Merge pull request #143 from NetApp/update_terraform_fsxn

Updated to use Secrets Manager, and some other updates.

Author: kcantrel

Terraform/deploy-fsx-ontap/module/README.md

@@ -21,15 +21,23 @@ Calling this terraform module will result the following:
 * Create a new AWS Security Group in your VPC with the following rules:
     - **Ingress** allow all ICMP traffic
     - **Ingress** allow nfs port 111 (both TCP and UDP)
-    - **Ingress** allow cifc TCP port 139
+    - **Ingress** allow cifs TCP port 139
     - **Ingress** allow snmp ports 161-162 (both TCP and UDP)
     - **Ingress** allow smb cifs TCP port 445
-    - **Ingress** alloe bfs mount port 635 (both TCP and UDP)
+    - **Ingress** allow nfs mount port 635 (both TCP and UDP)
+    - **Ingress** allow kerberos TCP port 749
+    - **Ingress** allow nfs port 2049 (both TCP and UDP)
+    - **Ingress** allow nfs lock and monitoring 4045-4046 (both TCP and UDP)
+    - **Ingress** allow nfs quota TCP 4049
+    - **Ingress** allow Snapmirror Intercluster communication TCP port 11104
+    - **Ingress** allow Snapmirror data transfer TCP port 11105
+    - **Ingress** allow ssh port 22
+    - **Ingress** allow https port 443
     - **Egress** allow all traffic
 * Create a new FSx for Netapp ONTAP file-system in your AWS account named "_terraform-fsxn_". The file-system will be created with the following configuration parameters:
     * 1024Gb of storage capacity
     * Multi AZ deployment type
-    * 256Mbps of throughput capacity 
+    * 128Mbps of throughput capacity 
 
 * Create a Storage Virtual Maching (SVM) in this new file-system named "_first_svm_"
 * Create a new FlexVol volume in this SVM named "_vol1_" with the following configuration parameters:
@@ -49,8 +57,8 @@ Calling this terraform module will result the following:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.6 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
+| terraform | >= 1.6.6 |
+| aws provider | >= 5.25 |
 
 ### AWS Account Setup
 
@@ -68,24 +76,23 @@ Calling this terraform module will result the following:
 > [!NOTE]
 > In this sample, the AWS Credentials were configured through [AWS CLI](https://aws.amazon.com/cli/), which adds them to a shared configuration file (option 4 above). Therefore, this documentation only provides guidance on setting-up the AWS credentials with shared configuration file using AWS CLI.
 
-    #### Configure AWS Credentials using AWS CLI
+#### Configure AWS Credentials using AWS CLI
 
-    The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at `$HOME/.aws/config` and `$HOME/.aws/credentials` on Linux and macOS, and `"%USERPROFILE%\.aws\credentials"` on Windows.
+The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at `$HOME/.aws/config` and `$HOME/.aws/credentials` on Linux and macOS, and `"%USERPROFILE%\.aws\credentials"` on Windows.
 
-    There are several ways to set your credentials and configuration setting using AWS CLI. We will use [`aws configure`](https://docs.aws.amazon.com/cli/latest/reference/configure/index.html) command:
+There are several ways to set your credentials and configuration setting using AWS CLI. We will use [`aws configure`](https://docs.aws.amazon.com/cli/latest/reference/configure/index.html) command:
 
-    Run the following command to quickly set and view your credentails, region, and output format. The following example shows sample values:
+Run the following command to quickly set and view your credentails, region, and output format. The following example shows sample values:
 
-    ```shell
-    $ aws configure
-    AWS Access Key ID [None]: < YOUR-ACCESS-KEY-ID >
-    AWS Secret Access Key [None]: < YOUR-SECRET-ACCESS-KE >
-    Default region name [None]: < YOUR-PREFERRED-REGION >
-    Default output format [None]: json
-    ```
-
-    To list configuration data, use the [`aws configire list`](https://docs.aws.amazon.com/cli/latest/reference/configure/list.html) command. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.
+```shell
+$ aws configure
+AWS Access Key ID [None]: < YOUR-ACCESS-KEY-ID >
+AWS Secret Access Key [None]: < YOUR-SECRET-ACCESS-KE >
+Default region name [None]: < YOUR-PREFERRED-REGION >
+Default output format [None]: json
+```
 
+To list configuration data, use the [`aws configire list`](https://docs.aws.amazon.com/cli/latest/reference/configure/list.html) command. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.
 
 ## Usage
 
@@ -250,27 +257,27 @@ terraform apply -y
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| fsx_admin_password | The ONTAP administrative password for the fsxadmin user that you can use to administer your file system using the ONTAP CLI and REST API | `string` | n/a | yes |
 | backup_retention_days | The number of days to retain automatic backups. Setting this to 0 disables automatic backups. You can retain automatic backups for a maximum of 90 days. | `number` | `0` | no |
-| cidr_for_sg | cide block to be used for the ingress rules | `string` | `"0.0.0.0/0"` | no |
-| create_sg | Determines whether the SG should be deployed as part of this execution or not | `bool` | `false` | no |
+| cidr_for_sg | cidr block to be used for the created security ingress rules. | `string` | `"10.0.0.0/8"` | no |
+| create_sg | Determines whether the SG should be deployed as part of this execution or not | `bool` | `true` | no |
 | daily_backup_start_time | A recurring daily time, in the format HH:MM. HH is the zero-padded hour of the day (0-23), and MM is the zero-padded minute of the hour. Requires automatic_backup_retention_days to be set. | `string` | `"00:00"` | no |
-| disk_iops_configuration | The SSD IOPS configuration for the Amazon FSx for NetApp ONTAP file system | `map(any)` | `null` | no |
+| disk_iops_configuration | The SSD IOPS configuration for the Amazon FSx for NetApp ONTAP file system | `map(any)` | <pre>{<br>  "mode": "AUTOMATIC"<br>}</pre> | no |
 | fsx_capacity_size_gb | The storage capacity (GiB) of the FSxN file system. Valid values between 1024 and 196608 | `number` | `1024` | no |
 | fsx_deploy_type | The filesystem deployment type. Supports MULTI_AZ_1 and SINGLE_AZ_1 | `string` | `"MULTI_AZ_1"` | no |
 | fsx_maintenance_start_time | The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone. | `string` | `"1:00:00"` | no |
-| fsx_name | The deployed filesystem name | `string` | `"terraform-fsxn"` | no |
-| fsx_subnets | A list of IDs for the subnets that the file system will be accessible from. Up to 2 subnets can be provided. | `map(any)` | <pre>{<br>  "primarysub": "",<br>  "secondarysub": ""<br>}</pre> | no |
-| fsx_tput_in_MBps | The throughput capacity (in MBps) for the file system. Valid values are 128, 256, 512, 1024, 2048, and 4096. | `number` | `256` | no |
+| fsx_secret_name | The name of the secure where the FSxN passwood is stored | `string` | `""` | no |
+| fsx_subnets | The subnets from where the file system will be accessible from. For MULTI_AZ_1 deployment type, provide both primvary and secondary subnets. For SINGLE_AZ_1 deployment type, only the primary subnet is used. | `map(string)` | <pre>{<br>  "primarysub": "subnet-111111111",<br>  "secondarysub": "subnet-222222222"<br>}</pre> | no |
+| fsx_tput_in_MBps | The throughput capacity (in MBps) for the file system. Valid values are 128, 256, 512, 1024, 2048, and 4096. | `number` | `128` | no |
 | kms_key_id | ARN for the KMS Key to encrypt the file system at rest, Defaults to an AWS managed KMS Key. | `string` | `null` | no |
-| root_vol_sec_style | Specifies the root volume security style, Valid values are UNIX, NTFS, and MIXED. All volumes created under this SVM will inherit the root security style unless the security style is specified on the volume. | `string` | `"UNIX"` | no |
+| root_vol_sec_style | Specifies the root volume security style, Valid values are UNIX, NTFS, and MIXED (although MIXED is not recommended). All volumes created under this SVM will inherit the root security style unless the security style is specified on the volume. | `string` | `"UNIX"` | no |
 | route_table_ids | Specifies the VPC route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table. | `list(any)` | `null` | no |
-| storage_type | The filesystem storage type | `string` | `"SSD"` | no |
+| security_group_id | If you are not creating the SG, provide the ID of the SG to be used | `string` | `""` | no |
+| source_security_group_id | The ID of the security group to allow access to the FSxN file system. | `string` | `""` | no |
 | svm_name | The name of the Storage Virtual Machine | `string` | `"first_svm"` | no |
 | tags | Tags to be applied to the resources | `map(any)` | <pre>{<br>  "Name": "terraform-fsxn"<br>}</pre> | no |
 | vol_info | Details for the volume creation | `map(any)` | <pre>{<br>  "bypass_sl_retention": false,<br>  "cooling_period": 31,<br>  "copy_tags_to_backups": false,<br>  "efficiency": true,<br>  "junction_path": "/vol1",<br>  "sec_style": "UNIX",<br>  "size_mg": 1024,<br>  "skip_final_backup": false,<br>  "tier_policy_name": "AUTO",<br>  "vol_name": "vol1",<br>  "vol_type": "RW"<br>}</pre> | no |
 | vol_snapshot_policy | Specifies the snapshot policy for the volume | `map(any)` | `null` | no |
-| vpc_id | The ID of the VPC in which the FSxN fikesystem should be deployed | `string` | `"vpc-111111111"` | no |
+| vpc_id | The ID of the VPC in which the FSxN fikesystem should be deployed | `string` | `""` | no |
 
 ### Outputs
 
@@ -297,4 +304,4 @@ See the License for the specific language governing permissions and limitations
 
 <!-- END_TF_DOCS -->
 
-© 2024 NetApp, Inc. All Rights Reserved.
+© 2024 NetApp, Inc. All Rights Reserved.

Terraform/deploy-fsx-ontap/module/main.tf

@@ -1,162 +1,52 @@
-// TODO add SG rule for SnapMirror
-
 # Copyright (c) NetApp, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-/* 
-  The following resources are a Security Group followed by ingress and egress rules for FSx ONTAP. 
-  The Security Group is not required for deploying FSx ONTAP, but is included here for completeness.
-
-  - If you wish to skip this resource, pass the variable "create_sg" as false to the module block. Otherwise, pass true.
-
-  - If you wish to use the Security Group, choose the relevant source for the ingress rules as cidr block and pass the variable "cidr_for_sg" to the module block.
-
-  Note that a source reference for a Security Group is optional, but is considered to be a best practice.
-  The rules below are just a suggestion for basic functionality.
-*/
-
-resource "aws_security_group" "fsx_sg" {
-  count       = var.create_sg ? 1 : 0
-  name        = "fsx_sg"
-  description = "Allow FSx ONTAP required ports"
-  vpc_id      = var.vpc_id
-}
-
-resource "aws_vpc_security_group_ingress_rule" "all_icmp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Allow all ICMP traffic"
-  cidr_ipv4         = "0.0.0.0/0"
-  from_port         = -1
-  to_port           = -1
-  ip_protocol       = "icmp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_tcp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Remote procedure call for NFS"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 111
-  to_port           = 111
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_udp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Remote procedure call for NFS"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 111
-  to_port           = 111
-  ip_protocol       = "udp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "cifs" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "NetBIOS service session for CIFS"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 139
-  to_port           = 139
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "snmp_tcp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Simple network management protocol for log collection"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 161
-  to_port           = 162
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "snmp_udp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Simple network management protocol for log collection"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 161
-  to_port           = 162
-  ip_protocol       = "udp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "smb_cifs" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Microsoft SMB/CIFS over TCP with NetBIOS framing"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 445
-  to_port           = 445
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_mount_tcp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "NFS mount"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 635
-  to_port           = 635
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_mount_udp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "NFS mount"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 635
-  to_port           = 635
-  ip_protocol       = "udp"
-}
-
-resource "aws_vpc_security_group_egress_rule" "allow_all_traffic" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  cidr_ipv4         = "0.0.0.0/0"
-  ip_protocol       = "-1"
-}
-
 /*
-  The following resources are for deploying a complete FSx ONTAP file system. 
-  The code below deploys the following resources in this order:
-  1. A file system 
-  2. A storage virtual machine
-  3. A volume within the storage virtual machine
-
-  Every resource include both optional and required parameters, separated by a comment line.
-  Feel free to add or remove optional parameters as needed.
-  The current settings are just a suggestion for basic functionality.
-*/
+   The following resources are for deploying a complete FSx ONTAP file system. 
+   The code below deploys the following resources in this order:
+   1. A file system 
+   2. A storage virtual machine
+   3. A volume within the storage virtual machine
+  
+   Every resource include both optional and required parameters, separated by a comment line.
+   Feel free to add or remove optional parameters as needed.
+ */
 
 resource "aws_fsx_ontap_file_system" "terraform-fsxn" {
   // REQUIRED PARAMETERS 
-  subnet_ids          = [var.fsx_subnets["primarysub"], var.fsx_subnets["secondarysub"]]
+  subnet_ids = (var.fsx_deploy_type == "MULTI_AZ_1" ? [var.fsx_subnets["primarysub"], var.fsx_subnets["secondarysub"]] : [var.fsx_subnets["primarysub"]])
   preferred_subnet_id = var.fsx_subnets["primarysub"]
 
   // OPTIONAL PARAMETERS
   storage_capacity                  = var.fsx_capacity_size_gb
-  security_group_ids                = var.create_sg ? [element(aws_security_group.fsx_sg.*.id, 0)] : []
+  security_group_ids                = var.create_sg ? [element(aws_security_group.fsx_sg.*.id, 0)] : [var.security_group_id]
   deployment_type                   = var.fsx_deploy_type
   throughput_capacity               = var.fsx_tput_in_MBps
   weekly_maintenance_start_time     = var.fsx_maintenance_start_time
   kms_key_id                        = var.kms_key_id
   automatic_backup_retention_days   = var.backup_retention_days
   daily_automatic_backup_start_time = var.daily_backup_start_time
-  storage_type                      = var.storage_type
-  fsx_admin_password = var.fsx_admin_password
-  route_table_ids    = var.route_table_ids
-  tags               = var.tags
+  fsx_admin_password                = data.aws_secretsmanager_secret_version.fsx_password.secret_string
+  route_table_ids                   = var.route_table_ids
+  tags                              = var.tags
   dynamic "disk_iops_configuration" {
     for_each = var.disk_iops_configuration != null ? [var.disk_iops_configuration] : []
     content {
       iops = disk_iops_configuration.value["iops"]
       mode = disk_iops_configuration.value["mode"]
     }
   }
-  # endpoint_ip_address_range = ""
+
+  lifecycle {
+    precondition {
+      condition = !var.create_sg || (var.cidr_for_sg != "" && var.source_security_group_id == "" || var.cidr_for_sg == "" && var.source_security_group_id != "")
+      error_message = "You must specify EITHER cidr_block OR source_security_group_id when creating a security group, not both."
+    }
+    precondition {
+      condition = var.create_sg || var.security_group_id != ""
+      error_message = "You must specify a security group ID when not creating a security group."
+    }
+  }
 }
 
 resource "aws_fsx_ontap_storage_virtual_machine" "mysvm" {
@@ -166,7 +56,6 @@ resource "aws_fsx_ontap_storage_virtual_machine" "mysvm" {
 
   // OPTIONAL PARAMETERS
   root_volume_security_style = var.root_vol_sec_style
-  tags                       = var.tags
   # active_directory_configuration {}
 }
 
@@ -190,5 +79,12 @@ resource "aws_fsx_ontap_volume" "myvol" {
   skip_final_backup                    = var.vol_info["skip_final_backup"]
   # snaplock_configuration {}
   # snapshot_policy {}
-  tags            = var.tags
+}
+#
+# The next two data blocks retrieve the secret from Secrets Manager.
+data "aws_secretsmanager_secret" "fsx_secret" {
+  name = var.fsx_secret_name
+}
+data "aws_secretsmanager_secret_version" "fsx_password" {
+  secret_id = data.aws_secretsmanager_secret.fsx_secret.id
 }