feat: Add Bastion Project

1ambda · Feb 5, 2022 · aa7bcf9 · aa7bcf9
1 parent cd15a0b
commit aa7bcf9
Show file tree

Hide file tree

Showing 12 changed files with 367 additions and 0 deletions.
diff --git a/project-terraform-aws/aws-root-machine-bastion/_data.ami.tf b/project-terraform-aws/aws-root-machine-bastion/_data.ami.tf
@@ -0,0 +1,30 @@
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  owners      = ["099720109477"] # Canonical
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+// https://aws.amazon.com/amazon-linux-2/release-notes/
+data "aws_ami" "amazon_linux_2" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "owner-alias"
+    values = ["amazon"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
+  }
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/_data.state.tf b/project-terraform-aws/aws-root-machine-bastion/_data.state.tf
@@ -0,0 +1,23 @@
+data "terraform_remote_state" "root_iam" {
+  backend = "local"
+
+  config = {
+    path = "../__tf_state/_aws-root-iam/terraform.tfstate"
+  }
+}
+
+data "terraform_remote_state" "root_vpc" {
+  backend = "local"
+
+  config = {
+    path = "../__tf_state/_aws-root-vpc/terraform.tfstate"
+  }
+}
+
+data "terraform_remote_state" "root_sg" {
+  backend = "local"
+
+  config = {
+    path = "../__tf_state/_aws-root-sg/terraform.tfstate"
+  }
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/_local.tf b/project-terraform-aws/aws-root-machine-bastion/_local.tf
@@ -0,0 +1,11 @@
+locals {
+  environment_common = "common"
+  environment_development = "development"
+  environment_production = "production"
+
+  region_seoul = "ap-northeast-2"
+
+  team_data = "data"
+
+  keypair_infra = "infra-admin"
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/_provider.tf b/project-terraform-aws/aws-root-machine-bastion/_provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.region_seoul
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/_template/template.cloudwatch.sh b/project-terraform-aws/aws-root-machine-bastion/_template/template.cloudwatch.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+cd /root
+
+${installer} update -y
+
+# https://forums.aws.amazon.com/thread.jspa?threadID=149117
+${installer} install -y perl-core
+${installer} install -y perl-Sys-Syslog
+${installer} install -y perl-CGI
+${installer} install -y perl-Switch perl-DateTime perl-LWP-Protocol-https perl-Digest-SHA.x86_64 curl zip unzip
+
+curl https://aws-cloudwatch.s3.amazonaws.com/downloads/CloudWatchMonitoringScripts-${agent_version}.zip -O
+unzip CloudWatchMonitoringScripts-${agent_version}.zip
+chown ${user}:${user} ./aws-scripts-mon
+mv aws-scripts-mon /home/${user}/
+echo "*/1 * * * * /home/${user}/aws-scripts-mon/mon-put-instance-data.pl --mem-util --mem-avail --disk-path=/  -disk-space-util --disk-space-avail --memory-units=megabytes --disk-space-units=gigabytes --from-cron" >> /var/spool/cron/${user}
+chown ${user}:${user} /var/spool/cron/${user}
diff --git a/project-terraform-aws/aws-root-machine-bastion/_terraform.tf b/project-terraform-aws/aws-root-machine-bastion/_terraform.tf
@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">= 1.1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.71.0"
+    }
+  }
+
+  /**
+   * 테스팅 목적으로 Terraform Backend 를 사용하지 않습니다
+   */
+
+  backend "local" {
+    path = "../__tf_state/_aws-root-machine-bastion/terraform.tfstate"
+  }
+}
+
diff --git a/project-terraform-aws/aws-root-machine-bastion/main_bastion_dev.tf b/project-terraform-aws/aws-root-machine-bastion/main_bastion_dev.tf
@@ -0,0 +1,14 @@
+module "module-bastion-data-dev" {
+  source = "./module-bastion-data-dev"
+
+  environment = local.environment_development
+  team = local.team_data
+
+  bastion_ami = data.aws_ami.amazon_linux_2.id
+  bastion_profile = data.terraform_remote_state.root_iam.outputs.profile_id_bastion
+  bastion_keypair = local.keypair_infra
+
+  bastion_sg_id = data.terraform_remote_state.root_sg.outputs.sg_id_bastion_public_data_dev
+
+  bastion_subnet_id = data.terraform_remote_state.root_vpc.outputs.subnet_id_public_az_a_data_dev
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/module-bastion-data-dev/_data.bootstrap.tf b/project-terraform-aws/aws-root-machine-bastion/module-bastion-data-dev/_data.bootstrap.tf
@@ -0,0 +1,43 @@
+data "template_file" "bastion_template_cloudwatch" {
+  template = file("${path.root}/_template/template.cloudwatch.sh")
+
+  vars = {
+    user                       = "ec2-user"
+    installer                  = "yum"
+    agent_version              = "1.2.2"
+  }
+}
+
+
+data "template_cloudinit_config" "bastion_user_data" {
+  gzip          = false
+  base64_encode = true
+
+  # install patches for Amazon Linux
+  part {
+    content_type = "text/x-shellscript"
+
+    content = <<EOF
+#!/bin/bash
+yum update -y
+EOF
+  }
+
+  # https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/amazon-linux-install.html
+  # install correto8
+  part {
+    content_type = "text/x-shellscript"
+
+    content = <<EOF
+#!/bin/bash
+amazon-linux-extras enable corretto8
+yum install -y java-1.8.0-amazon-corretto-devel
+EOF
+  }
+
+  # install agent for cloudwatch custom metric
+  part {
+    content_type = "text/x-shellscript"
+    content      = data.template_file.bastion_template_cloudwatch.rendered
+  }
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/module-bastion-data-dev/_local.tf b/project-terraform-aws/aws-root-machine-bastion/module-bastion-data-dev/_local.tf
@@ -0,0 +1,5 @@
+locals {
+  purpose_bastion_public = "bastion-public"
+
+  ebs_root_device_link = "/dev/nvme0n1p1"
+}
diff --git a/project-terraform-aws/aws-root-machine-bastion/module-bastion-data-dev/_variable.tf b/project-terraform-aws/aws-root-machine-bastion/module-bastion-data-dev/_variable.tf
@@ -0,0 +1,9 @@
+variable "environment" {}
+variable "team" {}
+
+variable "bastion_ami" {}
+variable "bastion_profile" {}
+variable "bastion_keypair" {}
+
+variable "bastion_subnet_id" {}
+variable "bastion_sg_id" {}
diff --git a/...erraform-aws/aws-root-machine-bastion/module-bastion-data-dev/dev.bastion-public-01.cw.tf b/...erraform-aws/aws-root-machine-bastion/module-bastion-data-dev/dev.bastion-public-01.cw.tf
@@ -0,0 +1,146 @@
+locals {
+  bastion_instances = [
+    {
+      instanceId = aws_instance.bastion_public_01.id
+      name       = local.purpose_bastion_public
+      index      = "01"
+      rootDevice = local.ebs_root_device_link
+    },
+  ]
+}
+
+resource "aws_cloudwatch_metric_alarm" "bastion_High-CPUUtilization" {
+  count = length(local.bastion_instances)
+
+  alarm_name          = "${lookup(local.bastion_instances[count.index], "name")}-${lookup(local.bastion_instances[count.index], "index")}/${var.environment}-High_CPUUtil"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+
+  period              = "600"
+  evaluation_periods  = "1"
+  datapoints_to_alarm = 1
+
+  # second
+  statistic         = "Average"
+  threshold         = "80"
+  alarm_description = ""
+
+  metric_name = "CPUUtilization"
+  namespace   = "AWS/EC2"
+
+  dimensions = {
+    InstanceId = lookup(local.bastion_instances[count.index], "instanceId")
+  }
+
+  actions_enabled           = false
+  insufficient_data_actions = []
+  ok_actions                = []
+
+  alarm_actions = [
+    // ${var.sns_topic_arn_cloudwatch_alarm},
+  ]
+}
+
+resource "aws_cloudwatch_metric_alarm" "bastion_Has-SystemCheckFailure" {
+  count = length(local.bastion_instances)
+
+  alarm_name          = "${lookup(local.bastion_instances[count.index], "name")}-${lookup(local.bastion_instances[count.index], "index")}/${var.environment}-Has_SysCheckFailure"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+
+  period              = "300"
+  evaluation_periods  = "1"
+  datapoints_to_alarm = 1
+
+  # second
+  statistic         = "Sum"
+  threshold         = "1"
+  alarm_description = ""
+
+  metric_name = "StatusCheckFailed"
+  namespace   = "AWS/EC2"
+
+  dimensions = {
+    InstanceId = lookup(local.bastion_instances[count.index], "instanceId")
+  }
+
+  actions_enabled           = false
+  insufficient_data_actions = []
+  ok_actions                = []
+
+  alarm_actions = [
+    // ${var.sns_topic_arn_cloudwatch_alarm},
+  ]
+}
+
+# EC2 Custom Metric (Disk, Memory)
+
+resource "aws_cloudwatch_metric_alarm" "bastion_High-RootDiskUtil" {
+  count = length(local.bastion_instances)
+
+  alarm_name          = "${lookup(local.bastion_instances[count.index], "name")}-${lookup(local.bastion_instances[count.index], "index")}/${var.environment}-High_RootDiskUtil"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+
+  period              = "300"
+  evaluation_periods  = "1"
+  datapoints_to_alarm = 1
+
+  # second
+  statistic         = "Maximum"
+  threshold         = "80"
+  alarm_description = ""
+
+  metric_name = "DiskSpaceUtilization"
+  namespace   = "System/Linux"
+
+  dimensions = {
+    InstanceId = lookup(local.bastion_instances[count.index], "instanceId")
+    MountPath  = "/"
+    Filesystem = lookup(local.bastion_instances[count.index], "rootDevice")
+  }
+
+  actions_enabled = false
+
+  insufficient_data_actions = [
+    // ${var.sns_topic_arn_cloudwatch_alarm},
+  ]
+
+  ok_actions = []
+
+  alarm_actions = [
+    // ${var.sns_topic_arn_cloudwatch_alarm},
+  ]
+}
+
+resource "aws_cloudwatch_metric_alarm" "bastion_High-MemUtil" {
+  count = length(local.bastion_instances)
+
+  alarm_name          = "${lookup(local.bastion_instances[count.index], "name")}-${lookup(local.bastion_instances[count.index], "index")}/${var.environment}-High_MemUtil"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+
+  period              = "300"
+  evaluation_periods  = "1"
+  datapoints_to_alarm = 1
+
+  # second
+  statistic         = "Maximum"
+  threshold         = "80"
+  alarm_description = ""
+
+  metric_name = "MemoryUtilization"
+  namespace   = "System/Linux"
+
+  dimensions = {
+    InstanceId = lookup(local.bastion_instances[count.index], "instanceId")
+  }
+
+  actions_enabled = false
+
+  insufficient_data_actions = [
+    // ${var.sns_topic_arn_cloudwatch_alarm},
+  ]
+
+  ok_actions = []
+
+  alarm_actions = [
+    // ${var.sns_topic_arn_cloudwatch_alarm},
+  ]
+}
diff --git a/...rraform-aws/aws-root-machine-bastion/module-bastion-data-dev/dev.bastion-public-01.ec2.tf b/...rraform-aws/aws-root-machine-bastion/module-bastion-data-dev/dev.bastion-public-01.ec2.tf
@@ -0,0 +1,47 @@
+resource "aws_instance" "bastion_public_01" {
+  ami = var.bastion_ami
+
+  lifecycle {
+    create_before_destroy = false
+
+    ignore_changes = [
+      ami,
+      user_data,
+    ]
+  }
+
+  instance_type = "t3.small"
+  subnet_id     = var.bastion_subnet_id
+
+  vpc_security_group_ids = [var.bastion_sg_id]
+
+  associate_public_ip_address = true
+  monitoring = true
+
+  key_name             = var.bastion_keypair
+  iam_instance_profile = var.bastion_profile
+
+  root_block_device {
+    volume_type           = "gp3"
+    volume_size           = "100"
+    delete_on_termination = false
+  }
+
+  user_data = data.template_cloudinit_config.bastion_user_data.rendered
+
+  tags = {
+    Terraform   = "true"
+    Environment = var.environment
+    Team        = var.team
+
+    Name = "${local.purpose_bastion_public}-01-${var.environment}"
+  }
+
+  volume_tags = {
+    Terraform   = "true"
+    Environment = var.environment
+    Team        = var.team
+
+    Name = "${local.purpose_bastion_public}-01-${var.environment}"
+  }
+}