#-------------------------------------------------------------------------------
# Configure the master and replica modules.
#-------------------------------------------------------------------------------
locals {
  # CIDR blocks of the private subnets that will host the IPA servers.
  # keys() returns the map keys in lexicographic order, so the position
  # of each subnet in this list (and therefore which server lands in
  # it) is stable from one run to the next.
  subnet_cidrs = keys(data.terraform_remote_state.networking.outputs.private_subnets)

  # One fixed IP address per subnet, in the same order as
  # subnet_cidrs. AWS reserves the first four and the last address in
  # every subnet, so host number 4 is the first one an instance may
  # actually use.
  #
  # cisagov/freeipa-server-tf-module now requires us to assign IPs in
  # order to break the dependency of DNS record resources on the
  # corresponding EC2 instance resources; otherwise, it is not
  # possible to recreate the IPA servers one by one as is required
  # when a new FreeIPA AMI is made available.
  ipa_ips = [for subnet_cidr in local.subnet_cidrs : cidrhost(subnet_cidr, 4)]
}
# Create the IPA client and server security groups.
#
# The server group produced here is attached to every IPA instance
# below. Ingress is scoped to var.trusted_cidr_blocks, and the groups
# live in the VPC published by the networking remote state.
module "security_groups" {
  providers = {
    aws = aws.sharedservicesprovisionaccount
  }

  # Local module, so it is versioned together with this root module.
  source = "./security_groups"

  trusted_cidr_blocks = var.trusted_cidr_blocks
  vpc_id              = data.terraform_remote_state.networking.outputs.vpc.id
}
# Create the IPA servers.
#
# Each server is placed in its own private subnet and given the fixed
# address computed in local.ipa_ips for that subnet; the three module
# blocks therefore index subnet_cidrs and ipa_ips with the same
# position and require at least three private subnets.
#
# NOTE(review): the module source below carries no ?ref= pin, so
# `terraform init` tracks the module repository's default branch.
# Pinning to a release tag or commit makes module upgrades explicit
# and reviewable instead of implicit on the next init.
module "ipa0" {
  providers = {
    aws                                   = aws.sharedservicesprovisionaccount_ipa0
    aws.provision_ssm_parameter_read_role = aws.provision_ssm_parameter_read_role
  }

  source = "github.com/cisagov/freeipa-server-tf-module"

  ami_owner_account_id = local.images_account_id
  # The *_key arguments are SSM Parameter Store key names, not the
  # secret values themselves; presumably the module reads them through
  # the provision_ssm_parameter_read_role provider alias above — verify
  # against the module's variables.
  crowdstrike_falcon_sensor_customer_id_key = var.crowdstrike_falcon_sensor_customer_id_key
  crowdstrike_falcon_sensor_tags_key        = var.crowdstrike_falcon_sensor_tags_key
  domain                                    = var.cool_domain
  hostname                                  = "ipa0.${var.cool_domain}"
  ip                                        = local.ipa_ips[0]
  nessus_hostname_key                       = var.nessus_hostname_key
  nessus_key_key                            = var.nessus_key_key
  nessus_port_key                           = var.nessus_port_key
  netbios_name                              = var.netbios_name
  # Kerberos realm, by convention the upper-cased DNS domain.
  realm          = upper(var.cool_domain)
  root_disk_size = var.root_disk_size
  security_group_ids = [
    module.security_groups.server.id,
    data.terraform_remote_state.cdm.outputs.cdm_security_group.id,
    data.terraform_remote_state.networking.outputs.cloudwatch_agent_endpoint_client_security_group.id,
    data.terraform_remote_state.networking.outputs.ssm_agent_endpoint_client_security_group.id,
    # Used to pull the CDM agent parameters from SSM
    data.terraform_remote_state.networking.outputs.ssm_endpoint_client_security_group.id,
  ]
  subnet_id = data.terraform_remote_state.networking.outputs.private_subnets[local.subnet_cidrs[0]].id
}
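# Second IPA server, in the second private subnet with the matching
# fixed address from local.ipa_ips.
#
# NOTE(review): the module source has no ?ref= pin, so `terraform
# init` tracks the module repository's default branch; pin to a tag or
# commit to make upgrades explicit.
module "ipa1" {
  providers = {
    aws                                   = aws.sharedservicesprovisionaccount_ipa1
    aws.provision_ssm_parameter_read_role = aws.provision_ssm_parameter_read_role
  }

  source = "github.com/cisagov/freeipa-server-tf-module"

  ami_owner_account_id = local.images_account_id
  # The *_key arguments are SSM Parameter Store key names, not the
  # secret values themselves.
  crowdstrike_falcon_sensor_customer_id_key = var.crowdstrike_falcon_sensor_customer_id_key
  crowdstrike_falcon_sensor_tags_key        = var.crowdstrike_falcon_sensor_tags_key
  domain                                    = var.cool_domain
  hostname                                  = "ipa1.${var.cool_domain}"
  ip                                        = local.ipa_ips[1]
  nessus_hostname_key                       = var.nessus_hostname_key
  nessus_key_key                            = var.nessus_key_key
  nessus_port_key                           = var.nessus_port_key
  netbios_name                              = var.netbios_name
  # Kerberos realm. Passed explicitly, exactly as the ipa0 block does,
  # so all three servers are configured for one realm instead of this
  # one depending on the module's default (not visible here — TODO
  # confirm that default is also the upper-cased domain).
  realm          = upper(var.cool_domain)
  root_disk_size = var.root_disk_size
  security_group_ids = [
    module.security_groups.server.id,
    data.terraform_remote_state.cdm.outputs.cdm_security_group.id,
    data.terraform_remote_state.networking.outputs.cloudwatch_agent_endpoint_client_security_group.id,
    data.terraform_remote_state.networking.outputs.ssm_agent_endpoint_client_security_group.id,
    # Used to pull the CDM agent parameters from SSM
    data.terraform_remote_state.networking.outputs.ssm_endpoint_client_security_group.id,
  ]
  subnet_id = data.terraform_remote_state.networking.outputs.private_subnets[local.subnet_cidrs[1]].id
}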
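# Third IPA server, in the third private subnet with the matching
# fixed address from local.ipa_ips.
#
# NOTE(review): the module source has no ?ref= pin, so `terraform
# init` tracks the module repository's default branch; pin to a tag or
# commit to make upgrades explicit.
module "ipa2" {
  providers = {
    aws                                   = aws.sharedservicesprovisionaccount_ipa2
    aws.provision_ssm_parameter_read_role = aws.provision_ssm_parameter_read_role
  }

  source = "github.com/cisagov/freeipa-server-tf-module"

  ami_owner_account_id = local.images_account_id
  # The *_key arguments are SSM Parameter Store key names, not the
  # secret values themselves.
  crowdstrike_falcon_sensor_customer_id_key = var.crowdstrike_falcon_sensor_customer_id_key
  crowdstrike_falcon_sensor_tags_key        = var.crowdstrike_falcon_sensor_tags_key
  domain                                    = var.cool_domain
  hostname                                  = "ipa2.${var.cool_domain}"
  ip                                        = local.ipa_ips[2]
  nessus_hostname_key                       = var.nessus_hostname_key
  nessus_key_key                            = var.nessus_key_key
  nessus_port_key                           = var.nessus_port_key
  netbios_name                              = var.netbios_name
  # Kerberos realm. Passed explicitly, exactly as the ipa0 block does,
  # so all three servers are configured for one realm instead of this
  # one depending on the module's default (not visible here — TODO
  # confirm that default is also the upper-cased domain).
  realm          = upper(var.cool_domain)
  root_disk_size = var.root_disk_size
  security_group_ids = [
    module.security_groups.server.id,
    data.terraform_remote_state.cdm.outputs.cdm_security_group.id,
    data.terraform_remote_state.networking.outputs.cloudwatch_agent_endpoint_client_security_group.id,
    data.terraform_remote_state.networking.outputs.ssm_agent_endpoint_client_security_group.id,
    # Used to pull the CDM agent parameters from SSM
    data.terraform_remote_state.networking.outputs.ssm_endpoint_client_security_group.id,
  ]
  subnet_id = data.terraform_remote_state.networking.outputs.private_subnets[local.subnet_cidrs[2]].id
}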
# CloudWatch alarms for the FreeIPA instances.
#
# Every alarm state transition (ALARM, INSUFFICIENT_DATA and OK) is
# routed to the single SNS topic exported by the sharedservices remote
# state, so that topic's subscribers see the full lifecycle of each
# alarm.
#
# NOTE(review): the module source has no ?ref= pin, so `terraform
# init` tracks the module repository's default branch; pin to a tag or
# commit to make upgrades explicit.
module "cw_alarms_ipa" {
  providers = {
    aws = aws.sharedservicesprovisionaccount
  }

  source = "github.com/cisagov/instance-cw-alarms-tf-module"

  alarm_actions = [data.terraform_remote_state.sharedservices.outputs.cw_alarm_sns_topic.arn]
  # One alarm set per IPA server created above.
  instance_ids = [
    module.ipa0.server.id,
    module.ipa1.server.id,
    module.ipa2.server.id,
  ]
  insufficient_data_actions = [data.terraform_remote_state.sharedservices.outputs.cw_alarm_sns_topic.arn]
  ok_actions                = [data.terraform_remote_state.sharedservices.outputs.cw_alarm_sns_topic.arn]
}