working boundary LB + nomad vault integration

Author: GuyBarros

main.tf

@@ -1,6 +1,6 @@
 //--------------------------EMEA-SE_PLAYGROUND-2019-----------------------------------------
 # Using a single workspace:
-  
+
 terraform {
   backend "remote" {
     hostname     = "app.terraform.io"
@@ -95,7 +95,7 @@ module "primarycluster" {
   nomad_gossip_key      = data.terraform_remote_state.tls.outputs.nomad_gossip_key
 }
 
-
+/*
 module "secondarycluster" {
   providers = {
     aws.demostack = aws.secondary
@@ -139,7 +139,7 @@ module "secondarycluster" {
   consul_master_token   = data.terraform_remote_state.tls.outputs.consul_master_token
   nomad_gossip_key      = data.terraform_remote_state.tls.outputs.nomad_gossip_key
 }
-
+*/
 
 /*
 module "tertiarycluster" {

modules/aws.tf

@@ -138,10 +138,10 @@ resource "aws_security_group" "demostack" {
   }
 
 
-  #Consul and Vault ports
+  #Consul and Vault and Boundary ports
   ingress {
     from_port   = 8000
-    to_port     = 9200
+    to_port     = 9300
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }

modules/boundary-lb.tf

@@ -1,82 +1,51 @@
-resource "aws_alb" "boundary" {
-  name = "${var.namespace}-boundary"
-
-  security_groups = [aws_security_group.demostack.id]
-  subnets         = aws_subnet.demostack.*.id
-
-  tags = {
-    Name           = "${var.namespace}-boundary"
+resource "aws_lb" "boundary-controller" {
+   name = "${var.namespace}-boundary-controller"
+  load_balancer_type = "network"
+  internal           = false
+subnets         = aws_subnet.demostack.*.id
+
+ tags = {
+    Name           = "${var.namespace}-boundary-controller"
     owner          = var.owner
     created-by     = var.created-by
     sleep-at-night = var.sleep-at-night
     TTL            = var.TTL
   }
 }
 
-resource "aws_alb_target_group" "boundary" {
-  name     = "${var.namespace}-boundary"
-  port     = "9202"
-  vpc_id   = aws_vpc.demostack.id
-  protocol = "HTTP"
-
-}
-
-resource "aws_alb_target_group" "boundary-ui" {
-  name     = "${var.namespace}-boundary-ui"
-  port     = "9200"
+resource "aws_lb_target_group" "boundary-controller" {
+  name     = "${var.namespace}-boundary-controller"
+  port     = 9200
+  protocol = "TCP"
   vpc_id   = aws_vpc.demostack.id
-  protocol = "HTTP"
-
-}
-
-resource "aws_alb_listener" "boundary" {
-  load_balancer_arn = aws_alb.boundary.arn
 
-  port     = "9202"
-  protocol = "HTTP"
-
-  default_action {
-    target_group_arn = aws_alb_target_group.boundary.arn
-    type             = "forward"
+  stickiness  {
+    enabled = false
+     type    = "lb_cookie"
+  }
+  tags = {
+    Name           = "${var.namespace}-boundary-controller"
+    owner          = var.owner
+    created-by     = var.created-by
+    sleep-at-night = var.sleep-at-night
+    TTL            = var.TTL
   }
 }
 
-resource "aws_alb_listener" "boundary-ui" {
-  load_balancer_arn = aws_alb.boundary.arn
+resource "aws_lb_target_group_attachment" "boundary-controller" {
+  count            = var.servers
+  target_group_arn = aws_lb_target_group.boundary-controller.arn
+  target_id        = aws_instance.servers[count.index].id
+  port             = 9200
+}
 
-  port     = "9200"
-  protocol = "HTTP"
+resource "aws_lb_listener" "boundary-controller" {
+  load_balancer_arn = aws_lb.boundary-controller.arn
+  port              = "9200"
+  protocol          = "TCP"
 
   default_action {
-    target_group_arn = aws_alb_target_group.boundary-ui.arn
     type             = "forward"
+    target_group_arn = aws_lb_target_group.boundary-controller.arn
   }
 }
-
-resource "aws_alb_target_group_attachment" "boundary-workers" {
-  count            = var.workers
-  target_group_arn = aws_alb_target_group.boundary.arn
-  target_id        = element(aws_instance.workers.*.id, count.index)
-  port             = "9202"
-}
-
-resource "aws_alb_target_group_attachment" "boundary-ui-workers" {
-  count            = var.workers
-  target_group_arn = aws_alb_target_group.boundary-ui.arn
-  target_id        = element(aws_instance.workers.*.id, count.index)
-  port             = "9200"
-}
-
-resource "aws_alb_target_group_attachment" "boundary-servers" {
-  count            = var.servers
-  target_group_arn = aws_alb_target_group.boundary.arn
-  target_id        = element(aws_instance.servers.*.id, count.index)
-  port             = "9202"
-}
-
-resource "aws_alb_target_group_attachment" "boundary-ui-servers" {
-  count            = var.servers
-  target_group_arn = aws_alb_target_group.boundary-ui.arn
-  target_id        = element(aws_instance.servers.*.id, count.index)
-  port             = "9200"
-}

modules/dns.tf

@@ -5,7 +5,7 @@ resource "aws_route53_record" "boundary" {
   name    = "boundary.${var.namespace}"
   #name    = "traefik"
   type    = "CNAME"
-  records = [aws_alb.boundary.dns_name]
+  records = [aws_lb.boundary-controller.dns_name]
   ttl     = "300"
 }
 

modules/templates/server/nomad.sh

@@ -88,7 +88,7 @@ client {
     path      = "/opt/shared/data/"
     read_only = false
   }
-  
+
 }
 tls {
   rpc  = true
@@ -151,7 +151,7 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
-Environment=VAULT_TOKEN=$(consul kv put service/vault/${node_name}-token)
+Environment=VAULT_TOKEN=$NOMAD_VAULT_TOKEN
 ExecStart=/usr/local/bin/nomad agent -config="/etc/nomad.d"
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT

modules/templates/server/vault.sh

@@ -81,7 +81,7 @@ sudo systemctl start vault
 sleep 8
 
 echo "--> Initializing vault"
-consul lock tmp/vault/lock "$(cat <<"EOF"
+consul lock -name=vault-init tmp/vault/lock "$(cat <<"EOF"
 set -e
 sleep 2
 export VAULT_ADDR="https://127.0.0.1:8200"

outputs.tf

@@ -92,6 +92,7 @@ output "Primary_k8s_eks_ca"{
 **/
 
 // Secondary
+/*
 output "Secondary_Region" {
   value = var.secondary_region
 }
@@ -125,7 +126,7 @@ output "Secondary_nomad_tag_workers" {
 output "Secondary_nomad_tag_servers" {
   value = module.secondarycluster.nomad_tag_servers
 }
-
+*/
 
 
 // Tertiary