chore: limit access to cidr ranges and optimize nat egress (#44)

* chore: disable aws provider and move to override

* chore: allow limiting access to cidr ranges

* fix: script adjustments and ssh within vpc

* fix: allow ec2 instances to pull outside data

* chore: update golden file + recreation

* chore: add requestTimeout to zbctl command

* fix: properly configure security groups for nlb

* chore: restructure ports and remove duplicate egress

* chore: remove commented egress rule

forgot to completly remove it in the last commit

Author: Langleu

.github/workflows/aws_ec2_golden.yml

@@ -59,6 +59,9 @@ jobs:
                   aws configure set aws_access_key_id ${{ steps.secrets.outputs.AWS_ACCESS_KEY }} --profile ${{ env.AWS_PROFILE }}
                   aws configure set aws_secret_access_key ${{ steps.secrets.outputs.AWS_SECRET_KEY }} --profile ${{ env.AWS_PROFILE }}
                   aws configure set region ${{ env.AWS_REGION }} --profile ${{ env.AWS_PROFILE }}
+            - name: Copy provider override
+              run: |
+                  cp "${{ github.workspace }}/aws/ec2/test/fixtures/provider_override.tf" "${TF_PATH}/provider_override.tf"
             - name: Run Terraform plan
               working-directory: aws/ec2/terraform
               run: |

.github/workflows/aws_ec2_tests.yml

@@ -80,7 +80,7 @@ jobs:
             # yamllint disable rule:line-length
             - name: Configure Terraform Backend
               run: |
-                  cp ${{ github.workspace }}/aws/ec2/test/fixtures/override.tf ${{ github.workspace }}/aws/ec2/terraform/override.tf
+                  cp ${{ github.workspace }}/aws/ec2/test/fixtures/*.tf ${{ github.workspace }}/aws/ec2/terraform/
                   echo "TF_CLI_ARGS_init=-backend-config='bucket=${{ env.S3_BACKEND_BUCKET }}' -backend-config='key=state/${{ env.TF_PREFIX }}/terraform.tfstate' -backend-config='region=${{ env.S3_BUCKET_REGION }}' -backend-config='encrypt=true'" >> "$GITHUB_ENV"
             # yamllint enable rule:line-length
             - name: Set Camunda version
@@ -103,10 +103,6 @@ jobs:
                   mkdir /home/runner/.ssh
                   touch /home/runner/.ssh/config
 
-                  # go install github.com/jstemmer/go-junit-report/v2@latest
-                  # go test -v -failfast -timeout 120m | go-junit-report -iocopy -set-exit-code -out report.xml
-                  # go install github.com/ctrf-io/go-ctrf-json-reporter/cmd/go-ctrf-json-reporter@latest
-                  # go test -v -failfast -timeout 120m -json | go-ctrf-json-reporter -output report.json -verbose
                   go install gotest.tools/gotestsum@latest
                   go run gotest.tools/gotestsum@latest --junitfile tests.xml -- --timeout=120m
            ################ Cleanup ##################

.gitignore

@@ -71,8 +71,8 @@ crash.*.log
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
+override.tf
 override.tf.json
-*_override.tf
 *_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern

.pre-commit-config.yaml

@@ -45,6 +45,7 @@ repos:
       hooks:
           - id: terraform_fmt
           - id: terraform_tflint
+            exclude: (_override.tf)
           - id: terraform_docs
             args:
                 - --hook-config=--path-to-file=README.md

README.md

@@ -48,9 +48,12 @@ if [ -z "${IPS+x}" ]; then
     IPS_JSON=$(terraform -chdir="${CURRENT_DIR}/../terraform" output -json camunda_ips)
     cleaned_str=$(echo "${IPS_JSON}" | tr -d '[]"')
     read -r -a IPS <<< "$(echo "${cleaned_str}" | tr ',' ' ')"
+else
+    # IPS env var can be supplied as "IP1 IP2 IP3"
+    read -r -a IPS <<< "${IPS[@]}"
 fi
 
-echo "[INFO] Detected following values for IPS: ${cleaned_str}"
+echo "[INFO] Detected following values for IPS: ${IPS[*]}"
 
 if [ -z "${BASTION_IP+x}" ]; then
     echo "[INFO] BASTION_IP was not overwritten via env vars... pulling from Terraform state file."

aws/ec2/scripts/all-in-one-install.sh

@@ -122,37 +122,38 @@ SECURITY: The default is false. If set to true will use self-signed certificates
 
 | Name | Type |
 |------|------|
-| [aws_ebs_volume.camunda](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/ebs_volume) | resource |
-| [aws_iam_instance_profile.cloudwatch_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_policy.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/iam_policy) | resource |
-| [aws_iam_role.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.cloudwatch_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_instance.bastion](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/instance) | resource |
-| [aws_instance.camunda](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/instance) | resource |
-| [aws_key_pair.main](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/key_pair) | resource |
-| [aws_kms_key.main](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/kms_key) | resource |
-| [aws_lb.grpc](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb) | resource |
-| [aws_lb.main](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb) | resource |
-| [aws_lb_listener.grpc_26500](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_listener) | resource |
-| [aws_lb_listener.http_8080](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_listener) | resource |
-| [aws_lb_listener.http_9090](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_listener) | resource |
-| [aws_lb_target_group.connectors](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_target_group) | resource |
-| [aws_lb_target_group.grpc](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_target_group) | resource |
-| [aws_lb_target_group.main](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_target_group) | resource |
-| [aws_lb_target_group_attachment.connectors](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_target_group_attachment) | resource |
-| [aws_lb_target_group_attachment.grpc](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_target_group_attachment) | resource |
-| [aws_lb_target_group_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/lb_target_group_attachment) | resource |
-| [aws_security_group.allow_necessary_camunda_ports_within_vpc](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/security_group) | resource |
-| [aws_security_group.allow_remote_80_443](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/security_group) | resource |
-| [aws_security_group.allow_remote_9090](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/security_group) | resource |
-| [aws_security_group.allow_remote_grpc](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/security_group) | resource |
-| [aws_security_group.allow_ssh](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/security_group) | resource |
-| [aws_volume_attachment.ebs_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/resources/volume_attachment) | resource |
-| [tls_private_key.testing](https://registry.terraform.io/providers/hashicorp/tls/4.0.6/docs/resources/private_key) | resource |
-| [aws_ami.debian](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/data-sources/ami) | data source |
-| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/data-sources/availability_zones) | data source |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/data-sources/caller_identity) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.73.0/docs/data-sources/region) | data source |
+| [aws_ebs_volume.camunda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume) | resource |
+| [aws_iam_instance_profile.cloudwatch_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_policy.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.cloudwatch_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_instance.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_instance.camunda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_key_pair.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
+| [aws_kms_key.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_lb.grpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
+| [aws_lb.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
+| [aws_lb_listener.grpc_26500](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener.http_8080](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener.http_9090](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_target_group.connectors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
+| [aws_lb_target_group.grpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
+| [aws_lb_target_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
+| [aws_lb_target_group_attachment.connectors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
+| [aws_lb_target_group_attachment.grpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
+| [aws_lb_target_group_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
+| [aws_security_group.allow_necessary_camunda_ports_within_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.allow_package_80_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.allow_remote_80_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.allow_remote_9090](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.allow_remote_grpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.allow_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_volume_attachment.ebs_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/volume_attachment) | resource |
+| [tls_private_key.testing](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_ami.debian](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -170,11 +171,13 @@ SECURITY: The default is false. If set to true will use self-signed certificates
 | <a name="input_enable_vpc_logging"></a> [enable\_vpc\_logging](#input\_enable\_vpc\_logging) | Enable VPC flow logging to CloudWatch Logs | `bool` | `false` | no |
 | <a name="input_generate_ssh_key_pair"></a> [generate\_ssh\_key\_pair](#input\_generate\_ssh\_key\_pair) | Generate an SSH key pair for the EC2 instances over the use of pub\_key\_path. Meant for testing purposes / temp environments. | `bool` | `false` | no |
 | <a name="input_instance_count"></a> [instance\_count](#input\_instance\_count) | The number of instances to create | `number` | `3` | no |
+| <a name="input_limit_access_to_cidrs"></a> [limit\_access\_to\_cidrs](#input\_limit\_access\_to\_cidrs) | List of CIDR blocks to allow access to ssh of Bastion and LoadBalancer | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_opensearch_disk_size"></a> [opensearch\_disk\_size](#input\_opensearch\_disk\_size) | The size of the OpenSearch disk in GiB | `number` | `50` | no |
 | <a name="input_opensearch_engine_version"></a> [opensearch\_engine\_version](#input\_opensearch\_engine\_version) | The engine version of the OpenSearch cluster | `string` | `"2.15"` | no |
 | <a name="input_opensearch_instance_count"></a> [opensearch\_instance\_count](#input\_opensearch\_instance\_count) | The number of instances to create | `number` | `3` | no |
 | <a name="input_opensearch_instance_type"></a> [opensearch\_instance\_type](#input\_opensearch\_instance\_type) | The instance type to use for the OpenSearch instances | `string` | `"t3.small.search"` | no |
 | <a name="input_opensearch_log_types"></a> [opensearch\_log\_types](#input\_opensearch\_log\_types) | The types of logs to publish to CloudWatch Logs | `list(string)` | <pre>[<br/>  "SEARCH_SLOW_LOGS",<br/>  "INDEX_SLOW_LOGS",<br/>  "ES_APPLICATION_LOGS"<br/>]</pre> | no |
+| <a name="input_ports"></a> [ports](#input\_ports) | The ports to open for the security groups within the VPC | `map(number)` | <pre>{<br/>  "camunda_metrics_endpoint": 9600,<br/>  "camunda_web_ui": 8080,<br/>  "connectors_port": 9090,<br/>  "opensearch_https": 443,<br/>  "ssh": 22,<br/>  "zeebe_broker_network_command_api_port": 26501,<br/>  "zeebe_gateway_cluster_port": 26502,<br/>  "zeebe_gateway_network_port": 26500<br/>}</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to use for names of resources | `string` | `"camunda"` | no |
 | <a name="input_pub_key_path"></a> [pub\_key\_path](#input\_pub\_key\_path) | The path to the public key to use for the EC2 instances for SSH access | `string` | `"~/.ssh/id_rsa.pub"` | no |
 ## Outputs
@@ -187,6 +190,7 @@ SECURITY: The default is false. If set to true will use self-signed certificates
 | <a name="output_bastion_ip"></a> [bastion\_ip](#output\_bastion\_ip) | (Optional) The public IP address of the Bastion instance. |
 | <a name="output_camunda_ips"></a> [camunda\_ips](#output\_camunda\_ips) | The private IP addresses of the Camunda instances. |
 | <a name="output_nlb_endpoint"></a> [nlb\_endpoint](#output\_nlb\_endpoint) | (Optional) The DNS name of the Network Load Balancer (NLB) to access the Camunda REST API. |
+| <a name="output_ports"></a> [ports](#output\_ports) | The ports to open in the security group within the VPC. For easier consumption in scripts. |
 | <a name="output_private_key"></a> [private\_key](#output\_private\_key) | (Optional) This private key is meant for testing purposes only and enabled via the variable `generate_ssh_key_pair`. |
 | <a name="output_public_key"></a> [public\_key](#output\_public\_key) | (Optional) This public key is meant for testing purposes only and enabled via the variable `generate_ssh_key_pair`. Please supply your own public key via the variable `pub_key_path`. |
 <!-- END_TF_DOCS -->

aws/ec2/terraform/README.md

@@ -7,21 +7,23 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.73.0"
+      version = "~> 5.74"
     }
     tls = {
       source  = "hashicorp/tls"
-      version = "4.0.6"
+      version = "~> 4.0"
     }
   }
 }
 
-provider "aws" {
-  # set region via $AWS_REGION environment variable
+# Uncomment if used as reference architecture
+# If used as module, a provider configuration is not allowed to be defined
+# provider "aws" {
+#   # set region via $AWS_REGION environment variable
 
-  default_tags {
-    tags = {
-      managed_by = "Terraform"
-    }
-  }
-}
+#   default_tags {
+#     tags = {
+#       managed_by = "Terraform"
+#     }
+#   }
+# }

aws/ec2/terraform/config.tf

@@ -9,7 +9,7 @@ resource "aws_instance" "camunda" {
 
   vpc_security_group_ids = [
     aws_security_group.allow_necessary_camunda_ports_within_vpc.id,
-    aws_security_group.allow_remote_80_443.id,
+    aws_security_group.allow_package_80_443.id,
     aws_security_group.allow_remote_grpc.id,
   ]
 

aws/ec2/terraform/ec2.tf

@@ -139,6 +139,10 @@ resource "aws_lb" "grpc" {
   name               = "${var.prefix}-nlb-grpc"
   internal           = false
   load_balancer_type = "network"
+  security_groups = [
+    aws_security_group.allow_remote_grpc.id,
+    aws_security_group.allow_necessary_camunda_ports_within_vpc.id,
+  ]
 
   subnets = module.vpc.public_subnets
 }
@@ -147,7 +151,7 @@ resource "aws_lb_listener" "grpc_26500" {
   count = var.enable_nlb ? 1 : 0
 
   load_balancer_arn = aws_lb.grpc[0].arn
-  port              = "80"
+  port              = "26500"
   protocol          = "TCP"
 
   default_action {