more update

Author: sandrampeter

examples/standalone-redis/README.md

@@ -0,0 +1,55 @@
+# Example: Standalone with mTLS Redis
+
+## About this example
+
+This example for Terraform Enterprise creates a TFE installation with the
+following traits:
+
+- External mode
+- a small VM machine type (m5.xlarge)
+- Ubuntu as the VM image
+- a publicly accessible HTTP load balancer with TLS termination
+- an access key for accessing S3
+- Redis VM 
+
+## Pre-requisites
+
+This test assumes the following resources already exist:
+
+- Valid DNS Zone managed in Route53
+- Valid AWS ACM certificate
+- a TFE license on a filepath accessible by tests
+- Valid TLS certs for Redis
+
+## How to Use This Module
+
+### Deployment
+
+ 1. Read the entire [README.md](../../README.md) of the root module.
+ 2. Ensure account meets module prerequisites from above.
+ 3. Clone repository.
+ 4. Change directory into desired example folder.
+ 5. Create a local `terraform.auto.tfvars` file and instantiate the required inputs as required in the respective `./examples/standalone-redis/variables.tf` including the path to the license under the `license_file` variable value.
+ 6. Authenticate against the AWS provider. See [instructions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration).
+ 7. Initialize terraform and apply the module configurations using the commands below:
+
+    NOTE: `terraform plan` will print out the execution plan which describes the actions Terraform will take in order to build your infrastructure to match the module configuration. If anything in the plan seems incorrect or dangerous, it is safe to abort here and not proceed to `terraform apply`.
+
+    ```
+    terraform init
+    terraform plan
+    terraform apply
+    ```
+
+## Post-deployment Tasks
+
+The build should take approximately 10-15 minutes to deploy. Once the module has completed, give the platform another 10 minutes or so prior to attempting to interact with it in order for all containers to start up.
+
+Unless amended, this example will not create an initial admin user using the IACT, but it does output the URL for your convenience. Follow the advice in this document to create the initial admin user, and log into the system using this user in order to configure it for use.
+
+### Connecting to the TFE Application
+
+1. Navigate to the URL supplied via the `login_url` Terraform output. (It may take several minutes for this to be available after initial deployment. You may monitor the progress of cloud init if desired on one of the instances)
+2. Enter a `username`, `email`, and `password` for the initial user.
+3. Click `Create an account`.
+4. After the initial user is created you may access the TFE Application normally using the URL supplied via `login_url` Terraform output.

examples/standalone-redis/data.tf

@@ -0,0 +1,18 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}

examples/standalone-redis/locals.tf

@@ -0,0 +1,7 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+locals {
+  friendly_name_prefix         = random_string.friendly_name.id
+  network_private_subnet_cidrs = ["10.0.32.0/20", "10.0.48.0/20", "10.0.112.0/20"]
+}

examples/standalone-redis/main.tf

@@ -0,0 +1,62 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# Random string to prepend resources
+# ----------------------------------
+resource "random_string" "friendly_name" {
+  length  = 4
+  upper   = false # Some AWS resources do not accept uppercase characters.
+  numeric = false
+  special = false
+}
+
+# Store TFE License as secret
+# ---------------------------
+module "secrets" {
+  source = "../../fixtures/secrets"
+  tfe_license = {
+    name = "${local.friendly_name_prefix}-tfe-license"
+    path = var.license_file
+  }
+}
+
+# Key Management Service
+# ----------------------
+module "kms" {
+  source    = "../../fixtures/kms"
+  key_alias = "${local.friendly_name_prefix}-key"
+}
+
+# Standalone with redis mTLS
+# --------------------------
+module "standalone_redis" {
+  source = "../../"
+
+  acm_certificate_arn   = var.acm_certificate_arn
+  domain_name           = var.domain_name
+  distribution          = "ubuntu"
+  friendly_name_prefix  = local.friendly_name_prefix
+  tfe_license_secret_id = module.secrets.tfe_license_secret_id
+
+  ami_id                       = data.aws_ami.ubuntu.id
+  bypass_preflight_checks      = true
+  health_check_grace_period    = 3000
+  iact_subnet_list             = ["0.0.0.0/0"]
+  iam_role_policy_arns         = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
+  instance_type                = "m5.4xlarge"
+  kms_key_arn                  = module.kms.key
+  load_balancing_scheme        = "PUBLIC"
+  network_private_subnet_cidrs = local.network_private_subnet_cidrs
+  node_count                   = 1
+  operational_mode             = "external"
+  enable_redis_mtls            = true            
+  tfe_subdomain                = local.friendly_name_prefix
+  vm_certificate_secret_id     = var.certificate_pem_secret_id
+  vm_key_secret_id             = var.private_key_pem_secret_id
+  redis_client_key             = var.redis_client_key
+  redis_client_cert            = var.redis_client_cert
+  redis_client_ca              = var.redis_client_ca
+  redis_client_key_path        =  var.redis_client_key_path
+  redis_client_cert_path       = var.redis_client_cert_path
+  redis_client_ca_path         = var.redis_ca_cert_path
+}

examples/standalone-redis/outputs.tf

@@ -0,0 +1,3 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+

examples/standalone-redis/terraform.tfvars.example

@@ -0,0 +1,9 @@
+acm_certificate_arn                   = "arn:aws:acm:<region>:<account_id>:certificate/<certificate_name>"
+certificate_pem_secret_id             = "arn:aws:secretsmanager:<region>:<account_id>:secret:<secret_name>"
+private_key_pem_secret_id             = "arn:aws:secretsmanager:<region>:<account_id>:secret:<secret_name>"
+domain_name                           = "my.domain.com"
+license_file                          = "/files/license.rli"
+aurora_cluster_instance_enable_single = "true"
+aurora_cluster_instance_replica_count = 0
+aurora_db_username                    = "hashicorp"
+aurora_db_password                    = "xxxxxxxxx"

examples/standalone-redis/variables.tf

@@ -0,0 +1,70 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+variable "acm_certificate_arn" {
+  type        = string
+  description = "The ARN of an existing ACM certificate."
+}
+
+variable "domain_name" {
+  type        = string
+  description = "Domain for creating the Terraform Enterprise subdomain on."
+}
+
+variable "license_file" {
+  type        = string
+  description = "The local path to the Terraform Enterprise license."
+}
+
+
+variable "redis_ca_cert_path" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe."
+}
+
+variable "redis_client_cert_path" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe."
+}
+
+variable "redis_client_key_path" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe."
+}
+variable "redis_client_ca" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe."
+}
+variable "redis_client_cert" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe."
+}
+variable "redis_client_key" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe."
+}
+
+variable private_key_pem_secret_id {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe."
+}
+variable "certificate_pem_secret_id" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+}
+
+variable redis_private_key_pem_secret_id {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe."
+}
+
+variable "redis_certificate_pem_secret_id" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+}
+
+variable "redis_ca_certificate_pem_secret_id" {
+  type        = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+}
+

examples/standalone-redis/versions.tf

@@ -0,0 +1,16 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+terraform {
+  required_version = ">= 0.14"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.1"
+    }
+  }
+}

locals.tf

@@ -65,7 +65,24 @@ locals {
       aws_elasticache_subnet_group_name = null
       aws_security_group_redis          = null
     }
-    ) : try(
+    ) : var.enable_redis_mtls ? try(
+    module.redis_mtls[0],
+    {
+      hostname                          = null
+      password                          = null
+      username                          = null
+      redis_port                        = null
+      use_password_auth                 = null
+      use_tls                           = null
+      sentinel_enabled                  = var.enable_redis_sentinel
+      sentinel_hosts                    = []
+      sentinel_leader                   = null
+      sentinel_username                 = null
+      sentinel_password                 = null
+      aws_elasticache_subnet_group_name = null
+      aws_security_group_redis          = null
+    }
+  ) : try(
     module.redis[0],
     {
       hostname                          = null

main.tf

@@ -115,6 +115,33 @@ module "redis_sentinel" {
   network_private_subnet_cidrs           = local.network_private_subnet_cidrs
 }
 
+# -----------------------------------------------------------------------------
+# Redis Sentinel
+# -----------------------------------------------------------------------------
+
+module "redis_mtls" {
+  count  = var.enable_redis_mtls ? 1 : 0
+  source = "./modules/redis-standalone-mtls"
+  # This module is used to deploy a Redis instance with mTLS enabled.
+
+  domain_name                            = var.domain_name
+  ca_cert                                = var.redis_client_ca
+  fullchain                              = var.redis_client_cert
+  privkey                                = var.redis_client_key
+  redis_authentication_mode              = "NONE" # mTLS does not use password authentication
+  aws_iam_instance_profile               = module.service_accounts.iam_instance_profile.name
+  asg_tags                               = var.asg_tags
+  ec2_launch_template_tag_specifications = var.ec2_launch_template_tag_specifications
+  friendly_name_prefix                   = var.friendly_name_prefix
+  health_check_grace_period              = var.health_check_grace_period
+  health_check_type                      = var.health_check_type
+  instance_type                          = var.instance_type
+  key_name                               = var.key_name
+  network_id                             = local.network_id
+  network_subnets_private                = local.network_private_subnets
+  network_private_subnet_cidrs           = local.network_private_subnet_cidrs
+}
+
 # -----------------------------------------------------------------------------
 # AWS PostreSQL Database
 # -----------------------------------------------------------------------------
@@ -170,7 +197,7 @@ module "aurora_database" {
 # Docker Compose File Config for TFE on instance(s) using Flexible Deployment Options
 # ------------------------------------------------------------------------------------
 module "runtime_container_engine_config" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=redis-standalone"
   count  = var.is_replicated_deployment ? 0 : 1
 
   tfe_license = var.hc_license
@@ -228,6 +255,11 @@ module "runtime_container_engine_config" {
   redis_sentinel_leader_name = local.redis.sentinel_leader
   redis_sentinel_user        = local.redis.sentinel_username
   redis_sentinel_password    = local.redis.sentinel_password
+  redis_use_mtls             = var.enable_redis_mtls
+  redis_ca_cert_path         = "/etc/ssl/private/terraform-enterprise/redis/ca_cert.pem"
+  redis_client_cert_path     = "/etc/ssl/private/terraform-enterprise/redis/cert.pem"
+  redis_client_key_path      = "/etc/ssl/private/terraform-enterprise/redis/key.pem"
+
 
   trusted_proxies = local.trusted_proxies
 
@@ -243,7 +275,7 @@ module "runtime_container_engine_config" {
 # AWS cloud init used to install and configure TFE on instance(s) using Flexible Deployment Options
 # --------------------------------------------------------------------------------------------------
 module "tfe_init_fdo" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=redis-standalone"
   count  = var.is_replicated_deployment ? 0 : 1
 
   cloud             = "aws"
@@ -258,6 +290,11 @@ module "tfe_init_fdo" {
   ca_certificate_secret_id = var.ca_certificate_secret_id == null ? null : var.ca_certificate_secret_id
   certificate_secret_id    = var.vm_certificate_secret_id == null ? null : var.vm_certificate_secret_id
   key_secret_id            = var.vm_key_secret_id == null ? null : var.vm_key_secret_id
+ 
+  # redis_use_mtls                 = var.enable_redis_mtls
+  # redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id
+  # redis_certificate_secret_id    = var.redis_vm_certificate_secret_id == null ? null : var.redis_vm_certificate_secret_id
+  # redis_key_secret_id            = var.redis_vm_key_secret_id == null ? null : var.redis_vm_key_secret_id
 
   proxy_ip       = var.proxy_ip != null ? var.proxy_ip : null
   proxy_port     = var.proxy_ip != null ? var.proxy_port : null
@@ -277,7 +314,7 @@ module "tfe_init_fdo" {
 # TFE and Replicated settings to pass to the tfe_init_replicated module for replicated deployment
 # --------------------------------------------------------------------------------------------
 module "settings" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/settings?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/settings?ref=redis-standalone"
   count  = var.is_replicated_deployment ? 1 : 0
 
   # TFE Base Configuration

modules/redis-standalone-mtls/main.tf

@@ -69,7 +69,7 @@ resource "aws_autoscaling_group" "redis" {
   vpc_zone_identifier = var.network_subnets_private
   target_group_arns = concat(
     [for tg in aws_lb_target_group.redis_tg : tg.arn],
-    [for tg in aws_lb_target_group.redis_tg_redis : tg.arn]
+    [for tg in aws_lb_target_group.redis_tg : tg.arn]
   )
 
   # Increases grace period for any AMI that is not the default Ubuntu