fleet/infrastructure/loadtesting/terraform/infra/main.tf
Jorge Falcon 42b02483d4
Dogfood & Loadtest - Updating mysql engine version to 8.0.mysql_aurora.3.10.3 (#42120)
- Bumps the Dogfood and Loadtest environment Aurora MySQL engine version
from `8.0.mysql_aurora.3.08.2` -> `8.0.mysql_aurora.3.10.3`
2026-03-19 21:05:24 -05:00


# Account and region of the credentials running this plan. Neither is referenced
# by any block visible in this file (the RDS snapshot ARN below hard-codes both
# values instead), so they are presumably consumed from locals/outputs elsewhere.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# Git metadata of the repository root (four levels above this module directory).
# Not referenced in this file; presumably used for tagging -- TODO confirm in locals.
data "git_repository" "tf" {
directory = "${path.module}/../../../../"
}
data "aws_acm_certificate" "certificate" {
  # Wildcard certificate for the load-test zone, attached to the public ALB.
  # Only ACM-issued (never imported) certificates in ISSUED state qualify, and
  # most_recent picks the newest when several match -- so a renewed/reissued
  # wildcard is picked up on the next apply without editing this file.
  most_recent = true
  types       = ["AMAZON_ISSUED"]
  statuses    = ["ISSUED"]
  domain      = "*.${data.aws_route53_zone.main.name}"
}
data "aws_route53_zone" "main" {
  # Public hosted zone that holds every <customer>.loadtest.fleetdm.com record.
  # private_zone = false keeps a same-named private zone, should one ever exist,
  # from being matched instead of the public one.
  private_zone = false
  name         = "loadtest.fleetdm.com."
}
resource "aws_route53_record" "main" {
  # <customer>.loadtest.fleetdm.com -> the public ALB created by module.loadtest.
  # The zone apex is spelled out here rather than derived from
  # data.aws_route53_zone.main.name, so the two must be kept in sync by hand.
  type    = "A"
  zone_id = data.aws_route53_zone.main.id
  name    = "${local.customer}.loadtest.fleetdm.com"

  # Alias (no TTL). With evaluate_target_health, Route 53 only answers with the
  # ALB while it reports healthy.
  alias {
    evaluate_target_health = true
    zone_id                = module.loadtest.byo-db.alb.lb_zone_id
    name                   = module.loadtest.byo-db.alb.lb_dns_name
  }
}
# Root stack for one load-test environment: Aurora MySQL and ElastiCache Redis in
# the shared VPC, an ECS cluster running the Fleet server behind a public ALB,
# plus the add-on modules wired in below.
# NOTE(review): the module source is pinned to a git *tag*, which is mutable; pin
# to a commit SHA if supply-chain integrity of the root module matters here.
module "loadtest" {
source = "github.com/fleetdm/fleet-terraform//byo-vpc?ref=tf-mod-root-v1.18.3"
vpc_config = {
name = local.customer
# The VPC comes from a separate (shared) state; Fleet tasks run in its private subnets.
vpc_id = data.terraform_remote_state.shared.outputs.vpc.vpc_id
networking = {
subnets = data.terraform_remote_state.shared.outputs.vpc.private_subnets
}
}
rds_config = {
name = local.customer
instance_class = var.database_instance_size
replicas = var.database_instance_count
# Aurora MySQL 3.x minor version. Restoring the snapshot below onto a newer
# minor than it was taken on is supported; downgrading is not, so only bump this.
engine_version = "8.0.mysql_aurora.3.10.3"
# Every workspace is seeded from this fixed cluster snapshot. The ARN hard-codes
# the account (917007347864) and region (us-east-2) instead of using the
# aws_caller_identity / aws_region data sources at the top of the file; that is
# only interchangeable if the snapshot lives in the deploying account -- TODO confirm.
# NOTE(review): "cleaned" presumably means scrubbed of real host/user data; it
# must stay that way, since the restored database is reachable from the VPN ranges.
snapshot_identifier = "arn:aws:rds:us-east-2:917007347864:cluster-snapshot:cleaned-8-0-teams-fixes-v4-55-0-minimum"
preferred_maintenance_window = "fri:04:00-fri:05:00"
# Database subnets; ingress allowed from the private subnets and from the VPN
# ranges in local.vpn_cidr_blocks (the VPN entry is what lets operators connect).
subnets = data.terraform_remote_state.shared.outputs.vpc.database_subnets
allowed_cidr_blocks = concat(data.terraform_remote_state.shared.outputs.vpc.private_subnets_cidr_blocks, local.vpn_cidr_blocks)
db_parameters = {
# 8 MiB, up from the 262144-byte (256 KiB) MySQL default. MySQL allocates this
# per session that needs it, so peak memory scales with connection count --
# sized for load-test query volume, not a general recommendation.
sort_buffer_size = 8388608
}
db_cluster_parameters = {
# Reject non-TLS client connections at the server. Clients therefore need the
# RDS CA bundle to verify the server certificate; see the rds-tls-certs volume
# and rds-tls-ca-retriever dependency in fleet_config below.
require_secure_transport = "ON"
}
}
redis_config = {
name = local.customer
instance_type = var.redis_instance_size
cluster_size = var.redis_instance_count
subnets = data.terraform_remote_state.shared.outputs.vpc.private_subnets
elasticache_subnet_group_name = data.terraform_remote_state.shared.outputs.vpc.elasticache_subnet_group_name
# Same reachability as the database: private subnets plus the VPN ranges.
allowed_cidrs = concat(data.terraform_remote_state.shared.outputs.vpc.private_subnets_cidr_blocks, local.vpn_cidr_blocks)
# fleet-vpc has subnets in all 3 availability zones
availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"]
# NOTE(review): nothing here sets transit/at-rest encryption or an auth token,
# so the module defaults decide -- confirm they match what this environment expects.
# A value of 0 disables Redis's pub/sub client output buffer limits, i.e. a slow
# subscriber is never disconnected. Presumably set so load-test fan-out does not
# drop subscribers; the cost is unbounded per-client buffer growth (memory
# pressure / eviction) if a subscriber stalls. Do not copy this to production.
parameter = [
{ name = "client-output-buffer-limit-pubsub-hard-limit", value = 0 },
{ name = "client-output-buffer-limit-pubsub-soft-limit", value = 0 },
{ name = "client-output-buffer-limit-pubsub-soft-seconds", value = 0 },
]
}
ecs_cluster = {
cluster_name = local.customer
}
fleet_config = {
image = local.fleet_image
family = local.customer
mem = var.fleet_task_memory
cpu = var.fleet_task_cpu
security_group_name = local.customer
networking = {
# Direct ingress to the tasks is limited to the "internal" security group
# (defined elsewhere in this stack); public traffic arrives via the ALB.
ingress_sources = {
security_groups = [
resource.aws_security_group.internal.id,
]
}
}
# Second (internal) target group for the same container port, in addition to the
# public ALB the module creates.
extra_load_balancers = [{
target_group_arn = resource.aws_lb_target_group.internal.arn
container_name = "fleet"
container_port = 8080
}]
# min == max pins the service at var.fleet_task_count tasks, so the CPU/memory
# tracking targets never actually scale anything -- deliberate for repeatable runs.
autoscaling = {
min_capacity = var.fleet_task_count
max_capacity = var.fleet_task_count
cpu_tracking_target_value = 70
memory_tracking_target_value = 70
}
awslogs = {
name = local.customer
# Log group retention in days.
retention = 365
}
iam = {
role = {
name = "${local.customer}-role"
policy_name = "${local.customer}-iam-policy"
}
execution = {
name = "${local.customer}-execution-role"
policy_name = "${local.customer}-iam-policy-execution"
}
}
# Task-role policies: what the running Fleet process itself may call.
extra_iam_policies = concat(
module.osquery-carve.fleet_extra_iam_policies,
module.ses.fleet_extra_iam_policies,
# module.logging_firehose.fleet_extra_iam_policies,
)
# Execution-role policies: what ECS needs to launch the task. The license policy
# is defined elsewhere in this stack -- presumably secret access; see its definition.
# Add these for MDM or cloudfront
extra_execution_iam_policies = concat(
module.mdm.extra_execution_iam_policies,
# module.cloudfront-software-installers.extra_execution_iam_policies,
[
resource.aws_iam_policy.license.arn
],
)
# merge() gives later arguments precedence, so local.extra_environment_variables
# overrides any same-named key from the add-on modules.
extra_environment_variables = merge(
module.osquery-carve.fleet_extra_environment_variables,
module.vuln-processing.extra_environment_variables,
module.ses.fleet_extra_environment_variables,
# module.logging_firehose.fleet_extra_environment_variables,
local.extra_environment_variables,
)
# Secrets (as opposed to plain environment variables) contributed by the MDM
# add-on and by locals; same precedence rule as above.
extra_secrets = merge(
module.mdm.extra_secrets,
# module.cloudfront-software-installers.extra_secrets,
local.extra_secrets
)
# Secret holding the Fleet server private key; module.vuln-processing below reads
# its ARN from this module's outputs.
private_key_secret_name = "${local.customer}-fleet-server-private-key"
software_installers = {
# bucket_prefix shortened to allow for terraform.workspace values with longer names
bucket_prefix = "${terraform.workspace}-sw-inst-"
# Dedicated KMS key (aliased per workspace) for the installers bucket.
create_kms_key = true
kms_alias = "${terraform.workspace}-software-installers"
}
# Volume shared with the rds-tls-ca-retriever sidecar, mounted into the Fleet
# container at local.rds_container_path. Fleet only starts once that sidecar has
# exited successfully, so the CA material is present before the first database
# connection (required by require_secure_transport = "ON" above). What the
# sidecar fetches is defined in local.sidecars, not visible here.
volumes = [
{
name = "rds-tls-certs"
}
]
mount_points = [
{
sourceVolume = "rds-tls-certs",
containerPath = local.rds_container_path
}
]
depends_on = [
{
containerName = "rds-tls-ca-retriever"
condition = "SUCCESS"
},
# {
# containerName = "prometheus-exporter"
# condition = "START"
# }
]
sidecars = local.sidecars
}
alb_config = {
name = local.customer
# Load-test stacks are torn down routinely; this should be true on anything long-lived.
enable_deletion_protection = false
certificate_arn = data.aws_acm_certificate.certificate.arn
subnets = data.terraform_remote_state.shared.outputs.vpc.public_subnets
# Access logs go to the bucket created by module.logging_alb (Athena-queryable).
access_logs = {
bucket = module.logging_alb.log_s3_bucket_id
prefix = local.customer
enabled = true
}
# Seconds; far above the ALB default of 60. Presumably to keep long-lived agent /
# live-query connections open -- TODO confirm the intended ceiling.
idle_timeout = 905
}
}
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "4.3.1"

  # create_certificate = false means this module provisions nothing; the ALB uses
  # the existing wildcard certificate resolved by data.aws_acm_certificate above.
  # If nothing reads this module's outputs it can be dropped.
  create_certificate  = false
  wait_for_validation = false

  domain_name = "${local.customer}.loadtest.fleetdm.com"
  zone_id     = data.aws_route53_zone.main.id
}
module "ses" {
  source  = "github.com/fleetdm/fleet-terraform//addons/ses?ref=tf-mod-addon-ses-v1.4.0"
  zone_id = data.aws_route53_zone.main.id

  # NOTE(review): the sending domain is keyed on terraform.workspace, while the
  # ALB record and the other add-ons use local.customer -- consistent only if the
  # two always agree; confirm.
  domain            = "${terraform.workspace}.loadtest.fleetdm.com"
  extra_txt_records = []

  # Custom MAIL FROM at mail.<domain>, so SPF/DMARC alignment uses this zone
  # rather than amazonses.com.
  custom_mail_from = {
    enabled       = true
    domain_prefix = "mail"
  }
}
# Database migration runner: launches the Fleet task definition (same family and
# revision the service uses) in the service's own subnets and security groups,
# and is handed the service's scaling bounds. Ordered after the main stack and
# the vuln-processing add-on, presumably so it sees the final task definition.
module "migrations" {
source = "github.com/fleetdm/fleet-terraform//addons/migrations?ref=tf-mod-addon-migrations-v2.2.1"
ecs_cluster = module.loadtest.byo-db.byo-ecs.service.cluster
task_definition = module.loadtest.byo-db.byo-ecs.task_definition.family
task_definition_revision = module.loadtest.byo-db.byo-ecs.task_definition.revision
# Reuses the service's network placement, so the task reaches RDS/Redis exactly
# as the server does.
subnets = module.loadtest.byo-db.byo-ecs.service.network_configuration[0].subnets
security_groups = module.loadtest.byo-db.byo-ecs.service.network_configuration[0].security_groups
ecs_service = module.loadtest.byo-db.byo-ecs.service.name
# With min == max in fleet_config, all three of these resolve to var.fleet_task_count.
desired_count = module.loadtest.byo-db.byo-ecs.appautoscaling_target.min_capacity
min_capacity = module.loadtest.byo-db.byo-ecs.appautoscaling_target.min_capacity
max_capacity = module.loadtest.byo-db.byo-ecs.appautoscaling_target.max_capacity
depends_on = [
module.loadtest,
module.vuln-processing
]
}
# External vulnerability-scan tasks. They run in the same subnets and security
# groups as the Fleet service and reuse its task and execution IAM roles, so a
# scan task holds exactly the server's permissions (no separate least-privilege
# role). Acceptable for load-test; NOTE(review): worth a dedicated role elsewhere.
module "vuln-processing" {
source = "github.com/fleetdm/fleet-terraform//addons/external-vuln-scans?ref=tf-mod-addon-external-vuln-scans-v2.3.0"
ecs_cluster = module.loadtest.byo-db.byo-ecs.service.cluster
execution_iam_role_arn = module.loadtest.byo-db.byo-ecs.execution_iam_role_arn
subnets = module.loadtest.byo-db.byo-ecs.service.network_configuration[0].subnets
security_groups = module.loadtest.byo-db.byo-ecs.service.network_configuration[0].security_groups
# Full Fleet configuration (image, env, secrets) is passed through unchanged.
fleet_config = module.loadtest.byo-db.byo-ecs.fleet_config
task_role_arn = module.loadtest.byo-db.byo-ecs.iam_role_arn
# ARN of the secret named by private_key_secret_name in module.loadtest.
fleet_server_private_key_secret_arn = module.loadtest.byo-db.byo-ecs.fleet_server_private_key_secret_arn
# Scan tasks log into the same group as the server.
awslogs_config = {
group = module.loadtest.byo-db.byo-ecs.fleet_config.awslogs.name
region = module.loadtest.byo-db.byo-ecs.fleet_config.awslogs.region
prefix = module.loadtest.byo-db.byo-ecs.fleet_config.awslogs.prefix
}
fleet_s3_software_installers_config = module.loadtest.byo-db.byo-ecs.fleet_s3_software_installers_config
}
module "mdm" {
  # Note the single "/" before addons, unlike the "//" subdirectory separator used
  # by every other module source in this file. Terraform's GitHub shorthand still
  # treats the trailing path as the subdirectory, so it resolves, but it is
  # inconsistent and worth normalising.
  source = "github.com/fleetdm/fleet-terraform/addons/mdm?depth=1&ref=tf-mod-addon-mdm-v2.0.0"

  # Windows MDM only. Apple MDM is off, so no APNs or ABM secrets are wired in;
  # the per-customer SCEP secret is still supplied.
  enable_windows_mdm = true
  enable_apple_mdm   = false
  apn_secret_name    = null
  abm_secret_name    = null
  scep_secret_name   = "${local.customer}-scep"
}
module "osquery-carve" {
  source = "github.com/fleetdm/fleet-terraform//addons/osquery-carve?ref=tf-mod-addon-osquery-carve-v1.1.1"

  # Bucket receiving osquery file carves. S3 bucket names are globally unique, so
  # "<customer>-osquery-carve" must not collide with a bucket in any other account.
  osquery_carve_s3_bucket = {
    name = "${local.customer}-osquery-carve"
  }
}
module "logging_alb" {
  source = "github.com/fleetdm/fleet-terraform//addons/logging-alb?ref=tf-mod-addon-logging-alb-v1.6.2"

  # Bucket that module.loadtest's alb_config.access_logs writes to, plus an
  # Athena table over it for ad hoc querying of request logs.
  enable_athena   = true
  prefix          = local.customer
  alt_path_prefix = local.customer
}