Extract nat provision stack

Author: Veetaha

connector/terraform/.terraform.lock.hcl …aform/examples/basic/.terraform.lock.hclconnector/terraform/.terraform.lock.hcl renamed to connector/terraform/examples/basic/.terraform.lock.hcl connector/terraform/.terraform.lock.hcl renamed to connector/terraform/examples/basic/.terraform.lock.hcl

@@ -0,0 +1,16 @@
+
+module "elastio_connectors" {
+  source = "../../"
+
+  elastio_tenant = var.elastio_tenant
+  elastio_pat    = var.elastio_pat
+
+  elastio_cloud_connectors = [
+    {
+      region = "us-east-1"
+    },
+    {
+      region = "us-east-2",
+    }
+  ]
+}

connector/terraform/examples/basic/main.tf

@@ -0,0 +1,39 @@
+variable "elastio_pat" {
+  description = "Personal Access Token generated by the Elastio Portal"
+  sensitive   = true
+  type        = string
+  nullable    = false
+}
+
+variable "elastio_tenant" {
+  description = "Name of your Elastio tenant. For example `mycompany.app.elastio.com`"
+  type        = string
+  nullable    = false
+}
+
+variable "elastio_cloud_connectors" {
+  description = <<DESCR
+    List of regions where Cloud Connectors are to be deployed, VPC and subnet(s) to use,
+    and other regional configurations (mostly for regulatory compliance).
+  DESCR
+
+  type = list(object({
+    region     = string
+    vpc_id     = optional(string)
+    subnet_ids = optional(list(string))
+
+    s3_access_logging = optional(object({
+      target_bucket = string
+      target_prefix = optional(string)
+
+      # Can be one of the following:
+      # - SimplePrefix
+      # - PartitionedPrefix:EventTime
+      # - PartitionedPrefix:DeliveryTime
+      target_object_key_format = optional(string)
+    }))
+  }))
+
+  nullable = false
+  default  = []
+}

connector/terraform/examples/basic/variables.tf

@@ -1,10 +1,17 @@
+locals {
+  connectors = {
+    for connector in var.elastio_cloud_connectors :
+    connector.region => connector
+  }
+}
 
 module "account" {
   source = "./modules/account"
 
-  elastio_pat                           = var.elastio_pat
-  elastio_tenant                        = var.elastio_tenant
-  elastio_cloud_connectors              = var.elastio_cloud_connectors
+  elastio_pat    = var.elastio_pat
+  elastio_tenant = var.elastio_tenant
+
+  regional_configs                      = var.elastio_cloud_connectors
   encrypt_with_cmk                      = var.encrypt_with_cmk
   lambda_tracing                        = var.lambda_tracing
   global_managed_policies               = var.global_managed_policies
@@ -19,27 +26,22 @@ module "account" {
 }
 
 module "region" {
-  source = "./modules/region"
+  source   = "./modules/region"
+  for_each = local.connectors
 
-  depends_on = [module.account]
+  elastio_pat    = var.elastio_pat
+  elastio_tenant = var.elastio_tenant
 
-  for_each = {
-    for connector in var.elastio_cloud_connectors :
-    connector.region => connector
-  }
+  region                  = each.value.region
+  vpc_id                  = each.value.vpc_id
+  subnet_ids              = each.value.subnet_ids
+  connector_account_stack = each.value.account.cloudformation_stack
+}
+
+module "nat_provision" {
+  source   = "./modules/nat-provision"
+  for_each = var.elastio_nat_provision_stack == null ? [] : local.connectors
 
-  region                       = each.value.region
-  vpc_id                       = each.value.vpc_id
-  subnet_ids                   = each.value.subnet_ids
-  connector_account_stack_name = each.value.connector_account_stack_name
-
-  elastio_pat                 = var.elastio_pat
-  elastio_tenant              = var.elastio_tenant
-  elastio_nat_provision_stack = var.elastio_nat_provision_stack
-  encrypt_with_cmk            = var.encrypt_with_cmk
-  lambda_tracing              = var.lambda_tracing
-  global_managed_policies     = var.global_managed_policies
-  global_permission_boundary  = var.global_permission_boundary
-  iam_resource_names_prefix   = var.iam_resource_names_prefix
-  iam_resource_names_suffix   = var.iam_resource_names_suffix
+  version                 = var.elastio_nat_provision_stack
+  connector_account_stack = each.value.account.cloudformation_stack
 }

connector/terraform/main.tf

@@ -23,7 +23,7 @@ data "http" "cloudformation_template" {
 }
 
 locals {
-  global_acc_cfn_params = {
+  global_stack_params = {
     encryptWithCmk = var.encrypt_with_cmk,
     lambdaTracing  = var.lambda_tracing,
     globalManagedPolicies = (
@@ -41,40 +41,34 @@ locals {
     ecrPublicPrefix                   = var.ecr_public_prefix
   }
 
-  enriched_connectors = [
-    for connector in var.elastio_cloud_connectors :
+  enriched_regional_configs = [
+    for config in var.regional_configs :
     merge(
-      connector,
+      config,
       {
         # Add the PascalCase version of the region name, because this is the
         # naming convention used in CFN parameters for regional settings.
         region_pascal = join(
           "",
-          [for word in split("-", connector.region) : title(word)]
+          [for word in split("-", config.region) : title(word)]
         )
       }
     )
   ]
 
-  regional_acc_cfn_params = merge(
+  regional_stack_params = merge(
     [
-      for connector in local.enriched_connectors :
+      for config in local.enriched_regional_configs :
       {
-        "s3AccessLoggingTargetBucket${connector.region_pascal}"          = connector.s3_access_logging.target_bucket,
-        "s3AccessLoggingTargetPrefix${connector.region_pascal}"          = connector.s3_access_logging.target_prefix,
-        "s3AccessLoggingTargetObjectKeyFormat${connector.region_pascal}" = connector.s3_access_logging.target_object_key_format,
+        "s3AccessLoggingTargetBucket${config.region_pascal}"          = config.s3_access_logging.target_bucket,
+        "s3AccessLoggingTargetPrefix${config.region_pascal}"          = config.s3_access_logging.target_prefix,
+        "s3AccessLoggingTargetObjectKeyFormat${config.region_pascal}" = config.s3_access_logging.target_object_key_format,
       }
-      if connector.s3_access_logging != null
+      if config.s3_access_logging != null
     ]
     ...
   )
 
-  account_level_stack_params = {
-    for key, value in merge(local.global_acc_cfn_params, local.regional_acc_cfn_params) :
-    key => tostring(value)
-    if value != null
-  }
-
   service_linked_roles_services = [
     "ecs.amazonaws.com",
     "batch.amazonaws.com",
@@ -106,8 +100,7 @@ resource "terraform_data" "service_linked_roles" {
   }
 }
 
-
-resource "aws_cloudformation_stack" "elastio_account_level_stack" {
+resource "aws_cloudformation_stack" "this" {
   depends_on = [terraform_data.service_linked_roles]
 
   name         = "elastio-account-level-stack"
@@ -116,5 +109,9 @@ resource "aws_cloudformation_stack" "elastio_account_level_stack" {
     "elastio:resource" = "true"
   }
   capabilities = ["CAPABILITY_NAMED_IAM"]
-  parameters   = local.account_level_stack_params
+  parameters = {
+    for key, value in merge(local.global_stack_params, local.regional_stack_params) :
+    key => tostring(value)
+    if value != null
+  }
 }

connector/terraform/modules/account/main.tf

@@ -0,0 +1,8 @@
+output "cloudformation_stack" {
+  description = <<DESCR
+    The deployed CloudFormation stack may be used as an input for other stacks
+    like the `nat-provision` stack to let it inherit the configurations.
+  DESCR
+
+  value = aws_cloudformation_stack.this
+}

connector/terraform/modules/account/outputs.tf

@@ -1,3 +1,7 @@
+#########################
+## Required parameters ##
+#########################
+
 variable "elastio_pat" {
   description = "Personal Access Token generated by the Elastio Portal"
   sensitive   = true
@@ -11,10 +15,13 @@ variable "elastio_tenant" {
   nullable    = false
 }
 
-variable "elastio_cloud_connectors" {
+#########################
+## Optional parameters ##
+#########################
+
+variable "regional_configs" {
   description = <<DESCR
-    List of regions where Cloud Connectors are to be deployed, and some regional
-    configurations (mostly for regulatory compliance).
+    Regional configurations for connectors (mostly for regulatory compliance).
   DESCR
 
   type = list(object({
@@ -36,6 +43,26 @@ variable "elastio_cloud_connectors" {
   default  = []
 }
 
+variable "network_configuration" {
+  description = <<DESCR
+    Can be set to either `Auto` or `Manual`. If set to `Auto`, Elastio will
+    automatically create a VPC and subnets in the specified regions for the
+    scan clusters to run in.
+
+    If set to `Manual`, you must provide the `vpc_id` and `subnet_ids` in the
+    `region` module with the network config for each region.
+  DESCR
+
+  type     = string
+  default  = "Manual"
+  nullable = false
+
+  validation {
+    condition     = contains(["Auto", "Manual"], var.network_configuration)
+    error_message = "network_configuration must be one of 'Auto', 'Manual'"
+  }
+}
+
 variable "encrypt_with_cmk" {
   description = <<DESCR
     Provision additional customer-managed KMS keys to encrypt

connector/terraform/modules/account/variables.tf

@@ -0,0 +1,30 @@
+resource "aws_cloudformation_stack" "this" {
+  name = "elastio-nat-provision-lambda"
+  template_url = join(
+    "/",
+    [
+      "https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com",
+      "contrib/elastio-nat-provision-lambda/${var.version}",
+      "cloudformation-lambda.yaml"
+    ]
+  )
+  tags = {
+    "elastio:resource" = "true"
+  }
+  capabilities = ["CAPABILITY_NAMED_IAM"]
+  parameters = {
+    for key, value in var.connector_account_stack.parameters :
+    key => value
+    if contains(
+      [
+        "encryptWithCmk",
+        "lambdaTracing",
+        "globalManagedPolicies",
+        "globalPermissionBoundary",
+        "iamResourceNamesPrefix",
+        "iamResourceNamesSuffix",
+      ],
+      key
+    )
+  }
+}

connector/terraform/modules/nat-provision/main.tf

@@ -0,0 +1,44 @@
+#########################
+## Required parameters ##
+#########################
+
+variable "connector_account_stack" {
+  description = <<DESCR
+    The Elastio Connector Account stack metadata. This is used to inherit the
+    configs by the `nat-provision` stack. The value for this parameter can be
+    provided as the `cloudformation_stack` output of the `account` module, or
+    you could use a `data "aws_cloudformation_stack"` data source to fetch the
+    stack metadata and provide it here.
+  DESCR
+
+  type = object({
+    parameters = map(string)
+  })
+
+  nullable = false
+}
+
+#########################
+## Optional parameters ##
+#########################
+
+variable "version" {
+  description = <<DESCR
+    Specifies the version of Elastio NAT provision stack to deploy (e.g. `v5`).
+
+    This is a Cloudformation stack that automatically provisions NAT Gateways in
+    your VPC when Elastio worker instances run to provide them with the outbound
+    Internet access when Elastio is deployed in private subnets.
+
+    If you don't need this stack (e.g. you already have NAT gateways in your VPC
+    or you deploy into public subnets) you can omit this parameter. The default
+    value of `null` means there won't be any NAT provision stack deployed.
+
+    The source code of this stack can be found here:
+    https://github.com/elastio/contrib/tree/master/elastio-nat-provision-lambda
+  DESCR
+
+  type     = string
+  nullable = true
+  default  = "v5"
+}

connector/terraform/modules/nat-provision/variables.tf

@@ -5,40 +5,6 @@ locals {
   }
 }
 
-resource "aws_cloudformation_stack" "elastio_nat_provision_stack" {
-  count = var.elastio_nat_provision_stack == null ? 0 : 1
-
-  name = "elastio-nat-provision-lambda"
-  template_url = join(
-    "/",
-    [
-      "https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com",
-      "contrib/elastio-nat-provision-lambda/${var.elastio_nat_provision_stack}",
-      "cloudformation-lambda.yaml"
-    ]
-  )
-  tags = {
-    "elastio:resource" = "true"
-  }
-  capabilities = ["CAPABILITY_NAMED_IAM"]
-  parameters = {
-    for key, value in {
-      EncryptWithCmk         = var.encrypt_with_cmk
-      LambdaTracing          = var.lambda_tracing
-      IamResourceNamesPrefix = var.iam_resource_names_prefix
-      IamResourceNamesSuffix = var.iam_resource_names_suffix
-      GlobalManagedPolicies = (
-        var.global_managed_policies == null
-        ? null
-        : join(",", var.global_managed_policies)
-      ),
-      GlobalPermissionBoundary = var.global_permission_boundary,
-    } :
-    key => tostring(value)
-    if value != null
-  }
-}
-
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
@@ -55,7 +21,7 @@ resource "terraform_data" "elastio_cloud_connector" {
   input = local.connector_config
   triggers_replace = {
     connector     = local.connector_config,
-    account_stack = var.connector_account_stack_name,
+    account_stack = var.connector_account_stack.name,
   }
 
   provisioner "local-exec" {