From 0901b0eeb5d83a02b09067e77c3a20c5d9d2ef31 Mon Sep 17 00:00:00 2001 From: Justin Wind Date: Wed, 8 Mar 2017 16:12:33 -0800 Subject: [PATCH] further progress on infrastructure buildout --- .gitignore | 1 + ansible.cfg | 1 + roles/aws-infrastructure/defaults/main.yml | 7 + roles/aws-infrastructure/meta/main.yml | 3 + roles/aws-infrastructure/tasks/main.yml | 314 ++++++++++++-------- roles/aws-vpc-infrastructure/meta/main.yml | 3 + roles/aws-vpc-infrastructure/tasks/main.yml | 71 +++++ roles/aws-vpc/tasks/main.yml | 73 +---- 8 files changed, 281 insertions(+), 192 deletions(-) create mode 100644 .gitignore create mode 100644 roles/aws-infrastructure/defaults/main.yml create mode 100644 roles/aws-infrastructure/meta/main.yml create mode 100644 roles/aws-vpc-infrastructure/meta/main.yml create mode 100644 roles/aws-vpc-infrastructure/tasks/main.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..81bbbae --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +keys/ diff --git a/ansible.cfg b/ansible.cfg index a48806d..c6ee886 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,4 +1,5 @@ [defaults] +retry_files_enabled = False host_key_checking = False inventory = inventory remote_user = ec2-user diff --git a/roles/aws-infrastructure/defaults/main.yml b/roles/aws-infrastructure/defaults/main.yml new file mode 100644 index 0000000..1830f02 --- /dev/null +++ b/roles/aws-infrastructure/defaults/main.yml @@ -0,0 +1,7 @@ +--- +MANAGEMENT_EVENT_QUEUE: management-events +MANAGEMENT_EVENT_QUEUE_SHORT: management +MANAGEMENT_EVENT_FAILURE_QUEUE: "{{ MANAGEMENT_EVENT_QUEUE }}-failed" +MANAGEMENT_NOTICE_TOPIC: management-notifications +MANAGEMENT_NOTICE_TOPIC_SHORT: notices +MANAGEMENT_KEY_NAME: management \ No newline at end of file diff --git a/roles/aws-infrastructure/meta/main.yml b/roles/aws-infrastructure/meta/main.yml new file mode 100644 index 0000000..96ecf5e --- /dev/null +++ b/roles/aws-infrastructure/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: aws-vpc } \ No newline at end of file diff --git a/roles/aws-infrastructure/tasks/main.yml b/roles/aws-infrastructure/tasks/main.yml index 0f1a390..b4663f5 100644 --- a/roles/aws-infrastructure/tasks/main.yml +++ b/roles/aws-infrastructure/tasks/main.yml @@ -1,143 +1,203 @@ -- action: ec2_facts +--- +- assert: + that: + - MANAGEMENT_EVENT_FAILURE_QUEUE != '' + - MANAGEMENT_EVENT_QUEUE != '' + - MANAGEMENT_SUBNET != '' + - DEFAULT_AMI != '' + tags: ['check_vars'] + +- name: Management failure queue. + sqs_queue: + state: present + region: "{{ vpc_region }}" + name: "{{ MANAGEMENT_EVENT_FAILURE_QUEUE }}" + default_visibility_timeout: 30 + message_retention_period: 1209600 + maximum_message_size: 262144 + delivery_delay: 0 + receive_message_wait_time: 0 + register: management_failure_queue + +- debug: + var: management_failure_queue - name: Managment queue. sqs_queue: state: present + region: "{{ vpc_region }}" name: "{{ MANAGEMENT_EVENT_QUEUE }}" default_visibility_timeout: 30 message_retention_period: 345600 maximum_message_size: 262144 delivery_delay: 0 receive_message_wait_time: 20 - -- name: Management failure queue. - sqs_queue: - state: present - name: "{{ MANAGEMENT_EVENT_FAILURE_QUEUE }}" - default_visibility_timeout: 30 - message_retention_period: 1209600 - maximum_message_size: 262144 - delivery_delay: 0 - receive_message_wait_time: 0 + redrive_policy: + maxReceiveCount: 5 + deadLetterTargetArn: "arn:aws:sqs:{{ vpc_region }}:{{ ACCT_ID }}:{{ MANAGEMENT_EVENT_FAILURE_QUEUE }}" +# deadLetterTargetArn: "{{ management_failure_queue.queue_arn }}" + register: management_queue - name: Management topic and subscription. - sns_topic: - state: present - name: "{{ MANAGEMENT_EVENT_QUEUE }}" - display_name: "management" - purge_subscriptions: False - subscriptions: - - endpoint: "arn:aws:sqs:{{ ansible_ec2_placement_region }}:{{ ACCT_ID }}:{{ MANAGEMENT_EVENT_QUEUE }}" - protocol: "sqs" - -- name: Ensure management backup bucket exists. - s3_bucket: + sns_topic: state: present - when: MANAGEMENT_BACKUP_S3_BUCKET|defined - name: "{{ MANAGEMENT_BACKUP_S3_BUCKET }}" + region: "{{ vpc_region }}" + name: "{{ MANAGEMENT_EVENT_QUEUE }}" + display_name: "{{ MANAGEMENT_EVENT_QUEUE_SHORT }}" + purge_subscriptions: False + subscriptions: +# - endpoint: "{{ management_queue.queue_arn }}" + - endpoint: "arn:aws:sqs:{{ vpc_region }}:{{ ACCT_ID }}:{{ MANAGEMENT_EVENT_QUEUE }}" + protocol: "sqs" + register: management_topic + +- name: Management notice topic + sns_topic: + state: present + region: "{{ vpc_region }}" + name: "{{ MANAGEMENT_NOTICE_TOPIC }}" + display_name: "{{ MANAGEMENT_NOTICE_TOPIC_SHORT }}" + purge_subscriptions: False + register: management_notice_topic + +# - name: Ensure management backup bucket exists. +# s3_bucket: +# when: MANAGEMENT_BACKUP_S3_BUCKET is defined +# state: present +# name: "{{ MANAGEMENT_BACKUP_S3_BUCKET }}" - name: sg ssh - ec2_group: - state: present - name: sshOnly - description: "allow ssh from anywhere" - purge_rules: false - rules: - - proto: tcp - from_port: 22 - to_port: 22 - cidr_ip: 0.0.0.0/0 - rules_egress: - - proto: all - cidr_ip: 0.0.0.0/0 - - - name: sg management-elb - ec2_group: - state: present - name: management-elb - description: "sg for internal elb for monitoring management" - purge_rules: false - rules: - - proto: tcp - from_port: 22 - to_port: 22 - cidr_ip: 0.0.0.0/0 - rules_egress: - - proto: all - cidr_ip: 0.0.0.0/0 - - - name: sg management - ec2_group: - state: present - name: management - description: "sg for management" - purge_rules: false - rules: - - proto: all - group_name: management - - proto: all - group_name: management-elb - - - name: elb management-int-elb - ec2_elb_lb: - state: present - name: management-int-elb - cross_az_load_balancing: yes - scheme: internal - subnets: "{{ MANAGEMENT_SUBNET }}" - security_group_names: - - management-elb - listeners: - - protocol: tcp - load_balancer_port: 22 - instance_port: 22 - health_check: - ping_protocol: tcp - ping_port: 22 - response_timeout: 5 - interval: 30 - unhealthy_threshold: 2 - healthy_threshold: 2 - - - name: management iam - iam: - name: management - iam_type: role - state: present - - - name: management lc - ec2_lc: - name: management-0000 - image_id: "{{ DEFAULT_AMI }}" - key_name: management-key - security_groups: - - management - - sshOnly - instance_type: m4.large - volumes: - - device_name: /dev/sda1 - volume_size: 8 - volume_type: gp2 - delete_on_termination: true - - device_name: /dev/sdb - ephemeral: ephemeral0 - - device_name: /dev/sdc - ephemeral: ephemeral1 - - device_name: /dev/sdd - ephemeral: ephemeral2 - - device_name: /dev/sde - ephemeral: ephemeral3 - register: mgmt_lc - - - name: management asg - ec2_asg: - name: management - min_size: 1 - max_size: 1 - desired_capacity: 1 - vpc_zone_identifier: "{{ MANAGEMENT_SUBNET }}" - launch_config_name: "{{ mgmt_lc.something.name }}" - tags: - - module: management - propogate_at_launch: yes + ec2_group: + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + state: present + name: ssh + description: "allow ssh from anywhere" + purge_rules: false + rules: + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 0.0.0.0/0 + rules_egress: + - proto: all + cidr_ip: 0.0.0.0/0 + register: sg_ssh + +- name: sg management-elb + ec2_group: + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + state: present + name: management-elb + description: "sg for internal elb for monitoring management" + purge_rules: false + rules: + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 0.0.0.0/0 + rules_egress: + - proto: all + cidr_ip: 0.0.0.0/0 + +- name: sg management + ec2_group: + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + state: present + name: management + description: "sg for management" + purge_rules: false + rules: + - proto: all + group_name: management + - proto: all + group_name: management-elb + register: sg_management + +- debug: + var: sg_management + +- name: elb management-int-elb + ec2_elb_lb: + region: "{{ vpc_region }}" + state: present + name: management-int-elb + cross_az_load_balancing: yes + scheme: internal + subnets: "{{ MANAGEMENT_SUBNET }}" + security_group_names: + - management-elb + listeners: + - protocol: tcp + load_balancer_port: 22 + instance_port: 22 + health_check: + ping_protocol: tcp + ping_port: 22 + response_timeout: 5 + interval: 30 + unhealthy_threshold: 2 + healthy_threshold: 2 + +- name: management key + ec2_key: + region: "{{ vpc_region }}" + name: "{{ MANAGEMENT_KEY_NAME }}" + key_material: "{{ item }}" + with_file: keys/{{ MANAGEMENT_KEY_NAME }}.pub + +- name: management iam + iam: + name: management + iam_type: role + state: present + +- name: management lc + ec2_lc: + region: "{{ vpc_region }}" + name: management-0000 + image_id: "{{ DEFAULT_AMI }}" + key_name: "{{ MANAGEMENT_KEY_NAME }}" + instance_profile_name: management + security_groups: + - "{{ sg_management.group_id }}" + - "{{ sg_ssh.group_id }}" + instance_type: m4.large + volumes: + - device_name: /dev/sda1 + volume_size: 8 + volume_type: gp2 + delete_on_termination: true + - device_name: /dev/sdb + ephemeral: ephemeral0 + - device_name: /dev/sdc + ephemeral: ephemeral1 + - device_name: /dev/sdd + ephemeral: ephemeral2 + - device_name: /dev/sde + ephemeral: ephemeral3 + register: mgmt_lc + +- debug: + var: mgmt_lc + +- name: management asg + ec2_asg: + region: "{{ vpc_region }}" + name: management + min_size: 1 + max_size: 1 + desired_capacity: 1 + vpc_zone_identifier: "{{ MANAGEMENT_SUBNET }}" + launch_config_name: "{{ mgmt_lc.name }}" + notification_topic: "{{ management_topic.sns_arn }}" + notification_types: + - autoscaling:EC2_INSTANCE_LAUNCH + load_balancers: + - management-int-elb + tags: + - module: management + propogate_at_launch: yes diff --git a/roles/aws-vpc-infrastructure/meta/main.yml b/roles/aws-vpc-infrastructure/meta/main.yml new file mode 100644 index 0000000..96ecf5e --- /dev/null +++ b/roles/aws-vpc-infrastructure/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: aws-vpc } \ No newline at end of file diff --git a/roles/aws-vpc-infrastructure/tasks/main.yml b/roles/aws-vpc-infrastructure/tasks/main.yml new file mode 100644 index 0000000..03923fe --- /dev/null +++ b/roles/aws-vpc-infrastructure/tasks/main.yml @@ -0,0 +1,71 @@ +--- +- assert: + that: + - vpc_region != '' + - vpc_subnets_pub != '' + - vpc_subnets_priv != '' + tags: ['check_vars'] + +- name: IGW + ec2_vpc_igw: + state: present + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + register: igw + +- name: Name IGW + ec2_tag: + state: present + resource: "{{ igw.gateway_id }}" + region: "{{ vpc_region }}" + tags: + Name: "igw-{{ vpc_region }}" + +- name: Subnets + with_items: "{{ vpc_subnets_pub + vpc_subnets_priv }}" + ec2_vpc_subnet: + state: present + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + cidr: "{{ item.cidr }}" + az: "{{ item.az }}" + tags: "{{ item.resource_tags }}" + +- name: Access/NAT EIP + ec2_eip: + in_vpc: yes + region: "{{ vpc_region }}" + reuse_existing_ip_allowed: yes + register: access_eip + +- name: Private route table + ec2_vpc_route_table: + state: present + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + tags: + Name: "Private-Routes-vpc-{{ vpc_region }}" + zone: priv + managed: 'yes' + subnets: "{{ vpc_subnets_priv|map(attribute='cidr')|list }}" + register: private_rt + +- name: Public route table + ec2_vpc_route_table: + state: present + vpc_id: "{{ vpc.vpc.id }}" + region: "{{ vpc_region }}" + tags: + Name: "Public-Routes-vpc-{{ vpc_region }}" + zone: pub + managed: 'no' + subnets: "{{ vpc_subnets_pub|map(attribute='cidr')|list }}" + routes: + - dest: 0.0.0.0/0 + gateway_id: "{{ igw.gateway_id }}" + register: public_rt + +- name: not implemented yet + debug: + msg: | + Change pub-subnets to auto-assign external IPs diff --git a/roles/aws-vpc/tasks/main.yml b/roles/aws-vpc/tasks/main.yml index 26a75ae..e92a53a 100644 --- a/roles/aws-vpc/tasks/main.yml +++ b/roles/aws-vpc/tasks/main.yml @@ -1,72 +1,15 @@ --- +- assert: + that: + - vpc_name != '' + - vpc_cidr != '' + - vpc_region != '' + tags: ['check_vars'] + - name: VPC ec2_vpc_net: state: present name: "{{ vpc_name }}" cidr_block: "{{ vpc_cidr }}" region: "{{ vpc_region }}" - register: vpc - -- name: IGW - ec2_vpc_igw: - state: present - vpc_id: "{{ vpc.vpc.id }}" - region: "{{ vpc_region }}" - register: igw - -- name: Name IGW - ec2_tag: - state: present - resource: "{{ igw.gateway_id }}" - region: "{{ vpc_region }}" - tags: - Name: "igw-{{ vpc_region }}" - -- name: Subnets - with_items: "{{ subnets_pub + subnets_priv }}" - ec2_vpc_subnet: - state: present - vpc_id: "{{ vpc.vpc.id }}" - region: "{{ vpc_region }}" - cidr: "{{ item.cidr }}" - az: "{{ item.az }}" - tags: "{{ item.resource_tags }}" - -- name: Access/NAT EIP - ec2_eip: - in_vpc: yes - region: "{{ vpc_region }}" - reuse_existing_ip_allowed: yes - register: access_eip - -- name: Private route table - ec2_vpc_route_table: - state: present - vpc_id: "{{ vpc.vpc.id }}" - region: "{{ vpc_region }}" - tags: - Name: "Private-Routes-vpc-{{ vpc_region }}" - zone: priv - managed: 'yes' - subnets: "{{ subnets_priv|map(attribute='cidr')|list }}" - register: private_rt - -- name: Public route table - ec2_vpc_route_table: - state: present - vpc_id: "{{ vpc.vpc.id }}" - region: "{{ vpc_region }}" - tags: - Name: "Public-Routes-vpc-{{ vpc_region }}" - zone: pub - managed: 'no' - subnets: "{{ subnets_pub|map(attribute='cidr')|list }}" - routes: - - dest: 0.0.0.0/0 - gateway_id: "{{ igw.gateway_id }}" - register: public_rt - -- name: not implemented yet - debug: - msg: | - Change pub-subnets to auto-assign external IPs + register: vpc \ No newline at end of file -- 2.43.2