Initial sweep of Security Group support changes.

Author: nerdynick

README.md

@@ -1,15 +1,24 @@
 # terraform-aws-confluent-platform
 
-Terraform Module for Deploying the Confluent Platform to AWS.
+Terraform Module(s) for Deploying the Confluent Platform within AWS.
 
 # Features
 
-| CP Component    | EC2 Instance | Route53 DNS | Security Groups |
-|:--------------- |:------------:|:-----------:|:---------------:|
-| Zookeeper       | X | X |  |
-| Kafka Broker    | X | X |  |
-| Kafka Connect   | X | X |  |
-| ksqlDB          | X | X |  |
-| Rest Proxy      | X | X |  |
-| Schema Registry | X | X |  |
-| Control Center  | X | X |  |
+## Feature Metric
+
+| CP Component    | EC2 Instance | Route53 DNS | Security Groups | Load Balancers | Multi AZ |
+|:--------------- |:------------:|:-----------:|:---------------:|:--------------:|:--------:|
+| Zookeeper       | X | X | X | N/A |  |
+| Kafka Broker    | X | X | X |  |  |
+| Kafka Connect   | X | X | X |  |  |
+| ksqlDB          | X | X | X |  |  |
+| Rest Proxy      | X | X | X |  |  |
+| Schema Registry | X | X | X |  |  |
+| Control Center  | X | X | X | N/A |  |
+
+## Feature Limitations
+
+1. Out of the box all nodes and security groups are required to live in the same VPC
+
+NOTE: If you leverage the individual component modules, some of these limitations can be worked around.
+These limitation just haven't be able to be baked into a single unified parent module yet, or may not be possible to at all.

main.tf

@@ -13,7 +13,12 @@ module "cp-aws-zookeeper" {
     dns_ttl = var.zookeeper_dns_ttl
     name_template = var.zookeeper_name_template
     dns_template = var.zookeeper_dns_template
+    sg_name = var.zookeeper_sg_name
+    kafka_broker_sg_id = module.cp-aws-kafka_broker.security_group.id
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }
 
 module "cp-aws-kafka_broker" {
@@ -31,7 +36,16 @@ module "cp-aws-kafka_broker" {
     dns_ttl = var.kafka_broker_dns_ttl
     name_template = var.kafka_broker_name_template
     dns_template = var.kafka_broker_dns_template
+    sg_name = var.kafka_broker_sg_name
+    kafka_connect_sg_ids = [module.cp-aws-kafka_connect.security_group.id]
+    ksql_sg_ids = [module.cp-aws-ksql.security_group.id]
+    rest_proxy_sg_id = module.cp-aws-rest_proxy.security_group.id
+    schema_registry_sg_id = module.cp-aws-schema_registry.security_group.id
+    control_center_sg_id = module.cp-aws-control_center.security_group.id
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }
 
 module "cp-aws-kafka_connect" {
@@ -49,7 +63,12 @@ module "cp-aws-kafka_connect" {
     dns_ttl = var.kafka_connect_dns_ttl
     name_template = var.kafka_connect_name_template
     dns_template = var.kafka_connect_dns_template
+    sg_name = var.kafka_connect_sg_name
+    control_center_sg_id = module.cp-aws-control_center.security_group.id
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }
 
 module "cp-aws-control_center" {
@@ -67,7 +86,11 @@ module "cp-aws-control_center" {
     dns_ttl = var.control_center_dns_ttl
     name_template = var.control_center_name_template
     dns_template = var.control_center_dns_template
+    sg_name = var.control_center_sg_name
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }
 
 module "cp-aws-ksql" {
@@ -85,7 +108,12 @@ module "cp-aws-ksql" {
     dns_ttl = var.ksql_dns_ttl
     name_template = var.ksql_name_template
     dns_template = var.ksql_dns_template
+    sg_name = var.ksql_sg_name
+    control_center_sg_id = module.cp-aws-control_center.security_group.id
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }
 
 module "cp-aws-rest_proxy" {
@@ -103,7 +131,11 @@ module "cp-aws-rest_proxy" {
     dns_ttl = var.rest_proxy_dns_ttl
     name_template = var.rest_proxy_name_template
     dns_template = var.rest_proxy_dns_template
+    sg_name = var.rest_proxy_sg_name
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }
 
 module "cp-aws-schema_registry" {
@@ -121,5 +153,14 @@ module "cp-aws-schema_registry" {
     dns_ttl = var.schema_registry_dns_ttl
     name_template = var.schema_registry_name_template
     dns_template = var.schema_registry_dns_template
+    sg_name = var.schema_registry_sg_name
+    kafka_connect_sg_ids = [module.cp-aws-kafka_connect.security_group.id]
+    ksql_sg_ids = [module.cp-aws-ksql.security_group.id]
+    rest_proxy_sg_id = module.cp-aws-rest_proxy.security_group.id
+    schema_registry_sg_id = module.cp-aws-schema_registry.security_group.id
+    control_center_sg_id = module.cp-aws-control_center.security_group.id
+    
     extra_template_vars = var.extra_template_vars
+    vpc_id = var.vpc_id
+    enable_sg_creation = var.enable_sg_creation
 }

modules/base_node/main.tf

@@ -23,8 +23,15 @@ resource "aws_instance" "instance" {
     vpc_security_group_ids = var.security_groups_ids
 
 
-    tags = merge(var.tags, {"name"=data.template_file.node_name[count.index].rendered, "Name"=data.template_file.node_name[count.index].rendered})
-    volume_tags = merge(var.tags, {"name"=data.template_file.node_name[count.index].rendered, "Name"=data.template_file.node_name[count.index].rendered})
+    tags = merge(var.tags, {
+        "name"=data.template_file.node_name[count.index].rendered, 
+        "Name"=data.template_file.node_name[count.index].rendered
+    })
+    
+    volume_tags = merge(var.tags, {
+        "name"=data.template_file.node_name[count.index].rendered, 
+        "Name"=data.template_file.node_name[count.index].rendered
+    })
 
     root_block_device {
         volume_size = var.root_volume_size

modules/control_center/main.tf

@@ -1,4 +1,22 @@
-module "cp-aws-control_center" {
+resource "aws_security_group" "my_security_group" {
+    count = var.enable_sg_creation ? 1 : 0
+    name = var.sg_name
+    description = "Confluent Platform - Control Center"
+    vpc_id = var.vpc_id
+    
+    tags = var.tags
+    
+    #Control Center Related
+    ingress {
+        description = "C3 - REST Interface - Internal"
+        from_port   = 9021
+        to_port     = 9021
+        protocol    = "tcp"
+        self        =  true
+    }
+}
+
+module "my_instance" {
     source = "../base_node"
 
     extra_template_vars = var.extra_template_vars
@@ -10,7 +28,7 @@ module "cp-aws-control_center" {
     key_pair = var.key_pair
     tags = var.tags
     subnet_id = var.subnet_id
-    security_groups_ids = var.security_groups_ids
+    security_groups_ids = combine(var.security_groups_ids, [aws_security_group.my_security_group.id])
     dns_zone_id = var.dns_zone_id
     dns_ttl = var.dns_ttl
     name_template = var.name_template

modules/control_center/outputs.tf

@@ -1,7 +1,11 @@
 output "instances" {
-    value = module.cp-aws-control_center.instances
+    value = module.my_instance.instances
 }
 
 output "dns_records" {
-    value = module.cp-aws-control_center.dns_records
+    value = module.my_instance.dns_records
+}
+
+output "security_group" {
+    value = aws_security_group.my_security_group
 }

modules/control_center/variables.tf

@@ -55,4 +55,17 @@ variable "dns_template" {
 variable "extra_template_vars" {
     type = map
     default = {}
+}
+
+#SG Related Vars
+variable "vpc_id" {
+    type = string
+}
+variable "enable_sg_creation" {
+    type = boolean
+    default = true
+}
+variable "sg_name" {
+    type = string
+    default = "CP_Control_Center"
 }

modules/kafka_broker/main.tf

@@ -1,4 +1,54 @@
-module "cp-aws-kafka_broker" {
+resource "aws_security_group" "my_security_group" {
+    count = var.enable_sg_creation ? 1 : 0
+    name = var.sg_name
+    description = "Confluent Platform - Kafka Brokers/Confluent Servers"
+    vpc_id = var.vpc_id
+    
+    tags = var.tags
+    
+    #Kafka/Confluent Server Related
+    ingress {
+        description = "Kafka - Listeners - Internal Access"
+        from_port   = 9091
+        to_port     = 9093
+        protocol    = "tcp"
+        self        =  true
+    }
+    
+    ingress {
+        description = "Kafka - Listeners - External Access"
+        from_port   = 9092
+        to_port     = 9093
+        protocol    = "tcp"
+        security_groups = combine([
+            var.rest_proxy_sg_id,
+            var.schema_registry_sg_id,
+            var.control_center_sg_id
+        ], var.kafka_connect_sg_ids, var.ksql_sg_ids)
+    }
+    
+    ingress {
+        description = "Kafka - MDS Listeners - Internal Access"
+        from_port   = 8090
+        to_port     = 8091
+        protocol    = "tcp"
+        self        =  true
+    }
+    
+    ingress {
+        description = "Kafka - MDS Listeners - External Access"
+        from_port   = 8090
+        to_port     = 8091
+        protocol    = "tcp"
+        security_groups = combine([
+            var.rest_proxy_sg_id,
+            var.schema_registry_sg_id,
+            var.control_center_sg_id
+        ], var.kafka_connect_sg_ids, var.ksql_sg_ids)
+    }
+}
+
+module "my_instance" {
     source = "../base_node"
 
     extra_template_vars = var.extra_template_vars
@@ -10,7 +60,7 @@ module "cp-aws-kafka_broker" {
     key_pair = var.key_pair
     tags = var.tags
     subnet_id = var.subnet_id
-    security_groups_ids = var.security_groups_ids
+    security_groups_ids = combine(var.security_groups_ids, [aws_security_group.my_security_group.id])
     dns_zone_id = var.dns_zone_id
     dns_ttl = var.dns_ttl
     name_template = var.name_template

modules/kafka_broker/outputs.tf

@@ -1,7 +1,11 @@
 output "instances" {
-    value = module.cp-aws-kafka_broker.instances
+    value = module.my_instance.instances
 }
 
 output "dns_records" {
-    value = module.cp-aws-kafka_broker.dns_records
+    value = module.my_instance.dns_records
+}
+
+output "security_group" {
+    value = aws_security_group.my_security_group
 }

modules/kafka_broker/variables.tf

@@ -55,4 +55,37 @@ variable "dns_template" {
 variable "extra_template_vars" {
     type = map
     default = {}
+}
+
+#SG Related Vars
+variable "vpc_id" {
+    type = string
+}
+variable "enable_sg_creation" {
+    type = boolean
+    default = true
+}
+variable "sg_name" {
+    type = string
+    default = "CP_Kafka_Broker"
+}
+variable "kafka_connect_sg_ids" {
+    type = list
+    default = []
+}
+variable "ksql_sg_ids" {
+    type = list
+    default = []
+}
+variable "rest_proxy_sg_id" {
+    type = string
+    default = ""
+}
+variable "schema_registry_sg_id" {
+    type = string
+    default = ""
+}
+variable "control_center_sg_id" {
+    type = string
+    default = ""
 }

modules/kafka_connect/main.tf

@@ -1,7 +1,31 @@
-###########################
-# Connect Resources
-###########################
-module "cp-aws-kafka_connect" {
+resource "aws_security_group" "my_security_group" {
+    count = var.enable_sg_creation ? 1 : 0
+    name = var.sg_name
+    description = "Confluent Platform - Kafka Connect"
+    vpc_id = var.vpc_id
+    
+    tags = var.tags
+    
+    #Kafka Connect Related
+    ingress {
+        description = "Connect - REST Interface - Internal"
+        from_port   = 8083
+        to_port     = 8083
+        protocol    = "tcp"
+        self        =  true
+    }
+    ingress {
+        description = "Connect - REST Interface - External"
+        from_port   = 8083
+        to_port     = 8083
+        protocol    = "tcp"
+        security_groups = [
+            var.control_center_sg_id
+        ]
+    }
+}
+
+module "my_instance" {
     source = "../base_node"
 
     extra_template_vars = var.extra_template_vars

modules/kafka_connect/output.tf

@@ -1,7 +1,11 @@
 output "instances" {
-    value = module.cp-aws-kafka_connect.instances
+    value = module.my_instance.instances
 }
 
 output "dns_records" {
-    value = module.cp-aws-kafka_connect.dns_records
+    value = module.my_instance.dns_records
+}
+
+output "security_group" {
+    value = aws_security_group.my_security_group
 }