terraform {
  # Any Terraform 1.x CLI; 2.x is excluded until this configuration has
  # been checked against it.
  required_version = ">= 1.0.0, < 2.0.0"

  required_providers {
    # IBM Cloud provider, any 1.33.x patch release.
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "~> 1.33.0"
    }
  }
}
# provider block required with Schematics to set VPC region
provider "ibm" {
  # Region the VPC is created in; needed under Schematics to pin the region.
  region = var.ibm_region

  # The API key is deliberately not configured here. Supply it through the
  # provider's environment (e.g. IC_API_KEY) or the Schematics workspace
  # instead of a plain-text variable.
  # ibmcloud_api_key = var.ibmcloud_api_key
}
# Resource group whose id is handed to the bastion, frontend and backend
# modules; the vpc module receives the name instead.
data "ibm_resource_group" "all_rg" {
  name = var.resource_group_name
}
locals {
  # Instance counts per tier. Each value is passed both to the vpc module
  # and to the matching tier module below.
  frontend_count = 2
  backend_count  = 1
}
##################################################################################################
# Select CIDRs allowed to access bastion host
# When running under Schematics, the allowed ingress CIDRs are restricted to the Schematics source ranges
# (for use with remote-exec and Red Hat Ansible).
# When running under local Terraform execution, ingress is set to 0.0.0.0/0.
# Access CIDRs are overridden if user_bastion_ingress_cidr is set to anything other than "0.0.0.0/0"
##################################################################################################
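# Read only the Schematics location from the process environment.
# The result of an external data source is written to Terraform state, so
# the program must not return the whole environment ("jq -n env" would also
# capture any API key or TF_VAR_* secret present in the shell). The jq "//"
# alternative yields "" when the variable is unset, so the lookup in the
# locals block below still receives a string.
data "external" "env" {
  program = ["jq", "-n", "{TF_VAR_SCHEMATICSLOCATION: (env.TF_VAR_SCHEMATICSLOCATION // \"\")}"]
}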
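locals {
  # Region Schematics is running in, or "" outside Schematics.
  region = lookup(data.external.env.result, "TF_VAR_SCHEMATICSLOCATION", "")

  # Leading two characters of the region ("us", "eu", ...) select the
  # Schematics source ranges below.
  geo = substr(local.region, 0, 2)

  # Source ranges Schematics connects from (remote-exec / Ansible into the bastion).
  schematics_ssh_access_map = {
    us = ["169.44.0.0/14", "169.60.0.0/14", "150.238.230.128/27"],
    eu = ["158.175.0.0/16", "158.176.0.0/15", "141.125.75.80/28", "161.156.139.192/28", "149.81.103.128/28", "159.122.111.224/27"],
  }

  # Any geo not in the map (including "" for local execution) falls back to
  # world-open SSH on the bastion; use var.ssh_source_cidr_override to
  # narrow it in that case.
  schematics_ssh_access = lookup(local.schematics_ssh_access_map, local.geo, ["0.0.0.0/0"])

  # The override wins whenever its first entry is not the wildcard. An empty
  # override list is treated as "no override" instead of failing on [0].
  # (The header comment above names this input user_bastion_ingress_cidr;
  # the code reads var.ssh_source_cidr_override.)
  bastion_ingress_cidr = (length(var.ssh_source_cidr_override) > 0 ? var.ssh_source_cidr_override[0] != "0.0.0.0/0" : false) ? var.ssh_source_cidr_override : local.schematics_ssh_access
}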
# VPC plus the per-tier subnets. The *_cidr_blocks lists are computed in
# the locals block further down in this file.
module "vpc" {
  source = "./vpc"

  ibm_region          = var.ibm_region
  resource_group_name = var.resource_group_name
  unique_id           = var.vpc_name

  # Frontend tier
  frontend_count       = local.frontend_count
  frontend_cidr_blocks = local.frontend_cidr_blocks

  # Backend tier
  backend_count       = local.backend_count
  backend_cidr_blocks = local.backend_cidr_blocks
}
locals {
  # Carve each tier CIDR into /+4 slices and keep slots 0, 2 and 4
  # (three subnets per tier); the odd slots are left unused.
  # bastion_cidr_blocks = [cidrsubnet(var.bastion_cidr, 4, 0), cidrsubnet(var.bastion_cidr, 4, 2), cidrsubnet(var.bastion_cidr, 4, 4)]
  frontend_cidr_blocks = [for slot in [0, 2, 4] : cidrsubnet(var.frontend_cidr, 4, slot)]
  backend_cidr_blocks  = [for slot in [0, 2, 4] : cidrsubnet(var.backend_cidr, 4, slot)]
}
# Create single zone bastion
module "bastion" {
  source = "./bastionmodule"

  ibm_region    = var.ibm_region
  bastion_count = 1
  unique_id     = var.vpc_name
  bastion_cidr  = var.bastion_cidr

  # Placement: VPC, image, resource group and SSH key. The image and SSH key
  # data sources are not declared in this file (expected in a sibling .tf).
  ibm_is_vpc_id            = module.vpc.vpc_id
  ibm_is_image_id          = data.ibm_is_image.os.id
  ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
  ssh_key_id               = data.ibm_is_ssh_key.sshkey.id

  # Inbound SSH: Schematics ranges, the override, or 0.0.0.0/0 (see locals).
  ssh_source_cidr_blocks = local.bastion_ingress_cidr

  # Outbound: the bastion may reach both tiers, by CIDR and by security group.
  destination_cidr_blocks = [var.frontend_cidr, var.backend_cidr]
  destination_sgs         = [module.frontend.security_group_id, module.backend.security_group_id]

  # Retained from earlier revisions, currently unused:
  # destination_sg = [module.frontend.security_group_id, module.backend.security_group_id]
  # vsi_profile    = "cx2-2x4"
  # image_name     = "ibm-centos-7-6-minimal-amd64-1"
}
module "frontend" {
  source = "./frontendmodule"

  ibm_region     = var.ibm_region
  unique_id      = var.vpc_name
  frontend_count = local.frontend_count
  profile        = var.profile

  # Placement; image and SSH key data sources live outside this file.
  ibm_is_vpc_id            = module.vpc.vpc_id
  ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
  ibm_is_image_id          = data.ibm_is_image.os.id
  ibm_is_ssh_key_id        = data.ibm_is_ssh_key.sshkey.id
  subnet_ids               = module.vpc.frontend_subnet_ids

  # Security-group wiring: SSH from the bastion, traffic to/from the backend,
  # and egress to package repositories. local.pub_repo_egress_cidr is not
  # defined in this file; presumably in a sibling .tf — verify.
  bastion_remote_sg_id = module.bastion.security_group_id
  bastion_subnet_CIDR  = var.bastion_cidr
  app_backend_sg_id    = module.backend.security_group_id
  pub_repo_egress_cidr = local.pub_repo_egress_cidr
}
module "backend" {
  source = "./backendmodule"

  ibm_region    = var.ibm_region
  unique_id     = var.vpc_name
  backend_count = local.backend_count
  profile       = var.profile

  # Placement; image and SSH key data sources live outside this file.
  ibm_is_vpc_id            = module.vpc.vpc_id
  ibm_is_resource_group_id = data.ibm_resource_group.all_rg.id
  ibm_is_image_id          = data.ibm_is_image.os.id
  ibm_is_ssh_key_id        = data.ibm_is_ssh_key.sshkey.id
  subnet_ids               = module.vpc.backend_subnet_ids

  # Security-group wiring, mirror of the frontend module: SSH from the
  # bastion, traffic to/from the frontend, egress to package repositories.
  # local.pub_repo_egress_cidr is not defined in this file — verify.
  bastion_remote_sg_id = module.bastion.security_group_id
  bastion_subnet_CIDR  = var.bastion_cidr
  app_frontend_sg_id   = module.frontend.security_group_id
  pub_repo_egress_cidr = local.pub_repo_egress_cidr
}
# Post-deploy SSH reachability check through the bastion to every tier host.
module "accesscheck" {
  source = "./accesscheck"

  ssh_accesscheck = var.ssh_accesscheck

  # A private key passed as a variable is recorded in plan/state; its
  # declaration (not in this file) should carry sensitive = true — confirm.
  ssh_private_key = var.ssh_private_key

  # Single bastion (bastion_count = 1 above), so the first address is used.
  bastion_host = module.bastion.bastion_ip_addresses[0]
  target_hosts = concat(module.frontend.primary_ipv4_address, module.backend.primary_ipv4_address)
}