[WIFI-10153] Add: terraform resources for demo instance

Signed-off-by: Dmitry Dunaev <dmitry@opsfleet.com>

terraform/wifi-289708231103/cloudsdk_cicd/ansible/hosts.yml

@@ -3,4 +3,10 @@ all:
     freeradius:
       ansible_host: 18.189.85.200
       ansible_user: ubuntu
+    freeradius_qa:
+      ansible_host: 3.20.165.131
+      ansible_user: ubuntu
+    demo:
+      ansible_host: 18.117.69.181
+      ansible_user: ubuntu
 

terraform/wifi-289708231103/cloudsdk_cicd/instance_demo.tf

@@ -0,0 +1,325 @@
+# Demo instance for WIFI-10153
+# TODO increase disk size
+resource "aws_instance" "wlan_demo" {
+  ami                    = "ami-00399ec92321828f5" # Ubuntu 20.04 amd64
+  instance_type          = "m6a.2xlarge"
+  subnet_id              = module.vpc_main.public_subnets[1]
+  vpc_security_group_ids = [aws_security_group.wlan.id]
+  key_name               = aws_key_pair.dunaev_wifi_3714.id
+
+  lifecycle {
+    ignore_changes = [ami]
+  }
+
+  root_block_device {
+    delete_on_termination = true
+    volume_size           = 30
+  }
+
+  tags = merge({
+    "Name" : "${var.org}-${var.project}-${var.env} demo server (WIFI-10153)"
+  }, local.common_tags)
+}
+
+resource "aws_eip" "wlan_demo" {
+  vpc      = true
+  instance = aws_instance.wlan_demo.id
+  tags     = local.common_tags
+}
+
+# Certificate
+data "aws_acm_certificate" "cert_cicd" {
+  domain   = "cicd.${data.terraform_remote_state.route_53.outputs.zone_name}"
+  statuses = ["ISSUED"]
+}
+
+# Load balancers
+## NLB to SDK endpoints
+resource "aws_lb" "nlb_demo" {
+  name                       = "nlb-demo"
+  internal                   = false
+  load_balancer_type         = "network"
+  subnets                    = module.vpc_main.public_subnets
+  enable_deletion_protection = false
+  tags                       = local.common_tags
+}
+
+### Secure endpoints
+locals {
+  sdk_ports_secure = toset([for port in var.sdk_ports_secure : tostring(port)])
+}
+#target_group
+resource "aws_lb_target_group" "nlb_demo_tls" {
+  for_each = local.sdk_ports_secure
+  name     = "nlb-demo-tls-${each.value}"
+  port     = each.value
+  protocol = "TLS"
+  vpc_id   = module.vpc_main.vpc_id
+  health_check {
+    port = 16101
+  }
+}
+#target_group_attachment
+resource "aws_lb_target_group_attachment" "nlb_demo_tls" {
+  for_each         = aws_lb_target_group.nlb_demo_tls
+  target_group_arn = each.value.arn
+  target_id        = aws_instance.wlan_demo.id
+  port             = each.value.port
+}
+#listener
+resource "aws_lb_listener" "nlb_demo_tls" {
+  for_each          = aws_lb_target_group.nlb_demo_tls
+  load_balancer_arn = aws_lb.nlb_demo.arn
+  port              = each.value.port
+  protocol          = "TLS"
+  certificate_arn   = data.aws_acm_certificate.cert_cicd.arn
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = each.value.arn
+  }
+}
+
+### Insecure endpoints
+locals {
+  sdk_ports_insecure = toset([for port in var.sdk_ports_insecure : tostring(port)])
+}
+#target_group
+resource "aws_lb_target_group" "nlb_demo_tcp" {
+  for_each = local.sdk_ports_insecure
+  name     = "nlb-demo-tcp-${each.value}"
+  port     = each.value
+  protocol = "TCP"
+  vpc_id   = module.vpc_main.vpc_id
+  health_check {
+    port = 16101
+  }
+}
+#target_group_attachment
+resource "aws_lb_target_group_attachment" "nlb_demo_tcp" {
+  for_each         = aws_lb_target_group.nlb_demo_tcp
+  target_group_arn = each.value.arn
+  target_id        = aws_instance.wlan_demo.id
+  port             = each.value.port
+}
+#listener
+resource "aws_lb_listener" "nlb_demo_tcp" {
+  for_each          = aws_lb_target_group.nlb_demo_tcp
+  load_balancer_arn = aws_lb.nlb_demo.arn
+  port              = each.value.port
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = each.value.arn
+  }
+}
+
+## ALB
+resource "aws_security_group" "ingress_http_https_allow" {
+  name        = "ingress_http_https_allow"
+  description = "Allow HTTP and HTTPS inbound traffic"
+  vpc_id      = module.vpc_main.vpc_id
+
+  ingress {
+    description      = "HTTP from outside"
+    from_port        = 80
+    to_port          = 80
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  ingress {
+    description      = "HTTPS from outside"
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = {
+    Name = "ingress_http_https_allow"
+  }
+}
+resource "aws_lb" "alb_demo" {
+  name                       = "alb-demo"
+  internal                   = false
+  load_balancer_type         = "application"
+  security_groups            = [aws_security_group.ingress_http_https_allow.id]
+  subnets                    = module.vpc_main.public_subnets
+  enable_deletion_protection = false
+  tags                       = local.common_tags
+}
+resource "aws_lb_listener" "alb_https_demo" {
+  load_balancer_arn = aws_lb.alb_demo.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = data.aws_acm_certificate.cert_cicd.arn
+
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Host rule not found"
+      status_code  = "404"
+    }
+  }
+}
+resource "aws_lb_listener" "alb_http_demo" {
+  load_balancer_arn = aws_lb.alb_demo.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+## ALB to OWGW WebUI
+#target groups
+resource "aws_lb_target_group" "alb_owgwui_https_demo" {
+  name     = "alb-owgwui-https-demo"
+  port     = 443
+  protocol = "HTTPS"
+  vpc_id   = module.vpc_main.vpc_id
+  health_check {
+    port = 16101
+  }
+}
+#target_group_attachment
+resource "aws_lb_target_group_attachment" "alb_owgwui_https_demo" {
+  target_group_arn = aws_lb_target_group.alb_owgwui_https_demo.arn
+  target_id        = aws_instance.wlan_demo.id
+  port             = 443
+}
+#listener_rule
+resource "aws_lb_listener_rule" "alb_owgwui_https_demo" {
+  listener_arn = aws_lb_listener.alb_https_demo.arn
+  priority     = 99
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.alb_owgwui_https_demo.arn
+  }
+
+  condition {
+    host_header {
+      values = ["webui-demo.cicd.${data.terraform_remote_state.route_53.outputs.zone_name}"]
+    }
+  }
+}
+
+## ALB to OWProv WebUI
+#target groups
+resource "aws_lb_target_group" "alb_owprovui_https_demo" {
+  name     = "alb-owprovui-https-demo"
+  port     = 8443
+  protocol = "HTTPS"
+  vpc_id   = module.vpc_main.vpc_id
+  health_check {
+    port = 16101
+  }
+}
+#target_group_attachment
+resource "aws_lb_target_group_attachment" "alb_owprovui_https_demo" {
+  target_group_arn = aws_lb_target_group.alb_owprovui_https_demo.arn
+  target_id        = aws_instance.wlan_demo.id
+  port             = 8443
+}
+#listener_rule
+resource "aws_lb_listener_rule" "alb_owprovui_https_demo" {
+  listener_arn = aws_lb_listener.alb_https_demo.arn
+  priority     = 98
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.alb_owprovui_https_demo.arn
+  }
+
+  condition {
+    host_header {
+      values = ["provui-demo.cicd.${data.terraform_remote_state.route_53.outputs.zone_name}"]
+    }
+  }
+}
+
+# DNS Records
+resource "aws_route53_record" "wlan_demo_instance" {
+  zone_id         = data.terraform_remote_state.route_53.outputs.zone_id
+  name            = "instance-demo.cicd"
+  type            = "A"
+  ttl             = 600
+  allow_overwrite = true
+  records = [
+    aws_eip.wlan_demo.public_ip
+  ]
+}
+
+resource "aws_route53_record" "wlan_demo_sdk" {
+  zone_id         = data.terraform_remote_state.route_53.outputs.zone_id
+  name            = "sdk-demo.cicd"
+  type            = "A"
+  allow_overwrite = true
+  alias {
+    name                   = aws_lb.nlb_demo.dns_name
+    zone_id                = aws_lb.nlb_demo.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "wlan_demo_webui" {
+  zone_id         = data.terraform_remote_state.route_53.outputs.zone_id
+  name            = "webui-demo.cicd"
+  type            = "A"
+  allow_overwrite = true
+  alias {
+    name                   = aws_lb.alb_demo.dns_name
+    zone_id                = aws_lb.alb_demo.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "wlan_demo_provui" {
+  zone_id         = data.terraform_remote_state.route_53.outputs.zone_id
+  name            = "provui-demo.cicd"
+  type            = "A"
+  allow_overwrite = true
+  alias {
+    name                   = aws_lb.alb_demo.dns_name
+    zone_id                = aws_lb.alb_demo.zone_id
+    evaluate_target_health = true
+  }
+}
+
+# Outputs
+output "wlan_demo_instance" {
+  value = aws_eip.wlan_demo.public_ip
+}
+
+output "wlan_demo_sdk_fqdn" {
+  value = aws_route53_record.wlan_demo_sdk.fqdn
+}
+output "wlan_demo_webui_fqdn" {
+  value = aws_route53_record.wlan_demo_webui.fqdn
+}
+output "wlan_demo_provui_fqdn" {
+  value = aws_route53_record.wlan_demo_provui.fqdn
+}

terraform/wifi-289708231103/cloudsdk_cicd/instance_freeradius.tf

@@ -31,20 +31,6 @@ resource "aws_eip" "wlan_freeradius" {
   tags     = local.common_tags
 }
 
-resource "null_resource" "ansible_inventory_generate" {
-  triggers = {
-    instance_arn = aws_instance.wlan_freeradius.arn
-    eip_id       = aws_eip.wlan_freeradius.id
-  }
-
-  # Generate Ansible inventory file
-  provisioner "local-exec" {
-    command = <<-EOA
-    echo "${templatefile("${path.module}/templates/ansible_inventory.yml.tpl", { eip = aws_eip.wlan_freeradius })}" > ansible/hosts.yml
-    EOA
-  }
-}
-
 output "wlan_freeradius_instance" {
   value = aws_eip.wlan_freeradius.public_ip
 }
@@ -79,3 +65,22 @@ resource "aws_eip" "wlan_freeradius_qa" {
 output "wlan_freeradius_qa_instance" {
   value = aws_eip.wlan_freeradius_qa.public_ip
 }
+
+resource "null_resource" "ansible_inventory_generate" {
+  triggers = {
+    freeradius_instance_arn    = aws_instance.wlan_freeradius.arn
+    freeradius_eip_id          = aws_eip.wlan_freeradius.id
+    freeradius_qa_instance_arn = aws_instance.wlan_freeradius_qa.arn
+    freeradius_qa_eip_id       = aws_eip.wlan_freeradius_qa.id
+    demo_instance_arn          = aws_instance.wlan_demo.arn
+    demo_eip_id                = aws_eip.wlan_demo.id
+  }
+
+  # Generate Ansible inventory file
+  provisioner "local-exec" {
+    command = <<-EOA
+    echo "${templatefile("${path.module}/templates/ansible_inventory.yml.tpl", { freeradius_eip = aws_eip.wlan_freeradius, freeradius_eip_qa = aws_eip.wlan_freeradius_qa, demo_eip = aws_eip.wlan_demo })}" > ansible/hosts.yml
+    EOA
+  }
+}
+

terraform/wifi-289708231103/cloudsdk_cicd/templates/ansible_inventory.yml.tpl

@@ -1,5 +1,11 @@
 all:
   hosts:
     freeradius:
-      ansible_host: ${eip.public_ip}
+      ansible_host: ${freeradius_eip.public_ip}
+      ansible_user: ubuntu
+    freeradius_qa:
+      ansible_host: ${freeradius_eip_qa.public_ip}
+      ansible_user: ubuntu
+    demo:
+      ansible_host: ${demo_eip.public_ip}
       ansible_user: ubuntu

terraform/wifi-289708231103/cloudsdk_cicd/terraform.tfvars

@@ -37,3 +37,6 @@ eks_access_users_with_kms_access = [
   "gha-wlan-test-bss",
   "gha-toolsmith",
 ]
+
+sdk_ports_secure   = [5912, 5913, 16001, 16002, 16003, 16004, 16005, 16006, 16009, 16789]
+sdk_ports_insecure = [16101, 15002]

terraform/wifi-289708231103/cloudsdk_cicd/variables.tf

@@ -102,3 +102,15 @@ variable "eks_access_users_with_kms_access" {
   type        = set(string)
   default     = []
 }
+
+variable "sdk_ports_secure" {
+  description = "List of SDK ports that require TLS termination on AWS side"
+  type        = set(number)
+  default     = []
+}
+
+variable "sdk_ports_insecure" {
+  description = "List of SDK ports that don't require TLS termination on AWS side"
+  type        = set(number)
+  default     = []
+}