github.com/hernad/nomad@v1.6.112/e2e/terraform/network.tf (about) 1 # Copyright (c) HashiCorp, Inc. 2 # SPDX-License-Identifier: MPL-2.0 3 4 data "aws_vpc" "default" { 5 default = true 6 } 7 8 data "aws_subnet" "default" { 9 availability_zone = var.availability_zone 10 vpc_id = data.aws_vpc.default.id 11 default_for_az = true 12 } 13 14 data "aws_subnet" "secondary" { 15 availability_zone = var.availability_zone 16 vpc_id = data.aws_vpc.default.id 17 default_for_az = false 18 tags = { 19 Secondary = "true" 20 } 21 } 22 23 # using a dns lookup instead of http, because it's faster 24 # and should be more reliable. 25 data "external" "my_public_ipv4" { 26 program = ["/bin/sh", "-c", <<-EOT 27 ip="$(dig @resolver4.opendns.com myip.opendns.com +short -4)" 28 echo '{"ip": "'$ip'"}' 29 EOT 30 ] 31 } 32 33 locals { 34 ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.external.my_public_ipv4.result["ip"])}/32" : "0.0.0.0/0" 35 } 36 37 resource "aws_security_group" "servers" { 38 name = "${local.random_name}-servers" 39 vpc_id = data.aws_vpc.default.id 40 41 # SSH from test runner 42 ingress { 43 from_port = 22 44 to_port = 22 45 protocol = "tcp" 46 cidr_blocks = [local.ingress_cidr] 47 } 48 49 # Nomad HTTP and RPC from test runner 50 ingress { 51 from_port = 4646 52 to_port = 4647 53 protocol = "tcp" 54 cidr_blocks = [local.ingress_cidr] 55 } 56 57 # Nomad HTTP and RPC from clients 58 ingress { 59 from_port = 4646 60 to_port = 4647 61 protocol = "tcp" 62 security_groups = [aws_security_group.clients.id] 63 } 64 65 # Nomad serf is covered here: only allowed between hosts in the servers own 66 # security group so that clients can't accidentally use serf address 67 ingress { 68 from_port = 0 69 to_port = 0 70 protocol = "-1" 71 self = true 72 } 73 74 # allow all outbound 75 egress { 76 from_port = 0 77 to_port = 0 78 protocol = "-1" 79 cidr_blocks = ["0.0.0.0/0"] 80 } 81 } 82 83 # the secondary VPC security group is intended only for internal traffic 84 # and so that we can exercise behaviors with multiple IPs 85 resource "aws_security_group" "servers_secondary" { 86 name = "${local.random_name}-servers-secondary" 87 vpc_id = data.aws_vpc.default.id 88 89 ingress { 90 from_port = 0 91 to_port = 0 92 protocol = "-1" 93 self = true 94 } 95 96 # allow all outbound 97 egress { 98 from_port = 0 99 to_port = 0 100 protocol = "-1" 101 cidr_blocks = ["0.0.0.0/0"] 102 } 103 } 104 105 resource "aws_security_group" "clients" { 106 name = "${local.random_name}-clients" 107 vpc_id = data.aws_vpc.default.id 108 109 # SSH from test runner 110 ingress { 111 from_port = 22 112 to_port = 22 113 protocol = "tcp" 114 cidr_blocks = [local.ingress_cidr] 115 } 116 117 # Nomad HTTP and RPC from test runner 118 ingress { 119 from_port = 4646 120 to_port = 4647 121 protocol = "tcp" 122 cidr_blocks = [local.ingress_cidr] 123 } 124 125 # UI reverse proxy from test runner 126 ingress { 127 from_port = 6464 128 to_port = 6464 129 protocol = "tcp" 130 cidr_blocks = [local.ingress_cidr] 131 } 132 133 # Fabio from test runner 134 ingress { 135 from_port = 9998 136 to_port = 9999 137 protocol = "tcp" 138 cidr_blocks = [local.ingress_cidr] 139 } 140 141 # allow all client-to-client 142 ingress { 143 from_port = 0 144 to_port = 0 145 protocol = "-1" 146 self = true 147 } 148 149 # allow all outbound 150 egress { 151 from_port = 0 152 to_port = 0 153 protocol = "-1" 154 cidr_blocks = ["0.0.0.0/0"] 155 } 156 } 157 158 # the secondary VPC security group is intended only for internal traffic 159 # and so that we can exercise behaviors with multiple IPs 160 resource "aws_security_group" "clients_secondary" { 161 name = "${local.random_name}-clients-secondary" 162 vpc_id = data.aws_vpc.default.id 163 164 ingress { 165 from_port = 0 166 to_port = 0 167 protocol = "-1" 168 self = true 169 } 170 171 # allow all outbound 172 egress { 173 from_port = 0 174 to_port = 0 175 protocol = "-1" 176 cidr_blocks = ["0.0.0.0/0"] 177 } 178 } 179 180 resource "aws_security_group" "nfs" { 181 count = var.volumes ? 1 : 0 182 name = "${local.random_name}-nfs" 183 vpc_id = data.aws_vpc.default.id 184 185 ingress { 186 from_port = 2049 187 to_port = 2049 188 protocol = "tcp" 189 security_groups = [aws_security_group.clients.id] 190 } 191 } 192 193 # every server gets a ENI 194 resource "aws_network_interface" "servers_secondary" { 195 subnet_id = data.aws_subnet.secondary.id 196 security_groups = [aws_security_group.servers_secondary.id] 197 198 count = var.server_count 199 attachment { 200 instance = aws_instance.server[count.index].id 201 device_index = 1 202 } 203 } 204 205 # every Linux client gets a ENI 206 resource "aws_network_interface" "clients_secondary" { 207 subnet_id = data.aws_subnet.secondary.id 208 security_groups = [aws_security_group.clients_secondary.id] 209 210 count = var.client_count_ubuntu_jammy_amd64 211 attachment { 212 instance = aws_instance.client_ubuntu_jammy_amd64[count.index].id 213 device_index = 1 214 } 215 }