prefix = "vault" + protocol = "HTTPS" + port = 8200 + + create_attachment = false + + health_check = { + enable = true + path = "/v1/sys/health?standbyok=true" + port = "traffic-port" + protocol = "HTTPS" + timeout = 5 + interval = 15 + healthy_threshold = 2 + unhealthy_threshold = 2 + } + } + } + + # Route53 Record(s) + route53_records = var.vault_route53_public_dns_name != "" ? { + public = { + name = var.vault_route53_public_dns_name + type = "A" + zone_id = data.aws_route53_zone.public[0].id + } + private = { + name = var.vault_route53_public_dns_name + type = "A" + zone_id = data.aws_route53_zone.private[0].id + } + } : {} tags = var.tags } resource "aws_autoscaling_attachment" "vault" { autoscaling_group_name = module.vault_cluster.asg_name - elb = module.vault_elb.id + lb_target_group_arn = module.vault_alb.target_groups["vault"].arn } module "consul_cluster" { diff --git a/modules/vault-cluster/README.md b/modules/vault-cluster/README.md index 354b415..c85dba1 100644 --- a/modules/vault-cluster/README.md +++ b/modules/vault-cluster/README.md @@ -89,7 +89,7 @@ machines. | [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. Setting this to '0' causes Terraform to skip all Capacity Waiting behavior. | `string` | `"10m"` | no | | [health\_check\_type](#input\_health\_check\_type) | Controls how health checking is done. Must be one of EC2 or ELB. | `string` | `"EC2"` | no | | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | Time, in seconds, after instance comes into service before checking health. | `number` | `60` | no | -| [elb\_security\_group\_id](#input\_elb\_security\_group\_id) | ID of the security group of a public ELB from which you can API access the Vault instances. | `string` | n/a | yes | +| [alb\_security\_group\_id](#input\_alb\_security\_group\_id) | ID of the security group of a public ELB from which you can API access the Vault instances. | `string` | n/a | yes | | [ssh\_security\_group\_id](#input\_ssh\_security\_group\_id) | ID of the security group of a bastion ssh instance from where you can ssh into the Vault instances. | `string` | n/a | yes | | [consul\_security\_group\_id](#input\_consul\_security\_group\_id) | ID of the security group of the Consul instances to allow traffic from Consul into Vault. | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | The name of the Vault cluster (e.g. vault-stage). This variable is used to namespace all resources created by this module. | `string` | n/a | yes | diff --git a/modules/vault-cluster/security-groups.tf b/modules/vault-cluster/security-groups.tf index 50d779a..751acb4 100644 --- a/modules/vault-cluster/security-groups.tf +++ b/modules/vault-cluster/security-groups.tf @@ -79,7 +79,7 @@ module "lc_security_group" { from_port = "8200" to_port = "8200" protocol = "tcp" - source_security_group_id = var.elb_security_group_id + source_security_group_id = var.alb_security_group_id description = "External API. Allow API access to Vault instances from this security group (from ELB or instances)." }, ] diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf index a99aab0..2974d42 100644 --- a/modules/vault-cluster/variables.tf +++ b/modules/vault-cluster/variables.tf @@ -78,7 +78,7 @@ variable "health_check_grace_period" { type = number } -variable "elb_security_group_id" { +variable "alb_security_group_id" { description = "ID of the security group of a public ELB from which you can API access the Vault instances." type = string } diff --git a/outputs.tf b/outputs.tf index 32c59c3..36cbc6a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,11 +1,11 @@ -output "elb_fqdn_vault" { - value = module.vault_elb.fqdn - description = "The AWS provided CNAME of the Vault ELB." +output "alb_fqdn_vault" { + value = module.vault_alb.dns_name + description = "The AWS provided CNAME of the Vault ALB." } -output "elb_route53_public_dns_name_vault" { - value = module.vault_elb.route53_public_dns_name - description = "The Route53 name attached to the Vault ELB, if spcified in variables." +output "alb_route53_public_dns_name_vault" { + value = var.vault_route53_public_dns_name + description = "The Route53 name attached to the Vault ALB, if specified in variables." } output "asg_name_consul_cluster" { diff --git a/variables.tf b/variables.tf index 9ce4e5d..6eb5530 100644 --- a/variables.tf +++ b/variables.tf @@ -84,10 +84,10 @@ variable "ssh_security_group_id" { type = string } -variable "vault_ingress_cidr_https" { - description = "List of CIDR's from which you are allowed to https access the vault cluster." - type = list(string) - default = ["0.0.0.0/0"] +variable "vault_ingress_cidr" { + description = "CIDR's from which you are allowed to https access the vault cluster." + type = string + default = "0.0.0.0/0" } variable "security_group_names" { From bda162a33557c23df9e9e7b6aaf10d1203cdb4c3 Mon Sep 17 00:00:00 2001 From: Sergey Novikov Date: Wed, 11 Dec 2024 18:34:11 +0100 Subject: [PATCH 2/3] OPS-6392 Add private records for ALB --- README.md | 8 ++++++++ data.tf | 4 ++-- main.tf | 28 ++++++++++++++++------------ variables.tf | 6 ++++++ 4 files changed, 32 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 6c23b79..37a53d1 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,14 @@ Type: `string` Default: `""` +### [vault\_route53\_private\_dns\_name](#input\_vault\_route53\_private\_dns\_name) + +Description: The Route53 private DNS name for the vault ELB. If not set, no Route53 record will be created. + +Type: `string` + +Default: `""` + ### [ssh\_user](#input\_ssh\_user) Description: User name used for SSH-connections. diff --git a/data.tf b/data.tf index f0346c8..8684aef 100644 --- a/data.tf +++ b/data.tf @@ -10,12 +10,12 @@ data "aws_route53_zone" "public" { } data "aws_route53_zone" "private" { - count = var.vault_route53_public_dns_name != "" ? 1 : 0 + count = var.vault_route53_private_dns_name != "" ? 1 : 0 private_zone = true # Removes the first sub-domain part from the FQDN to use as hosted zone. - name = "${replace(var.vault_route53_public_dns_name, "/^.+?\\./", "")}." + name = "${replace(var.vault_route53_private_dns_name, "/^.+?\\./", "")}." } data "aws_security_groups" "alb" { diff --git a/main.tf b/main.tf index 80dca76..cdf3e32 100644 --- a/main.tf +++ b/main.tf @@ -119,18 +119,22 @@ module "vault_alb" { } # Route53 Record(s) - route53_records = var.vault_route53_public_dns_name != "" ? { - public = { - name = var.vault_route53_public_dns_name - type = "A" - zone_id = data.aws_route53_zone.public[0].id - } - private = { - name = var.vault_route53_public_dns_name - type = "A" - zone_id = data.aws_route53_zone.private[0].id - } - } : {} + route53_records = merge( + var.vault_route53_public_dns_name != "" ? { + public = { + name = var.vault_route53_public_dns_name + type = "A" + zone_id = data.aws_route53_zone.public[0].id + } + } : {}, + var.vault_route53_private_dns_name != "" ? { + private = { + name = var.vault_route53_private_dns_name + type = "A" + zone_id = data.aws_route53_zone.private[0].id + } + } : {} + ) tags = var.tags } diff --git a/variables.tf b/variables.tf index 6eb5530..efc5c0e 100644 --- a/variables.tf +++ b/variables.tf @@ -43,6 +43,12 @@ variable "vault_route53_public_dns_name" { type = string } +variable "vault_route53_private_dns_name" { + description = "The Route53 private DNS name for the vault ELB. If not set, no Route53 record will be created." + default = "" + type = string +} + variable "ssh_user" { description = "User name used for SSH-connections." type = string From c4add2cb0dc4b4facd53b503c349bee944a68941 Mon Sep 17 00:00:00 2001 From: Sergey Novikov Date: Thu, 12 Dec 2024 10:26:54 +0100 Subject: [PATCH 3/3] OPS-6392 Fix examples outputs --- examples/custom-vpc-with-vault/README.md | 4 ++-- examples/custom-vpc-with-vault/outputs.tf | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/examples/custom-vpc-with-vault/README.md b/examples/custom-vpc-with-vault/README.md index d69f3cf..c7d85a9 100644 --- a/examples/custom-vpc-with-vault/README.md +++ b/examples/custom-vpc-with-vault/README.md @@ -66,8 +66,8 @@ No resources. | Name | Description | |------|-------------| | [elb\_fqdn\_bastion](#output\_elb\_fqdn\_bastion) | AWS generated CNAME for the bastion host ELB | -| [elb\_fqdn\_vault](#output\_elb\_fqdn\_vault) | AWS generated CNAME for the vault ELB | | [elb\_route53\_public\_dns\_name\_bastion](#output\_elb\_route53\_public\_dns\_name\_bastion) | Route53 public DNS name for the bastion host ELB | -| [elb\_route53\_public\_dns\_name\_vault](#output\_elb\_route53\_public\_dns\_name\_vault) | Route53 public DNS name for the vault ELB | +| [alb\_fqdn\_vault](#output\_alb\_fqdn\_vault) | AWS generated CNAME for the vault ALB | +| [alb\_route53\_public\_dns\_name\_vault](#output\_alb\_route53\_public\_dns\_name\_vault) | Route53 public DNS name for the vault ALB | diff --git a/examples/custom-vpc-with-vault/outputs.tf b/examples/custom-vpc-with-vault/outputs.tf index a195215..e56aee4 100644 --- a/examples/custom-vpc-with-vault/outputs.tf +++ b/examples/custom-vpc-with-vault/outputs.tf @@ -6,17 +6,17 @@ output "elb_fqdn_bastion" { description = "AWS generated CNAME for the bastion host ELB" } -output "elb_fqdn_vault" { - value = module.aws_vault.elb_fqdn_vault - description = "AWS generated CNAME for the vault ELB" -} - output "elb_route53_public_dns_name_bastion" { value = module.aws_vpc.bastion_route53_public_dns_name description = "Route53 public DNS name for the bastion host ELB" } -output "elb_route53_public_dns_name_vault" { - value = module.aws_vault.elb_route53_public_dns_name_vault - description = "Route53 public DNS name for the vault ELB" +output "alb_fqdn_vault" { + value = module.aws_vault.alb_fqdn_vault + description = "AWS generated CNAME for the vault ALB" +} + +output "alb_route53_public_dns_name_vault" { + value = module.aws_vault.alb_route53_public_dns_name_vault + description = "Route53 public DNS name for the vault ALB" }