terraform/nuxeo/main.tf

/*
* 1) Create Public Subnet with a /24 size (HA: create one in at least 3 different availability zones)

* 2) Create a NAT Gateway in one of the Public Subnets
* 3) Create a Route with the Internet Gateway as default route, associate it with the Public Subnet(s)
* 4) Create a Route with the NAT Gateway as default route, *that should be associated to all Private Subnets when they are created*
* 5) Create a Security Group for Bastion Hosts that accepts SSH from anywhere
* 6) Create a Security Group for ELBs that accepts HTTP and HTTPS from anywhere
* 7) Create a Bastion Host with bastion host SG associated to ti, install NTP and Userify on it
*/

#-------------------
# VARIABLES
#-------------------
variable "stack_name" {
	default = "Name for this stack like customer-Name or project-name"
}
variable "aws_region" {}
variable "vpc_id" {}

// Variables for providers used in this module
variable "aws_access_key" {}
variable "aws_secret_key" {}

// Deployer SSH Pub SSH keys
variable "public_key_path" {}
variable "public_subnets" {
  description = "A list of public subnets inside the VPC."
  default     = ["10.0.10.0/24"]
}

variable "private_subnets" {
  description = "A list of private subnets inside the VPC."
  default     = ["10.0.11.0/24"]
}

variable "private_db_subnets" {
  description = "A list of private subnets inside the VPC for the RDS Postgres"
  default     = ["10.0.100.0/24","10.0.101.0/24"]
}


variable "azs" {
  description = "A list of Availability zones in the region"
  default     = ["a","b","c"]
}

variable "enable_nat_gateway" {
  description = "should be true if you want to provision NAT Gateways for each of your private networks"
  default     = false
}
variable "private_propagating_vgws" {
  description = "A list of VGWs the private route table should propagate."
  default     = []
}

variable "public_propagating_vgws" {
  description = "A list of VGWs the public route table should propagate."
  default     = []
}

variable "ssl_certificate_id" {
  description = "SSL Certificate ID on AWS for nuxeocloud.com"
  default = "ASCAI627UM4G2NSLWDTMM"
}

// RDS Instance Variables

variable "rds_instance_name" {
	default = "nuxeo"
}

variable "rds_is_multi_az" {
    default = "false"
}

variable "rds_storage_type" {
    default = "standard"
}

variable "rds_allocated_storage" {
    description = "The allocated storage in GBs"
    // You just give it the number, e.g. 10
}

variable "rds_engine_version" {
    // For valid engine versions, see:
    // See http://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html
    // --engine-version

}

variable "rds_instance_class" {
	default = "db.t2.micro"
}

variable "database_name" {
    description = "The name of the database to create"
}

variable "database_user" {}
variable "database_password" {}


variable "db_parameter_group" {
    default = "default.mysql5.6"
}

// RDS Subnet Group Variables
#variable "subnet_az1" {}
#variable "subnet_az2" {}


#-------------
# AWS Provider
#-------------
provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region     = "${var.aws_region}"
}

data "aws_availability_zones" "all" {}
///////////////////////////////////////////////////////////////////////
// RESOURCES
///////////////////////////////////////////////////////////////////////

#-------------
# DNS Entry for Cloud Customer
#-------------
#resource "aws_route53_record" "dns" {
#   zone_id = "Z1EFT3O5K9NMCJ" // Zone ID for nuxeocloud.com
#   name = "${name}"
#   type = "CNAME"
#   ttl = "300"
#   weighted_routing_policy {
#    weight = 90
#   }
#  set_identifier = "${var.stack_name}"
#  records = ["${var.stack_name}.nuxeocloud.com"]
#}

#-------------
# S3 Bucket
#-------------
resource "random_id" "customer" {
  byte_length = 8
}

resource "aws_s3_bucket" "bucket" {
    bucket = "nuxeo-${random_id.customer.hex}"
    acl = "private"

  tags {
    Name 		= "cloud-${random_id.customer.b64}"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-s3"
  }
}
#-------------
# CREATE SUBNETS
#-------------

resource "aws_subnet" "public" {
  vpc_id            = "${var.vpc_id}"
  cidr_block        = "${var.public_subnets[count.index]}"
  availability_zone = "${var.aws_region}${var.azs[count.index]}"
  count             = "${length(var.public_subnets)}"
  tags {
    Name 		= "${var.stack_name}-subnet-public-${var.aws_region}${element(var.azs, count.index)}"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-subnet"
  }
  map_public_ip_on_launch = "true"
}

resource "aws_subnet" "private" {
  vpc_id            = "${var.vpc_id}"
  cidr_block        = "${var.private_subnets[count.index]}"
  availability_zone = "${var.aws_region}${var.azs[count.index]}"
  count             = "${length(var.private_subnets)}"
  tags {
    Name 		= "${var.stack_name}-subnet-private-${var.aws_region}${element(var.azs, count.index)}"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-subnet"
  }
}

resource "aws_subnet" "db_private" {
  vpc_id            = "${var.vpc_id}"
  cidr_block        = "${var.private_db_subnets[count.index]}"
  availability_zone = "${var.aws_region}${var.azs[count.index]}"
  count             = "${length(var.private_db_subnets)}"
  tags {
    Name 		= "${var.stack_name}-db-subnet-private-${var.aws_region}${element(var.azs, count.index)}"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-subnet"
  }
}

#-------------
# CREATE NAT GATEWAY
#-------------
# > Create EIP to associate to NAT GW
resource "aws_eip" "nateip" {
  vpc   = true
  count = "${length(var.private_subnets) * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
  tags {
    Name                = "${var.vpc_id}-nat-eip"
    billing-category    = "customers"
    role                = "nuxeo.aws-nat_eip"
  }
}

# > Create NAT GW
resource "aws_nat_gateway" "natgw" {
  allocation_id = "${element(aws_eip.nateip.*.id, count.index)}"
  subnet_id     = "${element(aws_subnet.public.*.id, count.index)}"
  count         = "${length(var.private_subnets) * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
  tags {
    Name                = "${var.stack_name}-natgw"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-natgw"
  }
  depends_on = ["aws_internet_gateway.igw"]
}

# > Create IGW
resource "aws_internet_gateway" "igw" {
  vpc_id = "${var.vpc_id}"
}

#-------------
# CREATE ROUTES
#-------------

# > Route Tables

# >> Route Table for Public Subnets
resource "aws_route_table" "public" {
  vpc_id           = "${var.vpc_id}"
  propagating_vgws = ["${var.public_propagating_vgws}"]
  tags {
    Name 		= "${var.stack_name}-rt-public"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-rtb"
  }
}

# >> Route Table for Private Subnets
resource "aws_route_table" "private" {
  vpc_id           = "${var.vpc_id}"
  propagating_vgws = ["${var.private_propagating_vgws}"]
  count            = "${length(var.private_subnets)}"
  tags {
    Name 		= "${var.stack_name}-rt-private-${element(var.azs, count.index)}"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-rtb"
  }
}

# > Associations
# >> for Private Subnets
resource "aws_route_table_association" "private" {
  count          = "${length(var.private_subnets)}"
  subnet_id      = "${element(aws_subnet.private.*.id, count.index)}"
  route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
}

# >> for Public Subnets
resource "aws_route_table_association" "public" {
  count          = "${length(var.public_subnets)}"
  subnet_id      = "${element(aws_subnet.public.*.id, count.index)}"
  route_table_id = "${aws_route_table.public.id}"
}

# > Routes
# >> Route for IGW
resource "aws_route" "public_internet_gateway" {
  route_table_id         = "${aws_route_table.public.id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.igw.id}"
}

# Route for NAT GW
resource "aws_route" "private_nat_gateway" {
  route_table_id         = "${element(aws_route_table.private.*.id, count.index)}"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
  count                  = "${length(var.private_subnets) * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
}


#-------------------
# Security Groups
#-------------------
resource "aws_security_group" "sg_external_elb" {
  name        = "${format("%s-sg-external-elb", var.stack_name)}"
  vpc_id      = "${var.vpc_id}"
  description = "Allows external ELB traffic"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
  tags {
    Name                = "${format("%s external elb", var.stack_name)}"
    billing-category    = "customers"
    billing-subcategory = "${var.stack_name}"
    role                = "nuxeo.aws-sg.external"
  }
}

resource "aws_security_group" "sg_internal" {
  name        = "${format("%s-sg-internal-elb", var.stack_name)}"
  vpc_id      = "${var.vpc_id}"
  description = "Allows external ELB traffic"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    security_groups = ["${aws_security_group.sg_external_elb.id}"]
  }

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    security_groups = ["${aws_security_group.sg_external_elb.id}"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # TOFIX to replace by bastion host
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
  tags {
    Name        	= "${format("%s internal elb", var.stack_name)}"
    billing-category	= "customers"
    billing-subcategory = "${var.stack_name}"
    role		= "nuxeo.aws-sg.internal"
  }
}

resource "aws_security_group" "external_ssh" {
  name        = "${format("%s-sg-external-ssh", var.stack_name)}"
  description = "Allows ssh from the world"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
    tags {
      Name        = "${format("%s external ssh", var.stack_name)}"
      billing-category = "customers"
      billing-subcategory = "${var.stack_name}"
      role= "nuxeo.aws-sg-ssh"
    }
  tags {
  }
}

#-------------------
# ELB
#-------------------
resource "aws_elb" "elb" {
  name = "elb-${var.stack_name}"

  internal                  = true
  cross_zone_load_balancing = true
  subnets                   = ["${aws_subnet.public.id}"]
  security_groups 	    = ["${aws_security_group.sg_external_elb.id}"]

  idle_timeout                = 30
  connection_draining         = true
  connection_draining_timeout = 15

  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 80
    instance_protocol = "http"
  }

#  listener {
#    lb_port           = 443
#    lb_protocol       = "https"
#    instance_port     = 80
#    instance_protocol = "http"
#    #ssl_certificate_id = "${var.ssl_certificate_id}"
#  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 5
    target              = "TCP:8080"
    interval            = 30
  }

#  access_logs {
#    bucket = "${var.log_bucket}"
#  }
   tags {
     Name        = "elb-${var.stack_name}"
     billing-category = "customers"
     billing-subcategory = "${var.stack_name}"
     role= "nuxeo.elb"
   }
  tags {
  }
}


#-------------------
# RDS Postgresql Database
#-------------------
resource "aws_db_instance" "main_rds_instance" {
    identifier = "db-${var.stack_name}"
    allocated_storage = "${var.rds_allocated_storage}"
    engine = "postgres"
    engine_version = "${var.rds_engine_version}"
    instance_class = "${var.rds_instance_class}"
    name = "${var.stack_name}"
    username = "${var.database_user}"
    password = "${var.database_password}"
    // Because we're assuming a VPC, we use this option, but only one SG id
    vpc_security_group_ids = ["${aws_security_group.sg_internal.id}"]
    // We're creating a subnet group in the module and passing in the name
    db_subnet_group_name = "${var.stack_name}-db-subnet-group"
    parameter_group_name = "default.postgres9.4"
    // We want the multi-az setting to be toggleable, but off by default
    multi_az = "${var.rds_is_multi_az}"
    storage_type = "${var.rds_storage_type}"
    tags {
      Name = "${var.stack_name} - Nuxeo Postgres Database"
      billing-category = "customers"
      billing-subcategory = "${var.stack_name}"
      role= "nuxeo.db"
    }
}

resource "aws_db_subnet_group" "main_db_subnet_group" {
  name        = "${var.stack_name}-db-subnet-group"
  description = "RDS private subnet group"
  subnet_ids  = ["${aws_subnet.db_private.0.id}", "${aws_subnet.db_private.1.id}"]
}


#-------------------
# Elastic Cache Redis
#-------------------
resource "aws_elasticache_cluster" "redis" {
  cluster_id		= "${var.stack_name}"
  engine		= "redis"
  engine_version       = "3.2.4"
  node_type		= "cache.t2.micro"
  port			= "6379"
  num_cache_nodes	= 1
  parameter_group_name	= "default.redis3.2"
  subnet_group_name    = "${aws_elasticache_subnet_group.redis.name}"
  security_group_ids   =  ["${aws_security_group.sg_internal.id}"]
  tags {
    Name = "Redis ElasticCache"
    billing-category = "customers"
    billing-subcategory = "${var.stack_name}"
    role= "nuxeo.redis"
  }
}

resource "aws_elasticache_subnet_group" "redis" {
  name        = "${var.stack_name}-redis-subnet-group"
  description = "Private subnets for the ElastiCache instances"
  subnet_ids  = ["${aws_subnet.db_private.0.id}", "${aws_subnet.db_private.1.id}"]
}

#-------------------
# Create Nuxeo Ubuntu Instance
#-------------------
# Create a new instance of the latest Ubuntu on an
# t2.micro node with an AWS Tag naming it "Nuxeo"
data "aws_ami" "ubuntu" {
  most_recent = true
  filter {
    name = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }
  filter {
    name = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["099720109477"] # Canonical
}

resource "aws_instance" "nuxeo" {
    ami = "${data.aws_ami.ubuntu.id}"
    instance_type = "t2.micro"
    key_name = "${aws_key_pair.deployer.id}"
    subnet_id   = "${aws_subnet.private.id}"
    tags {
      Name = "Nuxeo"
      billing-category = "customers"
      billing-subcategory = "${var.stack_name}"
      role= "nuxeo.instance"
    }
}


#---------------------
# Deployer SSH keys 
#--------------------
resource "aws_key_pair" "deployer" {
  key_name = "deployer-key" 
  public_key = "${file(var.public_key_path)}"
}