-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add bastion configuration to terraform
Added a terraform configuration to allow the creation of a bastion host for remote access and management of the OpenSearch cluster.
- Loading branch information
Showing
11 changed files
with
197 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
pillarbox-monitoring-terraform/20-pillarbox-monitoring-app/locals.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
25 changes: 25 additions & 0 deletions
25
pillarbox-monitoring-terraform/22-bastion/.terraform.lock.hcl
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| locals { | ||
| bastion_ami = "ami-0d7c381edfc5ee30e" | ||
| bastion_instance_type = "t4g.nano" | ||
| vpc_id = var.vpc_ids[terraform.workspace] | ||
|
|
||
| default_tags = { | ||
| "srg-managed-by" = "terraform" | ||
| "srg-application" = var.application_name | ||
| "srg-owner" = "[email protected]" | ||
| "srg-businessowner" = "pillarbox" | ||
| "srg-environment" = terraform.workspace | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| # ----------------------------------- | ||
| # Terraform Configuration | ||
| # ----------------------------------- | ||
|
|
||
| terraform { | ||
| # Backend configuration for storing the Terraform state in S3 with DynamoDB table for state locking | ||
| backend "s3" { | ||
| encrypt = true | ||
| bucket = "pillarbox-monitoring-tfstate" | ||
| key = "terraform/22-bastion/terraform.tfstate" | ||
| dynamodb_table = "pillarbox-monitoring-terraform-statelock" | ||
| profile = "prod" | ||
| } | ||
|
|
||
| # Specify required providers and their versions | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~>5.4.0" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # AWS Provider Setup | ||
| # ----------------------------------- | ||
|
|
||
| provider "aws" { | ||
| # Apply default tags to all AWS resources | ||
| default_tags { | ||
| tags = local.default_tags | ||
| } | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # AWS Data Sources | ||
| # ----------------------------------- | ||
|
|
||
| # Retrieve the VPC information | ||
| data "aws_vpc" "main_vpc" { | ||
| id = local.vpc_id | ||
| } | ||
|
|
||
| # Retrieve public subnets based on VPC and tags | ||
| data "aws_subnets" "public_subnets" { | ||
| filter { | ||
| name = "vpc-id" | ||
| values = [data.aws_vpc.main_vpc.id] | ||
| } | ||
|
|
||
| tags = { | ||
| Name = "*public*" | ||
| } | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # Bastion configuration | ||
| # ----------------------------------- | ||
|
|
||
| resource "aws_key_pair" "bastion_key" { | ||
| key_name = "bastion-keypair" | ||
| public_key = var.bastion_public_key | ||
| } | ||
|
|
||
| # Security Group for the Bastion Host | ||
| resource "aws_security_group" "bastion_sg" { | ||
| name = "bastion-sg" | ||
| description = "Allow SSH access by IP" | ||
| vpc_id = data.aws_vpc.main_vpc.id | ||
|
|
||
| ingress { | ||
| description = "SSH from my IP" | ||
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = var.allowed_ips | ||
| } | ||
|
|
||
| egress { | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = var.allowed_ips | ||
| } | ||
| } | ||
|
|
||
| # Bastion Host EC2 Instance in Public Subnet | ||
| resource "aws_instance" "bastion" { | ||
| ami = local.bastion_ami | ||
| instance_type = local.bastion_instance_type | ||
| subnet_id = data.aws_subnets.public_subnets.ids[0] | ||
| key_name = "bastion-keypair" | ||
| vpc_security_group_ids = [aws_security_group.bastion_sg.id] | ||
| associate_public_ip_address = true | ||
|
|
||
| tags = { | ||
| Name = "bastion-host" | ||
| } | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # OpenSearch security group rule | ||
| # ----------------------------------- | ||
|
|
||
| data "aws_security_group" "opensearch_sg" { | ||
| filter { | ||
| name = "group-name" | ||
| values = ["opensearch-sg"] | ||
| } | ||
| } | ||
|
|
||
| resource "aws_security_group_rule" "new_ingress" { | ||
| type = "ingress" | ||
| from_port = 443 | ||
| to_port = 443 | ||
| protocol = "tcp" | ||
| source_security_group_id = aws_security_group.bastion_sg.id | ||
| security_group_id = data.aws_security_group.opensearch_sg.id | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # Outputs | ||
| # ----------------------------------- | ||
|
|
||
| output "bastion_public_ip" { | ||
| description = "Public IP of the Bastion Host" | ||
| value = aws_instance.bastion.public_ip | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| variable "application_name" { | ||
| description = "The name of the application" | ||
| type = string | ||
| default = "pillarbox-monitoring" | ||
| } | ||
|
|
||
| variable "vpc_ids" { | ||
| description = "VPC id map by terraform workspace" | ||
| type = map(string) | ||
| } | ||
|
|
||
| # Variable for Public Key | ||
| variable "bastion_public_key" { | ||
| description = "Public key for the bastion host" | ||
| type = string | ||
| } | ||
|
|
||
| variable "allowed_ips" { | ||
| description = "The list of ips that are allowed to connect to the bastion" | ||
| type = list(string) | ||
| } |
Submodule pillarbox-monitoring-transfer
updated
15 files