|
@@ -15,7 +15,7 @@ variable "common-tags" {
|
|
variable "open-nets" {
|
|
variable "open-nets" {
|
|
type = list
|
|
type = list
|
|
description = "CIDRs that will have access to everything"
|
|
description = "CIDRs that will have access to everything"
|
|
- default = []
|
|
|
|
|
|
+ default = []
|
|
}
|
|
}
|
|
|
|
|
|
variable "vpc-cidr" {
|
|
variable "vpc-cidr" {
|
|
@@ -32,7 +32,7 @@ variable "vpc-name" {
|
|
|
|
|
|
variable "ssh-key" {
|
|
variable "ssh-key" {
|
|
description = "Set if the SSH key you wish to use does not match the VPC name"
|
|
description = "Set if the SSH key you wish to use does not match the VPC name"
|
|
- default = ""
|
|
|
|
|
|
+ default = ""
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -68,233 +68,233 @@ variable "enable-flash" {
|
|
|
|
|
|
variable "enable-volumes" {
|
|
variable "enable-volumes" {
|
|
description = "Enable EBS Devices for Ephemeral and Persistent storage"
|
|
description = "Enable EBS Devices for Ephemeral and Persistent storage"
|
|
- default = true
|
|
|
|
|
|
+ default = false
|
|
}
|
|
}
|
|
|
|
|
|
variable "flash-iops" {
|
|
variable "flash-iops" {
|
|
description = "Enable Flash IOPS"
|
|
description = "Enable Flash IOPS"
|
|
default = "100"
|
|
default = "100"
|
|
- }
|
|
|
|
|
|
+}
|
|
|
|
|
|
variable "allow-public-ssh" {
|
|
variable "allow-public-ssh" {
|
|
description = "Allow SSH to be open to the public - disabled by default"
|
|
description = "Allow SSH to be open to the public - disabled by default"
|
|
default = "0"
|
|
default = "0"
|
|
- }
|
|
|
|
|
|
+}
|
|
|
|
|
|
variable "internal-rules" {
|
|
variable "internal-rules" {
|
|
description = "Security rules to allow for connectivity within the VPC"
|
|
description = "Security rules to allow for connectivity within the VPC"
|
|
- type = list
|
|
|
|
|
|
+ type = list
|
|
default = [
|
|
default = [
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "22"
|
|
from_port = "22"
|
|
to_port = "22"
|
|
to_port = "22"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "SSH from VPC"
|
|
comment = "SSH from VPC"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "1968"
|
|
from_port = "1968"
|
|
to_port = "1968"
|
|
to_port = "1968"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Proxy traffic (Internal use)"
|
|
comment = "Proxy traffic (Internal use)"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "3333"
|
|
from_port = "3333"
|
|
to_port = "3339"
|
|
to_port = "3339"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Cluster traffic (Internal use)"
|
|
comment = "Cluster traffic (Internal use)"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "36379"
|
|
from_port = "36379"
|
|
to_port = "36380"
|
|
to_port = "36380"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Cluster traffic (Internal use)"
|
|
comment = "Cluster traffic (Internal use)"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8001"
|
|
from_port = "8001"
|
|
to_port = "8001"
|
|
to_port = "8001"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Traffic from application to RS Discovery Service"
|
|
comment = "Traffic from application to RS Discovery Service"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8443"
|
|
from_port = "8443"
|
|
to_port = "8443"
|
|
to_port = "8443"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Secure (HTTPS) access to the management web UI"
|
|
comment = "Secure (HTTPS) access to the management web UI"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8444"
|
|
from_port = "8444"
|
|
to_port = "8444"
|
|
to_port = "8444"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "nginx <-> cnm_http/cm traffic (Internal use)"
|
|
comment = "nginx <-> cnm_http/cm traffic (Internal use)"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "9080"
|
|
from_port = "9080"
|
|
to_port = "9080"
|
|
to_port = "9080"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "nginx <-> cnm_http/cm traffic (Internal use)"
|
|
comment = "nginx <-> cnm_http/cm traffic (Internal use)"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "9081"
|
|
from_port = "9081"
|
|
to_port = "9081"
|
|
to_port = "9081"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "For CRDB management (Internal use)"
|
|
comment = "For CRDB management (Internal use)"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8070"
|
|
from_port = "8070"
|
|
to_port = "8071"
|
|
to_port = "8071"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Prometheus metrics exporter"
|
|
comment = "Prometheus metrics exporter"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "9443"
|
|
from_port = "9443"
|
|
to_port = "9443"
|
|
to_port = "9443"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "REST API traffic, including cluster management and node bootstrap"
|
|
comment = "REST API traffic, including cluster management and node bootstrap"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "10000"
|
|
from_port = "10000"
|
|
to_port = "19999"
|
|
to_port = "19999"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Database traffic - if manually creating db ports pare down"
|
|
comment = "Database traffic - if manually creating db ports pare down"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "20000"
|
|
from_port = "20000"
|
|
to_port = "29999"
|
|
to_port = "29999"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Database shards traffic - if manually creating db ports pare down"
|
|
comment = "Database shards traffic - if manually creating db ports pare down"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "53"
|
|
from_port = "53"
|
|
to_port = "53"
|
|
to_port = "53"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
comment = "DNS Traffic"
|
|
comment = "DNS Traffic"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "5353"
|
|
from_port = "5353"
|
|
to_port = "5353"
|
|
to_port = "5353"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
comment = "DNS Traffic"
|
|
comment = "DNS Traffic"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "-1"
|
|
from_port = "-1"
|
|
to_port = "-1"
|
|
to_port = "-1"
|
|
protocol = "icmp"
|
|
protocol = "icmp"
|
|
comment = "Ping for connectivity checks between nodes"
|
|
comment = "Ping for connectivity checks between nodes"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "egress"
|
|
|
|
|
|
+ type = "egress"
|
|
from_port = "-1"
|
|
from_port = "-1"
|
|
to_port = "-1"
|
|
to_port = "-1"
|
|
protocol = "icmp"
|
|
protocol = "icmp"
|
|
comment = "Ping for connectivity checks between nodes"
|
|
comment = "Ping for connectivity checks between nodes"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "egress"
|
|
|
|
|
|
+ type = "egress"
|
|
from_port = "0"
|
|
from_port = "0"
|
|
to_port = "65535"
|
|
to_port = "65535"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Let TCP out to the VPC"
|
|
comment = "Let TCP out to the VPC"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "egress"
|
|
|
|
|
|
+ type = "egress"
|
|
from_port = "0"
|
|
from_port = "0"
|
|
to_port = "65535"
|
|
to_port = "65535"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
comment = "Let UDP out to the VPC"
|
|
comment = "Let UDP out to the VPC"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8301"
|
|
from_port = "8301"
|
|
to_port = "8301"
|
|
to_port = "8301"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
comment = "Consul Traffic Gossip"
|
|
comment = "Consul Traffic Gossip"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8301"
|
|
from_port = "8301"
|
|
to_port = "8301"
|
|
to_port = "8301"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Consul Traffic Gossip"
|
|
comment = "Consul Traffic Gossip"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8600"
|
|
from_port = "8600"
|
|
to_port = "8600"
|
|
to_port = "8600"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Consul Traffic DNS"
|
|
comment = "Consul Traffic DNS"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8600"
|
|
from_port = "8600"
|
|
to_port = "8600"
|
|
to_port = "8600"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
comment = "Consul Traffic DNS"
|
|
comment = "Consul Traffic DNS"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8400"
|
|
from_port = "8400"
|
|
to_port = "8400"
|
|
to_port = "8400"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Consul Traffic RPC"
|
|
comment = "Consul Traffic RPC"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8500"
|
|
from_port = "8500"
|
|
to_port = "8500"
|
|
to_port = "8500"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Consul Traffic HTTP"
|
|
comment = "Consul Traffic HTTP"
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "8300"
|
|
from_port = "8300"
|
|
to_port = "8300"
|
|
to_port = "8300"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
comment = "Consul Traffic Internal"
|
|
comment = "Consul Traffic Internal"
|
|
},
|
|
},
|
|
- ]
|
|
|
|
- }
|
|
|
|
|
|
+ ]
|
|
|
|
+}
|
|
|
|
|
|
variable "external-rules" {
|
|
variable "external-rules" {
|
|
description = "Security rules to allow for connectivity external to the VPC"
|
|
description = "Security rules to allow for connectivity external to the VPC"
|
|
- type = list
|
|
|
|
|
|
+ type = list
|
|
default = [
|
|
default = [
|
|
{
|
|
{
|
|
- type = "ingress"
|
|
|
|
|
|
+ type = "ingress"
|
|
from_port = "53"
|
|
from_port = "53"
|
|
to_port = "53"
|
|
to_port = "53"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
cidr = ["0.0.0.0/0"]
|
|
cidr = ["0.0.0.0/0"]
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "egress"
|
|
|
|
|
|
+ type = "egress"
|
|
from_port = "0"
|
|
from_port = "0"
|
|
to_port = "65535"
|
|
to_port = "65535"
|
|
protocol = "tcp"
|
|
protocol = "tcp"
|
|
cidr = ["0.0.0.0/0"]
|
|
cidr = ["0.0.0.0/0"]
|
|
},
|
|
},
|
|
{
|
|
{
|
|
- type = "egress"
|
|
|
|
|
|
+ type = "egress"
|
|
from_port = "0"
|
|
from_port = "0"
|
|
to_port = "65535"
|
|
to_port = "65535"
|
|
protocol = "udp"
|
|
protocol = "udp"
|
|
cidr = ["0.0.0.0/0"]
|
|
cidr = ["0.0.0.0/0"]
|
|
}
|
|
}
|
|
- ]
|
|
|
|
- }
|
|
|
|
|
|
+ ]
|
|
|
|
+}
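Review bot: The `external-rules` default on the new side still carries an ingress entry for UDP/53 with `cidr = ["0.0.0.0/0"]` (the first element after `default = [`), which exposes whatever DNS listener these nodes run to the entire internet and makes them a candidate for DNS reflection/amplification; `internal-rules` already allows 53/udp and 5353/udp inside the VPC, so unless these hosts are meant to be public authoritative resolvers this entry should be narrowed to the VPC CIDR (`vpc-cidr` is declared earlier in this file) or to the operator-supplied `open-nets` list, and if it must stay open a comment should say why. The same default also grants egress on every TCP and UDP port to `0.0.0.0/0`, which is broader than the "Let TCP/UDP out to the VPC" egress already present in `internal-rules`; a one-line comment justifying unrestricted outbound for a database cluster, or a narrower default, would help reviewers. Separately, `enable-volumes` flips from `true` to `false` with no mention in the description; suggest `description = "Enable EBS devices for ephemeral and persistent storage (disabled by default; set to true to attach volumes)"` so the new default is discoverable. Note too that `allow-public-ssh` is the string `"0"` while `enable-volumes` is a bare boolean — if this module targets a Terraform version that distinguishes the two, one representation for on/off flags across the file would avoid surprising comparisons.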
|
|
|
|
|