jenkins-infra · smerle33 · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024
diff --git a/locals.tf b/locals.tf
@@ -1,7 +1,8 @@
 locals {
   cluster_name   = "aws-sponso"
   aws_account_id = "326712726440"
-  region         = "us-east-1a"
+  region         = "us-east-2"
+  our_az         = format("${local.region}%s", "b")
   common_tags = {
     "scope"      = "terraform-managed"
     "repository" = "jenkins-infra/terraform-aws-sponsorship"

diff --git a/network.tf b/network.tf
@@ -0,0 +1,96 @@
+# resource "aws_security_group" "restricted_ssh" {
+#   name        = "restricted-ssh"
+#   description = "Allow inbound SSH only from trusted sources (admins or VPN)"
+#   vpc_id      = module.vpc.vpc_id
+
+#   tags = local.common_tags
+# }
+
+# resource "aws_security_group" "unrestricted_http" {
+#   name        = "unrestricted-http"
+#   description = "Allow HTTP(S) from everywhere (public services)"
+#   vpc_id      = module.vpc.vpc_id
+
+#   tags = local.common_tags
+# }
+
+
+# ### WIP old rules, need to upgrade to new ones : https://github.com/jenkins-infra/helpdesk/issues/4320
+# resource "aws_vpc_security_group_ingress_rule" "allow_ssh_from_admins" {
+#   for_each = toset([
+#     for ip in flatten(concat(
+#       module.jenkins_infra_shared_data.outbound_ips["trusted.ci.jenkins.io"],              # permanent agent of update_center2
+#       module.jenkins_infra_shared_data.outbound_ips["trusted.sponsorship.ci.jenkins.io"],  # ephemeral agents for crawler
+#       module.jenkins_infra_shared_data.outbound_ips["privatek8s.jenkins.io"],              # VPN VM
+#       module.jenkins_infra_shared_data.outbound_ips["infracijenkinsioagents1.jenkins.io"], # Terraform management and Docker-packaging build
+#       module.jenkins_infra_shared_data.outbound_ips["private.vpn.jenkins.io"],             # connections routed through the VPN
+#     )) : ip
+#     if can(cidrnetmask("${ip}/32"))
+#   ])
+
+#   description       = "Allow admin (or platform) IPv4 for inbound SSH"
+#   security_group_id = aws_security_group.restricted_ssh.id
+#   cidr_ipv4         = "${each.value}/32"
+#   from_port         = 22
+#   ip_protocol       = "tcp"
+#   to_port           = 22
+# }
+
+# ## We WANT inbound 80 from everywhere
+# #trivy:ignore:avd-aws-0107
+# resource "aws_vpc_security_group_ingress_rule" "allow_http_from_internet" {
+#   description       = "Allow HTTP from everywhere (public Internet)"
+#   security_group_id = aws_security_group.unrestricted_http.id
+#   cidr_ipv4         = "0.0.0.0/0"
+#   from_port         = 80
+#   ip_protocol       = "tcp"
+#   to_port           = 80
+# }
+
+# ## We WANT inbound 443 from everywhere
+# #trivy:ignore:avd-aws-0107
+# resource "aws_vpc_security_group_ingress_rule" "allow_https_from_internet" {
+#   description       = "Allow HTTP from everywhere (public Internet)"
+#   security_group_id = aws_security_group.unrestricted_http.id
+#   cidr_ipv4         = "0.0.0.0/0"
+#   from_port         = 443
+#   ip_protocol       = "tcp"
+#   to_port           = 443
+# }
+
+# ## We WANT egress to internet (APT at least, but also outbound azcopy on some machines)
+# #trivy:ignore:avd-aws-0104
+# resource "aws_vpc_security_group_egress_rule" "allow_http_to_internet" {
+#   description       = "Allow HTTP to everywhere (public Internet)"
+#   security_group_id = aws_security_group.unrestricted_http.id
+
+#   cidr_ipv4   = "0.0.0.0/0"
+#   from_port   = 80
+#   ip_protocol = "tcp"
+#   to_port     = 80
+# }
+
+# ## We WANT egress to internet (APT at least, but also outbound azcopy on some machines)
+# #trivy:ignore:avd-aws-0104
+# resource "aws_vpc_security_group_egress_rule" "allow_https_to_internet" {
+#   description       = "Allow HTTPS to everywhere (public Internet)"
+#   security_group_id = aws_security_group.unrestricted_http.id
+
+#   cidr_ipv4   = "0.0.0.0/0"
+#   from_port   = 443
+#   ip_protocol = "tcp"
+#   to_port     = 443
+# }
+
+# ## We WANT access from puppet master to puppet agents
+# resource "aws_vpc_security_group_egress_rule" "allow_puppet_to_puppetmaster" {
+#   description       = "Allow Puppet protocol to the Puppet master"
+#   security_group_id = aws_security_group.unrestricted_http.id
+
+#   # Ref. https://github.com/jenkins-infra/azure/blob/main/puppet.jenkins.io.tf
+#   # TODO: automate retrieval of this IP with updatecli
+#   cidr_ipv4   = "20.12.27.65/32"
+#   from_port   = 8140
+#   ip_protocol = "tcp"
+#   to_port     = 8140
+# }
diff --git a/providers.tf b/providers.tf
@@ -1,5 +1,5 @@
 provider "aws" {
-  region = "us-east-1"
+  region = local.region
   # profile = var.aws_profile
   assume_role {
     role_arn = "arn:aws:iam::326712726440:role/infra-developer"

diff --git a/vpc.tf b/vpc.tf
@@ -0,0 +1,45 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.13.0"
+
+  name = "${local.cluster_name}-vpc"
+  cidr = "10.0.0.0/16" # cannot be less then /16 (more ips)
+
+  # dual stack https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/v5.13.0/examples/ipv6-dualstack/main.tf
+  enable_ipv6                                   = true
+  public_subnet_assign_ipv6_address_on_creation = true
+
+  manage_default_network_acl    = false
+  map_public_ip_on_launch       = true
+  manage_default_route_table    = false
+  manage_default_security_group = false
+
+  # only one zone, no need for multiple availability zones
+  azs = [local.our_az]
+
+  # only private subnets for security (to control allowed outbound connections)
+  private_subnets = [ # only one zone
+    # first VM ci.jenkins.io
+    "10.0.1.0/24", # 10.0.1.1 -> 10.0.1.254 (254 ips)
+    # second for VM agent jenkins
+    "10.0.2.0/23", # 10.0.2.1 -> 10.0.3.254 (510 ips)
+    # next for eks agents
+    "10.0.4.0/23", # 10.0.4.1 -> 10.0.5.254 (510 ips)
+  ]
+  public_subnets = [ # need at least one public network to host the NAT gateways
+    "10.0.255.0/24", # 10.0.255.1 -> 10.0.255.254 (254 ips)
+  ]
+
+  ## TODO analyse result
+  public_subnet_ipv6_prefixes  = [0]
+  private_subnet_ipv6_prefixes = [3, 4, 5]
+
+  # One NAT gateway per subnet (default)
+  # ref. https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#one-nat-gateway-per-subnet-default
+  enable_nat_gateway     = true
+  single_nat_gateway     = false
+  one_nat_gateway_per_az = false
+
+  enable_dns_hostnames = true
+
+}