Deployment: IaC - Terraform #222

deployment/terraform/aws/main.tf

@@ -0,0 +1,93 @@
+provider "aws" {
+    alias   = "region_1"
+    region  = var.region_1
+}
+
+provider "aws" {
+    alias  = "region_2"
+    region = var.region_2
+}
+
+# Validator
+module "validator" {
+    source    = "./validator"
+    providers = {
+        aws = aws.region_1
+    }
+}
+
+# Private Sentries
+module "private_sentries" {
+    source      = "./private-sentries"
+
+    providers = {
+        aws = aws.region_1
+        aws.peer = aws.region_1
+    }
+
+    peer_vpc = module.validator.vpc
+}
+
+# Public Sentries region 1
+module "public_sentries_1" {
+    source      = "./public-sentries"
+    nodes_count  = 1
+
+    # enable_ipv6 = false
+
+    providers = {
+        aws = aws.region_1
+        aws.peer = aws.region_1
+    }
+
+    region_index = 1
+    peer_vpc = module.private_sentries.vpc
+}
+
+# Public Sentries region 2
+module "public_sentries_2" {
+    source      = "./public-sentries"
+    nodes_count  = 1
+
+    # enable_ipv6 = false
+
+    providers = {
+        aws = aws.region_2
+        aws.peer = aws.region_1
+    }
+
+    region_index = 2
+    peer_vpc = module.private_sentries.vpc
+}
+
+# Observers region 1
+module "observers_1" {
+    source      = "./observers"
+
+    providers = {
+        aws = aws.region_1
+        aws.peer = aws.region_1
+    }
+
+    root_domain_name    = var.root_domain_name
+    enable_tls          = var.enable_tls
+
+    region_index = 1
+    peer_vpc = module.private_sentries.vpc
+}
+
+# Observers region 2
+module "observers_2" {
+    source      = "./observers"
+
+    providers = {
+        aws = aws.region_2
+        aws.peer = aws.region_1
+    }
+
+    root_domain_name    = var.root_domain_name
+    enable_tls          = var.enable_tls
+
+    region_index = 2
+    peer_vpc = module.private_sentries.vpc
+}

deployment/terraform/aws/observers/acm.tf

@@ -0,0 +1,25 @@
+resource "aws_acm_certificate" "this_acm_cert" {
+    count = local.enable_tls ? 1 : 0
+
+    domain_name       = "on.${data.aws_route53_zone.this_zone[0].name}"
+    validation_method = "DNS"
+}
+
+resource "aws_route53_record" "this_acm_val_records" {
+    count = local.enable_tls ? length(aws_acm_certificate.this_acm_cert[0].domain_validation_options) : 0
+
+    name            = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_name
+    records         = [tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_value]
+    type            = tolist(aws_acm_certificate.this_acm_cert[0].domain_validation_options)[count.index].resource_record_type
+
+    allow_overwrite = true
+    ttl             = 60
+    zone_id         = data.aws_route53_zone.this_zone[0].zone_id
+}
+
+resource "aws_acm_certificate_validation" "this_acm_cert_validation" {
+    count = local.enable_tls ? 1 : 0
+
+    certificate_arn         = aws_acm_certificate.this_acm_cert[0].arn
+    validation_record_fqdns = aws_route53_record.this_acm_val_records[*].fqdn
+}

deployment/terraform/aws/observers/elb.tf

@@ -0,0 +1,162 @@
+resource "aws_lb" "this_nlb" {
+    name               = "observers-network-lb"
+    internal           = false
+    load_balancer_type = "network"
+    subnets            = module.this_vpc.public_subnets
+
+    enable_cross_zone_load_balancing = true
+    # enable_deletion_protection = true
+
+    tags = {
+        Name = "Observers NLB"
+    }
+}
+
+locals {
+    tls_cert_arn    = var.enable_tls ? aws_acm_certificate_validation.this_acm_cert_validation[0].certificate_arn : ""
+    ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.3 (recommended)
+}
+
+resource "aws_lb_listener" "rest" {
+    count = local.enable_tls ? 0 : 1
+
+    load_balancer_arn   = aws_lb.this_nlb.arn
+    port                = "80"
+    protocol            = "TCP"
+
+    default_action {
+        type = "forward"
+        target_group_arn = aws_lb_target_group.rest.arn
+    }
+}
+
+resource "aws_lb_listener" "grpc" {
+    count = local.enable_tls ? 0 : 1
+
+    load_balancer_arn   = aws_lb.this_nlb.arn
+    port                = "9090"
+    protocol            = "TCP"
+
+    default_action {
+        type = "forward"
+        target_group_arn = aws_lb_target_group.grpc.arn
+    }
+}
+
+resource "aws_lb_listener" "rpc" {
+    count = local.enable_tls ? 0 : 1
+
+    load_balancer_arn   = aws_lb.this_nlb.arn
+    port                = "8080"
+    protocol            = "TCP"
+
+    default_action {
+        type = "forward"
+        target_group_arn = aws_lb_target_group.rpc.arn
+    }
+}
+
+resource "aws_lb_listener" "tls_rest" {
+    count = local.enable_tls ? 1 : 0
+
+    load_balancer_arn   = aws_lb.this_nlb.arn
+    port                = "443"
+    protocol            = "TLS"
+    certificate_arn     = local.tls_cert_arn
+    ssl_policy          = local.ssl_policy
+
+    default_action {
+        type = "forward"
+        target_group_arn = aws_lb_target_group.rest.arn
+    }
+
+    depends_on = [
+        aws_acm_certificate_validation.this_acm_cert_validation[0]
+    ]
+}
+
+resource "aws_lb_listener" "tls_grpc" {
+    count = local.enable_tls ? 1 : 0
+
+    load_balancer_arn   = aws_lb.this_nlb.arn
+    port                = "8443"
+    protocol            = "TLS"
+    certificate_arn     = local.tls_cert_arn
+    ssl_policy          = local.ssl_policy
+
+    default_action {
+        type = "forward"
+        target_group_arn = aws_lb_target_group.grpc.arn
+    }
+
+    depends_on = [
+        aws_acm_certificate_validation.this_acm_cert_validation[0]
+    ]
+}
+
+resource "aws_lb_listener" "tls_rpc" {
+    count = local.enable_tls ? 1 : 0
+
+    load_balancer_arn   = aws_lb.this_nlb.arn
+    port                = "26657"
+    protocol            = "TLS"
+    certificate_arn     = local.tls_cert_arn
+    ssl_policy          = local.ssl_policy
+
+    default_action {
+        type = "forward"
+        target_group_arn = aws_lb_target_group.rpc.arn
+    }
+
+    depends_on = [
+        aws_acm_certificate_validation.this_acm_cert_validation[0]
+    ]
+}
+
+resource "aws_lb_target_group" "rest" {
+    name     = "observers-rest-target-group"
+    port     = 1317
+    protocol = "TCP"
+    vpc_id   = module.this_vpc.vpc_id
+    preserve_client_ip = false
+}
+
+resource "aws_lb_target_group" "grpc" {
+    name     = "observers-grpc-target-group"
+    port     = 9090
+    protocol = "TCP"
+    vpc_id   = module.this_vpc.vpc_id
+    preserve_client_ip = false
+}
+
+resource "aws_lb_target_group" "rpc" {
+    name     = "observers-rpc-target-group"
+    port     = 26657
+    protocol = "TCP"
+    vpc_id   = module.this_vpc.vpc_id
+    preserve_client_ip = false
+}
+
+resource "aws_lb_target_group_attachment" "rest_targets" {
+    count = length(aws_instance.this_nodes)
+
+    target_group_arn = aws_lb_target_group.rest.arn
+    target_id        = aws_instance.this_nodes[count.index].id
+    port             = 80
+}
+
+resource "aws_lb_target_group_attachment" "grpc_targets" {
+    count = length(aws_instance.this_nodes)
+
+    target_group_arn = aws_lb_target_group.grpc.arn
+    target_id        = aws_instance.this_nodes[count.index].id
+    port             = 9090
+}
+
+resource "aws_lb_target_group_attachment" "rpc_targets" {
+    count = length(aws_instance.this_nodes)
+
+    target_group_arn = aws_lb_target_group.rpc.arn
+    target_id        = aws_instance.this_nodes[count.index].id
+    port             = 26657
+}

deployment/terraform/aws/observers/locals.tf

@@ -0,0 +1,3 @@
+locals {
+    enable_tls = var.enable_tls && var.root_domain_name != ""
+}

deployment/terraform/aws/observers/main.tf

@@ -0,0 +1,43 @@
+data "aws_ami" "ubuntu" {
+    most_recent = true
+    owners      = ["099720109477"]
+
+    filter {
+        name   = "name"
+        values = ["ubuntu-minimal/images/hvm-ssd/ubuntu-focal-20.04-amd64-minimal-*"]
+    }
+
+    filter {
+        name   = "virtualization-type"
+        values = ["hvm"]
+    }
+}
+
+resource "aws_key_pair" "key_pair" {
+    public_key = file(var.ssh_public_key_path)
+}
+
+resource "aws_instance" "this_nodes" {
+    count = var.nodes_count
+
+    ami           = data.aws_ami.ubuntu.id
+    instance_type = "t3.medium"
+
+    subnet_id              = element(module.this_vpc.public_subnets, count.index % length(module.this_vpc.public_subnets))
+    vpc_security_group_ids = [
+        module.this_dev_sg.security_group_id,
+        module.this_private_sg.security_group_id
+    ]
+
+    key_name   = aws_key_pair.key_pair.id
+    monitoring = true
+
+    tags = {
+        Name = "Observer Node [${count.index}]"
+    }
+
+    root_block_device {
+        encrypted   = true
+        volume_size = 30
+    }
+}

deployment/terraform/aws/observers/provider.tf

@@ -0,0 +1,9 @@
+terraform {
+    required_providers {
+        aws = {
+            source                = "hashicorp/aws"
+            version               = ">= 3.72"
+            configuration_aliases = [aws, aws.peer]
+        }
+    }
+}

deployment/terraform/aws/observers/route53.tf

@@ -0,0 +1,26 @@
+locals {
+    enable_routing = var.root_domain_name == "" ? 0 : 1
+}
+
+data "aws_route53_zone" "this_zone" {
+    count   = local.enable_routing
+    name    = var.root_domain_name
+}
+
+data "aws_region" "current" {}
+
+resource "aws_route53_record" "on" {
+    count   = local.enable_routing
+
+    zone_id = data.aws_route53_zone.this_zone[0].zone_id
+    name    = "on.${data.aws_route53_zone.this_zone[0].name}"
+    type    = "CNAME"
+    ttl     = "300"
+
+    latency_routing_policy {
+        region = data.aws_region.current.name
+    }
+
+    set_identifier = "Observers NLB [${var.region_index}]"
+    records        = ["${aws_lb.this_nlb.dns_name}"]
+}