diff --git a/main.tf b/main.tf index 1daff0b..d387087 100644 --- a/main.tf +++ b/main.tf @@ -12,21 +12,28 @@ provider "aws" { } } +module "iam" { + source = "./modules/iam" + + resource_name_prefix = var.resource_name_prefix + permissions_boundary = var.permissions_boundary + user_supplied_iam_role_name = var.user_supplied_iam_role_name +} + module "dns" { source = "./modules/dns" - vpc_id = var.vpc_id - zone_dns_name = var.zone_dns_name + vpc_id = var.vpc_id + resource_name_prefix = var.resource_name_prefix + zone_dns_name = var.zone_dns_name + iam_role_id = module.iam.iam_role_id } -module "iam" { - source = "./modules/iam" +module "backup" { + source = "./modules/backup" - permissions_boundary = var.permissions_boundary - resource_name_prefix = var.resource_name_prefix - user_supplied_iam_role_name = var.user_supplied_iam_role_name - s3_bucket_name = module.s3.backup_bucket_name - route53_zone_id = module.dns.zone_id + resource_name_prefix = var.resource_name_prefix + iam_role_id = module.iam.iam_role_id } module "config" { @@ -48,9 +55,8 @@ module "load_balancer" { lb_health_check_path = var.lb_health_check_path lb_health_check_interval = var.lb_health_check_interval lb_enable_deletion_protection = var.prevent_resource_deletion - tls_enabled = var.tls_enabled - tls_certificate_arn = var.tls_certificate_arn - tls_policy = var.tls_policy + lb_tls_certificate_arn = var.lb_tls_certificate_arn + lb_tls_policy = var.lb_tls_policy } module "user_data" { 
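Review bot: The `module "load_balancer"` call in the second hunk still does not pass the module's new inputs `lb_security_groups`, `lb_healthy_threshold` and `lb_unhealthy_threshold`, so unless they are wired in the part of the call outside this hunk they silently take the module defaults (`[]`, 3, 3) and cannot be set from the root module. The root `variables.tf` hunks later in this diff add no variables of those names either, which suggests the gap is real rather than just out of view. Either pass them through with matching root variables or drop them from the module until they are needed. The `module "load_balancer"` block starts outside the hunk.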
@@ -60,10 +66,10 @@ module "user_data" { resource_name_prefix = var.resource_name_prefix user_supplied_userdata_path = var.user_supplied_userdata_path device_name = var.device_name - backup_schedule = var.backup_schedule - backup_retention_count = var.backup_retention_count - backup_iam_key_id = module.iam.backups_bucket_key_id - backup_iam_key_secret = module.iam.backups_bucket_key_secret + + backup_schedule = var.backup_schedule + backup_retention_count = var.backup_retention_count + backup_bucket_name = module.backup.bucket_name ebs_volume_type = var.ebs_volume_type ebs_volume_size = var.ebs_volume_size @@ -77,20 +83,13 @@ module "user_data" { instance_type = var.instance_type depends_on = [ - module.config, + module.config ] } -module "s3" { - source = "./modules/s3" - - resource_name_prefix = var.resource_name_prefix - access_log_bucket = var.s3_access_log_bucket -} - locals { graphdb_target_group_arns = concat( - [module.load_balancer.lb_target_group_arn], + [module.load_balancer.lb_target_group_arn] ) } @@ -99,8 +98,8 @@ module "vm" { allowed_inbound_cidrs = var.allowed_inbound_cidrs_lb allowed_inbound_cidrs_ssh = var.allowed_inbound_cidrs_ssh - aws_iam_instance_profile = module.iam.aws_iam_instance_profile - common_tags = var.common_tags + iam_instance_profile = module.iam.iam_instance_profile + iam_role_id = module.iam.iam_role_id instance_type = var.instance_type key_name = var.key_name lb_subnets = var.lb_internal ? var.private_subnet_ids : var.public_subnet_ids diff --git a/modules/backup/README.md b/modules/backup/README.md new file mode 100644 index 0000000..a062a61 --- /dev/null +++ b/modules/backup/README.md @@ -0,0 +1 @@ +# GraphDB Backups Module diff --git a/modules/s3/main.tf b/modules/backup/main.tf similarity index 60% rename from modules/s3/main.tf rename to modules/backup/main.tf index be31a05..20c9d8d 100644 --- a/modules/s3/main.tf +++ b/modules/backup/main.tf 
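Review bot: The `module "vm"` hunk drops `common_tags = var.common_tags` while the root `common_tags` variable is kept (it is still visible as context in the root `variables.tf` hunk later in this diff), so unless the provider's `default_tags` is configured from it the variable becomes dead and the VM resources lose their tags. If tags are meant to arrive via `default_tags`, say so in the `common_tags` description; otherwise restore the pass-through or remove the root variable. The `module "vm"` block begins before and ends after this hunk.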
@@ -1,5 +1,11 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+ account_id = data.aws_caller_identity.current.account_id
+}
+
 resource "aws_s3_bucket" "backup" {
- bucket = "${var.resource_name_prefix}-graphdb-backup"
+ bucket = "${var.resource_name_prefix}-graphdb-backup-${local.account_id}"
 }
 # Explicitly disable public access
@@ -33,13 +39,6 @@ resource "aws_s3_bucket_versioning" "backup" {
 }
 }
-resource "aws_s3_bucket_logging" "backup" {
- count = var.access_log_bucket != null ? 1 : 0
- bucket = aws_s3_bucket.backup.id
- target_bucket = var.access_log_bucket
- target_prefix = "${var.resource_name_prefix}-graphdb-backup-access-logs/"
-}
-
 resource "aws_s3_bucket_policy" "disallow-non-tls-access-to-bucket" {
 bucket = aws_s3_bucket.backup.id
 policy = data.aws_iam_policy_document.disallow-non-tls-access-to-bucket.json
@@ -67,3 +66,30 @@ data "aws_iam_policy_document" "disallow-non-tls-access-to-bucket" {
 }
 }
 }
+
+resource "aws_iam_role_policy" "s3_crud" {
+ name = "${var.resource_name_prefix}-graphdb-s3-crud"
+ role = var.iam_role_id
+ policy = data.aws_iam_policy_document.backup_s3_crud.json
+}
+
+data "aws_iam_policy_document" "backup_s3_crud" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket",
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListObjects",
+ "s3:PutObject",
+ "s3:GetAccelerateConfiguration",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload"
+ ]
+ resources = [
+ # the exact ARN is needed for the list bucket action, star for put,get,delete
+ "arn:aws:s3:::${aws_s3_bucket.backup.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.backup.bucket}/*"
+ ]
+ }
+}
diff --git a/modules/backup/outputs.tf b/modules/backup/outputs.tf
new file mode 100644
index 0000000..3cbfd66
--- /dev/null
+++ b/modules/backup/outputs.tf
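Review bot: Server access logging for the backup bucket is removed (the `aws_s3_bucket_logging` resource here and the `access_log_bucket` input in `modules/backup/variables.tf`) with nothing replacing it, so the bucket that receives database backups no longer produces an access audit trail; keep the optional logging resource or at least document the loss. Separately, `aws_iam_role_policy.s3_crud` now attaches unconditionally to `var.iam_role_id`, which per `modules/iam/outputs.tf` is the caller's own role when `user_supplied_iam_role_name` is set, whereas the old policy was guarded by `count = var.user_supplied_iam_role_name != null ? 0 : 1`; the same applies to `route53_instance_registration` in `modules/dns/main.tf` and to all three attachments in `modules/vm/iam.tf`. If mutating a caller-provided role is intended, document it on the `user_supplied_iam_role_name` variable; if not, the modules need a gate such as `count = var.iam_role_id != null ? 1 : 0` with the iam module emitting null for the supplied-role case. Also, `s3:ListObjects` does not appear to be an IAM action (`s3:ListBucket` is what authorizes listing), so that entry is likely inert; it was carried over from the old policy.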
@@ -0,0 +1,14 @@ +output "bucket_name" { + description = "Name of the S3 bucket for storing GraphDB backups" + value = aws_s3_bucket.backup.bucket +} + +output "bucket_id" { + description = "ID of the S3 bucket for storing GraphDB backups" + value = aws_s3_bucket.backup.id +} + +output "bucket_arn" { + description = "ARN of the S3 bucket for storing GraphDB backups" + value = aws_s3_bucket.backup.arn +} diff --git a/modules/s3/variables.tf b/modules/backup/variables.tf similarity index 50% rename from modules/s3/variables.tf rename to modules/backup/variables.tf index 01ad6a6..ab3e68d 100644 --- a/modules/s3/variables.tf +++ b/modules/backup/variables.tf @@ -1,20 +1,15 @@ -# REQUIRED parameters - variable "resource_name_prefix" { description = "Resource name prefix used for tagging and naming AWS resources" type = string } -# OPTIONAL parameters - -variable "kms_key_arn" { - description = "KMS key to use for bucket encryption." +variable "iam_role_id" { + description = "IAM role ID to attach permission policies to" type = string - default = null } -variable "access_log_bucket" { - description = "S3 bucket ID for storing access logs of the GraphDB backup bucket" +variable "kms_key_arn" { + description = "KMS key to use for bucket encryption. If left empty, it will use the account's default for S3." type = string default = null } diff --git a/modules/s3/versions.tf b/modules/backup/versions.tf similarity index 100% rename from modules/s3/versions.tf rename to modules/backup/versions.tf diff --git a/modules/s3/README.md b/modules/dns/README.md similarity index 100% rename from modules/s3/README.md rename to modules/dns/README.md diff --git a/modules/dns/main.tf b/modules/dns/main.tf index 39afd62..0329d5f 100644 --- a/modules/dns/main.tf +++ b/modules/dns/main.tf 
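Review bot: The `kms_key_arn` variable survives the rename with a longer description promising a fallback to the account's default S3 encryption, yet no hunk of `modules/backup/main.tf` in this diff references `var.kms_key_arn`, so it may be an unused input whose description now overstates what the module does. If it is unused, either wire it into an `aws_s3_bucket_server_side_encryption_configuration` resource for the backup bucket or remove the variable. The `iam_role_id` description also says "ID" while the value fed in is the role name (see `modules/iam/outputs.tf`); `IAM role name to attach permission policies to` would be accurate.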
@@ -1,9 +1,28 @@
 resource "aws_route53_zone" "zone" {
 name = var.zone_dns_name
+ # Allows for Terraform to destroy it.
 force_destroy = true
 vpc {
 vpc_id = var.vpc_id
 }
 }
+
+resource "aws_iam_role_policy" "route53_instance_registration" {
+ name = "${var.resource_name_prefix}-graphdb-route53-instance-registration"
+ role = var.iam_role_id
+ policy = data.aws_iam_policy_document.route53_instance_registration.json
+}
+
+data "aws_iam_policy_document" "route53_instance_registration" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "route53:ChangeResourceRecordSets"
+ ]
+
+ resources = ["arn:aws:route53:::hostedzone/${aws_route53_zone.zone.zone_id}"]
+ }
+}
diff --git a/modules/dns/outputs.tf b/modules/dns/outputs.tf
index 107512c..5fa5757 100644
--- a/modules/dns/outputs.tf
+++ b/modules/dns/outputs.tf
@@ -1,3 +1,4 @@
 output "zone_id" {
- value = aws_route53_zone.zone.zone_id
+ description = "ID of the private hosted zone for GraphDB DNS resolving"
+ value = aws_route53_zone.zone.zone_id
 }
diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf
index 9a5e689..3350f88 100644
--- a/modules/dns/variables.tf
+++ b/modules/dns/variables.tf
@@ -3,7 +3,17 @@ variable "vpc_id" {
 type = string
 }
+variable "resource_name_prefix" {
+ description = "Resource name prefix used for tagging and naming AWS resources"
+ type = string
+}
+
 variable "zone_dns_name" {
 description = "DNS name for the private hosted zone in Route 53"
 type = string
 }
+
+variable "iam_role_id" {
+ description = "IAM role ID to attach permission policies to"
+ type = string
+}
diff --git a/modules/iam/main.tf b/modules/iam/main.tf
index 4a6597e..ee17888 100644
--- a/modules/iam/main.tf
+++ b/modules/iam/main.tf
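Review bot: `route53_instance_registration` is correctly scoped to the single hosted zone, but `route53:ChangeResourceRecordSets` on that zone lets any node create or delete any record in it, including ones other nodes depend on. Route 53 offers the condition keys `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsNormalizedRecordNames`, so if the instances only ever register A records under a known name pattern, a `condition` block limiting the statement to those types and names would confine a misbehaving node to its own records; verify the exact record names against the user-data script before adding it. The comment `# Allows for Terraform to destroy it.` would be more informative as `# force_destroy lets Terraform delete the zone even when it still holds records registered by the instances.`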
@@ -1,9 +1,9 @@
 resource "aws_iam_instance_profile" "graphdb" {
 name_prefix = "${var.resource_name_prefix}-graphdb"
- role = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.instance_role[0].name
+ role = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.graphdb[0].name
 }
-resource "aws_iam_role" "instance_role" {
+resource "aws_iam_role" "graphdb" {
 count = var.user_supplied_iam_role_name != null ? 0 : 1
 name_prefix = "${var.resource_name_prefix}-graphdb-"
 permissions_boundary = var.permissions_boundary
@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "instance_role" {
 statement {
 effect = "Allow"
 actions = [
- "sts:AssumeRole",
+ "sts:AssumeRole"
 ]
 principals {
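Review bot: Renaming `aws_iam_role.instance_role` to `aws_iam_role.graphdb` without a `moved` block makes Terraform plan a destroy/create of the role (and everything attached to it) on the next apply, which briefly leaves running instances with a profile pointing at a role that no longer exists; adding `moved { from = aws_iam_role.instance_role` / `to = aws_iam_role.graphdb }` keeps the existing role in state (Terraform 1.1+, check `required_version`). The assume-role document in the second hunk is still `data "aws_iam_policy_document" "instance_role"`, so the resource and its trust policy no longer share a name; consider renaming it to `graphdb` as well.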
@@ -23,124 +23,3 @@ data "aws_iam_policy_document" "instance_role" { } } } - -resource "aws_iam_role_policy" "s3_crud" { - count = var.user_supplied_iam_role_name != null ? 0 : 1 - name = "${var.resource_name_prefix}-graphdb-s3-crud" - role = aws_iam_role.instance_role[0].id - policy = data.aws_iam_policy_document.s3_crud.json -} - -resource "aws_iam_role_policy" "instance_volume" { - count = var.user_supplied_iam_role_name != null ? 0 : 1 - name = "${var.resource_name_prefix}-graphdb-instance-volume" - role = aws_iam_role.instance_role[0].id - policy = data.aws_iam_policy_document.instance_volume.json -} - -resource "aws_iam_role_policy" "instance_volume_tagging" { - count = var.user_supplied_iam_role_name != null ? 0 : 1 - name = "${var.resource_name_prefix}-graphdb-instance-volume-tagging" - role = aws_iam_role.instance_role[0].id - policy = data.aws_iam_policy_document.instance_volume_tagging.json -} - -resource "aws_iam_role_policy" "route53_instance_registration" { - count = var.user_supplied_iam_role_name != null ? 
0 : 1 - name = "${var.resource_name_prefix}-graphdb-route53-instance-registration" - role = aws_iam_role.instance_role[0].id - policy = data.aws_iam_policy_document.route53_instance_registration.json -} - -data "aws_iam_policy_document" "s3_crud" { - statement { - effect = "Allow" - actions = [ - "s3:ListBucket", - "s3:DeleteObject", - "s3:GetObject", - "s3:ListObjects", - "s3:PutObject", - "s3:GetAccelerateConfiguration", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload" - ] - resources = [ - # the exact ARN is needed for the list bucket action, star for put,get,delete - "arn:aws:s3:::${var.s3_bucket_name}", - "arn:aws:s3:::${var.s3_bucket_name}/*" - ] - } -} - -data "aws_iam_policy_document" "instance_volume" { - statement { - effect = "Allow" - - actions = [ - "ec2:CreateVolume", - "ec2:AttachVolume", - "ec2:DescribeVolumes", - ] - - resources = ["*"] - } -} - -data "aws_iam_policy_document" "instance_volume_tagging" { - statement { - effect = "Allow" - - actions = [ - "ec2:CreateTags" - ] - - resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*", - ] - - condition { - test = "StringEquals" - variable = "ec2:CreateAction" - values = [ - "CreateVolume", - "CreateSnapshot", - ] - } - } -} - -data "aws_iam_policy_document" "route53_instance_registration" { - statement { - effect = "Allow" - - actions = [ - "route53:ChangeResourceRecordSets" - ] - - resources = ["arn:aws:route53:::hostedzone/${var.route53_zone_id}"] - } -} - -resource "aws_iam_role_policy_attachment" "systems-manager-policy" { - role = aws_iam_role.instance_role[0].id - policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" -} - -# IAM user needed for the backup upload to S3 - -resource "aws_iam_user" "this" { - name = "${var.resource_name_prefix}-backup" - path = "/system/" -} - -resource "aws_iam_access_key" "this" { - user = aws_iam_user.this.name -} - -resource "aws_iam_user_policy" "this" { - name = "${var.resource_name_prefix}-s3backups" - user = 
aws_iam_user.this.name - policy = data.aws_iam_policy_document.s3_crud.json -} diff --git a/modules/iam/outputs.tf b/modules/iam/outputs.tf index de29870..e52f0b8 100644 --- a/modules/iam/outputs.tf +++ b/modules/iam/outputs.tf @@ -1,12 +1,9 @@ -output "aws_iam_instance_profile" { - value = aws_iam_instance_profile.graphdb.name +output "iam_instance_profile" { + description = "Instance profile to use for EC2" + value = aws_iam_instance_profile.graphdb.name } -output "backups_bucket_key_id" { - value = aws_iam_access_key.this.id -} - -output "backups_bucket_key_secret" { - value = aws_iam_access_key.this.secret - sensitive = true +output "iam_role_id" { + description = "IAM role ID to use for policies" + value = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.graphdb[0].id } diff --git a/modules/iam/variables.tf b/modules/iam/variables.tf index fc48b48..a2e8fc3 100644 --- a/modules/iam/variables.tf +++ b/modules/iam/variables.tf @@ -1,17 +1,8 @@ -# REQUIRED parameters - variable "resource_name_prefix" { description = "Resource name prefix used for tagging and naming AWS resources" type = string } -variable "route53_zone_id" { - description = "ID of the Route 53 hosted zone, where GraphDB instances are registered" - type = string -} - -# OPTIONAL parameters - variable "permissions_boundary" { description = "(Optional) IAM Managed Policy to serve as permissions boundary for IAM Role" type = string @@ -23,9 +14,3 @@ variable "user_supplied_iam_role_name" { type = string default = null } - -variable "s3_bucket_name" { - description = "Name of the S3 bucket, where GraphDB backups are stored." - type = string - default = null -} diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf index 9ee5225..bfc9db1 100644 --- a/modules/load_balancer/main.tf +++ b/modules/load_balancer/main.tf 
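Review bot: The new `iam_role_id` output in `modules/iam/outputs.tf` is named and described as an ID, but both branches yield a role name: `var.user_supplied_iam_role_name` is a name by definition, and for `aws_iam_role` the `id` attribute is the role name (the opaque identifier is `unique_id`). Every consumer in this diff (`aws_iam_role_policy.role`, `aws_iam_role_policy_attachment.role`) expects a name, so behaviour is right, but the description should read `Name of the IAM role that module policies are attached to`, and the matching `iam_role_id` variables in the backup, dns and vm modules could say the same, so nobody later swaps in `unique_id` and breaks the attachments.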
@@ -1,5 +1,6 @@
 locals {
- lb_name = "${var.resource_name_prefix}-graphdb"
+ lb_name = "${var.resource_name_prefix}-graphdb"
+ lb_tls_enabled = var.lb_tls_certificate_arn != null ? true : false
 }
 resource "aws_lb" "graphdb" {
@@ -8,6 +9,7 @@ resource "aws_lb" "graphdb" {
 load_balancer_type = "network"
 subnets = var.lb_subnets
 enable_deletion_protection = var.lb_enable_deletion_protection
+ security_groups = var.lb_security_groups
 }
 resource "aws_lb_target_group" "graphdb" {
@@ -20,8 +22,8 @@ resource "aws_lb_target_group" "graphdb" {
 deregistration_delay = var.lb_deregistration_delay
 health_check {
- healthy_threshold = 3
- unhealthy_threshold = 3
+ healthy_threshold = var.lb_healthy_threshold
+ unhealthy_threshold = var.lb_unhealthy_threshold
 protocol = "HTTP"
 port = 7201
 path = var.lb_health_check_path
@@ -30,7 +32,7 @@ resource "aws_lb_target_group" "graphdb" {
 }
 resource "aws_lb_listener" "graphdb" {
- count = var.tls_enabled ? 0 : 1
+ count = local.lb_tls_enabled ? 0 : 1
 load_balancer_arn = aws_lb.graphdb.id
 port = 80
@@ -43,13 +45,13 @@ resource "aws_lb_listener" "graphdb" {
 }
 resource "aws_lb_listener" "graphdb_tls" {
- count = var.tls_enabled ? 1 : 0
+ count = local.lb_tls_enabled ? 1 : 0
 load_balancer_arn = aws_lb.graphdb.id
 port = 443
 protocol = "TLS"
- certificate_arn = var.tls_certificate_arn
- ssl_policy = var.tls_policy
+ certificate_arn = var.lb_tls_certificate_arn
+ ssl_policy = var.lb_tls_policy
 default_action {
 type = "forward"
diff --git a/modules/load_balancer/outputs.tf b/modules/load_balancer/outputs.tf
index de106fa..b407718 100644
--- a/modules/load_balancer/outputs.tf
+++ b/modules/load_balancer/outputs.tf
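Review bot: `lb_tls_enabled = var.lb_tls_certificate_arn != null ? true : false` is a redundant ternary; `lb_tls_enabled = var.lb_tls_certificate_arn != null` is the idiomatic form. On the `aws_lb` hunk, my understanding is that a network load balancer can only have security groups associated at creation and cannot later have them all removed, so with `lb_security_groups` defaulting to `[]` an existing deployment cannot opt in later without the provider forcing replacement of the LB; if that is acceptable, state it in the variable's description. The `health_check` block now takes caller-provided thresholds with no range check, which belongs on the variables as `validation` blocks.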
@@ -1,19 +1,19 @@ output "lb_arn" { - description = "ARN of GraphDB load balancer" + description = "ARN of the GraphDB load balancer" value = aws_lb.graphdb.arn } output "lb_dns_name" { - description = "DNS name of GraphDB load balancer" + description = "DNS name of the GraphDB load balancer" value = aws_lb.graphdb.dns_name } output "lb_zone_id" { - description = "Zone ID of GraphDB load balancer" + description = "Route 53 zone ID of the GraphDB load balancer" value = aws_lb.graphdb.zone_id } output "lb_target_group_arn" { - description = "Target group ARN to register GraphDB nodes with" + description = "Target group ARN of the registered GraphDB nodes" value = aws_lb_target_group.graphdb.arn } diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf index c59bc2b..3cf1836 100644 --- a/modules/load_balancer/variables.tf +++ b/modules/load_balancer/variables.tf @@ -1,5 +1,3 @@ -# REQUIRED parameters - variable "vpc_id" { description = "Identifier of the VPC where GraphDB will be deployed." type = string @@ -15,7 +13,11 @@ variable "lb_subnets" { type = list(string) } -# OPTIONAL parameters +variable "lb_security_groups" { + description = "(Optional) Security groups to assign when the LB is internal." + type = list(string) + default = [] +} variable "lb_internal" { description = "(Optional) Whether the load balancer will be internal or internet-facing. Defaults to true." 
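Review bot: The `lb_security_groups` description says the groups are assigned "when the LB is internal", but `modules/load_balancer/main.tf` sets `security_groups = var.lb_security_groups` on the `aws_lb` unconditionally, so the description and the code disagree. Either gate the assignment, e.g. `security_groups = var.lb_internal ? var.lb_security_groups : []`, if there is a reason to avoid security groups on an internet-facing NLB, or change the description to `(Optional) Security groups to associate with the network load balancer.` The `variable "lb_internal"` block starts in this hunk and continues past it.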
@@ -29,6 +31,18 @@ variable "lb_deregistration_delay" { default = 300 } +variable "lb_healthy_threshold" { + description = "(Optional) Number of consecutive health check successes required to consider GraphDB target healthy" + type = number + default = 3 +} + +variable "lb_unhealthy_threshold" { + description = "(Optional) Number of consecutive health check failures required before considering a GraphDB target unhealthy" + type = number + default = 3 +} + variable "lb_health_check_path" { description = "(Optional) The endpoint to check for GraphDB's health status. Defaults to /protocol." type = string @@ -47,20 +61,16 @@ variable "lb_enable_deletion_protection" { default = true } -variable "tls_enabled" { - description = "If enabled, a certificate must be imported in ACM and its ARN to set in tls_certificate_arn. Certificates with RSA keys larger than 2048-bit or EC keys cannot be used." - type = bool - default = false +# TLS + +variable "lb_tls_certificate_arn" { + description = "ARN of the TLS certificate, imported in ACM, which will be used for the TLS listener on the load balancer." + type = string + default = null } -variable "tls_policy" { +variable "lb_tls_policy" { description = "TLS security policy on the listener." type = string default = "ELBSecurityPolicy-TLS13-1-2-2021-06" } - -variable "tls_certificate_arn" { - description = "ARN of the certificate, imported in ACM, which will be used for the TLS listener on the load balancer." - type = string - default = null -} \ No newline at end of file diff --git a/modules/s3/outputs.tf b/modules/s3/outputs.tf deleted file mode 100644 index 01ac902..0000000 --- a/modules/s3/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "backup_bucket_name" { - value = aws_s3_bucket.backup.bucket -} diff --git a/modules/user_data/main.tf b/modules/user_data/main.tf index 6bc9b2a..643d7c5 100644 --- a/modules/user_data/main.tf +++ b/modules/user_data/main.tf 
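Review bot: The new `lb_healthy_threshold` and `lb_unhealthy_threshold` variables accept any number, but the target-group API rejects values outside its allowed range (for network load balancers I believe both thresholds must be between 2 and 10), so a bad value fails at apply time rather than at plan time; a `validation` block on each variable surfaces the error immediately. Also, the old `tls_enabled` description carried a real constraint ("Certificates with RSA keys larger than 2048-bit or EC keys cannot be used") that is dropped from the new `lb_tls_certificate_arn` description; if the constraint still holds for NLB TLS listeners, keep that sentence, since it is exactly what an operator otherwise discovers only when the listener fails to create.
```hcl
variable "lb_healthy_threshold" {
  description = "(Optional) Number of consecutive health check successes required to consider GraphDB target healthy"
  type        = number
  default     = 3

  validation {
    condition     = var.lb_healthy_threshold >= 2 && var.lb_healthy_threshold <= 10
    error_message = "lb_healthy_threshold must be between 2 and 10 (target group health check limits)."
  }
}

# … unchanged: lb_unhealthy_threshold, with the same validation on its own value …
```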
@@ -14,9 +14,8 @@ locals { device_name = var.device_name backup_schedule = var.backup_schedule - backup_iam_key_id = var.backup_iam_key_id - backup_iam_key_secret = var.backup_iam_key_secret backup_retention_count = var.backup_retention_count + backup_bucket_name = var.backup_bucket_name ebs_volume_type = var.ebs_volume_type ebs_volume_size = var.ebs_volume_size diff --git a/modules/user_data/templates/start_graphdb.sh.tpl b/modules/user_data/templates/start_graphdb.sh.tpl index 98a54da..895860a 100644 --- a/modules/user_data/templates/start_graphdb.sh.tpl +++ b/modules/user_data/templates/start_graphdb.sh.tpl @@ -196,20 +196,20 @@ function trigger_backup { --data-binary @- <<-DATA { "backupOptions": { "backupSystemData": true }, - "bucketUri": "s3:///${name}-graphdb-backup/\$backup_name?region=${region}&AWS_ACCESS_KEY_ID=${backup_iam_key_id}&AWS_SECRET_ACCESS_KEY=${backup_iam_key_secret}" + "bucketUri": "s3:///${backup_bucket_name}/\$backup_name?region=${region}" } DATA } function rotate_backups { - all_files="\$(aws --cli-connect-timeout 300 s3api list-objects --bucket ${name}-graphdb-backup --query 'Contents' | jq .)" + all_files="\$(aws --cli-connect-timeout 300 s3api list-objects --bucket ${backup_bucket_name} --query 'Contents' | jq .)" count="\$(echo \$all_files | jq length)" delete_count="\$((count - ${backup_retention_count} - 1))" for i in \$(seq 0 \$delete_count); do key="\$(echo \$all_files | jq -r .[\$i].Key)" - aws --cli-connect-timeout 300 s3 rm s3://${name}-graphdb-backup/\$key + aws --cli-connect-timeout 300 s3 rm s3://${backup_bucket_name}/\$key done } diff --git a/modules/user_data/variables.tf b/modules/user_data/variables.tf index 41318e6..f8cb303 100644 --- a/modules/user_data/variables.tf +++ b/modules/user_data/variables.tf 
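Review bot: In `rotate_backups` the changed lines keep relying on `s3api list-objects`, which returns at most 1000 keys per call ordered by key name, so the loop deletes the lexically smallest `delete_count + 1` keys; that is "oldest first" only if `$backup_name` sorts chronologically and the bucket holds fewer than 1000 objects, otherwise backups can be removed out of order or never rotated. If the naming is not guaranteed sortable, select by timestamp with `--query 'sort_by(Contents, &LastModified)[].Key'` (and paginate), and quote the expansion in `aws --cli-connect-timeout 300 s3 rm "s3://${backup_bucket_name}/\$key"`. Dropping the access-key pair from `bucketUri` means GraphDB must now obtain credentials from the instance profile; `trigger_backup` starts before this hunk, so I could not confirm nothing else in the template still references the removed key variables.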
@@ -20,13 +20,8 @@ variable "backup_schedule" {
 type = string
 }
-variable "backup_iam_key_id" {
- description = "Access key id of the IAM user to be used when uploading the backup to S3."
- type = string
-}
-
-variable "backup_iam_key_secret" {
- description = "Access key secret of the IAM user to be used when uploading the backup to S3."
+variable "backup_bucket_name" {
+ description = "Name of the S3 bucket for storing GraphDB backups"
 type = string
 }
diff --git a/modules/vm/iam.tf b/modules/vm/iam.tf
new file mode 100644
index 0000000..4480c4b
--- /dev/null
+++ b/modules/vm/iam.tf
@@ -0,0 +1,54 @@
+resource "aws_iam_role_policy" "instance_volume" {
+ name = "${var.resource_name_prefix}-graphdb-instance-volume"
+ role = var.iam_role_id
+ policy = data.aws_iam_policy_document.instance_volume.json
+}
+
+resource "aws_iam_role_policy" "instance_volume_tagging" {
+ name = "${var.resource_name_prefix}-graphdb-instance-volume-tagging"
+ role = var.iam_role_id
+ policy = data.aws_iam_policy_document.instance_volume_tagging.json
+}
+
+resource "aws_iam_role_policy_attachment" "systems-manager-policy" {
+ role = var.iam_role_id
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+data "aws_iam_policy_document" "instance_volume" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "ec2:CreateVolume",
+ "ec2:AttachVolume",
+ "ec2:DescribeVolumes"
+ ]
+
+ resources = ["*"]
+ }
+}
+
+data "aws_iam_policy_document" "instance_volume_tagging" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "ec2:CreateTags"
+ ]
+
+ resources = [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "ec2:CreateAction"
+ values = [
+ "CreateVolume",
+ "CreateSnapshot"
+ ]
+ }
+ }
+}
diff --git a/modules/vm/main.tf b/modules/vm/main.tf
index 8dff832..a931ace 100644
--- a/modules/vm/main.tf
+++ b/modules/vm/main.tf
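Review bot: `data "aws_iam_policy_document" "instance_volume"` grants `ec2:CreateVolume` and `ec2:AttachVolume` on `resources = ["*"]`, so every GraphDB node may attach any EBS volume in the account to any instance; only `ec2:DescribeVolumes` genuinely needs `*`, since Describe actions have no resource-level support. Splitting the statement and scoping `AttachVolume` to volume and instance ARNs with a resource-tag condition matching whatever tag the user-data applies when it creates the volume (the key is not visible in this diff, so it is a placeholder below) would confine a compromised node to its own disks; the `instance_volume_tagging` statement already shows tagging happens at `CreateVolume`, so the tag is available for the condition. This file also attaches all three policies to `var.iam_role_id` unconditionally, which per `modules/iam/outputs.tf` is the caller's role when `user_supplied_iam_role_name` is set.
```hcl
data "aws_iam_policy_document" "instance_volume" {
  # Describe* actions do not support resource-level permissions; "*" stays here only.
  statement {
    effect    = "Allow"
    actions   = ["ec2:DescribeVolumes"]
    resources = ["*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["ec2:CreateVolume"]
    resources = ["arn:aws:ec2:*:*:volume/*"]
  }

  statement {
    effect  = "Allow"
    actions = ["ec2:AttachVolume"]
    resources = [
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:ec2:*:*:instance/*"
    ]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/<TAG_KEY_APPLIED_BY_USER_DATA>" # placeholder: confirm against the tagging in user_data
      values   = ["<TAG_VALUE_APPLIED_BY_USER_DATA>"]              # placeholder
    }
  }
}

# … unchanged: instance_volume_tagging document and the role policy resources …
```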
@@ -127,7 +127,7 @@ resource "aws_launch_template" "graphdb" { ebs_optimized = "true" iam_instance_profile { - name = var.aws_iam_instance_profile + name = var.iam_instance_profile } metadata_options { diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf index 8541811..236b934 100644 --- a/modules/vm/variables.tf +++ b/modules/vm/variables.tf @@ -5,13 +5,18 @@ variable "vpc_id" { type = string } -variable "aws_iam_instance_profile" { +variable "resource_name_prefix" { + description = "Resource name prefix used for tagging and naming AWS resources" + type = string +} + +variable "iam_instance_profile" { description = "IAM instance profile name to use for GraphDB instances" type = string } -variable "resource_name_prefix" { - description = "Resource name prefix used for tagging and naming AWS resources" +variable "iam_role_id" { + description = "IAM role ID to attach permission policies to" type = string } @@ -65,12 +70,6 @@ variable "allowed_inbound_cidrs_ssh" { default = null } -variable "common_tags" { - description = "(Optional) Map of common tags for all taggable AWS resources." - type = map(string) - default = {} -} - variable "key_name" { description = "key pair to use for SSH access to instance" type = string @@ -80,5 +79,5 @@ variable "key_name" { variable "node_count" { description = "Number of GraphDB nodes to deploy in ASG" type = number - default = 5 + default = 3 } diff --git a/outputs.tf b/outputs.tf index 63100fe..d81bd65 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,3 +1,8 @@ +output "backup_bucket_name" { + description = "Name of the S3 bucket for storing GraphDB backups" + value = module.backup.bucket_name +} + output "asg_name" { value = module.vm.asg_name } diff --git a/variables.tf b/variables.tf index 9e98523..6098808 100644 --- a/variables.tf +++ b/variables.tf 
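Review bot: The `node_count` default in `modules/vm/variables.tf` changes from 5 to 3 in a commit that is otherwise an IAM/backup refactor, and the root `variables.tf` `node_count` block (visible as unchanged context later in this diff) is not touched, so the two defaults may now disagree; whichever is authoritative, the change deserves its own line in the commit message or changelog. If cluster quorum depends on this number, I would keep the default change out of this commit unless the root default already says 3.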
@@ -1,14 +1,4 @@ -variable "allowed_inbound_cidrs_lb" { - type = list(string) - description = "(Optional) List of CIDR blocks to permit inbound traffic from to load balancer" - default = null -} - -variable "allowed_inbound_cidrs_ssh" { - type = list(string) - description = "(Optional) List of CIDR blocks to permit for SSH to GraphDB nodes" - default = null -} +# Common configurations variable "common_tags" { type = map(string) @@ -16,17 +6,26 @@ variable "common_tags" { default = {} } -variable "instance_type" { +# Backup configurations + +variable "backup_schedule" { + description = "Cron expression for the backup job." type = string - default = "r6g.2xlarge" - description = "EC2 instance type" - nullable = false + default = "0 0 * * *" } -variable "key_name" { - type = string - default = null - description = "(Optional) key pair to use for SSH access to instance" +variable "backup_retention_count" { + description = "Number of backups to keep." + type = number + default = 7 +} + +# Load balancer & TLS + +variable "lb_internal" { + description = "Whether the load balancer will be internal or public" + type = bool + default = false } variable "lb_deregistration_delay" { 
@@ -47,10 +46,43 @@ variable "lb_health_check_interval" { default = 10 } -variable "lb_internal" { - description = "Whether the load balancer will be internal or public" - type = bool - default = false +variable "lb_tls_certificate_arn" { + description = "ARN of the TLS certificate, imported in ACM, which will be used for the TLS listener on the load balancer." + type = string + default = null +} + +variable "lb_tls_policy" { + description = "TLS security policy on the listener." + type = string + default = "ELBSecurityPolicy-TLS13-1-2-2021-06" +} + +# + +variable "allowed_inbound_cidrs_lb" { + type = list(string) + description = "(Optional) List of CIDR blocks to permit inbound traffic from to load balancer" + default = null +} + +variable "allowed_inbound_cidrs_ssh" { + type = list(string) + description = "(Optional) List of CIDR blocks to permit for SSH to GraphDB nodes" + default = null +} + +variable "instance_type" { + type = string + default = "r6g.2xlarge" + description = "EC2 instance type" + nullable = false +} + +variable "key_name" { + type = string + default = null + description = "(Optional) key pair to use for SSH access to instance" } variable "node_count" { @@ -89,7 +121,7 @@ variable "ami_id" { variable "graphdb_version" { description = "GraphDB version" type = string - default = "10.3.3" + default = "10.4.0-RC5" nullable = false } @@ -116,24 +148,6 @@ variable "device_name" { default = "/dev/sdf" } -variable "backup_schedule" { - description = "Cron expression for the backup job." - type = string - default = "0 0 * * *" -} - -variable "backup_retention_count" { - description = "Number of backups to keep." - type = number - default = 7 -} - -variable "s3_access_log_bucket" { - description = "S3 bucket ID for storing access logs of the GraphDB backup bucket" - type = string - default = null -} - variable "ebs_volume_type" { description = "Type of the EBS volumes, used by the GraphDB nodes." type = string 
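Review bot: `graphdb_version` now defaults to `10.4.0-RC5`, a release candidate, so anyone applying this module with defaults deploys pre-release software; pin the default to a GA release and let callers opt in to RCs explicitly, and mention the bump in the commit message since it is unrelated to the IAM refactor. The bare `#` line introduced between the TLS variables and `allowed_inbound_cidrs_lb` is an empty section header that the other sections (`# Common configurations`, `# Backup configurations`, `# Load balancer & TLS`) make conspicuous; name it, e.g. `# Instances & network access`, or remove it.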
@@ -181,21 +195,3 @@ variable "zone_dns_name" { type = string default = "graphdb.cluster" } - -variable "tls_enabled" { - description = "If enabled, a certificate must be imported in ACM and its ARN set in the tls_certificate_arn variable. Certificates with RSA keys larger than 2048-bit or EC keys cannot be used." - type = bool - default = false -} - -variable "tls_policy" { - description = "TLS security policy on the listener." - type = string - default = "ELBSecurityPolicy-TLS13-1-2-2021-06" -} - -variable "tls_certificate_arn" { - description = "ARN of the certificate, imported in ACM, which will be used for the TLS listener on the load balancer." - type = string - default = null -} \ No newline at end of file