# EC2 instance hosting the license server; only created when var.licenseServer
# is true. The user_data bootstrap installs CodeMeter as a network server and,
# when var.enable_ivs is set, the RTMaps RLM license server as a systemd unit.
resource "aws_instance" "license_server" {
  count = var.licenseServer ? 1 : 0
  ami = data.aws_ami.amazon_linux_kernel5.id
  instance_type = "t3a.large"
  iam_instance_profile = aws_iam_instance_profile.license_server_profile[0].name
  subnet_id = local.private_subnets[0]
  # Guards against accidental termination through the API.
  disable_api_termination = true
  vpc_security_group_ids = [module.security_group_license_server[0].security_group_id]
  # NOTE(review): no root_block_device block is declared, so at-rest encryption of
  # the root volume depends on the account's EBS default-encryption setting — confirm.
  metadata_options {
    # [EC2.8] EC2 instances should use IMDSv2
    # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-8
    http_endpoint = "enabled"
    http_tokens = "required" # Require session token for Instance Metadata Service Version 2 (IMDSv2)
  }
  # Bootstrap script, run once at first boot (presumably as root, as is usual for user_data).
  # NOTE(review): CodeMeter.rpm and the RTMaps archive are fetched with wget and installed
  # without any checksum or signature verification, so var.codemeter and var.rtMaps_link
  # are trusted as-is — confirm the sources and consider pinning them by hash.
  # NOTE(review): the script does not use `set -e`; a failed download or install is not
  # fatal and the remaining steps still run — confirm this is the intended failure mode.
  # NOTE(review): rlm.service runs as ec2-user, but /opt/rtmaps/license is populated here
  # with `cp -a` (ownership/modes preserved from the archive) and rlm writes rlm.dl into
  # it — confirm the directory is writable by ec2-user.
  user_data = <<-EOF
    #!/bin/bash
    yum update -y
    wget -O CodeMeter.rpm "${var.codemeter}"
    yum -y localinstall CodeMeter.rpm
    systemctl stop codemeter
    sed -i -e '/IsNetworkServer=/ s/=.*/=1/' /etc/wibu/CodeMeter/Server.ini
    systemctl start codemeter
    systemctl enable codemeter
    if ${var.enable_ivs}; then
    # Package is needed by rtmaps
    yum -y install libxcrypt-compat
    # Create a download folder
    mkdir ~/downloads
    cd ~/downloads
    echo "Downloading RTMaps"
    # Download RTMaps
    url='${var.rtMaps_link}'
    wget -q $url
    filename=`echo $url | awk -F / '{print $NF}'`
    echo "Extracting the files"
    # Extract the files
    tar -xf $filename
    # Create the folder and copy the license server
    mkdir -p /opt/rtmaps/license
    cp -a ~/downloads/rtmaps/license/rlm/ubuntu1804_x86_64/. /opt/rtmaps/license
    # Delete the rest
    rm -r ~/downloads
    echo "Create the rlm.service"
    # Create the rlm.service
    cat <<-EOF1 > /etc/systemd/system/rlm.service
    [Unit]
    Description=RLM license server for RTMaps
    After=syslog.target network.target
    [Service]
    Type=simple
    User=ec2-user
    ExecStart=/opt/rtmaps/license/rlm -dlog /opt/rtmaps/license/rlm.dl
    ExecStop=/opt/rtmaps/license/rlmutil rlmdown RLM -q
    [Install]
    WantedBy=default.target
    EOF1
    echo "Reload the services"
    # Reload the services
    systemctl daemon-reload
    echo "Enable the rlm.service"
    systemctl enable rlm.service
    fi
  EOF
  lifecycle {
    # data.aws_ami is most_recent; ignoring ami drift presumably avoids forcing a
    # replacement of the instance every time a newer AL2023 image is published.
    ignore_changes = [
      ami,
    ]
  }
  # "Patch Group" presumably selects an SSM Patch Manager baseline — verify against the SSM setup.
  tags = merge(var.tags, { "Name" = local.license_server, "Patch Group" = local.patchgroupid })
}
# Most recent Amazon-owned x86_64 HVM image matching "al2023-ami-202*"
# (despite the "kernel5" label, the name filter selects AL2023 images).
data "aws_ami" "amazon_linux_kernel5" {
  owners      = ["amazon"]
  most_recent = true

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
  filter {
    name   = "name"
    values = ["al2023-ami-202*"]
  }
}
# IAM role bound to the license server instance through its instance profile.
resource "aws_iam_role" "license_server_role" {
  count = var.licenseServer ? 1 : 0

  name        = local.license_server_role
  description = "IAM role used for the license server instance profile."
  tags        = var.tags

  # Trust policy: only the EC2 service principal may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}
# Customer-managed policy for the license server role, rendered from
# templates/license_server_policy.json with the bucket name substituted.
# NOTE(review): the template is not shown here — confirm it grants S3 access to
# this bucket only rather than to all buckets.
resource "aws_iam_policy" "license_server_policy" {
  count = var.licenseServer ? 1 : 0

  name        = local.license_server_policy
  description = "Allows access to S3 bucket and Secure Session Manager connections."
  tags        = var.tags

  policy = templatefile(
    "${path.module}/templates/license_server_policy.json",
    { bucket = local.license_server_bucket_name },
  )
}
# Attaches the customer-managed license server policy to the role.
# (The resource name "minio_policy_attachment" does not follow the license_server_*
# naming used elsewhere; renaming it would change the resource address, so it is kept.)
resource "aws_iam_role_policy_attachment" "minio_policy_attachment" {
  count      = var.licenseServer ? 1 : 0
  policy_arn = aws_iam_policy.license_server_policy[0].arn
  role       = aws_iam_role.license_server_role[0].name
}
# AWS-managed policy that lets Systems Manager manage the instance; the security
# group below opens no SSH port, so this is the intended management path.
resource "aws_iam_role_policy_attachment" "license_server_ssm" {
  count      = var.licenseServer ? 1 : 0
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  role       = aws_iam_role.license_server_role[0].name
}
# S3 bucket used by the license server (name from local.license_server_bucket_name).
# NOTE(review): no public-access block, versioning or server-side-encryption
# resources for this bucket appear in this file — confirm they are declared elsewhere.
resource "aws_s3_bucket" "license_server_bucket" {
  count  = var.licenseServer ? 1 : 0
  tags   = var.tags
  bucket = local.license_server_bucket_name
}
# [S3.5] S3 buckets should require requests to use Secure Socket Layer
resource "aws_s3_bucket_policy" "license_server_bucket_ssl" {
  count = var.licenseServer ? 1 : 0

  bucket = aws_s3_bucket.license_server_bucket[0].id

  # Rendered from templates/bucket_policy.json (not shown here). Intended to enforce
  # TLS-only access — confirm the template denies requests where
  # aws:SecureTransport is false.
  policy = templatefile(
    "${path.module}/templates/bucket_policy.json",
    { bucket = aws_s3_bucket.license_server_bucket[0].id },
  )
}
# Instance profile that hands the license server role to the EC2 instance.
resource "aws_iam_instance_profile" "license_server_profile" {
  count = var.licenseServer ? 1 : 0
  role  = aws_iam_role.license_server_role[0].name
  name  = local.license_server_instance_profile
}
# Security group for the license server: a single TCP port (22350) is reachable,
# and only from the EKS cluster primary security group. No SSH ingress is defined.
# NOTE(review): when var.enable_ivs is set, the RLM server started by the instance
# user_data listens on its own port(s), which are not opened here — confirm how
# RTMaps clients are expected to reach it.
module "security_group_license_server" {
  count   = var.licenseServer ? 1 : 0
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 4"

  name        = "${var.infrastructurename}-license-server"
  description = "License server security group"
  vpc_id      = local.vpc_id
  tags        = var.tags

  ingress_with_source_security_group_id = [
    {
      type                     = "ingress"
      protocol                 = "tcp"
      from_port                = 22350
      to_port                  = 22350
      source_security_group_id = module.eks.cluster_primary_security_group_id
      description              = "Inbound TCP on port 22350 from kubernetes nodes security group"
    },
  ]

  # Unrestricted egress; the bootstrap script downloads packages from the internet.
  egress_with_cidr_blocks = [
    {
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_blocks = "0.0.0.0/0"
      description = "allow all outbound traffic"
    },
  ]
}