diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/README.md b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
index ad4d819..2314b4b 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/README.md
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
@@ -41,6 +41,7 @@ No modules.
 | [aws_lambda_invocation.unity_proxy_lambda_invocation](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/lambda_invocation) | resource |
 | [aws_s3_bucket.airflow_logs](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/s3_bucket) | resource |
 | [aws_security_group.airflow_efs](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/security_group) | resource |
+| [aws_security_group.airflow_ingress_sg](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/security_group) | resource |
 | [aws_security_group_rule.airflow_efs](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/security_group_rule) | resource |
 | [aws_ssm_parameter.airflow_api_health_check_endpoint](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.airflow_api_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
@@ -48,6 +49,8 @@ No modules.
 | [aws_ssm_parameter.airflow_ui_health_check_endpoint](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.airflow_ui_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.unity_proxy_airflow_ui](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
+| [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_proxy_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [helm_release.airflow](https://registry.terraform.io/providers/hashicorp/helm/2.13.1/docs/resources/release) | resource |
 | [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/2.13.1/docs/resources/release) | resource |
 | [kubernetes_ingress_v1.airflow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/ingress_v1) | resource |
@@ -68,7 +71,9 @@ No modules.
 | [aws_db_instance.db](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/db_instance) | data source |
 | [aws_efs_file_system.efs](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/efs_file_system) | data source |
 | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/eks_cluster) | data source |
+| [aws_lambda_functions.lambda_check_all](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/lambda_functions) | data source |
 | [aws_secretsmanager_secret_version.db](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/secretsmanager_secret_version) | data source |
+| [aws_security_groups.venue_proxy_sg](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/security_groups) | data source |
 | [aws_ssm_parameter.subnet_ids](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/ssm_parameter) | data source |
 | [aws_vpc.cluster_vpc](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/vpc) | data source |
 | [kubernetes_ingress_v1.airflow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/data-sources/ingress_v1) | data source |
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf b/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
index 810e34c..58f31a8 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
@@ -13,6 +13,7 @@ locals {
 mission = var.project
 Stack = ""
 }
+ load_balancer_port = 5000
 oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 airflow_metadata_kubernetes_secret = "airflow-metadata-secret"
 airflow_webserver_kubernetes_secret = "airflow-webserver-secret"
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf index cc4bfba..6bfa181 100644 --- a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf +++ b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf 
@@ -403,16 +403,60 @@ resource "helm_release" "airflow" { ] } +resource "aws_security_group" "airflow_ingress_sg" { + name = "${var.project}-${var.venue}-airflow-ingress-sg" + description = "SecurityGroup for Airflow LoadBalancer ingress" + vpc_id = data.aws_vpc.cluster_vpc.id + tags = merge(local.common_tags, { + Name = format(local.resource_name_prefix, "AirflowLBSg") + Component = "airflow" + Stack = "airflow" + }) +} + +#tfsec:ignore:AVD-AWS-0107 +resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_jpl_rule" { + for_each = toset(["128.149.0.0/16", "137.78.0.0/16", "137.79.0.0/16"]) + security_group_id = aws_security_group.airflow_ingress_sg.id + description = "SecurityGroup ingress rule for JPL-local addresses" + ip_protocol = "tcp" + from_port = local.load_balancer_port + to_port = local.load_balancer_port + cidr_ipv4 = each.key +} + +data "aws_security_groups" "venue_proxy_sg" { + filter { + name = "group-name" + values = ["${var.project}-${var.venue}-ecs_service_sg"] + } + tags = { + Service = "U-CS" + } +} + +resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_proxy_rule" { + count = length(data.aws_security_groups.venue_proxy_sg.ids) > 0 ? 
1 : 0 + security_group_id = aws_security_group.airflow_ingress_sg.id + description = "SecurityGroup ingress rule for venue-services proxy" + ip_protocol = "tcp" + from_port = local.load_balancer_port + to_port = local.load_balancer_port + referenced_security_group_id = data.aws_security_groups.venue_proxy_sg.ids[0] +} + resource "kubernetes_ingress_v1" "airflow_ingress" { metadata { name = "airflow-ingress" namespace = data.kubernetes_namespace.service_area.metadata[0].name annotations = { - "alb.ingress.kubernetes.io/scheme" = "internet-facing" - "alb.ingress.kubernetes.io/target-type" = "ip" - "alb.ingress.kubernetes.io/subnets" = join(",", jsondecode(data.aws_ssm_parameter.subnet_ids.value)["public"]) - "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": 5000}]" - "alb.ingress.kubernetes.io/healthcheck-path" = "/health" + "alb.ingress.kubernetes.io/scheme" = "internet-facing" + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/subnets" = join(",", jsondecode(data.aws_ssm_parameter.subnet_ids.value)["public"]) + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": ${local.load_balancer_port}}]" + "alb.ingress.kubernetes.io/security-groups" = aws_security_group.airflow_ingress_sg.id + "alb.ingress.kubernetes.io/manage-backend-security-group-rules" = "true" + "alb.ingress.kubernetes.io/healthcheck-path" = "/health" } } spec { diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md index 485271a..05e6521 100644 --- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md +++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md 
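Review bot: The proxy rule in this hunk (`airflow_ingress_sg_proxy_rule`) guards with `count = length(...ids) > 0 ? 1 : 0` and then references only `ids[0]`, so when more than one group named `${var.project}-${var.venue}-ecs_service_sg` tagged `Service = U-CS` matches, the remaining groups are silently left without an ingress rule and which one wins depends on the data source's result order; the `venue_proxy_sg` lookup also carries no VPC filter, so a same-named group in another VPC could be selected even though `referenced_security_group_id` must be reachable from `data.aws_vpc.cluster_vpc`. Iterating the matched ids with `for_each` and scoping the lookup to the cluster VPC closes both gaps, as shown below. Note that moving from `count` to `for_each` changes the resource address of any already-applied rule (from `[0]` to the group id key), so existing deployments would presumably need a `moved` block or state move — confirm against the venues in use. The `#tfsec:ignore:AVD-AWS-0107` suppression above the JPL rule should carry its rationale, e.g. `# AVD-AWS-0107: the JPL /16 ranges are public CIDRs; ingress is restricted to them and to the venue proxy SG on local.load_balancer_port only`. The same three points apply verbatim to the OGC hunk (`ogc_ingress_sg_proxy_rule` and `ogc_ingress_sg_jpl_rule` in terraform-unity-sps-ogc-processes-api/main.tf), and the `kubernetes_ingress_v1.airflow_ingress` block at the end of this hunk continues outside it.
```hcl
data "aws_security_groups" "venue_proxy_sg" {
  # … unchanged: group-name filter and Service tag …
  # Restrict the match to the cluster VPC so a same-named group elsewhere is never referenced.
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.cluster_vpc.id]
  }
}

resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_proxy_rule" {
  # One rule per matched proxy group; an empty result simply creates nothing.
  for_each                     = toset(data.aws_security_groups.venue_proxy_sg.ids)
  # … unchanged: security_group_id, description, ip_protocol, from_port, to_port …
  referenced_security_group_id = each.key
}
```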
@@ -23,19 +23,25 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_lambda_invocation.unity_proxy_lambda_invocation](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/lambda_invocation) | resource |
+| [aws_security_group.ogc_ingress_sg](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/security_group) | resource |
 | [aws_ssm_parameter.ogc_processes_api_health_check_endpoint](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.ogc_processes_api_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.ogc_processes_ui_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.unity_proxy_ogc_api](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
+| [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_jpl_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_proxy_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [kubernetes_deployment.ogc_processes_api](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/deployment) | resource |
 | [kubernetes_deployment.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/deployment) | resource |
 | [kubernetes_ingress_v1.ogc_processes_api_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/ingress_v1) | resource |
 | [kubernetes_service.ogc_processes_api](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/service) | resource |
 | [kubernetes_service.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/service) | resource |
 | [aws_db_instance.db](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/db_instance) | data source |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/eks_cluster) | data source |
 | [aws_lambda_functions.lambda_check_all](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/lambda_functions) | data source |
 | [aws_secretsmanager_secret_version.db](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/secretsmanager_secret_version) | data source |
+| [aws_security_groups.venue_proxy_sg](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/security_groups) | data source |
 | [aws_ssm_parameter.subnet_ids](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/ssm_parameter) | data source |
+| [aws_vpc.cluster_vpc](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/data-sources/vpc) | data source |
 | [kubernetes_ingress_v1.ogc_processes_api_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/data-sources/ingress_v1) | data source |
 | [kubernetes_namespace.service_area](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/data-sources/namespace) | data source |
 | [kubernetes_persistent_volume_claim.airflow_deployed_dags](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/data-sources/persistent_volume_claim) | data source |
diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/data.tf b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/data.tf
index 0858e9a..0a9922b 100644
--- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/data.tf
+++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/data.tf
@@ -4,6 +4,14 @@ data "kubernetes_namespace" "service_area" { } } +data "aws_eks_cluster" "cluster" { + name = format(local.resource_name_prefix, "eks") +} + +data "aws_vpc" "cluster_vpc" { + id = data.aws_eks_cluster.cluster.vpc_config[0].vpc_id +} + data "aws_ssm_parameter" "subnet_ids" { name = "/unity/account/network/subnet_list" } diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf index e61981e..42a5000 100644 --- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf +++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf @@ -13,4 +13,5 @@ locals { mission = var.project Stack = "" } + load_balancer_port = 5001 } diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf index 60fe0c6..48adbd4 100644 --- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf +++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf 
@@ -206,16 +206,60 @@ resource "kubernetes_service" "ogc_processes_api" { } } +resource "aws_security_group" "ogc_ingress_sg" { + name = "${var.project}-${var.venue}-ogc-ingress-sg" + description = "SecurityGroup for OGC API LoadBalancer ingress" + vpc_id = data.aws_vpc.cluster_vpc.id + tags = merge(local.common_tags, { + Name = format(local.resource_name_prefix, "OgcLBSg") + Component = "ogc" + Stack = "ogc" + }) +} + +#tfsec:ignore:AVD-AWS-0107 +resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_jpl_rule" { + for_each = toset(["128.149.0.0/16", "137.78.0.0/16", "137.79.0.0/16"]) + security_group_id = aws_security_group.ogc_ingress_sg.id + description = "SecurityGroup ingress rule for JPL-local addresses" + ip_protocol = "tcp" + from_port = local.load_balancer_port + to_port = local.load_balancer_port + cidr_ipv4 = each.key +} + +data "aws_security_groups" "venue_proxy_sg" { + filter { + name = "group-name" + values = ["${var.project}-${var.venue}-ecs_service_sg"] + } + tags = { + Service = "U-CS" + } +} + +resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_proxy_rule" { + count = length(data.aws_security_groups.venue_proxy_sg.ids) > 0 ? 
1 : 0 + security_group_id = aws_security_group.ogc_ingress_sg.id + description = "SecurityGroup ingress rule for venue-services proxy" + ip_protocol = "tcp" + from_port = local.load_balancer_port + to_port = local.load_balancer_port + referenced_security_group_id = data.aws_security_groups.venue_proxy_sg.ids[0] +} + resource "kubernetes_ingress_v1" "ogc_processes_api_ingress" { metadata { name = "ogc-processes-api-ingress" namespace = data.kubernetes_namespace.service_area.metadata[0].name annotations = { - "alb.ingress.kubernetes.io/scheme" = "internet-facing" - "alb.ingress.kubernetes.io/target-type" = "ip" - "alb.ingress.kubernetes.io/subnets" = join(",", jsondecode(data.aws_ssm_parameter.subnet_ids.value)["public"]) - "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": 5001}]" - "alb.ingress.kubernetes.io/healthcheck-path" = "/health" + "alb.ingress.kubernetes.io/scheme" = "internet-facing" + "alb.ingress.kubernetes.io/target-type" = "ip" + "alb.ingress.kubernetes.io/subnets" = join(",", jsondecode(data.aws_ssm_parameter.subnet_ids.value)["public"]) + "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": ${local.load_balancer_port}}]" + "alb.ingress.kubernetes.io/security-groups" = aws_security_group.ogc_ingress_sg.id + "alb.ingress.kubernetes.io/manage-backend-security-group-rules" = "true" + "alb.ingress.kubernetes.io/healthcheck-path" = "/health" } } spec {
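Review bot: The security group, the JPL CIDR rule, the `venue_proxy_sg` lookup and the proxy rule in this hunk are a line-for-line copy of the airflow module's new blocks with only the identifiers and port changed, so the allow-listed source ranges `128.149.0.0/16`, `137.78.0.0/16`, `137.79.0.0/16` and the proxy group-name pattern now live in two places that must be kept in step by hand. Lifting the CIDR list into a module variable (for example `variable "allowed_ingress_cidrs"` with the current list as its default) and using it in both `for_each = toset(...)` expressions would make a later change to the allow-list a single edit and keep the two ALBs' exposure identical; a shared child module for the SG-plus-rules set would go further but is optional. The `kubernetes_ingress_v1.ogc_processes_api_ingress` block at the end of this hunk continues outside it.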