Add PostgREST ALB for SSL termination, add domain support to tunnel.sh

2019-01-31 00:54:52 +00:00 · 2019-01-31 00:54:52 +00:00 · d752f31083
--- a/bin/tunnel.sh
+++ b/bin/tunnel.sh
@ -25,7 +25,9 @@ EC2_INFO=$(aws ec2 --region $REGION describe-instances)
 BASTION_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.State ; .Name == \"running\"))) | map(select(any(.Tags // [] | from_entries ; .[\"host-type\"] == \"${ENVIRONMENT}-bastion\"))) | .[] .PublicIpAddress" | shuf | head -n1)
 echo $BASTION_IP

-if [[ $HOST_TYPE_OR_NAME == *"-"* ]] ; then
+if [[ $HOST_TYPE_OR_NAME == *"."* ]] ; then
+  TARGET_IP=$(dig +short $HOST_TYPE_OR_NAME | shuf | head -n1)
+elif [[ $HOST_TYPE_OR_NAME == *"-"* ]] ; then
  # it's a hostname
  TARGET_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.State ; .Name == \"running\"))) | map(select(any(.Tags // [] | from_entries ; .[\"Name\"] == \"${HOST_TYPE_OR_NAME}\"))) | .[] | .PrivateIpAddress" | shuf | head -n1)
 else
--- a/terraform/live/dev/postgrest/terraform.tfvars
+++ b/terraform/live/dev/postgrest/terraform.tfvars
@ -12,6 +12,8 @@ terragrunt = {
  }
 }

+postgrest_domain = "reticulum.io"
+postgrest_dns_prefix = "postgrest."
 postgrest_instance_type = "m3.medium"
 postgrest_http_port = 3000
 postgrest_restart_strategy = "at-once"
--- a/terraform/live/prod/postgrest/terraform.tfvars
+++ b/terraform/live/prod/postgrest/terraform.tfvars
@ -12,6 +12,8 @@ terragrunt = {
  }
 }

+postgrest_domain = "reticulum.io"
+postgrest_dns_prefix = "postgrest."
 postgrest_instance_type = "m3.medium"
 postgrest_http_port = 3000
 postgrest_restart_strategy = "at-once"
--- a/terraform/modules/postgrest/main.tf
+++ b/terraform/modules/postgrest/main.tf
@ -11,6 +11,10 @@ data "terraform_remote_state" "hab" { backend = "s3", config = { key = "hab/terr
 data "terraform_remote_state" "ret-db" { backend = "s3", config = { key = "ret-db/terraform.tfstate", bucket = "${var.shared["state_bucket"]}", region = "${var.shared["region"]}", dynamodb_table = "${var.shared["dynamodb_table"]}", encrypt = "true" } }
 data "terraform_remote_state" "ret" { backend = "s3", config = { key = "ret/terraform.tfstate", bucket = "${var.shared["state_bucket"]}", region = "${var.shared["region"]}", dynamodb_table = "${var.shared["dynamodb_table"]}", encrypt = "true" } }

+data "aws_route53_zone" "postgrest-zone" {
+  name = "${var.postgrest_domain}."
+}
+
 data "aws_ami" "hab-base-ami" {
  most_recent = true
  owners = ["self"]
@ -21,6 +25,84 @@ data "aws_ami" "hab-base-ami" {
  }
 }

+data "aws_acm_certificate" "postgrest-alb-listener-cert" {
+  domain = "*.${var.postgrest_domain}"
+  statuses = ["ISSUED"]
+  most_recent = true
+}
+
+data "aws_acm_certificate" "postgrest-alb-listener-cert-east" {
+  provider = "aws.east"
+  domain = "*.${var.postgrest_domain}"
+  statuses = ["ISSUED"]
+  most_recent = true
+}
+
+resource "aws_security_group" "postgrest-alb" {
+  name = "${var.shared["env"]}-postgrest-alb"
+  vpc_id = "${data.terraform_remote_state.vpc.vpc_id}"
+
+  ingress {
+    from_port = "${var.postgrest_http_port}"
+    to_port = "${var.postgrest_http_port}"
+    protocol = "tcp"
+    security_groups = ["${data.terraform_remote_state.bastion.bastion_security_group_id}"]
+  }
+}
+
+resource "aws_security_group_rule" "postgrest-alb-egress" {
+  type = "egress"
+  from_port = "${var.postgrest_http_port}"
+  to_port = "${var.postgrest_http_port}"
+  protocol = "tcp"
+  security_group_id = "${aws_security_group.postgrest-alb.id}"
+  source_security_group_id = "${aws_security_group.postgrest.id}"
+}
+
+resource "aws_alb" "postgrest-alb" {
+  name = "${var.shared["env"]}-postgrest-alb"
+
+  security_groups = [
+    "${aws_security_group.postgrest-alb.id}"
+  ]
+
+  subnets = ["${data.terraform_remote_state.vpc.private_subnet_ids}"]
+  internal = true
+
+  lifecycle { create_before_destroy = true }
+}
+
+resource "aws_alb_target_group" "postgrest-alb-group-http" {
+  name = "${var.shared["env"]}-postgrest-alb-group-http"
+  vpc_id = "${data.terraform_remote_state.vpc.vpc_id}"
+  port = "${var.postgrest_http_port}"
+  protocol = "HTTP"
+  deregistration_delay = 0
+
+  health_check {
+    path = "/"
+    healthy_threshold = 2
+    unhealthy_threshold = 2
+    interval = 10
+    timeout = 5
+  }
+}
+
+resource "aws_alb_listener" "postgrest-ssl-alb-listener" {
+  load_balancer_arn = "${aws_alb.postgrest-alb.arn}"
+  port = "${var.postgrest_http_port}"
+
+  protocol = "HTTPS"
+  ssl_policy = "ELBSecurityPolicy-2015-05"
+
+  certificate_arn = "${data.aws_acm_certificate.postgrest-alb-listener-cert.arn}"
+
+  default_action {
+    target_group_arn = "${aws_alb_target_group.postgrest-alb-group-http.arn}"
+    type = "forward"
+  }
+}
+
 resource "aws_security_group" "postgrest" {
  name = "${var.shared["env"]}-postgrest"
  vpc_id = "${data.terraform_remote_state.vpc.vpc_id}"
@ -44,7 +126,7 @@ resource "aws_security_group" "postgrest" {
    from_port = "${var.postgrest_http_port}"
    to_port = "${var.postgrest_http_port}"
    protocol = "tcp"
-    security_groups = ["${data.terraform_remote_state.bastion.bastion_security_group_id}"]
+    security_groups = ["${aws_security_group.postgrest-alb.id}"]
  }

  # SSH
@ -112,8 +194,22 @@ resource "aws_autoscaling_group" "postgrest" {
  min_size = "1"
  max_size = "1"

+  target_group_arns = ["${aws_alb_target_group.postgrest-alb-group-http.arn}"]
+
  lifecycle { create_before_destroy = true }
  tag { key = "env", value = "${var.shared["env"]}", propagate_at_launch = true }
  tag { key = "host-type", value = "${var.shared["env"]}-postgrest", propagate_at_launch = true }
  tag { key = "hab-ring", value = "${var.shared["env"]}", propagate_at_launch = true }
 }
+
+resource "aws_route53_record" "postgrest-dns" {
+  zone_id = "${data.aws_route53_zone.postgrest-zone.zone_id}"
+  name = "${var.postgrest_dns_prefix}${data.aws_route53_zone.postgrest-zone.name}"
+  type = "A"
+
+  alias {
+    name = "${aws_alb.postgrest-alb.dns_name}"
+    zone_id = "${aws_alb.postgrest-alb.zone_id}"
+    evaluate_target_health = true
+  }
+}
--- a/terraform/modules/postgrest/output.tf
+++ b/terraform/modules/postgrest/output.tf
@ -1,3 +1,11 @@
+output "postgrest_target_group_id" {
+  value = "${aws_alb_target_group.postgrest-alb-group-http.arn}"
+}
+
 output "postgrest_security_group_id" {
  value = "${aws_security_group.postgrest.id}"
 }
+
+output "postgrest_alb_id" {
+  value = "${aws_alb.postgrest-alb.id}"
+}
--- a/terraform/modules/postgrest/vars.tf
+++ b/terraform/modules/postgrest/vars.tf
@ -13,3 +13,13 @@ variable "postgrest_channel" {
 variable "postgrest_restart_strategy" {
  description = "Habitat restart strategy for PostgREST"
 }
+
+variable "postgrest_domain" {
+  description = "Domain name being used for PostgREST server (ex reticulum.io)"
+}
+
+variable "postgrest_dns_prefix" {
+  description = "Prefix before domain for DNS entry"
+}
+
+