Merge pull request #197 from input-output-hk/zt

misc: monitoring update, token ttl adjustments, tf transit gateway

Author: johnalotoski

lib/security-group-rules.nix

@@ -90,4 +90,28 @@ in {
     protocols = ["tcp" "udp"];
     cidrs = global;
   };
+
+  ziti-controller-rest = {
+    port = 1280;
+    protocols = ["tcp"];
+    cidrs = global;
+  };
+
+  ziti-controller-mgmt = {
+    port = 6262;
+    protocols = ["tcp"];
+    cidrs = global;
+  };
+
+  ziti-router-edge = {
+    port = 3022;
+    protocols = ["tcp"];
+    cidrs = global;
+  };
+
+  ziti-router-fabric = {
+    port = 10080;
+    protocols = ["tcp"];
+    cidrs = global;
+  };
 }

lib/terralib.nix

@@ -33,6 +33,37 @@ in rec {
   nullRoute = nullRoute' // {destination_ipv6_cidr_block = null;};
 
   aws = {
+    # asgVpcs returns a vpc attr struct when provided config.cluster.
+    # Example attr struct:
+    #  [
+    #    {
+    #      "cidr": "10.24.0.0/16",
+    #      "id": "${data.aws_vpc.bitte-world-eu-central-1-asgs.id}",
+    #      "name": "bitte-world-eu-central-1-asgs",
+    #      "region": "eu-central-1",
+    #      "subnets": {
+    #        "a": {
+    #          "availabilityZone": "${element(module.instance_types_to_azs_eu-central-1.availability_zones, 0)}",
+    #          "cidr": "10.24.0.0/18",
+    #          "id": "${aws_subnet.a.id}",
+    #          "name": "a"
+    #        },
+    #        "b": {
+    #          "availabilityZone": "${element(module.instance_types_to_azs_eu-central-1.availability_zones, 1)}",
+    #          "cidr": "10.24.64.0/18",
+    #          "id": "${aws_subnet.b.id}",
+    #          "name": "b"
+    #        },
+    #        "c": {
+    #          "availabilityZone": "${element(module.instance_types_to_azs_eu-central-1.availability_zones, 2)}",
+    #          "cidr": "10.24.128.0/18",
+    #          "id": "${aws_subnet.c.id}",
+    #          "name": "c"
+    #        }
+    #      }
+    #    },
+    #    ...
+    #  ]
     asgVpcs = cluster:
       lib.forEach (builtins.attrValues cluster.awsAutoScalingGroups) (asg: asg.vpc);
 

modules/monitoring.nix

@@ -522,14 +522,14 @@ in {
           httpListenAddr = "0.0.0.0:8880";
           externalUrl = "https://monitoring.${domain}";
           httpPathPrefix = "/vmalert-vm";
-          externalAlertSource = ''explore?left=%%7B%%22datasource%%22:%%22VictoriaMetrics%%22,%%22queries%%22:%%5B%%7B%%22refId%%22:%%22A%%22,%%22expr%%22:%%22{{$expr|quotesEscape|crlfEscape|pathEscape}}%%22,%%22range%%22:true,%%22editorMode%%22:%%22code%%22%%7D%%5D,%%22range%%22:%%7B%%22from%%22:%%22now-1h%%22,%%22to%%22:%%22now%%22%%7D%%7D&orgId=1'';
+          externalAlertSource = ''explore?left=%%7B%%22datasource%%22:%%22VictoriaMetrics%%22,%%22queries%%22:%%5B%%7B%%22refId%%22:%%22A%%22,%%22expr%%22:%%22{{$expr|quotesEscape|pathEscape}}%%22,%%22range%%22:true,%%22editorMode%%22:%%22code%%22%%7D%%5D,%%22range%%22:%%7B%%22from%%22:%%22now-1h%%22,%%22to%%22:%%22now%%22%%7D%%7D&orgId=1'';
         };
         loki = {
           datasourceUrl = "http://127.0.0.1:3100/loki";
           httpListenAddr = "0.0.0.0:8881";
           externalUrl = "https://monitoring.${domain}";
           httpPathPrefix = "/vmalert-loki";
-          externalAlertSource = ''explore?left=%%7B%%22datasource%%22:%%22Loki%%22,%%22queries%%22:%%5B%%7B%%22refId%%22:%%22A%%22,%%22expr%%22:%%22{{$expr|quotesEscape|crlfEscape|pathEscape}}%%22,%%22range%%22:true,%%22editorMode%%22:%%22code%%22%%7D%%5D,%%22range%%22:%%7B%%22from%%22:%%22now-1h%%22,%%22to%%22:%%22now%%22%%7D%%7D&orgId=1'';
+          externalAlertSource = ''explore?left=%%7B%%22datasource%%22:%%22Loki%%22,%%22queries%%22:%%5B%%7B%%22refId%%22:%%22A%%22,%%22expr%%22:%%22{{$expr|quotesEscape|pathEscape}}%%22,%%22range%%22:true,%%22editorMode%%22:%%22code%%22%%7D%%5D,%%22range%%22:%%7B%%22from%%22:%%22now-1h%%22,%%22to%%22:%%22now%%22%%7D%%7D&orgId=1'';
           # Loki uses PromQL type queries that do not strictly comply with PromQL
           # Ref: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/780
           ruleValidateExpressions = false;

modules/terraform.nix

@@ -482,6 +482,51 @@
             self.inputs;
         };
 
+        transitGateway = lib.mkOption {
+          type = with lib.types;
+            submodule ({name, ...} @ this: {
+              options = {
+                enable = lib.mkOption {
+                  type = with lib.types; bool;
+                  default = false;
+                  description = ''
+                    Whether to enable a star topology transit gateway network to allow custom packet routing
+                    through a multi-region cluster.  Applicable to zero-trust tunneling in a ZTNA model.
+                    See the transitGateway description for more detail.
+                  '';
+                };
+
+                transitRoutes = lib.mkOption {
+                  type = with lib.types; addCheck (listOf attrs) (x: x != []);
+                  default = [];
+                  description = ''
+                    A list containing elements of attrs with attribute gatewayCoreNodeName and cidrRange.
+                    Each CIDR range forwards to the respective gatewayCoreNode for zero trust tunneling
+                    in the core VPC.
+
+                    Note that the CIDR ranges cannot overlap with existing VPC, subnet CIDRs or themselves.
+                    Note also that the listed gatewayCoreNode machines must already exist.
+
+                    Example:
+                      [
+                        { gatewayCoreNodeName = "zt1"; cidrRange = "10.10.0.0/24"; }
+                        { gatewayCoreNodeName = "zt2"; cidrRange = "10.11.0.0/24"; }
+                      ]
+                  '';
+                };
+              };
+            });
+          default = {};
+          description = ''
+            Declaring config.cluster.transitGateway options and plan/applying the terraform clients
+            workspace will provision and configure AWS resources for a peered transit gateway in a star
+            topology with the core VPC at the center and the asg VPCs at the edge.
+
+            This enables routing traffic intended for ZT tunneling across the VPCs in private network
+            CIDRs that are outside the configured VPC CIDR ranges to the core VPC.
+          '';
+        };
+
         vaultBackend = lib.mkOption {
           type = with lib.types; str;
           default = "https://vault.infra.aws.iohkdev.io";
@@ -1012,6 +1057,11 @@
           default = {};
         };
 
+        sourceDestCheck = lib.mkOption {
+          type = with lib.types; bool;
+          default = true;
+        };
+
         initialVaultSecrets = lib.mkOption {
           type = with lib.types; initialVaultSecretsType;
           default = {};