From be17710b6cd62d73ec0d1577d468f7409c707122 Mon Sep 17 00:00:00 2001 From: Montek Singh Date: Thu, 1 Jun 2023 09:55:42 +0100 Subject: [PATCH] Add NLB support for amazon mq * nlb integration * nlb integration code review * nlb integration code review * security group * security group * security group * nlb * nlb * workaround logic * docs * tf docs * tf docs * example * example modified * example modified * nlb integration * nlb integration * nlb integration --------- Co-authored-by: Matt Love <42376582+m477r1x@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- README.md | 57 +++++++- data.tf | 3 + examples/activemq-with-nlb/main.tf | 82 +++++++++++ examples/activemq/main.tf | 2 +- examples/rabbitmq/main.tf | 2 +- lb.tf | 71 ++++++++++ sg.tf | 219 +++++++++++++++++++++++++++++ variables.tf | 180 ++++++++++++++++++++++++ versions.tf | 2 +- 10 files changed, 614 insertions(+), 6 deletions(-) create mode 100644 data.tf create mode 100644 examples/activemq-with-nlb/main.tf create mode 100644 lb.tf create mode 100644 sg.tf diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9af94cf..d921b00 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,7 +18,7 @@ repos: args: ['--allow-missing-credentials'] - id: trailing-whitespace - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.1 + rev: v1.79.1 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/README.md b/README.md index 453405c..935aab6 100644 --- a/README.md +++ b/README.md @@ -24,13 +24,13 @@ module "mq" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | -| [aws](#requirement\_aws) | >= 4.0 | +| [aws](#requirement\_aws) | >= 5.0.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.60.0 | +| [aws](#provider\_aws) | 5.0.1 | ## Modules 
@@ -40,8 +40,31 @@ No modules. | Name | Type | |------|------| +| [aws_lb.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_lb_listener.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_lb_target_group_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource | | [aws_mq_broker.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) | resource | | [aws_mq_configuration.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_configuration) | resource | +| [aws_security_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.cidr_blocks_15671](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cidr_blocks_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cidr_blocks_5671](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cidr_blocks_61614](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cidr_blocks_61617](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cidr_blocks_61619](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| 
[aws_security_group_rule.cidr_blocks_8162](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cidr_blocks_8883](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_15671](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_5671](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_61614](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_61617](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_61619](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_8162](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.prefix_lists_8883](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_subnet.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | ## Inputs 
@@ -52,9 +75,20 @@ No modules. | [authentication\_strategy](#input\_authentication\_strategy) | Authentication strategy used to secure the broker. Valid values are simple and ldap. ldap is not supported for engine\_type RabbitMQ. | `string` | `null` | no | | [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions | `bool` | `false` | no | | [broker\_name](#input\_broker\_name) | Name of the broker | `string` | n/a | yes | +| [cidr\_blocks\_15671](#input\_cidr\_blocks\_15671) | Cidr blocks for the Amazon MQ for RabbitMQ Console security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_443](#input\_cidr\_blocks\_443) | Cidr blocks for the Amazon MQ for RabbitMQ Console security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_5671](#input\_cidr\_blocks\_5671) | Cidr block for connections made via SSL AMQP security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_61614](#input\_cidr\_blocks\_61614) | Cidr blocks for the Amazon MQ Stomp SSL security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_61617](#input\_cidr\_blocks\_61617) | Cidr blocks for the Amazon MQ SSL security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_61619](#input\_cidr\_blocks\_61619) | Cidr block for the websocket security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_8162](#input\_cidr\_blocks\_8162) | Cidr blocks for the ActiveMQ Console security group ingress rule | `list(string)` | `[]` | no | +| [cidr\_blocks\_8883](#input\_cidr\_blocks\_8883) | Cidr block for the MQTT security group ingress rule | `list(string)` | `[]` | no | | [configuration\_data](#input\_configuration\_data) | Broker configuration in XML format | `string` | `null` | no | | [configuration\_enabled](#input\_configuration\_enabled) | Enable configuration block for broker configuration. 
Applies to engine\_type of ActiveMQ only | `bool` | `true` | no | +| [create\_security\_group](#input\_create\_security\_group) | Flag to create Security Group for the broker | `bool` | `false` | no | | [deployment\_mode](#input\_deployment\_mode) | The deployment mode of the broker. Supported: SINGLE\_INSTANCE and ACTIVE\_STANDBY\_MULTI\_AZ | `string` | `"ACTIVE_STANDBY_MULTI_AZ"` | no | +| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Flag to enable/disable cross zone load balancing of the NLB | `bool` | `true` | no | +| [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | Flag to enable/disable deletion of NLB via AWS API and Terraform | `bool` | `true` | no | | [encryption\_enabled](#input\_encryption\_enabled) | Flag to enable/disable Amazon MQ encryption at rest | `bool` | `true` | no | | [engine\_type](#input\_engine\_type) | Type of broker engine, `ActiveMQ` or `RabbitMQ` | `string` | `"ActiveMQ"` | no | | [engine\_version](#input\_engine\_version) | The version of the broker engine. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html for more details | `string` | `"5.17.1"` | no | @@ -65,8 +99,27 @@ No modules. | [maintenance\_time\_of\_day](#input\_maintenance\_time\_of\_day) | The maintenance time, in 24-hour format. e.g. 02:00 | `string` | `"03:00"` | no | | [maintenance\_time\_zone](#input\_maintenance\_time\_zone) | The maintenance time zone, in either the Country/City format, or the UTC offset format. e.g. CET | `string` | `"UTC"` | no | | [mq\_additional\_users](#input\_mq\_additional\_users) | Additional MQ users |
list(object({
username = string
password = string
groups = optional(list(string), [])
console_access = optional(bool, false)
}))
| `[]` | no | +| [nlb\_certificate\_arn](#input\_nlb\_certificate\_arn) | Ceritificate ARN of NLB | `string` | `null` | no | +| [nlb\_enabled](#input\_nlb\_enabled) | Flag to attach Network Load Balancer to Active MQ | `bool` | `false` | no | +| [nlb\_internal](#input\_nlb\_internal) | Scheme type of the NLB, valid value is true or false where true is for internal and false for internet facing | `bool` | `true` | no | +| [nlb\_name](#input\_nlb\_name) | Name of the NLB | `string` | `null` | no | +| [nlb\_tags](#input\_nlb\_tags) | A mapping of additional tags to be attached to the NLB | `map(string)` | `{}` | no | +| [nlb\_tg\_port](#input\_nlb\_tg\_port) | Target Group Port for NLB | `number` | `8883` | no | +| [nlb\_tg\_protocol](#input\_nlb\_tg\_protocol) | Target Group Protocol for NLB | `string` | `"TCP"` | no | | [password](#input\_password) | Username for the admin user | `string` | `"adminpass123"` | no | +| [prefix\_lists\_15671](#input\_prefix\_lists\_15671) | Prefix list ids for the Amazon MQ for RabbitMQ Console security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_443](#input\_prefix\_lists\_443) | Prefix list ids for the Amazon MQ for RabbitMQ Console security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_5671](#input\_prefix\_lists\_5671) | Prefix list ids for connections made via SSL AMQP URL security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_61614](#input\_prefix\_lists\_61614) | Prefix list ids for the Amazon MQ Stomp SSL security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_61617](#input\_prefix\_lists\_61617) | Prefix list ids for the Amazon MQ SSL security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_61619](#input\_prefix\_lists\_61619) | Prefix list ids for the websocket security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_8162](#input\_prefix\_lists\_8162) | Prefix list ids for the ActiveMQ Console 
security group ingress rule | `list(string)` | `[]` | no | +| [prefix\_lists\_8883](#input\_prefix\_lists\_8883) | Prefix list ids for the MQTT security group ingress rule | `list(string)` | `[]` | no | | [publicly\_accessible](#input\_publicly\_accessible) | Whether to enable connections from applications outside of the VPC that hosts the broker's subnets | `bool` | `false` | no | +| [revoke\_rules\_on\_delete](#input\_revoke\_rules\_on\_delete) | Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. | `string` | `true` | no | +| [security\_group\_description](#input\_security\_group\_description) | Description of the Security Group | `string` | `"Security Group for the AWS MQ"` | no | +| [security\_group\_name](#input\_security\_group\_name) | Name of the Security Group | `string` | `""` | no | +| [security\_group\_tags](#input\_security\_group\_tags) | A mapping of additional tags to be attached to the Security Group | `map(string)` | `{}` | no | | [security\_groups](#input\_security\_groups) | List of security group IDs assigned to the broker | `list(string)` | `[]` | no | | [storage\_type](#input\_storage\_type) | Storage type of the broker. For engine\_type ActiveMQ, the valid values are efs and ebs, and the AWS-default is efs. For engine\_type RabbitMQ, only ebs is supported. When using ebs, only the mq.m5 broker instance type family is supported. | `string` | `null` | no | | [subnet\_ids](#input\_subnet\_ids) | List of VPC subnet IDs | `list(string)` | n/a | yes | diff --git a/data.tf b/data.tf new file mode 100644 index 0000000..647a8e9 --- /dev/null +++ b/data.tf @@ -0,0 +1,3 @@ +data "aws_subnet" "main" { + id = var.subnet_ids[0] +} diff --git a/examples/activemq-with-nlb/main.tf b/examples/activemq-with-nlb/main.tf new file mode 100644 index 0000000..bda9edc --- /dev/null +++ b/examples/activemq-with-nlb/main.tf 
@@ -0,0 +1,82 @@ +terraform { + required_version = ">= 1.3.0" + + required_providers { + aws = ">= 5.0.0" + } +} + +provider "aws" { + region = "eu-west-2" +} + +data "aws_vpc" "default" { + id = "" +} + +data "aws_subnets" "all" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + + filter { + name = "tag:Name" + values = ["*private*"] + } +} + +locals { + mq_admin_user = "adminUsername" + mq_admin_password = "adminPassword" +} + +module "active_mq" { + source = "../../" + + broker_name = "my-active-mq-broker" + + subnet_ids = [data.aws_subnets.all.ids[0], data.aws_subnets.all.ids[1]] + + security_groups = [""] + + engine_type = "ActiveMQ" + engine_version = "5.17.2" + host_instance_type = "mq.t3.micro" + + apply_immediately = true + + deployment_mode = "ACTIVE_STANDBY_MULTI_AZ" + + encryption_enabled = false + + username = local.mq_admin_user + password = local.mq_admin_password + + general_log_enabled = true + audit_log_enabled = true + + configuration_data = < + + + + + + + +DATA + + nlb_enabled = true + nlb_certificate_arn = "" + + create_security_group = true + security_group_name = "" + security_group_description = "example" + cidr_blocks_8883 = [data.aws_vpc.default.cidr_block] + prefix_lists_8883 = [data.aws_ec2_managed_prefix_list.default.id] +} + +data "aws_ec2_managed_prefix_list" "default" { + name = "" +} diff --git a/examples/activemq/main.tf b/examples/activemq/main.tf index 3e12a7d..b3569e6 100644 --- a/examples/activemq/main.tf +++ b/examples/activemq/main.tf @@ -2,7 +2,7 @@ terraform { required_version = ">= 1.3.0" required_providers { - aws = ">= 4.0.0" + aws = ">= 5.0.0" } } diff --git a/examples/rabbitmq/main.tf b/examples/rabbitmq/main.tf index 6323bd3..553ba34 100644 --- a/examples/rabbitmq/main.tf +++ b/examples/rabbitmq/main.tf @@ -2,7 +2,7 @@ terraform { required_version = ">= 1.3.0" required_providers { - aws = ">= 4.0.0" + aws = ">= 5.0.0" } } diff --git a/lb.tf b/lb.tf new file mode 100644 index 0000000..0a26290 
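Review bot: The example sets `encryption_enabled = false`, switching off the module's default at-rest encryption in the one file people will copy; leave the default in place or add a comment explaining why it is off here. The admin credentials are plaintext locals (`mq_admin_password = "adminPassword"`) in a committed file — an example should take them from a `sensitive = true` variable or a secrets data source so the pattern being copied is the safe one. `security_groups = [""]` passes an empty string to the broker; if the intent is that the module-created group is the only one, pass `[]`, and note that nothing in this patch appears to attach `aws_security_group.main` to the broker. The `configuration_data` heredoc body is empty in this rendering of the patch, so the ActiveMQ XML it carries could not be reviewed.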
--- /dev/null
+++ b/lb.tf
@@ -0,0 +1,71 @@
+resource "aws_lb" "main" {
+ count = var.nlb_enabled && var.deployment_mode == "ACTIVE_STANDBY_MULTI_AZ" ? 1 : 0
+
+ name = var.nlb_name == null ? "${var.broker_name}-nlb" : var.nlb_name
+ internal = var.nlb_internal
+ load_balancer_type = "network"
+ subnets = var.subnet_ids
+
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+ enable_deletion_protection = var.enable_deletion_protection
+
+ tags = merge(var.nlb_tags, var.tags)
+
+ depends_on = [
+ aws_mq_broker.main,
+ ]
+}
+
+resource "aws_lb_target_group" "main" {
+ count = var.nlb_enabled && var.deployment_mode == "ACTIVE_STANDBY_MULTI_AZ" ? 1 : 0
+
+ name = aws_lb.main[0].name
+ port = var.nlb_tg_port
+ protocol = var.nlb_tg_protocol
+ target_type = "ip"
+ vpc_id = data.aws_subnet.main.vpc_id
+
+ health_check {
+ enabled = true
+ port = 8162
+ protocol = "TCP"
+ interval = 10
+ healthy_threshold = 3
+ }
+
+ depends_on = [
+ aws_lb.main,
+ ]
+}
+
+resource "aws_lb_target_group_attachment" "main" {
+ count = (var.nlb_enabled && var.deployment_mode == "ACTIVE_STANDBY_MULTI_AZ") ? length(var.subnet_ids) : 0
+
+ target_group_arn = aws_lb_target_group.main[0].arn
+ target_id = aws_mq_broker.main.instances[count.index]["ip_address"]
+ port = 8883
+
+ depends_on = [
+ aws_mq_broker.main,
+ ]
+}
+
+resource "aws_lb_listener" "main" {
+ count = var.nlb_enabled && var.deployment_mode == "ACTIVE_STANDBY_MULTI_AZ" ? 1 : 0
+
+ load_balancer_arn = aws_lb.main[0].arn
+ port = "8883"
+ protocol = "TLS"
+ certificate_arn = var.nlb_certificate_arn
+ alpn_policy = "HTTP2Preferred"
+ ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.main[0].arn
+ }
+
+ depends_on = [
+ aws_lb.main,
+ ]
+}
diff --git a/sg.tf b/sg.tf
new file mode 100644
index 0000000..6c76fa3
--- /dev/null
+++ b/sg.tf
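Review bot: The target-group attachment hard-codes `port = 8883` while the target group itself takes `var.nlb_tg_port`, so a caller who changes `nlb_tg_port` ends up with a target group on one port and targets registered on another; the attachment should use `port = var.nlb_tg_port`, and the listener's `port = "8883"` should come from the same or a dedicated variable. The listener terminates TLS and forwards through a target group whose protocol defaults to plain `TCP`, but as far as I know Amazon MQ exposes 8883 only as `mqtt+ssl`, so the decrypted stream would hit a TLS-only port; defaulting `nlb_tg_protocol` to `"TLS"` (re-encryption to the broker) is what this topology normally needs, unless the authors verified plaintext works. `ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"` is a 2017 cipher list hard-coded in the module; expose it as an `nlb_ssl_policy` variable and default it to a current policy such as `ELBSecurityPolicy-TLS13-1-2-2021-06`. The health check probes the ActiveMQ console on 8162 rather than the port traffic is forwarded to, so a target can be reported healthy while 8883 is unreachable, and it requires the broker's security group to admit the NLB on 8162 as well; `port = "traffic-port"` avoids both. `alpn_policy = "HTTP2Preferred"` on an MQTT listener is unexpected — MQTT clients do not negotiate h2 — and deserves either a comment or removal.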
@@ -0,0 +1,219 @@ +resource "aws_security_group" "main" { + count = var.create_security_group ? 1 : 0 + + name = var.security_group_name + description = var.security_group_description + vpc_id = data.aws_subnet.main.vpc_id + + revoke_rules_on_delete = var.revoke_rules_on_delete + + tags = merge(var.tags, var.security_group_tags) + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_security_group_rule" "cidr_blocks_8883" { + count = var.create_security_group && length(var.cidr_blocks_8883) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_8883 + description = "Cidr Blocks for MQTT" + from_port = 8883 + to_port = 8883 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_8883" { + count = var.create_security_group && length(var.prefix_lists_8883) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_8883 + description = "Prefix Lists for MQTT" + from_port = 8883 + to_port = 8883 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_8162" { + count = var.create_security_group && length(var.cidr_blocks_8162) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_8162 + description = "Cidr Blocks for Amazon MQ for ActiveMQ console" + from_port = 8162 + to_port = 8162 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_8162" { + count = var.create_security_group && length(var.prefix_lists_8162) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_8162 + description = "Prefix Lists for Amazon MQ for ActiveMQ console" + from_port = 8162 + to_port = 8162 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_61619" { + count = var.create_security_group && length(var.cidr_blocks_61619) > 0 ? 
1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_61619 + description = "Cidr Blocks for ActiveMQ Websocket" + from_port = 61619 + to_port = 61619 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_61619" { + count = var.create_security_group && length(var.prefix_lists_61619) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_61619 + description = "Prefix Lists for ActiveMQ Websocket" + from_port = 61619 + to_port = 61619 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_5671" { + count = var.create_security_group && length(var.cidr_blocks_5671) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_5671 + description = "Cidr block for connections made via SSL AMQP" + from_port = 5671 + to_port = 5671 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_5671" { + count = var.create_security_group && length(var.prefix_lists_5671) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_5671 + description = "Prefix Lists for connections made via SSL AMQP" + from_port = 5671 + to_port = 5671 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_443" { + count = var.create_security_group && length(var.cidr_blocks_443) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_443 + description = "Cidr Blocks for Amazon MQ RabbitMQ console" + from_port = 443 + to_port = 443 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_443" { + count = var.create_security_group && length(var.prefix_lists_443) > 0 ? 
1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_443 + description = "Prefix Lists for Amazon MQ RabbitMQ console" + from_port = 443 + to_port = 443 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_15671" { + count = var.create_security_group && length(var.cidr_blocks_15671) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_15671 + description = "Cidr blocks for Amazon MQ RabbitMQ console" + from_port = 15671 + to_port = 15671 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_15671" { + count = var.create_security_group && length(var.prefix_lists_15671) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_15671 + description = "Prefix Lists for Amazon MQ RabbitMQ console" + from_port = 15671 + to_port = 15671 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_61617" { + count = var.create_security_group && length(var.cidr_blocks_61617) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_61617 + description = "Cidr block for Amazon MQ SSL" + from_port = 61617 + to_port = 61617 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_61617" { + count = var.create_security_group && length(var.prefix_lists_61617) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_61617 + description = "Prefix Lists for Amazon MQ SSL" + from_port = 61617 + to_port = 61617 + protocol = "tcp" +} + +resource "aws_security_group_rule" "cidr_blocks_61614" { + count = var.create_security_group && length(var.cidr_blocks_61614) > 0 ? 
1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + cidr_blocks = var.cidr_blocks_61614 + description = "Cidr block for Amazon MQ Stomp + SSL" + from_port = 61614 + to_port = 61614 + protocol = "tcp" +} + +resource "aws_security_group_rule" "prefix_lists_61614" { + count = var.create_security_group && length(var.prefix_lists_61614) > 0 ? 1 : 0 + + type = "ingress" + security_group_id = aws_security_group.main[0].id + prefix_list_ids = var.prefix_lists_61614 + description = "Prefix Lists for Amazon MQ Stomp + SSL" + from_port = 61614 + to_port = 61614 + protocol = "tcp" +} + +resource "aws_security_group_rule" "main" { + count = var.create_security_group ? 1 : 0 + + type = "egress" + description = "Egress Rule for ${aws_mq_broker.main.broker_name}" + protocol = "-1" + from_port = -1 + to_port = -1 + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.main[0].id +} diff --git a/variables.tf b/variables.tf index e8e23a5..940b2b3 100644 --- a/variables.tf +++ b/variables.tf 
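Review bot: Nothing in this patch attaches the new `aws_security_group.main` to anything — the diffstat shows no change to the broker resource and the NLB block has no `security_groups` argument — so with `create_security_group = true` these ingress rules govern no ENI and the broker stays on whatever `var.security_groups` the caller passes; unless the broker already merges it somewhere not visible here, it should, e.g. `security_groups = concat(var.security_groups, aws_security_group.main[*].id)`. The egress rule `aws_security_group_rule.main` opens all protocols to `0.0.0.0/0` unconditionally; a managed broker initiates little outbound traffic, so sourcing the egress CIDRs from a variable that defaults to `["0.0.0.0/0"]` preserves current behaviour while letting callers tighten it. That same rule sets `from_port = -1` and `to_port = -1` with `protocol = "-1"`; I believe the AWS provider rejects this combination ("must both be 0 to use the 'ALL' -1 protocol"), and `0` is the documented value for both. Ports 443 and 15671 carry identical "RabbitMQ console" descriptions, so whoever audits the rules later cannot tell them apart; record the distinction the authors intend in each `description`.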
@@ -157,3 +157,183 @@ variable "tags" { type = map(string) default = {} } + +variable "nlb_enabled" { + description = "Flag to attach Network Load Balancer to Active MQ" + type = bool + default = false +} + +variable "nlb_name" { + description = "Name of the NLB" + type = string + default = null +} + +variable "nlb_internal" { + description = "Scheme type of the NLB, valid value is true or false where true is for internal and false for internet facing" + type = bool + default = true +} + +variable "enable_cross_zone_load_balancing" { + description = "Flag to enable/disable cross zone load balancing of the NLB" + type = bool + default = true +} + +variable "enable_deletion_protection" { + description = "Flag to enable/disable deletion of NLB via AWS API and Terraform" + type = bool + default = true +} + +variable "nlb_certificate_arn" { + description = "Ceritificate ARN of NLB" + type = string + default = null +} + +variable "nlb_tg_port" { + description = "Target Group Port for NLB" + type = number + default = 8883 +} + +variable "nlb_tg_protocol" { + description = "Target Group Protocol for NLB" + type = string + default = "TCP" +} + +variable "nlb_tags" { + description = "A mapping of additional tags to be attached to the NLB" + type = map(string) + default = {} +} + +variable "create_security_group" { + description = "Flag to create Security Group for the broker" + type = bool + default = false +} + +variable "security_group_name" { + description = "Name of the Security Group" + type = string + default = "" +} + +variable "security_group_description" { + description = "Description of the Security Group" + type = string + default = "Security Group for the AWS MQ" +} + +variable "security_group_tags" { + description = "A mapping of additional tags to be attached to the Security Group" + type = map(string) + default = {} +} + +variable "revoke_rules_on_delete" { + description = "Instruct Terraform to revoke all of the Security Groups attached ingress and egress 
rules before deleting the rule itself." + type = string + default = true +} + +variable "cidr_blocks_8883" { + description = "Cidr block for the MQTT security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_8883" { + description = "Prefix list ids for the MQTT security group ingress rule" + type = list(string) + default = [] +} + +variable "cidr_blocks_8162" { + description = "Cidr blocks for the ActiveMQ Console security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_8162" { + description = "Prefix list ids for the ActiveMQ Console security group ingress rule" + type = list(string) + default = [] +} + +variable "cidr_blocks_61619" { + description = "Cidr block for the websocket security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_61619" { + description = "Prefix list ids for the websocket security group ingress rule" + type = list(string) + default = [] +} + +variable "cidr_blocks_5671" { + description = "Cidr block for connections made via SSL AMQP security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_5671" { + description = "Prefix list ids for connections made via SSL AMQP URL security group ingress rule" + type = list(string) + default = [] +} + +variable "cidr_blocks_443" { + description = "Cidr blocks for the Amazon MQ for RabbitMQ Console security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_443" { + description = "Prefix list ids for the Amazon MQ for RabbitMQ Console security group ingress rule" + type = list(string) + default = [] +} + +variable "cidr_blocks_15671" { + description = "Cidr blocks for the Amazon MQ for RabbitMQ Console security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_15671" { + description = "Prefix list ids for the Amazon MQ for RabbitMQ Console security group ingress rule" + type = list(string) 
+ default = [] +} + +variable "cidr_blocks_61617" { + description = "Cidr blocks for the Amazon MQ SSL security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_61617" { + description = "Prefix list ids for the Amazon MQ SSL security group ingress rule" + type = list(string) + default = [] +} + +variable "cidr_blocks_61614" { + description = "Cidr blocks for the Amazon MQ Stomp SSL security group ingress rule" + type = list(string) + default = [] +} + +variable "prefix_lists_61614" { + description = "Prefix list ids for the Amazon MQ Stomp SSL security group ingress rule" + type = list(string) + default = [] +} diff --git a/versions.tf b/versions.tf index 4c8603d..a9e6407 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 5.0.0" } } }
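Review bot: `nlb_certificate_arn` defaults to `null`, yet the listener this module creates is `protocol = "TLS"`, so `nlb_enabled = true` without a certificate only fails at apply time; a `precondition` on `aws_lb_listener.main` such as `condition = !var.nlb_enabled || var.nlb_certificate_arn != null` surfaces it at plan time (a cross-variable `validation` block would need a newer Terraform than the `>= 1.3.0` this module pins). `nlb_tg_protocol` accepts any string; a `validation` limiting it to `TCP` or `TLS` stops typos reaching the API, and since the NLB terminates TLS in front of a broker that only speaks TLS, `"TLS"` is the safer default. `revoke_rules_on_delete` is declared `type = string` with a default of `true` for a boolean resource argument — declare it `type = bool`. Two wording issues: "Ceritificate" is a typo, and `enable_deletion_protection` is described as enabling "deletion of NLB" when it prevents deletion; `"Flag to enable/disable deletion protection on the NLB"` reads correctly.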