Updated server security groups and instance user data

Author: blakeneyops

certs/main.tf

@@ -1,7 +1,7 @@
 # OpenVPN Server
 
 ## Creates IAM role & policies
-resource "aws_iam_role" "vpn_role" {
+resource "aws_iam_role" "role" {
   name = "${var.stack_item_label}-${var.region}"
   path = "/"
 
@@ -21,9 +21,9 @@ resource "aws_iam_role" "vpn_role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "s3_vpn_ro" {
-  name = "s3_vpn_ro"
-  role = "${aws_iam_role.vpn_role.id}"
+resource "aws_iam_role_policy" "s3_certs_ro" {
+  name = "s3_certs_ro"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -54,8 +54,8 @@ EOF
 }
 
 resource "aws_iam_role_policy" "tags" {
-  name = "vpn-tags"
-  role = "${aws_iam_role.vpn_role.id}"
+  name = "tags"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -77,45 +77,109 @@ EOF
 }
 
 ## Creates IAM instance profile
-resource "aws_iam_instance_profile" "vpn_profile" {
+resource "aws_iam_instance_profile" "profile" {
   name  = "${var.stack_item_label}-${var.region}"
-  roles = ["${aws_iam_role.vpn_role.name}"]
+  roles = ["${aws_iam_role.role.name}"]
 }
 
-## Creates security group rules
-resource "aws_security_group_rule" "allow_all_out" {
+## Create elastic load balancer security group and rules
+resource "aws_security_group" "sg_elb" {
+  name_prefix = "${var.stack_item_label}-elb-"
+  description = "${var.stack_item_fullname} load balancer security group"
+  vpc_id      = "${var.vpc_id}"
+
+  tags {
+    Name        = "${var.stack_item_label}-elb"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+}
+
+resource "aws_security_group_rule" "elb_allow_all_out" {
   type              = "egress"
   from_port         = 0
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${module.cluster.sg_id}"
+  security_group_id = "${aws_security_group.sg_elb.id}"
 }
 
-resource "aws_security_group_rule" "allow_ssh_in_tcp" {
+resource "aws_security_group_rule" "elb_allow_openvpn_tcp_in" {
   type              = "ingress"
-  from_port         = 22
-  to_port           = 22
+  from_port         = 1194
+  to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  cidr_blocks       = ["${split(",",var.vpn_whitelist)}"]
+  security_group_id = "${aws_security_group.sg_elb.id}"
+}
+
+## Creates an elastic load balancer
+resource "aws_elb" "elb" {
+  name            = "${var.stack_item_label}"
+  subnets         = ["${split(",",var.subnets)}"]
+  internal        = false
+  security_groups = ["${aws_security_group.sg_elb.id}"]
+
+  listener {
+    instance_port     = 1194
+    instance_protocol = "tcp"
+    lb_port           = 1194
+    lb_protocol       = "tcp"
+  }
+
+  health_check {
+    healthy_threshold   = 4
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "TCP:1194"
+    interval            = 30
+  }
+
+  tags {
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+## Creates security group rules
+resource "aws_security_group_rule" "cluster_allow_all_out" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_openvpn_in_tcp" {
+resource "aws_security_group_rule" "cluster_allow_openvpn_tcp_in" {
+  type                     = "ingress"
+  from_port                = 1194
+  to_port                  = 1194
+  protocol                 = "tcp"
+  source_security_group_id = "${aws_security_group.sg_elb.id}"
+  security_group_id        = "${module.cluster.sg_id}"
+}
+
+resource "aws_security_group_rule" "cluster_allow_ssh_in" {
   type              = "ingress"
-  from_port         = 1194
-  to_port           = 1194
+  from_port         = 22
+  to_port           = 22
   protocol          = "tcp"
-  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_ping_in_icmp" {
+resource "aws_security_group_rule" "cluster_allow_icmp_in" {
   type              = "ingress"
   from_port         = 0
   to_port           = 0
   protocol          = "icmp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
@@ -124,6 +188,7 @@ resource "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
+    hostname         = "${var.stack_item_label}"
     s3_bucket        = "${var.s3_bucket}"
     s3_bucket_prefix = "${var.s3_bucket_prefix}"
     route_cidrs      = "${var.route_cidrs}"
@@ -150,7 +215,7 @@ module "cluster" {
   # LC parameters
   ami              = "${var.ami}"
   instance_type    = "${var.instance_type}"
-  instance_profile = "${aws_iam_instance_profile.vpn_profile.id}"
+  instance_profile = "${aws_iam_instance_profile.profile.id}"
   user_data        = "${template_file.user_data.rendered}"
   key_name         = "${var.key_name}"
   ebs_optimized    = false
@@ -162,36 +227,3 @@ module "cluster" {
   min_elb_capacity = 1
   load_balancers   = "${aws_elb.elb.id}"
 }
-
-## Creates a load balancer
-resource "aws_elb" "elb" {
-  name            = "${var.stack_item_label}"
-  subnets         = ["${split(",",var.subnets)}"]
-  internal        = false
-  security_groups = ["${module.cluster.sg_id}"]
-
-  listener {
-    instance_port     = 1194
-    instance_protocol = "tcp"
-    lb_port           = 1194
-    lb_protocol       = "tcp"
-  }
-
-  health_check {
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 3
-    target              = "TCP:1194"
-    interval            = 30
-  }
-
-  tags {
-    Name        = "${var.stack_item_label}"
-    application = "${var.stack_item_fullname}"
-    managed_by  = "terraform"
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}

certs/outputs.tf

@@ -4,6 +4,6 @@ output "vpn_server_sg_id" {
   value = "${module.cluster.sg_id}"
 }
 
-output "cidr_whitelist" {
-  value = "${var.cidr_whitelist}"
+output "vpn_whitelist" {
+  value = "${var.vpn_whitelist}"
 }

certs/variables.tf

@@ -12,17 +12,6 @@ variable "stack_item_fullname" {
 }
 
 ## VPC parameters
-
-###
-### 0 - if instance is a standalone instance outside a VPC
-### 1 - if instance is in a vpc
-###
-variable "in_vpc" {
-  type        = "string"
-  description = "Flag for associating the cluster with a VPC."
-  default     = 1
-}
-
 variable "vpc_id" {
   type        = "string"
   description = "ID of the target VPC."
@@ -74,8 +63,14 @@ variable "s3_bucket_prefix" {
   default     = ""
 }
 
-variable "cidr_whitelist" {
+variable "vpn_whitelist" {
+  type        = "string"
+  description = "Limit VPN access to the designated list of CIDRs"
+  default     = "0.0.0.0/0"
+}
+
+variable "ssh_whitelist" {
   type        = "string"
-  description = "Limit access to the designated list of CIDRs"
+  description = "Limit SSH access to the designated list of CIDRs"
   default     = "0.0.0.0/0"
 }