Configured dynamic ingress rule creation for mysql and redis SGs

burmek · burmek · commit 2608d8f5cdff · 2023-06-05T21:10:44.000-04:00
diff --git a/.terraform/modules/comet_eks.eks b/.terraform/modules/comet_eks.eks
@@ -0,0 +1 @@
+Subproject commit b6fa04f65bdcb26869215fb840f5ee088a096bc8
diff --git a/.terraform/modules/comet_eks.eks.kms b/.terraform/modules/comet_eks.eks.kms
@@ -0,0 +1 @@
+Subproject commit b026981f6b80240f8d22ca7ebcee61d67d1e9256
diff --git a/.terraform/modules/comet_eks.irsa-ebs-csi b/.terraform/modules/comet_eks.irsa-ebs-csi
@@ -0,0 +1 @@
+Subproject commit cab883e39115c1e740bddeb8021c1a8c6f73ef52
diff --git a/.terraform/modules/modules.json b/.terraform/modules/modules.json
diff --git a/main.tf b/main.tf
@@ -51,7 +51,7 @@ module "vpc" {
 
 module "comet_ec2" {
   source = "./modules/comet_ec2"
-  count  = var.enable_comet_ec2 ? 1 : 0
+  count  = var.enable_ec2 ? 1 : 0
   
   vpc_id = module.vpc.vpc_id
   allinone_ami = "ami-05842f1afbf311a43"
@@ -74,25 +74,31 @@ module "comet_elasticache" {
   source = "./modules/comet_elasticache"
   count  = var.enable_elasticache ? 1 : 0
 
+  ec2_enabled = var.enable_ec2
+  eks_enabled = var.enable_eks
+
   vpc_id              = module.vpc.vpc_id
   vpc_private_subnets = module.vpc.private_subnets
 
-  # need to get SGs from comet_ec2 or comet_eks, depending on which is used
-  # index is used on the comet_ec2 becuase of the count usage in the toggle: "After the count apply the resource becomes a group, so later in the reference use 0-index of the group"
-  elasticache_rds_allowfrom_sg = module.comet_ec2[0].allinone_sg_id
+  # index is used on the module refs becuase of the count usage in the toggle: "After the count apply the resource becomes a group, so later in the reference use 0-index of the group"
+  elasticache_allow_ec2_sg = var.enable_ec2 ? module.comet_ec2[0].allinone_sg_id : null
+  elasticache_allow_eks_sg = var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : null
 }
 
 module "comet_rds" {
   source = "./modules/comet_rds"
   count  = var.enable_rds ? 1 : 0
 
+  ec2_enabled = var.enable_ec2
+  eks_enabled = var.enable_eks
+
   availability_zones = local.azs
   vpc_id              = module.vpc.vpc_id
   vpc_private_subnets = module.vpc.private_subnets
 
-  # need to get SGs from comet_ec2 or comet_eks, depending on which is used
-  # index is used on the comet_ec2 becuase of the count usage in the toggle: "After the count apply the resource becomes a group, so later in the reference use 0-index of the group"
-  elasticache_rds_allowfrom_sg = module.comet_ec2[0].allinone_sg_id
+  # index is used on the module refs becuase of the count usage in the toggle: "After the count apply the resource becomes a group, so later in the reference use 0-index of the group"
+  rds_allow_ec2_sg = var.enable_ec2 ? module.comet_ec2[0].allinone_sg_id : null
+  rds_allow_eks_sg = var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : null
   
 }
 
diff --git a/modules/comet_ec2/main.tf b/modules/comet_ec2/main.tf
@@ -38,34 +38,9 @@ resource "aws_instance" "allinone" {
 }
 
 resource "aws_security_group" "allinone_sg" {
-  name        = "${var.environment}-allinone_sg"
-  description = "Comet.ML AllInOne Security Group"
+  name        = "comet_${var.environment}_ec2_sg"
+  description = "Comet EC2 instance security group"
   vpc_id      = var.vpc_id
-  /* remove inline rules in favor of separate resource declarations
-  ingress {
-    from_port   = local.ssh_port
-    to_port     = local.ssh_port
-    protocol    = "tcp"
-    # We recommend restricting that to your company IP or by Using a bastion host
-    #security_groups = [aws_security_group.bastion_inbound_sg.id]
-    cidr_blocks = [local.cidr_anywhere]
-
-  }
-
-  ingress {
-    from_port   = local.http_port
-    to_port     = local.http_port
-    protocol    = "tcp"
-    security_groups = [aws_security_group.lb_inbound_sg.id]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = [local.cidr_anywhere]
-  }
-  */
 }
 
 resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_ssh" {
@@ -74,8 +49,6 @@ resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_ssh" {
   from_port   = local.ssh_port
   to_port     = local.ssh_port
   ip_protocol    = "tcp"
-  # We recommend restricting that to your company IP or by Using a bastion host
-  #security_groups = [aws_security_group.bastion_inbound_sg.id]
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -103,10 +76,6 @@ resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_http" {
 
 resource "aws_vpc_security_group_egress_rule" "allinone_egress_any" {
   security_group_id = aws_security_group.allinone_sg.id
-  /* no port ranges permitted when specifying all protocols
-  from_port   = local.any_port
-  to_port     = local.any_port
-  */
   ip_protocol    = "-1"
   cidr_ipv4 = local.cidr_anywhere
 }
diff --git a/modules/comet_eks/main.tf b/modules/comet_eks/main.tf
@@ -15,12 +15,6 @@ data "aws_iam_policy" "ebs_csi_policy" {
   arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 }
 
-/*
-data "aws_iam_policy" "administrator_access" {
-  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
-}
-*/
-
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 19.9"
diff --git a/modules/comet_eks/outputs.tf b/modules/comet_eks/outputs.tf
@@ -10,3 +10,6 @@ output "cluster_certificate_authority_data" {
   value = module.eks.cluster_certificate_authority_data
 }
 
+output "nodegroup_sg_id" {
+  value = module.eks.node_security_group_id
+}
diff --git a/modules/comet_elasticache/main.tf b/modules/comet_elasticache/main.tf
@@ -31,12 +31,22 @@ resource "aws_security_group" "redis_inbound_sg" {
   vpc_id = var.vpc_id
 }
 
-resource "aws_vpc_security_group_ingress_rule" "redis_port_inbound_allow" {
+resource "aws_vpc_security_group_ingress_rule" "redis_port_inbound_ec2" {
+  count = var.ec2_enabled ? 1 : 0
   security_group_id = aws_security_group.redis_inbound_sg.id
 
   from_port   = local.redis_port
   to_port     = local.redis_port
   ip_protocol    = "tcp"
-  # security groups need to change depending on whether Cx is using eks or ec2 deployment; hard-coded index won't work
-  referenced_security_group_id = var.elasticache_rds_allowfrom_sg
+  referenced_security_group_id = var.elasticache_allow_ec2_sg
+}
+
+resource "aws_vpc_security_group_ingress_rule" "redis_port_inbound_eks" {
+  count = var.eks_enabled ? 1 : 0
+  security_group_id = aws_security_group.redis_inbound_sg.id
+
+  from_port   = local.redis_port
+  to_port     = local.redis_port
+  ip_protocol    = "tcp"
+  referenced_security_group_id = var.elasticache_allow_eks_sg
 }
diff --git a/modules/comet_elasticache/variables.tf b/modules/comet_elasticache/variables.tf
@@ -46,8 +46,26 @@ variable "vpc_private_subnets" {
   default     = []
 }
 
-variable "elasticache_rds_allowfrom_sg" {
-  description = "Security group(s) attached to the Comet instance(s); Specified in the ingress allow rules on the Elasticache and RDS security groups"
+variable "elasticache_allow_ec2_sg" {
+  description = "Security group associated with EC2 compute, if provisioned"
   type        = string
   default     = ""
+}
+
+variable "elasticache_allow_eks_sg" {
+  description = "Security group associated with EKS compute, if provisioned"
+  type        = string
+  default     = ""
+}
+
+variable "ec2_enabled" {
+  description = "Indicates if EC2 compute has been provisioned for Comet"
+  type        = bool
+  default     = null
+}
+
+variable "eks_enabled" {
+  description = "Indicates if EKS compute has been provisioned for Comet"
+  type        = bool
+  default     = null
 }
diff --git a/modules/comet_rds/main.tf b/modules/comet_rds/main.tf
@@ -7,22 +7,6 @@ locals {
   }
 }
 
-resource "aws_security_group" "aurora_inbound_sg" {
-  name        = "${var.environment}_aurora_inbound_sg"
-  description = "Aurora Mysql RDS Security Group"
-  vpc_id = var.vpc_id
-}
-
-resource "aws_vpc_security_group_ingress_rule" "aurora_port_inbound_allow" {
-  security_group_id = aws_security_group.aurora_inbound_sg.id
-
-  from_port   = local.mysql_port
-  to_port     = local.mysql_port
-  ip_protocol    = "tcp"
-  # security groups need to change depending on whether Cx is using eks or ec2 deployment; hard-coded index won't work
-  referenced_security_group_id = var.elasticache_rds_allowfrom_sg
-}
-
 resource "aws_db_subnet_group" "comet-ml-rds-subnet" {
   name = "cometml_rds_sgn_${var.environment}"
   subnet_ids = var.vpc_private_subnets
@@ -55,7 +39,7 @@ resource "aws_rds_cluster" "comet-ml-cluster" {
   backup_retention_period             = 7
   final_snapshot_identifier           = "comet-ml-rds-backup-${var.environment}"
   preferred_backup_window             = "07:00-09:00"
-  vpc_security_group_ids              = [aws_security_group.aurora_inbound_sg.id]
+  vpc_security_group_ids              = [aws_security_group.mysql_sg.id]
   db_cluster_parameter_group_name     = aws_rds_cluster_parameter_group.comet-ml-cluster-pg.name
 }
 
@@ -114,4 +98,30 @@ resource "aws_rds_cluster_parameter_group" "comet-ml-cluster-pg" {
     name  = "thread_stack"
     value = "2000000"
   }
+}
+
+resource "aws_security_group" "mysql_sg" {
+  name        = "${var.environment}_mysql_sg"
+  description = "Aurora MySQL RDS Security Group"
+  vpc_id = var.vpc_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "mysql_port_inbound_ec2" {
+  count = var.ec2_enabled ? 1 : 0
+  security_group_id = aws_security_group.mysql_sg.id
+
+  from_port   = local.mysql_port
+  to_port     = local.mysql_port
+  ip_protocol    = "tcp"
+  referenced_security_group_id = var.rds_allow_ec2_sg
+}
+
+resource "aws_vpc_security_group_ingress_rule" "mysql_port_inbound_eks" {
+  count = var.eks_enabled ? 1 : 0
+  security_group_id = aws_security_group.mysql_sg.id
+
+  from_port   = local.mysql_port
+  to_port     = local.mysql_port
+  ip_protocol    = "tcp"
+  referenced_security_group_id = var.rds_allow_eks_sg
 }
diff --git a/modules/comet_rds/variables.tf b/modules/comet_rds/variables.tf
@@ -52,8 +52,26 @@ variable "availability_zones" {
   default     = []
 }
 
-variable "elasticache_rds_allowfrom_sg" {
-  description = "Security group(s) attached to the Comet instance(s); Specified in the ingress allow rules on the Elasticache and RDS security groups"
+variable "rds_allow_ec2_sg" {
+  description = "Security group associated with EC2 compute, if provisioned"
   type        = string
   default     = ""
+}
+
+variable "rds_allow_eks_sg" {
+  description = "Security group associated with EKS compute, if provisioned"
+  type        = string
+  default     = ""
+}
+
+variable "ec2_enabled" {
+  description = "Indicates if EC2 compute has been provisioned for Comet"
+  type        = bool
+  default     = null
+}
+
+variable "eks_enabled" {
+  description = "Indicates if EKS compute has been provisioned for Comet"
+  type        = bool
+  default     = null
 }
diff --git a/terraform.tfstate b/terraform.tfstate
diff --git a/terraform.tfstate.backup b/terraform.tfstate.backup
diff --git a/terraform.tfvars b/terraform.tfvars

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Subproject commit b6fa04f65bdcb26869215fb840f5ee088a096bc8`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Subproject commit b026981f6b80240f8d22ca7ebcee61d67d1e9256`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Subproject commit cab883e39115c1e740bddeb8021c1a8c6f73ef52`
Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,6 @@ output "cluster_certificate_authority_data" {`
`10`	`10`	`value = module.eks.cluster_certificate_authority_data`
`11`	`11`	`}`
`12`	`12`
	`13`	`+output "nodegroup_sg_id" {`
	`14`	`+ value = module.eks.node_security_group_id`
	`15`	`+}`