Skip to content

Latest commit

 

History

History
146 lines (114 loc) · 9.28 KB

README.md

File metadata and controls

146 lines (114 loc) · 9.28 KB

English version below License


AWS Indy-Node Module

A Terraform module for managing the resources needed for an Indy-Node node in AWS.

Supports the generation of one or more nodes.

AWS resource limits

AWS has "soft" limits on many ressources required to deploy the indy nodes, which prevent deploying 4 nodes in the same region. Fortunately, it is possible to ask to increase those limits through the AWS Service Quotas dashboard. Those ressources are:

  • Elastic IP -> limited to 5 per region by default
  • VPC -> limited to 5 per region by default
  • Internet Gateway -> limited to 5 per region by default

Usage

module "indy-node" {
  source = "github.com/CQEN-QDCE/terraform-aws-indy-node"


  count             = 2
  instance_name     = "Node-${count.index + 1}"
  application_name  = "OurIndyNetwork"
  environment       = "Dev"
  zone              = data.aws_availability_zones.available.names[count.index % length(data.aws_availability_zones.available.names)]
  ami_id            = data.aws_ami.ubuntu.id
  ec2_instance_type = "t3.large"

  root_volume_size          = "10"
  data_volume_size          = "20"
  ebs_volume_type           = "gp2"
  ebs_encrypted             = true
  ebs_kms_key_id            = var.candy_ebs_kms_key_id
  ebs_delete_on_termination = true

  iam_profile = data.aws_iam_role.ssm_role.id

  ssh_source_address = "0.0.0.0/0"

  use_elastic_ips = true

  subnet_node_cidr_block   = "10.0.1.0/24"
  subnet_client_cidr_block = "10.0.2.0/24"
  vpc_node_cidr_block      = "10.0.0.0/24"

  ssh_key_name = aws_key_pair.ansible.key_name
}

Availability Zones

For the best redundancy and resilience, when more then one node is deployed, each node will deploy itself in a different availability zone. Note that the number of availaibility zones changes for each region.

Security

This code make some security decision that follow some security best practices.

  • IAM profile used for deployment (assume_role in the AWS provider block)
  • IAM profile attached to the EC2 VM
  • SSH key used for remote SSH access to the VM

Requirements

No requirements.

Providers

Name Version
aws n/a
random n/a

Modules

No modules.

Resources

Name Type
aws_ebs_volume.data_volume resource
aws_eip.public_client_ip resource
aws_eip.public_node_ip resource
aws_instance.indy_node resource
aws_internet_gateway.node_gateway resource
aws_network_interface.client_nic resource
aws_network_interface.node_nic resource
aws_network_interface_attachment.client_interface_attachment resource
aws_route.gateway_route resource
aws_security_group.client_security_group resource
aws_security_group.node_security_group resource
aws_security_group_rule.client_security_group_rule_egress resource
aws_security_group_rule.client_security_group_rule_indy resource
aws_security_group_rule.node_security_group_rule_egress resource
aws_security_group_rule.node_security_group_rule_indy resource
aws_security_group_rule.node_security_group_rule_ssh resource
aws_subnet.client_subnet resource
aws_subnet.node_subnet resource
aws_volume_attachment.data_volume_attachment resource
aws_vpc.node_vpc resource
random_id.node_seed resource

Inputs

Name Description Type Default Required
ami_id AMI to use for the instance. any n/a yes
application_name The name of the application. any n/a yes
client_port The port, within the indy range of 9700 to 9799, on which the client interface will listen. string "9702" no
data_volume_size Data EBS volume size any n/a yes
ebs_delete_on_termination EBS delete on termination any n/a yes
ebs_encrypted EBS is encrypted any n/a yes
ebs_kms_key_id KMS key used to encrypt/decrypt EBS any n/a yes
ebs_volume_type EBS volume type any n/a yes
ec2_instance_type Type of instance ec2 any n/a yes
environment The name of the environment. any n/a yes
http_endpoint Whether the metadata service is available. Valid values include enabled or disabled. string "enabled" no
http_tokens Whether or not the instance metadata service requires session tokens (IMDSv2). Valid values include 'optional' or 'required'. string "required" no
iam_profile The IAM profile to attach to the ec2 instance. any null no
instance_name The value to use for the Name tag of the EC2 instance any n/a yes
node_port The port, within the indy range of 9700 to 9799, on which the node interface will listen. string "9701" no
opt_ec2_tags Allows to add optional tags to EC2 vm's map(string) {} no
root_volume_size Root EBS volume size any n/a yes
ssh_key_name Name of the EC2 ssh public key to use to ssh in any n/a yes
ssh_source_address The source IP address for SSH connections, in CIDR notation. any n/a yes
subnet_client_cidr_block The cidr block to use for the client subnet. any n/a yes
subnet_node_cidr_block The cidr block to use for the node subnet. any n/a yes
use_elastic_ips The cidr block to use for the client subnet. bool n/a yes
vpc_node_cidr_block VPC IP CIDR any n/a yes
zone Availability zone where to deploy the VM any n/a yes

Outputs

Name Description
node_info n/a