Commit df069c9c authored by McDonnell, Marshall's avatar McDonnell, Marshall

Initial commit for Vault load balancer

parents
# Created by https://www.gitignore.io/api/terraform
# Edit at https://www.gitignore.io/?templates=terraform
### Terraform ###
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# End of https://www.gitignore.io/api/terraform
# OpenStack RC files
*openrc*
# swap files
*.swp
# Load balancer for HashiCorp's Vault Cluster
This Terraform setup creates a load balancer for a
[Vault](https://www.vaultproject.io/) cluster.
The target cloud platform is CADES OpenStack.
The [HashiCorp Vault Load Balancer AWS
Module](https://github.com/hashicorp-modules/vault-lb-aws)
was used to develop this OpenStack version of the module.
The [CADES HAProxy Load Balancer Module](https://code.ornl.gov/rse-terraform-modules/cades-load-balancer-haproxy)
was used for the load balancer itself.
The requirements for each port are described in the
[Vault Reference Architecture](https://learn.hashicorp.com/tutorials/vault/reference-architecture) docs.
The steps are:
1. Set up the security group for the load balancer
2. Add rules to the security group
3. Set up the load balancer with the following port map:
| frontend | backend |
|----------|---------|
| 80 | 8200 |
| 443 | 8200 |
| 8200 | 8200 |
The only inputs are:
1. `name` - name of the load balancer instance
2. `vault_servers` - list of IPs for the backend servers of the Vault cluster
**NOTE:** The backend servers must listen on port 8200
and have a security group that allows access to that port.
See the `examples` directory for a working example.
terraform {
required_providers {
openstack = {
source = "terraform-providers/openstack"
}
}
required_version = ">= 0.13"
}
variable "network_name" {
default = "or_provider_general_intnetwork1"
}
variable "backend_sg_name" {
default = "vault-lb-backend-sg"
}
resource "openstack_networking_secgroup_v2" "backend_sg" {
name = var.backend_sg_name
description = "Security group for backend servers of demo Vault LB"
}
resource "openstack_networking_secgroup_rule_v2" "backend_allow_all_outbound_ip4" {
direction = "egress"
ethertype = "IPv4"
remote_group_id = openstack_networking_secgroup_v2.backend_sg.id
security_group_id = openstack_networking_secgroup_v2.backend_sg.id
}
resource "openstack_networking_secgroup_rule_v2" "backend_allow_all_outbound_ip6" {
direction = "egress"
ethertype = "IPv6"
remote_group_id = openstack_networking_secgroup_v2.backend_sg.id
security_group_id = openstack_networking_secgroup_v2.backend_sg.id
}
resource "openstack_networking_secgroup_rule_v2" "server_port_8200" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 8200
port_range_max = 8200
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.backend_sg.id
}
resource "openstack_compute_instance_v2" "mock_vault_servers" {
name = "vault-lb-backend-${count.index}"
image_name = "CADES_CentOS-8.1_AppStream_v20200414_1"
flavor_name = "m1.tiny"
security_groups = [var.backend_sg_name]
count = 2
network {
name = var.network_name
}
user_data = templatefile("${path.module}/server-install.sh.tpl", {
server_ports = [8200]
})
}
module "cades_vault_lb" {
source = "git::https://code.ornl.gov/rse-terraform-modules/cades-vault-lb//modules/cades-vault-lb"
name = "demo"
vault_servers = openstack_compute_instance_v2.mock_vault_servers.*.access_ip_v4
}
output "lb" {
value = module.cades_vault_lb.vault_load_balancer
}
output "servers" {
value = module.cades_vault_lb.vault_servers
}
output "lb_ports" {
value = module.cades_vault_lb.lb_ports
}
output "server_ports" {
value = module.cades_vault_lb.server_ports
}
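Review bot: `security_groups = [var.backend_sg_name]` on the mock_vault_servers instance references the group by its input name rather than through the resource, so Terraform records no dependency on `openstack_networking_secgroup_v2.backend_sg` and may attempt to create the instances before the group exists; use `security_groups = [openstack_networking_secgroup_v2.backend_sg.name]` instead. The server_port_8200 rule also admits TCP 8200 from `0.0.0.0/0`, which leaves the mock backends reachable directly rather than only through the load balancer; for a demo that may be intended, but a comment saying so, or a `remote_ip_prefix` narrowed to the network the LB lives on, would make the intent explicit. This section appears to be the examples configuration; no file headers are visible on the page, so the file boundary is inferred.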
#!/bin/bash
sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install docker-ce -y --nobest
sudo systemctl enable --now docker
%{ for server_port in server_ports ~}
sudo docker run -d -p ${server_port}:8000 -t jwilder/whoami
%{ endfor ~}
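Review bot: The template script has no `set -euo pipefail`, so a failed repository add or package install on the dnf lines does not stop the script and the subsequent `docker run` lines fail quietly inside cloud-init; add `set -euo pipefail` directly after the shebang. The `jwilder/whoami` image is pulled with neither a tag nor a digest, so the backend that starts is whatever the registry serves at provisioning time; pinning a tag or `@sha256:` digest would make the demo reproducible. The `-p ${server_port}:8000` mapping presumably matches the port the container listens on; worth a one-line comment so the two numbers are not mistaken for a typo.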
variable "name" {
type = string
default = "vault-lb"
}
variable "vault_servers" {}
terraform {
required_providers {
openstack = {
source = "terraform-providers/openstack"
}
}
required_version = ">= 0.13"
}
resource "openstack_networking_secgroup_v2" "secgroup" {
name = "${var.name}-vault-lb-sg"
description = "Security group for vault ${var.name} LB"
}
resource "openstack_networking_secgroup_rule_v2" "allow_all_outbound_ip4" {
direction = "egress"
ethertype = "IPv4"
remote_group_id = openstack_networking_secgroup_v2.secgroup.id
security_group_id = openstack_networking_secgroup_v2.secgroup.id
}
resource "openstack_networking_secgroup_rule_v2" "allow_all_outbound_ip6" {
direction = "egress"
ethertype = "IPv6"
remote_group_id = openstack_networking_secgroup_v2.secgroup.id
security_group_id = openstack_networking_secgroup_v2.secgroup.id
}
resource "openstack_networking_secgroup_rule_v2" "vault_lb_http_80" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.secgroup.id
}
resource "openstack_networking_secgroup_rule_v2" "vault_lb_https_443" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 443
port_range_max = 443
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.secgroup.id
}
resource "openstack_networking_secgroup_rule_v2" "vault_lb_tcp_8200" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 8200
port_range_max = 8200
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.secgroup.id
}
module "cades_lb_haproxy" {
source = "git::https://code.ornl.gov/rse-terraform-modules/cades-load-balancer-haproxy//modules/cades-load-balancer-haproxy?ref=v0.3"
name = "${var.name}-vault-lb-haproxy"
server_ip_list = var.vault_servers
security_groups = [openstack_networking_secgroup_v2.secgroup.name]
ports = [
{
name = "vault_80"
frontend = 80
backend = 8200
},
{
name = "vault_8200"
frontend = 8200
backend = 8200
},
{
name = "vault_443"
frontend = 443
backend = 8200
}
]
}
output "vault_load_balancer" {
value = module.cades_lb_haproxy.lb_ip
}
output "vault_servers" {
value = module.cades_lb_haproxy.server_ip_list
}
output "lb_ports" {
value = module.cades_lb_haproxy.frontend_ports
}
output "server_ports" {
value = module.cades_lb_haproxy.backend_ports
}
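Review bot: The egress rules named allow_all_outbound_ip4/ip6 set `remote_group_id` to the group itself, which in OpenStack scopes the rule to traffic destined for members of that same group rather than to all destinations, so the rule names overstate what they permit; if unrestricted egress is the intent, use `remote_ip_prefix = "0.0.0.0/0"` (and `::/0` for the IPv6 rule), otherwise rename the rules to reflect the restriction. The same pattern appears in the backend_allow_all_outbound_* rules of the examples section above. Outbound traffic presumably works today only because the provider leaves the group's default egress rules in place (`delete_default_rules` unset), which is worth confirming rather than relying on. Separately, the `vault_80` entry exposes a plaintext HTTP listener in front of Vault; unless the haproxy module passes TCP through unchanged, a short comment on why port 80 is offered alongside 443 and 8200 would help the next reader.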