Mirrors/kasm-terraform
1
0
Fork 0
mirror of https://github.com/kasmtech/terraform.git synced 2026-01-23 02:24:11 +00:00
Code Issues Projects Releases Wiki Activity

Simplified TF, added CPX, updated download URL

Browse source
This commit is contained in:
Bryan Scarbrough 2024-02-12 22:45:26 +00:00
parent a27368ea3d
commit ebd13ab824
No known key found for this signature in database
116 changed files with 3880 additions and 1491 deletions
Download patch file Download diff file Expand all files Collapse all files

101
aws/multi_region/README.md
View file

@ -45,50 +45,85 @@ Create a user via the IAM console that will be used for the terraform deployment
3. Verify the configuration
terraform plan -var-file settings.tfvars -var-file secrets.tfvars
terraform plan -var-file secrets.tfvars
4. Deploy
terraform apply -var-file settings.tfvars -var-file secrets.tfvars
terraform apply -var-file secrets.tfvars
5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`
6. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes)
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
# AWS Terraform Variable definitions
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
| Variable | Description | Variable type | Example |
|:--------:|-------------|---------------|---------|
| `aws_access_key` | The AWS access key used for deployment. | String | `"AKIAJSIE27KKMHXI3BJQ"` |
| `aws_secret_key` | The AWS secret key used for deployment. | String | `"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"` |
| `aws_primary_region` | The AWS Region to deploy all Kasm Management resources. | String | `"us-east-1"` |
| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` |
| `aws_domain_name` | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https. | String | `"kasm.contoso.com"` |
| `kasm_zone_name` | A name given to the kasm deployment Zone. | String | `"default"` |
| `primary_vpc_subnet_cidr` | The subnet CIDR to use for the Primary region's VPC. | String | `"10.0.0.0/16"` |
| `aws_key_pair` | The name of an aws keypair to use. | String | `"kasm_ssh_key"` |
| `primary_region_ec2_ami_id` | The AMI used for the EC2 nodes in the Primary (Management) region. Recommended Ubuntu 20.04 LTS. | String | `"ami-09cd747c78a9add63"` |
| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` |
| `webapp_instance_type` | The instance type for the Kasm WebApps. | String | `"t3.small"` |
| `webapp_hdd_size_gb` | The HDD size for the WebApp EC2s in GB. | Number | `40` |
| `db_instance_type` | The instance type for the Kasm Database. | String | `"t3.medium"` |
| `db_hdd_size_gb` | The HDD size for the DB EC2 in GB. | Number | `40` |
| `agent_instance_type` | The instance type for the Kasm Agents in the Primary region. | String | `"t3.medium"` |
| `agent_hdd_size_gb` | The HDD size for the Agent EC2s in GB. | Number | `120` |
| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` |
| `num_agents` | The number of static Kasm Agents to create in the primary region. Acceptable ranges from 0-100. | Number | `2` |
| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers (use `["0.0.0.0/0]"` to allow SSH from any IP). | List(String) | `["1.1.1.1/32","172.217.22.14/32"]` |
| `web_access_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers (use `["0.0.0.0/0]"` to allow HTTP/HTTPS from any IP). | List(String) | `["0.0.0.0/0"]` |
| `secondary_regions_settings` | A map of AWS environment settings for secondary regions. The Primary region is considered "region1", thus all secondary regions should be labeled "region2", "region3", etc. Refer to the commented settings in the `secondary_regions_settings` variable in the `settings.tf` for an example. | Map(any) | <pre>{<br/>&nbsp;&nbsp;region2 = {<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_region = "eu-central-1"<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_ec2_ami_id = "ami-0e067cc8a2b58de59"<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_instance_type = "t3.medium"<br/>&nbsp;&nbsp;&nbsp;&nbsp;num_agents = 2<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_vpc_cidr = "10.1.0.0/16"<br/>&nbsp;&nbsp;}<br/>}</pre>
| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `kasm_build` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` |
| `aws_default_tags` | A Map of all tags you wish to apply to all TF created resources in this deployment. | Map(Any) | <pre>{<br/>&nbsp;&nbsp;Service_name = "Kasm Workspaces"<br/>&nbsp;&nbsp;Kasm_version = "1.12"<br/>}</pre> |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_primary_region"></a> [primary\_region](#module\_primary\_region) | ./primary | n/a |
| <a name="module_primary_region_webapps_and_agents"></a> [primary\_region\_webapps\_and\_agents](#module\_primary\_region\_webapps\_and\_agents) | ./webapps | n/a |
| <a name="module_region2_agents"></a> [region2\_agents](#module\_region2\_agents) | ./agents | n/a |
| <a name="module_region2_webapps"></a> [region2\_webapps](#module\_region2\_webapps) | ./webapps | n/a |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_agent_hdd_size_gb"></a> [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Agent instances | `number` | n/a | yes |
| <a name="input_agent_instance_type"></a> [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the Agents | `string` | n/a | yes |
| <a name="input_aws_access_key"></a> [aws\_access\_key](#input\_aws\_access\_key) | The AWS access key used for deployment | `string` | n/a | yes |
| <a name="input_aws_default_tags"></a> [aws\_default\_tags](#input\_aws\_default\_tags) | Default tags to apply to all AWS resources for this deployment | `map(any)` | <pre>{<br> "Kasm_version": "1.14",<br> "Service_name": "Kasm Workspaces"<br>}</pre> | no |
| <a name="input_aws_domain_name"></a> [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_aws_key_pair"></a> [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes |
| <a name="input_aws_primary_region"></a> [aws\_primary\_region](#input\_aws\_primary\_region) | The AWS Region used for deployment | `string` | `"us-east-1"` | no |
| <a name="input_aws_secret_key"></a> [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key used for deployment | `string` | n/a | yes |
| <a name="input_aws_ssm_iam_role_name"></a> [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no |
| <a name="input_cpx_hdd_size_gb"></a> [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Guac RDP instances | `number` | n/a | yes |
| <a name="input_cpx_instance_type"></a> [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the Guac RDP nodes | `string` | n/a | yes |
| <a name="input_create_aws_ssm_iam_role"></a> [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_db_hdd_size_gb"></a> [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes |
| <a name="input_db_instance_type"></a> [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes |
| <a name="input_kasm_build"></a> [kasm\_build](#input\_kasm\_build) | Download URL for Kasm Workspaces | `string` | n/a | yes |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `2` | no |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | `2` | no |
| <a name="input_primary_region_ec2_ami_id"></a> [primary\_region\_ec2\_ami\_id](#input\_primary\_region\_ec2\_ami\_id) | AMI Id of Kasm EC2 image in the primary region. Recommended AMI OS Version is Ubuntu 20.04 LTS. | `string` | n/a | yes |
| <a name="input_primary_vpc_subnet_cidr"></a> [primary\_vpc\_subnet\_cidr](#input\_primary\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_proxy_hdd_size_gb"></a> [proxy\_hdd\_size\_gb](#input\_proxy\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm dedicated proxy instances | `number` | n/a | yes |
| <a name="input_proxy_instance_type"></a> [proxy\_instance\_type](#input\_proxy\_instance\_type) | The instance type for the dedicated proxy node | `string` | `""` | no |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes |
| <a name="input_secondary_regions_settings"></a> [secondary\_regions\_settings](#input\_secondary\_regions\_settings) | Map of Kasm settings for secondary regions | <pre>map(object({<br> agent_region = string<br> agent_vpc_cidr = string<br> ec2_ami_id = string<br> })<br> )</pre> | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_ssh_access_cidrs"></a> [ssh\_access\_cidrs](#input\_ssh\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_web_access_cidrs"></a> [web\_access\_cidrs](#input\_web\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_webapp_hdd_size_gb"></a> [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm WebApp instances | `number` | n/a | yes |
| <a name="input_webapp_instance_type"></a> [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | `""` | no |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
# Detailed Terraform Deployment Diagram

104
aws/multi_region/agents/README.md Normal file
View file

@ -0,0 +1,104 @@
# agents
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_instance.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
| [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb_listener.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
| [aws_route53_record.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route_table.internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table_association.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_security_group.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.windows_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.windows_webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_agent_hdd_size_gb"></a> [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size for agents | `number` | n/a | yes |
| <a name="input_agent_instance_type"></a> [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the agents | `string` | n/a | yes |
| <a name="input_agent_security_rules"></a> [agent\_security\_rules](#input\_agent\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_agent_vpc_cidr"></a> [agent\_vpc\_cidr](#input\_agent\_vpc\_cidr) | Subnet CIDR range for Agent VPC | `string` | n/a | yes |
| <a name="input_anywhere"></a> [anywhere](#input\_anywhere) | Anywhere subnet for routing and load ingress from all IPs | `string` | `"0.0.0.0/0"` | no |
| <a name="input_aws_domain_name"></a> [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_aws_key_pair"></a> [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes |
| <a name="input_aws_ssm_iam_role_name"></a> [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no |
| <a name="input_cpx_hdd_size_gb"></a> [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size for Kasm Guac RDP nodes | `number` | n/a | yes |
| <a name="input_cpx_instance_type"></a> [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpx RDP nodes | `string` | n/a | yes |
| <a name="input_cpx_security_rules"></a> [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_default_egress"></a> [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> cidr_subnets = list(string)<br> })</pre> | <pre>{<br> "cidr_subnets": [<br> "0.0.0.0/0"<br> ],<br> "from_port": 0,<br> "protocol": "-1",<br> "to_port": 0<br>}</pre> | no |
| <a name="input_ec2_ami"></a> [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes |
| <a name="input_kasm_build"></a> [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_load_balancer_log_bucket"></a> [load\_balancer\_log\_bucket](#input\_load\_balancer\_log\_bucket) | S3 bucket name for load balancers to forward access logs to | `string` | n/a | yes |
| <a name="input_management_region_nat_gateway"></a> [management\_region\_nat\_gateway](#input\_management\_region\_nat\_gateway) | A list Kasm management region NAT gateways to allow Webapps ingress on 4902 to Kasm Windows agent | `string` | n/a | yes |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_proxy_nodes"></a> [num\_proxy\_nodes](#input\_num\_proxy\_nodes) | The number of Dedicated Proxy nodes to create in the deployment | `number` | `2` | no |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_proxy_hdd_size_gb"></a> [proxy\_hdd\_size\_gb](#input\_proxy\_hdd\_size\_gb) | The HDD size for Dedicated Proxy nodes | `number` | n/a | yes |
| <a name="input_proxy_instance_type"></a> [proxy\_instance\_type](#input\_proxy\_instance\_type) | The instance type for the dedicated proxy nodes | `number` | n/a | yes |
| <a name="input_proxy_security_rules"></a> [proxy\_security\_rules](#input\_proxy\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> })</pre> | <pre>{<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br>}</pre> | no |
| <a name="input_public_lb_security_rules"></a> [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "http": {<br> "from_port": 80,<br> "protocol": "tcp",<br> "to_port": 80<br> },<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_windows_security_rules"></a> [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "api": {<br> "from_port": 4902,<br> "protocol": "tcp",<br> "to_port": 4902<br> },<br> "rdp": {<br> "from_port": 3389,<br> "protocol": "tcp",<br> "to_port": 3389<br> }<br>}</pre> | no |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

18
aws/multi_region/agents/agent.tf
View file

@ -1,10 +1,12 @@
resource "aws_instance" "kasm-agent" {
count = var.num_agents
ami = var.ec2_ami
instance_type = var.agent_instance_type
vpc_security_group_ids = [data.aws_security_group.data-kasm_agent_sg.id]
subnet_id = data.aws_subnet.data-kasm_agent_subnet.id
key_name = var.aws_key_pair
resource "aws_instance" "agent" {
count = var.num_agents
ami = var.ec2_ami
instance_type = var.agent_instance_type
vpc_security_group_ids = [aws_security_group.agent.id]
subnet_id = aws_subnet.agent.id
key_name = var.aws_key_pair
associate_public_ip_address = true
iam_instance_profile = var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.agent_hdd_size_gb
@ -20,6 +22,6 @@ resource "aws_instance" "kasm-agent" {
)
tags = {
Name = "${var.project_name}-${var.zone_name}-kasm-agent"
Name = "${var.project_name}-${var.aws_region}-kasm-agent-${count.index}"
}
}

3
aws/multi_region/agents/availability_zones.tf
View file

@ -1,3 +0,0 @@
data "aws_availability_zones" "available" {
state = "available"
}

32
aws/multi_region/agents/cert.tf Normal file
View file

@ -0,0 +1,32 @@
resource "aws_acm_certificate" "this" {
domain_name = var.aws_domain_name
subject_alternative_names = ["*.${var.aws_domain_name}"]
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
}
resource "aws_route53_record" "certificate" {
for_each = {
for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
name = each.value.name
type = each.value.type
records = [each.value.record]
zone_id = data.aws_route53_zone.this.id
ttl = 30
allow_overwrite = true
}
resource "aws_acm_certificate_validation" "this" {
certificate_arn = aws_acm_certificate.this.arn
validation_record_fqdns = [for record in aws_route53_record.certificate : record.fqdn]
}

27
aws/multi_region/agents/cpx.tf Normal file
View file

@ -0,0 +1,27 @@
resource "aws_instance" "cpx" {
count = var.num_cpx_nodes
ami = var.ec2_ami
instance_type = var.cpx_instance_type
vpc_security_group_ids = aws_security_group.cpx[*].id
subnet_id = aws_subnet.cpx[0].id
key_name = var.aws_key_pair
iam_instance_profile = var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.cpx_hdd_size_gb
}
user_data = templatefile("${path.module}/../userdata/cpx_bootstrap.sh",
{
kasm_build_url = var.kasm_build
swap_size = var.swap_size
manager_address = var.aws_domain_name
service_registration_token = var.service_registration_token
}
)
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-cpx-${count.index}"
}
}

24
aws/multi_region/agents/dependencies.tf Normal file
View file

@ -0,0 +1,24 @@
locals {
kasm_agent_vpc_subnet_cidr_mask = split("/", var.agent_vpc_cidr)[1]
kasm_agent_subnet_cidr_calculation = (8 - (local.kasm_agent_vpc_subnet_cidr_mask - 16))
kasm_agent_subnet_cidr_size = local.kasm_agent_subnet_cidr_calculation < 3 ? 3 : local.kasm_agent_subnet_cidr_calculation
all_security_groups = compact([
aws_security_group.public_lb.id,
aws_security_group.proxy.id,
aws_security_group.agent.id,
one(aws_security_group.cpx[*].id),
one(aws_security_group.windows[*].id)
])
proxy_security_rules = { for value in local.all_security_groups : value => var.proxy_security_rules if value == aws_security_group.public_lb.id }
}
data "aws_route53_zone" "this" {
name = var.aws_domain_name
private_zone = false
}
data "aws_availability_zones" "available" {
state = "available"
}

57
aws/multi_region/agents/elb.tf Normal file
View file

@ -0,0 +1,57 @@
resource "aws_lb" "this" {
name = "${var.project_name}-lb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.public_lb.id]
subnets = aws_subnet.alb[*].id
access_logs {
bucket = var.load_balancer_log_bucket
enabled = true
}
}
resource "aws_lb_listener" "this" {
load_balancer_arn = aws_lb.this.arn
port = "443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate.this.arn
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.this.arn
}
}
resource "aws_lb_target_group" "this" {
name = "${var.project_name}-target-group"
port = 443
protocol = "HTTPS"
vpc_id = aws_vpc.this.id
health_check {
path = "/desktop"
matcher = 301
protocol = "HTTPS"
}
}
resource "aws_lb_target_group_attachment" "this" {
count = var.num_proxy_nodes
target_group_arn = aws_lb_target_group.this.arn
target_id = aws_instance.proxy[count.index].id
port = 443
}
resource "aws_route53_record" "alb" {
zone_id = data.aws_route53_zone.this.zone_id
name = "${var.aws_region}-proxy.${var.aws_domain_name}"
type = "A"
alias {
name = aws_lb.this.dns_name
zone_id = aws_lb.this.zone_id
evaluate_target_health = false
}
}

6
aws/multi_region/agents/provider.tf
View file

@ -1,8 +1,10 @@
terraform {
required_version = "~> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
#version = "4.56.0"
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}

27
aws/multi_region/agents/proxy.tf Normal file
View file

@ -0,0 +1,27 @@
resource "aws_instance" "proxy" {
count = var.num_proxy_nodes
ami = var.ec2_ami
instance_type = var.proxy_instance_type
vpc_security_group_ids = [aws_security_group.proxy.id]
subnet_id = aws_subnet.proxy[(count.index)].id
key_name = var.aws_key_pair
iam_instance_profile = var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.proxy_hdd_size_gb
}
user_data = templatefile("${path.module}/../userdata/proxy_bootstrap.sh",
{
kasm_build_url = var.kasm_build
swap_size = var.swap_size
manager_address = var.aws_domain_name
proxy_alb_address = "${var.aws_region}-proxy.${var.aws_domain_name}"
}
)
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-proxy"
}
}

51
aws/multi_region/agents/routes.tf
View file

@ -1,21 +1,54 @@
resource "aws_route_table" "internet_access" {
vpc_id = data.aws_vpc.data-kasm_agent_vpc.id
resource "aws_route_table" "internet_gateway" {
vpc_id = aws_vpc.this.id
route {
cidr_block = var.anywhere
gateway_id = data.aws_internet_gateway.data-kasm_agent_default_ig.id
gateway_id = aws_internet_gateway.this.id
}
tags = {
Name = "${var.project_name}-kasm-agent-default-route"
Name = "${var.project_name}-kasm-internet-gateway-route"
}
}
data "aws_route_table" "data-agent_internet_gateway_route_table" {
route_table_id = aws_route_table.internet_access.id
resource "aws_route_table" "nat_gateway" {
vpc_id = aws_vpc.this.id
route {
cidr_block = var.anywhere
gateway_id = aws_nat_gateway.this.id
}
tags = {
Name = "${var.project_name}-kasm-nat-gateway-route"
}
}
resource "aws_route_table_association" "agent_table_association" {
subnet_id = data.aws_subnet.data-kasm_agent_subnet.id
route_table_id = data.aws_route_table.data-agent_internet_gateway_route_table.id
resource "aws_route_table_association" "alb" {
count = 2
subnet_id = aws_subnet.alb[(count.index)].id
route_table_id = aws_route_table.internet_gateway.id
}
resource "aws_route_table_association" "proxy" {
count = var.num_proxy_nodes
subnet_id = aws_subnet.proxy[(count.index)].id
route_table_id = aws_route_table.nat_gateway.id
}
resource "aws_route_table_association" "agent" {
subnet_id = aws_subnet.agent.id
route_table_id = aws_route_table.internet_gateway.id
}
resource "aws_route_table_association" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
subnet_id = aws_subnet.cpx[0].id
route_table_id = aws_route_table.nat_gateway.id
}
resource "aws_route_table_association" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
subnet_id = aws_subnet.windows[0].id
route_table_id = aws_route_table.internet_gateway.id
}

147
aws/multi_region/agents/security_group.tf
View file

@ -1,30 +1,129 @@
resource "aws_security_group" "kasm-agent-sg" {
name = "${var.project_name}-${var.zone_name}-kasm-agent-access"
resource "aws_security_group" "public_lb" {
name = "${var.project_name}-kasm-allow-public-lb-access"
description = "Security Group for ELB"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-public-lb-access"
}
}
resource "aws_security_group_rule" "public_lb" {
for_each = var.public_lb_security_rules
security_group_id = aws_security_group.public_lb.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = [var.anywhere]
}
resource "aws_security_group" "proxy" {
name = "${var.project_name}-kasm-proxy"
description = "Allow access to proxy"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-proxy-access"
}
}
resource "aws_security_group_rule" "proxy" {
for_each = local.proxy_security_rules
security_group_id = aws_security_group.proxy.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.key
}
resource "aws_security_group" "agent" {
name = "${var.project_name}-kasm-agent-access"
description = "Allow access to agents"
vpc_id = data.aws_vpc.data-kasm_agent_vpc.id
vpc_id = aws_vpc.this.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [var.anywhere]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-agent-access"
}
}
data "aws_security_group" "data-kasm_agent_sg" {
id = aws_security_group.kasm-agent-sg.id
resource "aws_security_group_rule" "agent" {
for_each = var.agent_security_rules
security_group_id = aws_security_group.agent.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.proxy.id
}
resource "aws_security_group" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
name = "${var.project_name}-kasm-cpx-access"
description = "Allow access to cpx RDP nodes"
tags = {
Name = "${var.project_name}-kasm-cpx-access"
}
}
resource "aws_security_group_rule" "cpx" {
for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {}
security_group_id = one(aws_security_group.cpx[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.proxy.id
}
resource "aws_security_group" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
name = "${var.project_name}-kasm-windows-access"
description = "Allow access to Windows servers"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-windows-access"
}
}
resource "aws_security_group_rule" "windows_cpx" {
for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {}
security_group_id = one(aws_security_group.windows[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = one(aws_security_group.cpx[*].id)
}
resource "aws_security_group_rule" "windows_webapp" {
for_each = var.num_cpx_nodes > 0 ? { for key, value in var.windows_security_rules : key => value if can(regex("(?i:api)", key)) } : {}
security_group_id = one(aws_security_group.windows[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = [var.management_region_nat_gateway]
}
resource "aws_security_group_rule" "egress" {
for_each = { for value in local.all_security_groups : value => var.default_egress }
security_group_id = each.key
type = each.value.rule_type
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = [var.anywhere]
}

64
aws/multi_region/agents/subnet.tf
View file

@ -1,19 +1,59 @@
locals {
kasm_agent_vpc_subnet_cidr_mask = split("/", var.agent_vpc_cidr)[1]
kasm_agent_subnet_cidr_calculation = (8 - (local.kasm_agent_vpc_subnet_cidr_mask - 16))
kasm_agent_subnet_cidr_size = local.kasm_agent_subnet_cidr_calculation < 0 ? 0 : local.kasm_agent_subnet_cidr_calculation
}
resource "aws_subnet" "kasm-agent-subnet" {
vpc_id = data.aws_vpc.data-kasm_agent_vpc.id
cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 0)
resource "aws_subnet" "alb" {
count = 2
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, count.index)
availability_zone = data.aws_availability_zones.available.names[0]
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-${var.zone_name}-kasm-agent-subnet"
Name = "${var.project_name}-${var.aws_region}-kasm-alb-subnet"
}
}
data "aws_subnet" "data-kasm_agent_subnet" {
id = aws_subnet.kasm-agent-subnet.id
resource "aws_subnet" "proxy" {
count = var.num_proxy_nodes
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, (count.index + 2))
availability_zone = data.aws_availability_zones.available.names[0]
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-proxy-subnet"
}
}
resource "aws_subnet" "agent" {
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 4)
availability_zone = data.aws_availability_zones.available.names[0]
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-agent-subnet"
}
}
resource "aws_subnet" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 5)
availability_zone = data.aws_availability_zones.available.names[0]
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-cpx-subnet"
}
}
resource "aws_subnet" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 6)
availability_zone = data.aws_availability_zones.available.names[0]
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-windows-subnet"
}
}

167
aws/multi_region/agents/variables.tf
View file

@ -33,18 +33,55 @@ variable "agent_hdd_size_gb" {
type = number
}
variable "num_cpx_nodes" {
description = "The number of cpx Role Servers to create in the deployment"
type = number
}
variable "cpx_instance_type" {
description = "The instance type for the cpx RDP nodes"
type = string
}
variable "cpx_hdd_size_gb" {
description = "The HDD size for Kasm Guac RDP nodes"
type = number
}
variable "aws_ssm_iam_role_name" {
description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access"
type = string
default = ""
}
variable "num_proxy_nodes" {
description = "The number of Dedicated Proxy nodes to create in the deployment"
type = number
default = 2
}
variable "proxy_instance_type" {
description = "The instance type for the dedicated proxy nodes"
type = number
}
variable "proxy_hdd_size_gb" {
description = "The HDD size for Dedicated Proxy nodes"
type = number
}
variable "aws_region" {
description = "The AWS region for the deployment. (e.g us-east-1)"
type = string
}
variable "kasm_build" {
description = "The URL for the Kasm Workspaces build"
variable "load_balancer_log_bucket" {
description = "S3 bucket name for load balancers to forward access logs to"
type = string
}
variable "zone_name" {
description = "A name given to the Kasm deployment Zone"
variable "kasm_build" {
description = "The URL for the Kasm Workspaces build"
type = string
}
@ -64,9 +101,15 @@ variable "manager_token" {
sensitive = true
}
variable "ssh_access_cidrs" {
description = "CIDR notation of the bastion host allowed to SSH in to the machines"
type = list(string)
variable "service_registration_token" {
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
}
variable "management_region_nat_gateway" {
description = "A list Kasm management region NAT gateways to allow Webapps ingress on 4902 to Kasm Windows agent"
type = string
}
variable "anywhere" {
@ -74,3 +117,113 @@ variable "anywhere" {
type = string
default = "0.0.0.0/0"
}
variable "public_lb_security_rules" {
description = "A map of objects of security rules to apply to the Public ALB"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
http = {
from_port = 80
to_port = 80
protocol = "tcp"
}
}
}
variable "proxy_security_rules" {
description = "A map of objects of security rules to apply to the Kasm WebApp server"
type = object({
from_port = number
to_port = number
protocol = string
})
default = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
variable "cpx_security_rules" {
description = "A map of objects of security rules to apply to the Kasm Connection Proxy server"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "agent_security_rules" {
description = "A map of objects of security rules to apply to the Kasm WebApp server"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "windows_security_rules" {
description = "A map of objects of security rules to apply to the Kasm Windows VMs"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
rdp = {
from_port = 3389
to_port = 3389
protocol = "tcp"
}
api = {
from_port = 4902
to_port = 4902
protocol = "tcp"
}
}
}
variable "default_egress" {
description = "Default egress security rule for all security groups"
type = object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
default = {
from_port = 0
to_port = 0
protocol = "-1"
cidr_subnets = ["0.0.0.0/0"]
}
}

29
aws/multi_region/agents/vpc.tf
View file

@ -1,23 +1,32 @@
resource "aws_vpc" "kasm-agent-vpc" {
resource "aws_vpc" "this" {
cidr_block = var.agent_vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "${var.project_name}-${var.zone_name}-kasm-vpc"
Name = "${var.project_name}-${var.aws_region}-kasm-vpc"
}
}
data "aws_vpc" "data-kasm_agent_vpc" {
id = aws_vpc.kasm-agent-vpc.id
}
resource "aws_internet_gateway" "this" {
vpc_id = aws_vpc.this.id
resource "aws_internet_gateway" "kasm-default-ig" {
vpc_id = data.aws_vpc.data-kasm_agent_vpc.id
tags = {
Name = "${var.project_name}-${var.zone_name}-kasm-ig"
Name = "${var.project_name}-${var.aws_region}-kasm-ig"
}
}
data "aws_internet_gateway" "data-kasm_agent_default_ig" {
internet_gateway_id = aws_internet_gateway.kasm-default-ig.id
resource "aws_eip" "this" {
domain = "vpc"
}
resource "aws_nat_gateway" "this" {
allocation_id = aws_eip.this.id
subnet_id = aws_subnet.alb[0].id
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-nat"
}
depends_on = [aws_internet_gateway.this]
}

104
aws/multi_region/deployment.tf
View file

@ -11,6 +11,7 @@ module "primary_region" {
ec2_ami = var.primary_region_ec2_ami_id
db_instance_type = var.db_instance_type
num_webapps = var.num_webapps
num_cpx_nodes = var.num_cpx_nodes
project_name = var.project_name
kasm_build = var.kasm_build
db_hdd_size_gb = var.db_hdd_size_gb
@ -23,39 +24,43 @@ module "primary_region" {
service_registration_token = var.service_registration_token
aws_key_pair = var.aws_key_pair
aws_domain_name = var.aws_domain_name
ssh_access_cidrs = var.ssh_access_cidrs
web_access_cidrs = var.web_access_cidrs
}
module "primary_region-webapps-and-agents" {
module "primary_region_webapps_and_agents" {
source = "./webapps"
faux_aws_region = var.aws_primary_region
zone_name = var.aws_primary_region
primary_aws_region = var.aws_primary_region
load_balancer_subnet_ids = module.primary_region.lb_subnet_ids
num_webapps = var.num_webapps
num_agents = var.num_agents
num_cpx_nodes = var.num_cpx_nodes
ec2_ami = var.primary_region_ec2_ami_id
swap_size = var.swap_size
webapp_subnet_ids = module.primary_region.webapp_subnet_ids
webapp_security_group_id = module.primary_region.webapp_security_group_id
agent_subnet_id = module.primary_region.agent_subnet_id
agent_security_group_id = module.primary_region.agent_security_group_id
cpx_security_group_id = module.primary_region.cpx_security_group_id
load_balancer_security_group_id = module.primary_region.lb_security_group_id
webapp_instance_type = var.webapp_instance_type
webapp_hdd_size_gb = var.webapp_hdd_size_gb
agent_instance_type = var.agent_instance_type
agent_hdd_size_gb = var.agent_hdd_size_gb
cpx_instance_type = var.cpx_instance_type
cpx_hdd_size_gb = var.cpx_hdd_size_gb
aws_domain_name = var.aws_domain_name
project_name = var.project_name
kasm_build = var.kasm_build
database_password = var.database_password
redis_password = var.redis_password
manager_token = var.manager_token
service_registration_token = var.service_registration_token
aws_key_pair = var.aws_key_pair
kasm_db_ip = module.primary_region.kasm_db_ip
primary_vpc_id = module.primary_region.primary_vpc_id
certificate_arn = module.primary_region.certificate_arn
ssh_access_cidrs = var.ssh_access_cidrs
load_balancer_log_bucket = module.primary_region.lb_log_bucket
}
@ -64,11 +69,12 @@ module "primary_region-webapps-and-agents" {
# Add a webapp and agent module for each additional region desired.
#
#####################################################################
module "region2-webapps" {
module "region2_webapps" {
source = "./webapps"
faux_aws_region = var.secondary_regions_settings.region2.agent_region
zone_name = var.secondary_regions_settings.region2.agent_region
primary_aws_region = var.aws_primary_region
load_balancer_subnet_ids = module.primary_region.lb_subnet_ids
num_webapps = var.num_webapps
webapp_instance_type = var.webapp_instance_type
webapp_hdd_size_gb = var.webapp_hdd_size_gb
@ -87,26 +93,31 @@ module "region2-webapps" {
kasm_db_ip = module.primary_region.kasm_db_ip
primary_vpc_id = module.primary_region.primary_vpc_id
certificate_arn = module.primary_region.certificate_arn
ssh_access_cidrs = var.ssh_access_cidrs
load_balancer_log_bucket = module.primary_region.lb_log_bucket
}
module "region2-agents" {
source = "./agents"
aws_region = var.secondary_regions_settings.region2.agent_region
zone_name = var.secondary_regions_settings.region2.agent_region
num_agents = var.secondary_regions_settings.region2.num_agents
agent_instance_type = var.secondary_regions_settings.region2.agent_instance_type
ec2_ami = var.secondary_regions_settings.region2.agent_ec2_ami_id
agent_vpc_cidr = var.secondary_regions_settings.region2.agent_vpc_cidr
agent_hdd_size_gb = var.secondary_regions_settings.region2.agent_hdd_size_gb
swap_size = var.swap_size
aws_domain_name = var.aws_domain_name
project_name = var.project_name
kasm_build = var.kasm_build
manager_token = var.manager_token
aws_key_pair = var.aws_key_pair
ssh_access_cidrs = var.ssh_access_cidrs
module "region2_agents" {
source = "./agents"
aws_region = var.secondary_regions_settings.region2.agent_region
ec2_ami = var.secondary_regions_settings.region2.ec2_ami_id
agent_vpc_cidr = var.secondary_regions_settings.region2.agent_vpc_cidr
load_balancer_log_bucket = module.primary_region.lb_log_bucket
management_region_nat_gateway = module.primary_region.nat_gateway_ip
proxy_instance_type = var.proxy_instance_type
proxy_hdd_size_gb = var.proxy_hdd_size_gb
num_agents = var.num_agents
agent_instance_type = var.agent_instance_type
agent_hdd_size_gb = var.agent_hdd_size_gb
num_cpx_nodes = var.num_cpx_nodes
cpx_instance_type = var.cpx_instance_type
cpx_hdd_size_gb = var.cpx_hdd_size_gb
swap_size = var.swap_size
aws_domain_name = var.aws_domain_name
project_name = var.project_name
kasm_build = var.kasm_build
aws_key_pair = var.aws_key_pair
manager_token = var.manager_token
service_registration_token = var.service_registration_token
providers = {
aws = aws.region2
@ -120,13 +131,11 @@ module "region2-agents" {
# file for your desired region.
#
#########################################################################
# module "region3-webapps" {
# module "region3_webapps" {
# source = "./webapps"
# ##### Update the values below to reference the appropriate region number
# faux_aws_region = var.secondary_regions_settings.region3.agent_region
# zone_name = var.secondary_regions_settings.region3.agent_region
#
# ##### The values below should not change
# load_balancer_subnet_ids = module.primary_region.lb_subnet_ids
# primary_aws_region = var.aws_primary_region
# num_webapps = var.num_webapps
# webapp_instance_type = var.webapp_instance_type
@ -146,31 +155,32 @@ module "region2-agents" {
# kasm_db_ip = module.primary_region.kasm_db_ip
# primary_vpc_id = module.primary_region.primary_vpc_id
# certificate_arn = module.primary_region.certificate_arn
# ssh_access_cidrs = var.ssh_access_cidrs
# load_balancer_log_bucket = module.primary_region.lb_log_bucket
# }
# module "region3-agents" {
# source = "./agents"
# ##### Update the values below to reference the appropriate region number
# aws_region = var.secondary_regions_settings.region3.agent_region
# zone_name = var.secondary_regions_settings.region3.agent_region
# num_agents = var.secondary_regions_settings.region3.num_agents
# agent_instance_type = var.secondary_regions_settings.region3.agent_instance_type
# ec2_ami = var.secondary_regions_settings.region3.agent_ec2_ami_id
# agent_vpc_cidr = var.secondary_regions_settings.region3.agent_vpc_cidr
# agent_hdd_size_gb = var.secondary_regions_settings.region3.agent_hdd_size_gb
# swap_size = var.swap_size
#
# ##### The values below should not change
# aws_domain_name = var.aws_domain_name
# project_name = var.project_name
# kasm_build = var.kasm_build
# manager_token = var.manager_token
# aws_key_pair = var.aws_key_pair
# ssh_access_cidrs = var.ssh_access_cidrs
#
# ##### Update the provider to reference the settings in the provder.tf file
# module "region3_agents" {
# source = "./agents"
# aws_region = var.secondary_regions_settings.region3.agent_region
# ec2_ami = var.secondary_regions_settings.region3.ec2_ami_id
# agent_vpc_cidr = var.secondary_regions_settings.region3.agent_vpc_cidr
# load_balancer_log_bucket = module.primary_region.lb_log_bucket
# management_region_nat_gateway = module.primary_region.nat_gateway_ip
# proxy_instance_type = var.proxy_instance_type
# proxy_hdd_size_gb = var.proxy_hdd_size_gb
# num_agents = var.num_agents
# agent_instance_type = var.agent_instance_type
# agent_hdd_size_gb = var.agent_hdd_size_gb
# num_cpx_nodes = var.num_cpx_nodes
# cpx_instance_type = var.cpx_instance_type
# cpx_hdd_size_gb = var.cpx_hdd_size_gb
# swap_size = var.swap_size
# aws_domain_name = var.aws_domain_name
# project_name = var.project_name
# kasm_build = var.kasm_build
# aws_key_pair = var.aws_key_pair
# manager_token = var.manager_token
# service_registration_token = var.service_registration_token
# providers = {
# aws = aws.region3
# }

126
aws/multi_region/primary/README.md Normal file
View file

@ -0,0 +1,126 @@
# primary
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_instance.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
| [aws_route53_record.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route_table.internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table_association.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_security_group.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_agent_security_rules"></a> [agent\_security\_rules](#input\_agent\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_anywhere"></a> [anywhere](#input\_anywhere) | Anywhere subnet for routing and load ingress from all IPs | `string` | `"0.0.0.0/0"` | no |
| <a name="input_aws_domain_name"></a> [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_aws_key_pair"></a> [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes |
| <a name="input_aws_ssm_iam_role_name"></a> [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no |
| <a name="input_cpx_security_rules"></a> [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_db_hdd_size_gb"></a> [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes |
| <a name="input_db_instance_type"></a> [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes |
| <a name="input_db_security_rules"></a> [db\_security\_rules](#input\_db\_security\_rules) | A map of objects of security rules to apply to the Kasm DB | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "postgres": {<br> "from_port": 5432,<br> "protocol": "tcp",<br> "to_port": 5432<br> },<br> "redis": {<br> "from_port": 6379,<br> "protocol": "tcp",<br> "to_port": 6379<br> }<br>}</pre> | no |
| <a name="input_default_egress"></a> [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> cidr_subnets = list(string)<br> })</pre> | <pre>{<br> "cidr_subnets": [<br> "0.0.0.0/0"<br> ],<br> "from_port": 0,<br> "protocol": "-1",<br> "to_port": 0<br>}</pre> | no |
| <a name="input_ec2_ami"></a> [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS. | `string` | n/a | yes |
| <a name="input_kasm_build"></a> [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_public_lb_security_rules"></a> [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "http": {<br> "from_port": 80,<br> "protocol": "tcp",<br> "to_port": 80<br> },<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vpc_subnet_cidr"></a> [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the Primary VPC | `string` | n/a | yes |
| <a name="input_web_access_cidrs"></a> [web\_access\_cidrs](#input\_web\_access\_cidrs) | List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface | `list(string)` | n/a | yes |
| <a name="input_webapp_security_rules"></a> [webapp\_security\_rules](#input\_webapp\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> })</pre> | <pre>{<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br>}</pre> | no |
| <a name="input_windows_security_rules"></a> [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "cpx_rdp": {<br> "from_port": 3389,<br> "protocol": "tcp",<br> "to_port": 3389<br> },<br> "cpx_screenshot": {<br> "from_port": 4902,<br> "protocol": "tcp",<br> "to_port": 4902<br> },<br> "webapp_screenshot": {<br> "from_port": 4902,<br> "protocol": "tcp",<br> "to_port": 4902<br> }<br>}</pre> | no |
| <a name="input_zone_name"></a> [zone\_name](#input\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no |
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_agent_security_group_id"></a> [agent\_security\_group\_id](#output\_agent\_security\_group\_id) | Kasm Agent Primary region security group ID |
| <a name="output_agent_subnet_id"></a> [agent\_subnet\_id](#output\_agent\_subnet\_id) | Kasm Agent Primary region subnet ID |
| <a name="output_certificate_arn"></a> [certificate\_arn](#output\_certificate\_arn) | AWS Certificate manager certificate ARN |
| <a name="output_cpx_security_group_id"></a> [cpx\_security\_group\_id](#output\_cpx\_security\_group\_id) | Kasm Connection Proxy Primary region security group ID |
| <a name="output_cpx_subnet_id"></a> [cpx\_subnet\_id](#output\_cpx\_subnet\_id) | Kasm cpx RDP Primary region subnet ID |
| <a name="output_kasm_db_ip"></a> [kasm\_db\_ip](#output\_kasm\_db\_ip) | Kasm Database server subnet ID |
| <a name="output_lb_log_bucket"></a> [lb\_log\_bucket](#output\_lb\_log\_bucket) | Load balancer logging bucket name |
| <a name="output_lb_security_group_id"></a> [lb\_security\_group\_id](#output\_lb\_security\_group\_id) | Kasm Load balancer security group ID |
| <a name="output_lb_subnet_ids"></a> [lb\_subnet\_ids](#output\_lb\_subnet\_ids) | A list of the Public LB subnet IDs |
| <a name="output_nat_gateway_ip"></a> [nat\_gateway\_ip](#output\_nat\_gateway\_ip) | The NAT Gateway IP returned in CIDR notation for use with Windows security group rules |
| <a name="output_primary_vpc_id"></a> [primary\_vpc\_id](#output\_primary\_vpc\_id) | Kasm VPC ID |
| <a name="output_ssm_iam_profile"></a> [ssm\_iam\_profile](#output\_ssm\_iam\_profile) | The SSM IAM Instance Profile name |
| <a name="output_webapp_security_group_id"></a> [webapp\_security\_group\_id](#output\_webapp\_security\_group\_id) | Kasm Webapp security group ID |
| <a name="output_webapp_subnet_ids"></a> [webapp\_subnet\_ids](#output\_webapp\_subnet\_ids) | A list of the Kasm Webapp subnet IDs |
| <a name="output_windows_security_group_id"></a> [windows\_security\_group\_id](#output\_windows\_security\_group\_id) | Kasm Windows Primary region security group ID |
| <a name="output_windows_subnet_id"></a> [windows\_subnet\_id](#output\_windows\_subnet\_id) | Kasm Windows Primary region subnet ID |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

3
aws/multi_region/primary/availability_zones.tf
View file

@ -1,3 +0,0 @@
data "aws_availability_zones" "available" {
state = "available"
}

19
aws/multi_region/primary/cert.tf
View file

@ -1,9 +1,4 @@
data "aws_route53_zone" "kasm-route53-zone" {
name = var.aws_domain_name
private_zone = false
}
resource "aws_acm_certificate" "kasm-alb-cert" {
resource "aws_acm_certificate" "this" {
domain_name = var.aws_domain_name
subject_alternative_names = ["*.${var.aws_domain_name}"]
validation_method = "DNS"
@ -14,9 +9,9 @@ resource "aws_acm_certificate" "kasm-alb-cert" {
}
}
resource "aws_route53_record" "kasm-route53-cert-validation-record" {
resource "aws_route53_record" "certificate" {
for_each = {
for dvo in aws_acm_certificate.kasm-alb-cert.domain_validation_options : dvo.domain_name => {
for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
@ -25,14 +20,14 @@ resource "aws_route53_record" "kasm-route53-cert-validation-record" {
name = each.value.name
type = each.value.type
records = [each.value.record]
zone_id = data.aws_route53_zone.kasm-route53-zone.id
zone_id = data.aws_route53_zone.this.id
ttl = 30
allow_overwrite = true
}
resource "aws_acm_certificate_validation" "kasm-elb-certificate-validation" {
certificate_arn = aws_acm_certificate.kasm-alb-cert.arn
validation_record_fqdns = [for record in aws_route53_record.kasm-route53-cert-validation-record : record.fqdn]
resource "aws_acm_certificate_validation" "this" {
certificate_arn = aws_acm_certificate.this.arn
validation_record_fqdns = [for record in aws_route53_record.certificate : record.fqdn]
}

26
aws/multi_region/primary/db.tf
View file

@ -1,9 +1,10 @@
resource "aws_instance" "kasm-db" {
resource "aws_instance" "db" {
ami = var.ec2_ami
instance_type = var.db_instance_type
vpc_security_group_ids = [data.aws_security_group.data-kasm_db_sg.id]
subnet_id = data.aws_subnet.data-kasm_db_subnet.id
vpc_security_group_ids = [aws_security_group.db.id]
subnet_id = aws_subnet.db.id
key_name = var.aws_key_pair
iam_instance_profile = var.aws_ssm_iam_role_name == "" ? aws_iam_instance_profile.this[0].name : var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.db_hdd_size_gb
@ -11,13 +12,14 @@ resource "aws_instance" "kasm-db" {
user_data = templatefile("${path.module}/../userdata/db_bootstrap.sh",
{
kasm_build_url = var.kasm_build
user_password = var.user_password
admin_password = var.admin_password
redis_password = var.redis_password
database_password = var.database_password
manager_token = var.manager_token
swap_size = var.swap_size
kasm_build_url = var.kasm_build
user_password = var.user_password
admin_password = var.admin_password
redis_password = var.redis_password
database_password = var.database_password
manager_token = var.manager_token
service_registration_token = var.service_registration_token
swap_size = var.swap_size
}
)
@ -25,7 +27,3 @@ resource "aws_instance" "kasm-db" {
Name = "${var.project_name}-kasm-db"
}
}
data "aws_instance" "data-kasm_db" {
instance_id = aws_instance.kasm-db.id
}

23
aws/multi_region/primary/dependencies.tf Normal file
View file

@ -0,0 +1,23 @@
locals {
all_security_groups = compact([
aws_security_group.public_lb.id,
aws_security_group.webapp.id,
aws_security_group.agent.id,
aws_security_group.db.id,
one(aws_security_group.cpx[*].id),
one(aws_security_group.windows[*].id)
])
webapp_security_rules = { for value in local.all_security_groups : value => var.webapp_security_rules if value != aws_security_group.db.id || value != aws_security_group.webapp.id }
}
data "aws_availability_zones" "available" {
state = "available"
}
data "aws_elb_service_account" "main" {}
data "aws_route53_zone" "this" {
name = var.aws_domain_name
private_zone = false
}

26
aws/multi_region/primary/lb_s3_log_bucket.tf
View file

@ -1,21 +1,15 @@
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket" "kasm_s3_logs" {
resource "aws_s3_bucket" "this" {
bucket_prefix = "${var.project_name}-${var.zone_name}-"
force_destroy = true
}
data "aws_s3_bucket" "data-kasm_s3_logs_bucket" {
bucket = aws_s3_bucket.kasm_s3_logs.bucket
}
resource "aws_s3_bucket_acl" "kasm_s3_acl" {
bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id
resource "aws_s3_bucket_acl" "this" {
bucket = aws_s3_bucket.this.id
acl = "private"
}
resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" {
bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id
resource "aws_s3_bucket_policy" "this" {
bucket = aws_s3_bucket.this.id
policy = jsonencode({
Id = "Policy"
@ -26,7 +20,7 @@ resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" {
"s3:PutObject"
]
Effect = "Allow"
Resource = "${aws_s3_bucket.kasm_s3_logs.arn}/AWSLogs/*"
Resource = "${aws_s3_bucket.this.arn}/AWSLogs/*"
Principal = {
AWS = [
data.aws_elb_service_account.main.arn
@ -37,8 +31,8 @@ resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" {
})
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_elb_bucket" {
bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
bucket = aws_s3_bucket.this.id
rule {
apply_server_side_encryption_by_default {
@ -47,8 +41,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_elb_bucke
}
}
resource "aws_s3_bucket_public_access_block" "s3_log_public_access" {
bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id
resource "aws_s3_bucket_public_access_block" "this" {
bucket = aws_s3_bucket.this.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true

62
aws/multi_region/primary/output.tf
View file

@ -1,35 +1,79 @@
output "certificate_arn" {
value = aws_acm_certificate_validation.kasm-elb-certificate-validation.certificate_arn
description = "AWS Certificate manager certificate ARN"
value = aws_acm_certificate_validation.this.certificate_arn
}
output "lb_subnet_ids" {
description = "A list of the Public LB subnet IDs"
value = aws_subnet.alb[*].id
}
output "webapp_subnet_ids" {
value = data.aws_subnet.data-kasm_webapp_subnets[*].id
description = "A list of the Kasm Webapp subnet IDs"
value = aws_subnet.webapp[*].id
}
output "agent_subnet_id" {
value = data.aws_subnet.data-kasm_agent_subnet.id
description = "Kasm Agent Primary region subnet ID"
value = aws_subnet.agent.id
}
output "cpx_subnet_id" {
description = "Kasm cpx RDP Primary region subnet ID"
value = one(aws_subnet.cpx[*].id)
}
output "windows_subnet_id" {
description = "Kasm Windows Primary region subnet ID"
value = one(aws_subnet.windows[*].id)
}
output "kasm_db_ip" {
value = data.aws_instance.data-kasm_db.private_ip
description = "Kasm Database server subnet ID"
value = aws_instance.db.private_ip
}
output "primary_vpc_id" {
value = data.aws_vpc.data-kasm-default-vpc.id
description = "Kasm VPC ID"
value = aws_vpc.this.id
}
output "lb_log_bucket" {
value = data.aws_s3_bucket.data-kasm_s3_logs_bucket.bucket
description = "Load balancer logging bucket name"
value = aws_s3_bucket.this.bucket
}
output "lb_security_group_id" {
value = data.aws_security_group.data-kasm_default_elb_sg.id
description = "Kasm Load balancer security group ID"
value = aws_security_group.public_lb.id
}
output "webapp_security_group_id" {
value = data.aws_security_group.data-kasm_webapp_sg.id
description = "Kasm Webapp security group ID"
value = aws_security_group.webapp.id
}
output "agent_security_group_id" {
value = data.aws_security_group.data-kasm_agent_sg.id
description = "Kasm Agent Primary region security group ID"
value = aws_security_group.agent.id
}
output "cpx_security_group_id" {
description = "Kasm Connection Proxy Primary region security group ID"
value = one(aws_security_group.cpx[*].id)
}
output "windows_security_group_id" {
description = "Kasm Windows Primary region security group ID"
value = one(aws_security_group.windows[*].id)
}
output "ssm_iam_profile" {
description = "The SSM IAM Instance Profile name"
value = var.aws_ssm_iam_role_name == "" ? aws_iam_instance_profile.this[0].name : var.aws_ssm_iam_role_name
}
output "nat_gateway_ip" {
description = "The NAT Gateway IP returned in CIDR notation for use with Windows security group rules"
value = "${aws_nat_gateway.this.public_ip}/32"
}

6
aws/multi_region/primary/provider.tf
View file

@ -1,8 +1,10 @@
terraform {
required_version = "~> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
#version = "4.56.0"
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}

57
aws/multi_region/primary/routes.tf
View file

@ -1,9 +1,9 @@
resource "aws_route_table" "internet_access" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
resource "aws_route_table" "internet_gateway" {
vpc_id = aws_vpc.this.id
route {
cidr_block = var.anywhere
gateway_id = data.aws_internet_gateway.data-kasm_default_ig.id
gateway_id = aws_internet_gateway.this.id
}
tags = {
@ -11,22 +11,51 @@ resource "aws_route_table" "internet_access" {
}
}
data "aws_route_table" "data-internet_gateway_route_table" {
route_table_id = aws_route_table.internet_access.id
resource "aws_route_table" "nat_gateway" {
vpc_id = aws_vpc.this.id
route {
cidr_block = var.anywhere
gateway_id = aws_nat_gateway.this.id
}
tags = {
Name = "${var.project_name}-kasm-nat-gateway-route"
}
}
resource "aws_route_table_association" "webapp_route_association" {
resource "aws_route_table_association" "alb" {
count = 2
subnet_id = aws_subnet.alb[count.index].id
route_table_id = aws_route_table.internet_gateway.id
}
resource "aws_route_table_association" "webapp" {
count = var.num_webapps
subnet_id = data.aws_subnet.data-kasm_webapp_subnets[count.index].id
route_table_id = data.aws_route_table.data-internet_gateway_route_table.id
subnet_id = aws_subnet.webapp[count.index].id
route_table_id = aws_route_table.nat_gateway.id
}
resource "aws_route_table_association" "db_route_association" {
subnet_id = data.aws_subnet.data-kasm_db_subnet.id
route_table_id = data.aws_route_table.data-internet_gateway_route_table.id
resource "aws_route_table_association" "db" {
subnet_id = aws_subnet.db.id
route_table_id = aws_route_table.nat_gateway.id
}
resource "aws_route_table_association" "agent_table_association" {
subnet_id = data.aws_subnet.data-kasm_agent_subnet.id
route_table_id = data.aws_route_table.data-internet_gateway_route_table.id
resource "aws_route_table_association" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
subnet_id = one(aws_subnet.cpx[*].id)
route_table_id = aws_route_table.nat_gateway.id
}
resource "aws_route_table_association" "agent" {
subnet_id = aws_subnet.agent.id
route_table_id = aws_route_table.internet_gateway.id
}
resource "aws_route_table_association" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
subnet_id = one(aws_subnet.windows[*].id)
route_table_id = aws_route_table.internet_gateway.id
}

242
aws/multi_region/primary/security_group.tf
View file

@ -1,145 +1,139 @@
resource "aws_security_group" "kasm-default-elb-sg" {
name = "${var.project_name}-${var.zone_name}-kasm-allow-elb-access"
resource "aws_security_group" "public_lb" {
name = "${var.project_name}-kasm-allow-public-lb-access"
description = "Security Group for ELB"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = var.web_access_cidrs
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = var.web_access_cidrs
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
}
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-${var.zone_name}-kasm-allow-access"
Name = "${var.project_name}-kasm-public-lb-access"
}
}
data "aws_security_group" "data-kasm_default_elb_sg" {
id = aws_security_group.kasm-default-elb-sg.id
resource "aws_security_group_rule" "public_lb" {
for_each = var.public_lb_security_rules
security_group_id = aws_security_group.public_lb.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = var.web_access_cidrs
}
resource "aws_security_group" "kasm-db-sg" {
name = "${var.project_name}-kasm-allow-db-access"
description = "Allow access to db"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].id
}
ingress {
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].id
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
}
tags = {
Name = "${var.project_name}-kasm-allow-db-access"
}
}
data "aws_security_group" "data-kasm_db_sg" {
id = aws_security_group.kasm-db-sg.id
}
resource "aws_security_group" "kasm-webapp-sg" {
name = "${var.project_name}-${var.zone_name}-kasm-webapp-access"
resource "aws_security_group" "webapp" {
name = "${var.project_name}-kasm-webapp"
description = "Allow access to webapps"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
vpc_id = aws_vpc.this.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [data.aws_security_group.data-kasm_db_sg.id]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [data.aws_security_group.data-kasm_agent_sg.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-webapp-access"
}
}
data "aws_security_group" "data-kasm_webapp_sg" {
id = aws_security_group.kasm-webapp-sg.id
resource "aws_security_group_rule" "webapp" {
for_each = local.webapp_security_rules
security_group_id = aws_security_group.webapp.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.key
}
resource "aws_security_group" "kasm-agent-sg" {
name = "${var.project_name}-${var.zone_name}-kasm-agent-access"
resource "aws_security_group" "agent" {
name = "${var.project_name}-kasm-agent-access"
description = "Allow access to agents"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
vpc_id = aws_vpc.this.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [var.anywhere]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-agent-access"
}
}
data "aws_security_group" "data-kasm_agent_sg" {
id = aws_security_group.kasm-agent-sg.id
resource "aws_security_group_rule" "agent" {
for_each = var.agent_security_rules
security_group_id = aws_security_group.agent.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.webapp.id
}
resource "aws_security_group" "db" {
name = "${var.project_name}-kasm-db-access"
description = "Allow access to webapps"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-db-access"
}
}
resource "aws_security_group_rule" "db" {
for_each = var.db_security_rules
security_group_id = aws_security_group.db.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.webapp.id
}
resource "aws_security_group" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
name = "${var.project_name}-kasm-cpx-access"
description = "Allow access to cpx RDP nodes"
tags = {
Name = "${var.project_name}-kasm-cpx-access"
}
}
resource "aws_security_group_rule" "cpx" {
for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {}
security_group_id = one(aws_security_group.cpx[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.webapp.id
}
resource "aws_security_group" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
name = "${var.project_name}-kasm-windows-access"
description = "Allow access to Windows servers"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-windows-access"
}
}
resource "aws_security_group_rule" "windows" {
for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {}
security_group_id = one(aws_security_group.windows[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = can(regex("(?i:cpx)", each.key)) ? one(aws_security_group.cpx[*].id) : aws_security_group.webapp.id
}
resource "aws_security_group_rule" "egress" {
for_each = { for value in local.all_security_groups : value => var.default_egress }
security_group_id = each.key
type = each.value.rule_type
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = [var.anywhere]
}

29
aws/multi_region/primary/ssm.tf Normal file
View file

@ -0,0 +1,29 @@
resource "aws_iam_role" "this" {
count = var.aws_ssm_iam_role_name == "" ? 1 : 0
name = "Kasm_SSM_IAM_Instance_Role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy_attachment" "this" {
count = var.aws_ssm_iam_role_name == "" ? 1 : 0
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
role = aws_iam_role.this[0].name
}
resource "aws_iam_instance_profile" "this" {
count = var.aws_ssm_iam_role_name == "" ? 1 : 0
name = "Kasm_SSM_Instance_Profile"
role = aws_iam_role.this[0].name
}

86
aws/multi_region/primary/subnet.tf
View file

@ -1,51 +1,77 @@
locals {
kasm_vpc_subnet_cidr_mask = split("/", var.vpc_subnet_cidr)[1]
kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vpc_subnet_cidr_mask - 16))
kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 2 ? 2 : local.kasm_server_subnet_cidr_calculation
kasm_agent_subnet_id = (var.num_webapps + 1)
kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation
}
## Will create Agent subnet x.x.0.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22)
resource "aws_subnet" "kasm-db-subnet" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 0)
map_public_ip_on_launch = true
## Will create Agent subnet x.x.0.0/24 and x.x.1.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "alb" {
count = 2
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, count.index)
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "${var.project_name}-kasm-db-subnet"
Name = "${var.project_name}-kasm_alb_subnet"
}
}
data "aws_subnet" "data-kasm_db_subnet" {
id = aws_subnet.kasm-db-subnet.id
}
## Will create WebApp subnets x.x.2.0/24 and x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22 and 2 webapps)
resource "aws_subnet" "webapp" {
count = var.num_webapps
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 2))
availability_zone = data.aws_availability_zones.available.names[count.index]
## Will create WebApp subnets x.x.1.0/24 and x.x.2.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22 and 2 webapps)
resource "aws_subnet" "kasm-webapp-subnets" {
count = var.num_webapps
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 1))
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-kasm-webapp-subnet"
}
}
data "aws_subnet" "data-kasm_webapp_subnets" {
count = var.num_webapps
id = aws_subnet.kasm-webapp-subnets[count.index].id
}
## Will create DB subnet x.x.4.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22)
resource "aws_subnet" "db" {
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 4)
availability_zone = data.aws_availability_zones.available.names[0]
## Will create Agent subnet x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22)
resource "aws_subnet" "kasm-agent-subnet" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, local.kasm_agent_subnet_id)
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-agent-natgw-subnet"
Name = "${var.project_name}-kasm_db_subnet"
}
}
data "aws_subnet" "data-kasm_agent_subnet" {
id = aws_subnet.kasm-agent-subnet.id
## Will create Agent subnet x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22)
resource "aws_subnet" "agent" {
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 5)
availability_zone = data.aws_availability_zones.available.names[1]
tags = {
Name = "${var.project_name}-agent-subnet"
}
}
## Will create Agent subnet x.x.4.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22)
resource "aws_subnet" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 6)
availability_zone = data.aws_availability_zones.available.names[0]
tags = {
Name = "${var.project_name}-cpx-subnet"
}
}
## Will create Agent subnet x.x.5.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22)
resource "aws_subnet" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 7)
availability_zone = data.aws_availability_zones.available.names[1]
tags = {
Name = "${var.project_name}-windows-subnet"
}
}

158
aws/multi_region/primary/variables.tf
View file

@ -26,7 +26,6 @@ variable "db_hdd_size_gb" {
variable "db_instance_type" {
description = "The instance type for the Database"
type = string
default = "t3.small"
}
variable "swap_size" {
@ -70,7 +69,7 @@ variable "manager_token" {
}
variable "service_registration_token" {
description = "The guac token value for Guac RDP servers to authenticate to webapps. No special characters"
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
}
@ -87,15 +86,10 @@ variable "aws_key_pair" {
}
variable "ec2_ami" {
description = "The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS."
description = "The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS."
type = string
}
variable "ssh_access_cidrs" {
description = "CIDR notation of the bastion host allowed to SSH in to the machines"
type = list(string)
}
variable "web_access_cidrs" {
description = "List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface"
type = list(string)
@ -106,8 +100,156 @@ variable "num_webapps" {
type = number
}
variable "num_cpx_nodes" {
description = "The number of cpx RDP role servers to create in the deployment"
type = number
}
variable "aws_ssm_iam_role_name" {
description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access"
type = string
default = ""
}
variable "anywhere" {
description = "Anywhere subnet for routing and load ingress from all IPs"
type = string
default = "0.0.0.0/0"
}
variable "public_lb_security_rules" {
description = "A map of objects of security rules to apply to the Public ALB"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
http = {
from_port = 80
to_port = 80
protocol = "tcp"
}
}
}
variable "webapp_security_rules" {
description = "A map of objects of security rules to apply to the Kasm WebApp server"
type = object({
from_port = number
to_port = number
protocol = string
})
default = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
variable "db_security_rules" {
description = "A map of objects of security rules to apply to the Kasm DB"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
postgres = {
from_port = 5432
to_port = 5432
protocol = "tcp"
}
redis = {
from_port = 6379
to_port = 6379
protocol = "tcp"
}
}
}
variable "cpx_security_rules" {
description = "A map of objects of security rules to apply to the Kasm Connection Proxy server"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "agent_security_rules" {
description = "A map of objects of security rules to apply to the Kasm WebApp server"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "windows_security_rules" {
description = "A map of objects of security rules to apply to the Kasm Windows VMs"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
cpx_rdp = {
from_port = 3389
to_port = 3389
protocol = "tcp"
}
cpx_screenshot = {
from_port = 4902
to_port = 4902
protocol = "tcp"
}
webapp_screenshot = {
from_port = 4902
to_port = 4902
protocol = "tcp"
}
}
}
variable "default_egress" {
description = "Default egress security rule for all security groups"
type = object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
default = {
from_port = 0
to_port = 0
protocol = "-1"
cidr_subnets = ["0.0.0.0/0"]
}
}

25
aws/multi_region/primary/vpc.tf
View file

@ -1,4 +1,4 @@
resource "aws_vpc" "kasm-default-vpc" {
resource "aws_vpc" "this" {
cidr_block = var.vpc_subnet_cidr
enable_dns_hostnames = true
enable_dns_support = true
@ -7,17 +7,24 @@ resource "aws_vpc" "kasm-default-vpc" {
}
}
data "aws_vpc" "data-kasm-default-vpc" {
id = aws_vpc.kasm-default-vpc.id
}
resource "aws_internet_gateway" "kasm-default-ig" {
vpc_id = aws_vpc.kasm-default-vpc.id
resource "aws_internet_gateway" "this" {
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-ig"
}
}
data "aws_internet_gateway" "data-kasm_default_ig" {
internet_gateway_id = aws_internet_gateway.kasm-default-ig.id
resource "aws_eip" "this" {
domain = "vpc"
}
resource "aws_nat_gateway" "this" {
allocation_id = aws_eip.this.id
subnet_id = aws_subnet.alb[0].id
tags = {
Name = "${var.project_name}-${var.aws_region}-kasm-nat"
}
depends_on = [aws_internet_gateway.this]
}

8
aws/multi_region/provider.tf
View file

@ -1,8 +1,10 @@
terraform {
required_version = "~> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
#version = "4.56.0"
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
@ -31,7 +33,7 @@ provider "aws" {
##############################################################################
###
### Uncomment the below provider section if you want to deploy a 3rd region.
###
###
### Copy/paste the provider below to deploy additional regions, then refer
### to the README.md, the deployment.tf file, and the settings.tfvars file for
### code blocks to copy/paste/configure to deploy the new regions.

62
aws/multi_region/settings.tfvars → aws/multi_region/terraform.tfvars
View file

@ -1,37 +1,53 @@
aws_domain_name = "kasm.contoso.com"
project_name = "contoso"
## AWS Environment settings
aws_key_pair = ""
aws_primary_region = "us-east-1"
aws_primary_region = ""
aws_domain_name = "kasm.contoso.com"
primary_vpc_subnet_cidr = "10.0.0.0/16"
## Kasm deployment project
project_name = "contoso"
## Kasm passwords
database_password = "changeme"
redis_password = "changeme"
user_password = "changeme"
admin_password = "changeme"
manager_token = "changeme"
service_registration_token = "changeme"
kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"
ssh_access_cidrs = ["0.0.0.0/0"]
## Kasm download URL
kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz"
## VM Public Access subnets
web_access_cidrs = ["0.0.0.0/0"]
swap_size = 2048
primary_region_ec2_ami_id = "ami-09cd747c78a9add63"
## AWS SSM setup for console/SSH access to VMs behind NAT gateway
create_aws_ssm_iam_role = false
aws_ssm_iam_role_name = ""
## Number of each Kasm role to deploy
num_webapps = 2
num_agents = 2
num_cpx_nodes = 1
## Kasm Server settings
primary_region_ec2_ami_id = ""
webapp_instance_type = "t3.small"
db_instance_type = "t3.small"
agent_instance_type = "t3.medium"
webapp_hdd_size_gb = 40
db_hdd_size_gb = 40
agent_hdd_size_gb = 40
cpx_instance_type = "t3.small"
webapp_hdd_size_gb = 50
db_hdd_size_gb = 50
cpx_hdd_size_gb = 50
agent_hdd_size_gb = 150
swap_size = 2048
## Settings for all additional Agent regions
secondary_regions_settings = {
secondary_regions_settings = {
region2 = {
agent_region = "us-west-1"
agent_ec2_ami_id = "ami-0d221cb540e0015f4"
agent_instance_type = "t3.medium"
agent_hdd_size_gb = 120
num_agents = 2
agent_vpc_cidr = "10.1.0.0/16"
agent_region = ""
agent_vpc_cidr = "10.1.0.0/16"
ec2_ami_id = ""
}
#######################################################################
@ -41,15 +57,13 @@ secondary_regions_settings = {
### additional regions.
###
### Make sure to add a provider section for each additional region in
### the providers.tf file.
### the providers.tf file.
###
#######################################################################
# region3 = {
# agent_region = "eu-central-1"
# agent_ec2_ami_id = "ami-0e067cc8a2b58de59"
# agent_instance_type = "t3.medium"
# num_agents = 2
# agent_vpc_cidr = "10.2.0.0/16"
# agent_region = ""
# agent_vpc_cidr = "10.2.0.0/16"
# ec2_ami_id = ""
# }
}
@ -58,5 +72,5 @@ aws_default_tags = {
Deployed_by = "Terraform"
Deployment_type = "Multi-Region"
Service_name = "Kasm Workspaces"
Kasm_version = "1.12"
Kasm_version = "1.14"
}

29
aws/multi_region/userdata/cpx_bootstrap.sh Normal file
View file

@ -0,0 +1,29 @@
#!/bin/bash
set -ex
echo "Starting Kasm Workspaces Agent Install"
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size}
/sbin/mkswap /var/swap.1
chmod 600 /var/swap.1
/sbin/swapon /var/swap.1
echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`)
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz
echo "Waiting for Kasm WebApp availability..."
while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true)
do
echo "Waiting for API server..."
sleep 5
done
echo "WebApp is alive"
bash kasm_release/install.sh -S cpx -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token}
echo "Done"

8
aws/multi_region/userdata/db_bootstrap.sh
View file

@ -2,7 +2,7 @@
set -ex
echo "Starting Kasm Workspaces Install"
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size}
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}"
/sbin/mkswap /var/swap.1
chmod 600 /var/swap.1
/sbin/swapon /var/swap.1
@ -11,10 +11,8 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`)
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
wget "${kasm_build_url}" -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz
bash kasm_release/install.sh -S db -e -Q ${database_password} -R ${redis_password} -U ${user_password} -P ${admin_password} -M ${manager_token}
bash kasm_release/install.sh -S db -e -Q "${database_password}" -R "${redis_password}" -U "${user_password}" -P "${admin_password}" -M "${manager_token}" -k "${service_registration_token}"
echo "Done"

4
aws/standard/module/userdata/guac_bootstrap.sh → aws/multi_region/userdata/guac_bootstrap.sh
View file

@ -2,7 +2,7 @@
set -ex
echo "Starting Kasm Workspaces Agent Install"
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size}
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}"
/sbin/mkswap /var/swap.1
chmod 600 /var/swap.1
/sbin/swapon /var/swap.1
@ -24,6 +24,6 @@ do
done
echo "WebApp is alive"
bash kasm_release/install.sh -S guac -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token}
bash kasm_release/install.sh -S cpx -e -p "${PRIVATE_IP}" -n "${manager_address}" -k "${service_registration_token}"
echo "Done"

27
aws/multi_region/userdata/proxy_bootstrap.sh Normal file
View file

@ -0,0 +1,27 @@
#!/bin/bash
set -ex
echo "Starting Kasm Workspaces Agent Install"
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size}
/sbin/mkswap /var/swap.1
chmod 600 /var/swap.1
/sbin/swapon /var/swap.1
echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz
echo "Waiting for Kasm WebApp availability..."
while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true)
do
echo "Waiting for API server..."
sleep 5
done
echo "WebApp is alive"
bash kasm_release/install.sh -S proxy -e -H -p ${proxy_alb_address} -n ${manager_address}
echo "Done"

2
aws/multi_region/userdata/webapp_bootstrap.sh
View file

@ -11,8 +11,6 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`)
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz

112
aws/multi_region/variables.tf
View file

@ -30,6 +30,28 @@ variable "aws_key_pair" {
}
}
variable "create_aws_ssm_iam_role" {
description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs."
type = bool
default = false
validation {
condition = can(tobool(var.create_aws_ssm_iam_role))
error_message = "The create_aws_ssm_iam_role is a boolean value and can only be either true or false."
}
}
variable "aws_ssm_iam_role_name" {
description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access"
type = string
default = ""
validation {
condition = can(regex("[a-zA-Z0-9+=,.@-]{1,64}", var.aws_ssm_iam_role_name))
error_message = "The aws_ssm_iam_role_name must be unique across the account and can only consisit of between 1 and 64 characters consisting of letters, numbers, underscores (_), plus (+), equals (=), comman (,), period (.), at symbol (@), or dash (-)."
}
}
variable "project_name" {
description = "The name of the deployment (e.g dev, staging). A short single word"
type = string
@ -83,10 +105,20 @@ variable "num_webapps" {
}
}
variable "num_cpx_nodes" {
description = "The number of Agent Role Servers to create in the deployment"
type = number
validation {
condition = var.num_cpx_nodes == 0 ? true : var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes
error_message = "If num_cpx_nodes is set to 0, this Terraform will not deploy the Connection Proxy node. Acceptable number of Kasm Agents range between 0-100."
}
}
variable "webapp_instance_type" {
description = "The instance type for the webapps"
type = string
default = "t3.small"
default = ""
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.webapp_instance_type))
@ -97,7 +129,6 @@ variable "webapp_instance_type" {
variable "db_instance_type" {
description = "The instance type for the Database"
type = string
default = "t3.small"
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.db_instance_type))
@ -108,7 +139,6 @@ variable "db_instance_type" {
variable "agent_instance_type" {
description = "The instance type for the Agents"
type = string
default = "t3.medium"
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.agent_instance_type))
@ -116,6 +146,27 @@ variable "agent_instance_type" {
}
}
variable "cpx_instance_type" {
description = "The instance type for the Guac RDP nodes"
type = string
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.cpx_instance_type))
error_message = "Check the cpx_instance_type variable and ensure it is a valid AWS Instance type (https://aws.amazon.com/ec2/instance-types/)."
}
}
variable "proxy_instance_type" {
description = "The instance type for the dedicated proxy node"
type = string
default = ""
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.proxy_instance_type))
error_message = "Check the proxy_instance_type variable and ensure it is a valid AWS Instance type (https://aws.amazon.com/ec2/instance-types/)."
}
}
variable "webapp_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm WebApp instances"
type = number
@ -146,10 +197,29 @@ variable "agent_hdd_size_gb" {
}
}
variable "cpx_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm Guac RDP instances"
type = number
validation {
condition = can(var.cpx_hdd_size_gb >= 40)
error_message = "Kasm Guac RDP nodes should have at least a 40 GB HDD to ensure enough space for Kasm services."
}
}
variable "proxy_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm dedicated proxy instances"
type = number
validation {
condition = can(var.proxy_hdd_size_gb >= 40)
error_message = "Kasm dedicated proxy nodes should have at least a 40 GB HDD to ensure enough space for Kasm services."
}
}
variable "primary_region_ec2_ami_id" {
description = "AMI Id of Kasm EC2 image in the primary region. Recommended AMI OS Version is Ubuntu 20.04 LTS."
type = string
default = "ami-09cd747c78a9add63"
validation {
condition = can(regex("^(ami-[a-f0-9]{17})", var.primary_region_ec2_ami_id))
@ -159,26 +229,23 @@ variable "primary_region_ec2_ami_id" {
variable "secondary_regions_settings" {
description = "Map of Kasm settings for secondary regions"
type = map(any)
type = map(object({
agent_region = string
agent_vpc_cidr = string
ec2_ami_id = string
})
)
validation {
condition = alltrue([for region in var.secondary_regions_settings : can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.agent_region))])
condition = alltrue([for region in var.secondary_regions_settings : can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.region))])
error_message = "Verify the regions in the secondary_regions_settings variable and ensure they are valid AWS regions in a valid format (e.g. us-east-1)."
}
validation {
condition = alltrue([for ami_id in var.secondary_regions_settings : can(regex("^(ami-[a-f0-9]{17})", ami_id.agent_ec2_ami_id))])
condition = alltrue([for ami_id in var.secondary_regions_settings : can(regex("^(ami-[a-f0-9]{17})", ami_id.ec2_ami_id))])
error_message = "Please verify that all of your Region's AMI IDs are in the correct format for AWS (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html)."
}
validation {
condition = alltrue([for instance_type in var.secondary_regions_settings : can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", instance_type.agent_instance_type))])
error_message = "Check the Instance types used in your secondary_regions_settings and ensure they are valid AWS Instance types (https://aws.amazon.com/ec2/instance-types/)."
}
validation {
condition = alltrue([for number_of_agents in var.secondary_regions_settings : number_of_agents.num_agents >= 0 && number_of_agents.num_agents <= 100 && floor(number_of_agents.num_agents) == number_of_agents.num_agents])
error_message = "Check the number of agents in the secondary_regions_settings variable. Acceptable number of Kasm Agents range between 0-100."
}
validation {
condition = alltrue([for subnet in var.secondary_regions_settings : can(cidrhost(subnet.agent_vpc_cidr, 0))])
condition = alltrue([for subnet in var.secondary_regions_settings : can(cidrhost(subnet.vpc_cidr, 0))])
error_message = "Verify the VPC subnet in your secondary_regions_settings. They must all be valid IPv4 CIDRs."
}
}
@ -259,6 +326,17 @@ variable "manager_token" {
}
}
variable "service_registration_token" {
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
validation {
condition = can(regex("^[a-zA-Z0-9]{12,30}$", var.service_registration_token))
error_message = "The Service Registration Token should be a string between 12 and 30 letters or numbers with no special characters."
}
}
variable "ssh_access_cidrs" {
description = "CIDR notation of the bastion host allowed to SSH in to the machines"
type = list(string)
@ -292,6 +370,6 @@ variable "aws_default_tags" {
type = map(any)
default = {
Service_name = "Kasm Workspaces"
Kasm_version = "1.12"
Kasm_version = "1.14"
}
}

84
aws/multi_region/webapps/README.md Normal file
View file

@ -0,0 +1,84 @@
# webapps
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_instance.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
| [aws_route53_health_check.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource |
| [aws_route53_record.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.latency](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_agent_hdd_size_gb"></a> [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Agent instances | `number` | `0` | no |
| <a name="input_agent_instance_type"></a> [agent\_instance\_type](#input\_agent\_instance\_type) | the instance type for the agents | `string` | `""` | no |
| <a name="input_agent_security_group_id"></a> [agent\_security\_group\_id](#input\_agent\_security\_group\_id) | Kasm Agent security group ID | `string` | `""` | no |
| <a name="input_agent_subnet_id"></a> [agent\_subnet\_id](#input\_agent\_subnet\_id) | Subnet ID created for agents | `string` | `""` | no |
| <a name="input_aws_domain_name"></a> [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_aws_key_pair"></a> [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes |
| <a name="input_aws_ssm_iam_role_name"></a> [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no |
| <a name="input_aws_to_kasm_zone_map"></a> [aws\_to\_kasm\_zone\_map](#input\_aws\_to\_kasm\_zone\_map) | AWS regions mapped to Kasm Deployment Zone names | `map(any)` | <pre>{<br> "af-south-1": "Africa-(Cape-Town)",<br> "ap-east-1": "China-(Hong-Kong)",<br> "ap-northeast-1": "Japan-(Tokyo)",<br> "ap-northeast-2": "S-Korea-(Seoul)",<br> "ap-northeast-3": "Japan-(Osaka)",<br> "ap-south-1": "India-(Mumbai)",<br> "ap-south-2": "India-(Hyderbad)",<br> "ap-southeast-1": "Singapore",<br> "ap-southeast-2": "Austrailia-(Sydney)",<br> "ap-southeast-3": "Indonesia-(Jakarta)",<br> "ap-southeast-4": "Austrailia-(Melbourne)",<br> "ca-central-1": "Canada-(Montreal)",<br> "eu-central-1": "Switzerland-(Zurich)",<br> "eu-north-1": "Sweden-(Stockholm)",<br> "eu-south-1": "Italy-(Milan)",<br> "eu-south-2": "Spain-(Aragon)",<br> "eu-west-1": "Ireland-(Dublin)",<br> "eu-west-2": "UK-(London)",<br> "eu-west-3": "France-(Paris)",<br> "me-central-1": "United-Arab-Emirates",<br> "me-south-1": "Manama-(Bahrain)",<br> "sa-east-1": "Brazil-(Sao-Paulo)",<br> "us-east-1": "USA-(Virginia)",<br> "us-east-2": "USA-(Ohio)",<br> "us-west-1": "USA-(California)",<br> "us-west-2": "USA-(Oregon)"<br>}</pre> | no |
| <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | The certificate ARN created in the primary region for use with all load balancers in the deployment. | `string` | n/a | yes |
| <a name="input_cpx_hdd_size_gb"></a> [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm CPX instances | `number` | `0` | no |
| <a name="input_cpx_instance_type"></a> [cpx\_instance\_type](#input\_cpx\_instance\_type) | the instance type for the CPX nodes | `string` | `""` | no |
| <a name="input_cpx_security_group_id"></a> [cpx\_security\_group\_id](#input\_cpx\_security\_group\_id) | CPX security group ID | `string` | `""` | no |
| <a name="input_cpx_subnet_id"></a> [cpx\_subnet\_id](#input\_cpx\_subnet\_id) | Subnet ID created for Kasm CPX nodes | `string` | `""` | no |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_ec2_ami"></a> [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes |
| <a name="input_faux_aws_region"></a> [faux\_aws\_region](#input\_faux\_aws\_region) | The AWS region this WebApp is supposed to represent even though it will be created in the primary region of the deployment. (e.g us-east-1) | `string` | n/a | yes |
| <a name="input_kasm_build"></a> [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_db_ip"></a> [kasm\_db\_ip](#input\_kasm\_db\_ip) | The IP/DNS name of the Kasm database | `string` | n/a | yes |
| <a name="input_load_balancer_log_bucket"></a> [load\_balancer\_log\_bucket](#input\_load\_balancer\_log\_bucket) | S3 bucket name for load balancers to forward access logs to | `string` | n/a | yes |
| <a name="input_load_balancer_security_group_id"></a> [load\_balancer\_security\_group\_id](#input\_load\_balancer\_security\_group\_id) | Security Group ID for the Primary region's load balancer | `string` | n/a | yes |
| <a name="input_load_balancer_subnet_ids"></a> [load\_balancer\_subnet\_ids](#input\_load\_balancer\_subnet\_ids) | ALB subnet IDs created to host webapps in the primary region | `list(string)` | n/a | yes |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The Manager Token used by Kasm Agents to authenticate. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `0` | no |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx Role Servers to create in the deployment | `number` | `0` | no |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_primary_aws_region"></a> [primary\_aws\_region](#input\_primary\_aws\_region) | The AWS region for primary region of the deployment. (e.g us-east-1) | `string` | n/a | yes |
| <a name="input_primary_vpc_id"></a> [primary\_vpc\_id](#input\_primary\_vpc\_id) | The VPC ID of the primary region | `string` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | `""` | no |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_webapp_hdd_size_gb"></a> [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm WebApp instances | `number` | n/a | yes |
| <a name="input_webapp_instance_type"></a> [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | n/a | yes |
| <a name="input_webapp_security_group_id"></a> [webapp\_security\_group\_id](#input\_webapp\_security\_group\_id) | WebApp security group ID | `string` | n/a | yes |
| <a name="input_webapp_subnet_ids"></a> [webapp\_subnet\_ids](#input\_webapp\_subnet\_ids) | WebApp subnet IDs created to host webapps in the primary region | `list(string)` | n/a | yes |
| <a name="input_zone_name"></a> [zone\_name](#input\_zone\_name) | A name given to the Kasm deployment Zone | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_kasm_zone_settings"></a> [kasm\_zone\_settings](#output\_kasm\_zone\_settings) | Upstream Auth and Proxy Address settings to apply to Kasm Zone configuration |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

17
aws/multi_region/webapps/agent.tf
View file

@ -1,10 +1,13 @@
resource "aws_instance" "kasm-agent" {
count = var.num_agents
ami = var.ec2_ami
instance_type = var.agent_instance_type
vpc_security_group_ids = [var.agent_security_group_id]
subnet_id = var.agent_subnet_id
key_name = var.aws_key_pair
resource "aws_instance" "agent" {
count = var.num_agents
ami = var.ec2_ami
instance_type = var.agent_instance_type
vpc_security_group_ids = [var.agent_security_group_id]
subnet_id = var.agent_subnet_id
key_name = var.aws_key_pair
associate_public_ip_address = true
iam_instance_profile = var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.agent_hdd_size_gb

3
aws/multi_region/webapps/availability_zones.tf
View file

@ -1,3 +0,0 @@
data "aws_availability_zones" "available" {
state = "available"
}

27
aws/multi_region/webapps/cpx.tf Normal file
View file

@ -0,0 +1,27 @@
resource "aws_instance" "cpx" {
count = var.num_cpx_nodes
ami = var.ec2_ami
instance_type = var.cpx_instance_type
vpc_security_group_ids = [var.cpx_security_group_id]
subnet_id = var.cpx_subnet_id
key_name = var.aws_key_pair
iam_instance_profile = var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.cpx_hdd_size_gb
}
user_data = templatefile("${path.module}/../userdata/cpx_bootstrap.sh",
{
kasm_build_url = var.kasm_build
swap_size = var.swap_size
manager_address = var.aws_domain_name
service_registration_token = var.service_registration_token
}
)
tags = {
Name = "${var.project_name}-${var.primary_aws_region}-kasm-cpx-${count.index}"
}
}

4
aws/multi_region/webapps/dependencies.tf Normal file
View file

@ -0,0 +1,4 @@
data "aws_route53_zone" "this" {
name = var.aws_domain_name
private_zone = false
}

79
aws/multi_region/webapps/elb.tf
View file

@ -1,14 +1,9 @@
data "aws_route53_zone" "kasm-route53-zone" {
name = var.aws_domain_name
private_zone = false
}
resource "aws_lb" "kasm-alb" {
resource "aws_lb" "this" {
name = "${var.project_name}-lb"
internal = false
load_balancer_type = "application"
security_groups = [var.load_balancer_security_group_id]
subnets = var.webapp_subnet_ids
subnets = var.load_balancer_subnet_ids
access_logs {
bucket = var.load_balancer_log_bucket
@ -16,41 +11,20 @@ resource "aws_lb" "kasm-alb" {
}
}
data "aws_lb" "data-kasm_alb" {
arn = aws_lb.kasm-alb.arn
}
resource "aws_lb_target_group" "kasm-target-group" {
name = "${var.project_name}-target-group"
port = 443
protocol = "HTTPS"
vpc_id = var.primary_vpc_id
health_check {
path = "/api/__healthcheck"
matcher = 200
protocol = "HTTPS"
}
}
data "aws_lb_target_group" "data-kasm_target_group" {
arn = aws_lb_target_group.kasm-target-group.arn
}
resource "aws_lb_listener" "kasm-alb-listener" {
load_balancer_arn = data.aws_lb.data-kasm_alb.arn
resource "aws_lb_listener" "https" {
load_balancer_arn = aws_lb.this.arn
port = "443"
protocol = "HTTPS"
certificate_arn = var.certificate_arn
default_action {
type = "forward"
target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn
target_group_arn = aws_lb_target_group.this.arn
}
}
resource "aws_lb_listener" "kasm_alb_listener_http" {
load_balancer_arn = data.aws_lb.data-kasm_alb.arn
resource "aws_lb_listener" "http" {
load_balancer_arn = aws_lb.this.arn
port = "80"
protocol = "HTTP"
@ -65,34 +39,47 @@ resource "aws_lb_listener" "kasm_alb_listener_http" {
}
}
resource "aws_lb_target_group_attachment" "kasm-target-group-attachment" {
count = var.num_webapps
target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn
target_id = data.aws_instance.data-kasm_web_apps[count.index].id
resource "aws_lb_target_group" "this" {
name = "${var.project_name}-target-group"
port = 443
protocol = "HTTPS"
vpc_id = var.primary_vpc_id
health_check {
path = "/api/__healthcheck"
matcher = 200
protocol = "HTTPS"
}
}
resource "aws_lb_target_group_attachment" "this" {
count = var.num_webapps
target_group_arn = aws_lb_target_group.this.arn
target_id = aws_instance.webapp[count.index].id
port = 443
}
resource "aws_route53_record" "kasm-route53-elb-record" {
zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id
resource "aws_route53_record" "alb" {
zone_id = data.aws_route53_zone.this.zone_id
name = "${var.zone_name}-lb.${var.aws_domain_name}"
type = "A"
alias {
name = data.aws_lb.data-kasm_alb.dns_name
zone_id = data.aws_lb.data-kasm_alb.zone_id
name = aws_lb.this.dns_name
zone_id = aws_lb.this.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "kasm-app-url" {
zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id
resource "aws_route53_record" "latency" {
zone_id = data.aws_route53_zone.this.zone_id
name = var.aws_domain_name
type = "A"
set_identifier = "${var.project_name}-${var.zone_name}-set-id"
alias {
name = data.aws_lb.data-kasm_alb.dns_name
zone_id = data.aws_lb.data-kasm_alb.zone_id
name = aws_lb.this.dns_name
zone_id = aws_lb.this.zone_id
evaluate_target_health = true
}
@ -101,7 +88,7 @@ resource "aws_route53_record" "kasm-app-url" {
}
}
resource "aws_route53_health_check" "kasm-elb-hc" {
resource "aws_route53_health_check" "this" {
fqdn = "${var.zone_name}-lb.${var.aws_domain_name}"
port = 443
type = "HTTPS"

8
aws/multi_region/webapps/outputs.tf Normal file
View file

@ -0,0 +1,8 @@
output "kasm_zone_settings" {
description = "Upstream Auth and Proxy Address settings to apply to Kasm Zone configuration"
value = <<ZONE
Kam Zone configuration for zone: ${var.faux_aws_region}
Upstream Auth address: ${var.aws_domain_name}
Proxy address: ${var.zone_name}-lb.${var.aws_domain_name}
ZONE
}

6
aws/multi_region/webapps/provider.tf
View file

@ -1,8 +1,10 @@
terraform {
required_version = "~> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
#version = "4.56.0"
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}

91
aws/multi_region/webapps/variables.tf
View file

@ -19,6 +19,12 @@ variable "agent_hdd_size_gb" {
default = 0
}
variable "cpx_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm CPX instances"
type = number
default = 0
}
variable "database_password" {
description = "The password for the database. No special characters"
type = string
@ -31,6 +37,13 @@ variable "redis_password" {
sensitive = true
}
variable "service_registration_token" {
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
default = ""
}
variable "manager_token" {
description = "The Manager Token used by Kasm Agents to authenticate. No special characters"
type = string
@ -45,13 +58,11 @@ variable "swap_size" {
variable "num_webapps" {
description = "The number of WebApp role servers to create in the deployment"
type = number
default = 2
}
variable "webapp_instance_type" {
description = "The instance type for the webapps"
type = string
default = "t3.small"
}
variable "webapp_security_group_id" {
@ -59,11 +70,28 @@ variable "webapp_security_group_id" {
type = string
}
variable "load_balancer_subnet_ids" {
description = "ALB subnet IDs created to host webapps in the primary region"
type = list(string)
}
variable "webapp_subnet_ids" {
description = "WebApp subnet IDs created to host webapps in the primary region"
type = list(string)
}
variable "cpx_instance_type" {
description = "the instance type for the CPX nodes"
type = string
default = ""
}
variable "cpx_subnet_id" {
description = "Subnet ID created for Kasm CPX nodes"
type = string
default = ""
}
variable "num_agents" {
description = "The number of Agent Role Servers to create in the deployment"
type = number
@ -73,7 +101,7 @@ variable "num_agents" {
variable "agent_instance_type" {
description = "the instance type for the agents"
type = string
default = "t3.medium"
default = ""
}
variable "agent_subnet_id" {
@ -98,6 +126,12 @@ variable "faux_aws_region" {
type = string
}
variable "num_cpx_nodes" {
description = "The number of cpx Role Servers to create in the deployment"
type = number
default = 0
}
variable "kasm_build" {
description = "The URL for the Kasm Workspaces build"
type = string
@ -128,11 +162,6 @@ variable "certificate_arn" {
type = string
}
variable "ssh_access_cidrs" {
description = "List of Networks in CIDR notation for IPs allowed to SSH in to the machines"
type = list(string)
}
variable "load_balancer_log_bucket" {
description = "S3 bucket name for load balancers to forward access logs to"
type = string
@ -143,7 +172,53 @@ variable "primary_vpc_id" {
type = string
}
variable "aws_ssm_iam_role_name" {
description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access"
type = string
default = ""
}
variable "load_balancer_security_group_id" {
description = "Security Group ID for the Primary region's load balancer"
type = string
}
variable "cpx_security_group_id" {
description = "CPX security group ID"
type = string
default = ""
}
variable "aws_to_kasm_zone_map" {
description = "AWS regions mapped to Kasm Deployment Zone names"
type = map(any)
default = {
us-east-1 = "USA-(Virginia)"
us-east-2 = "USA-(Ohio)"
us-west-1 = "USA-(California)"
us-west-2 = "USA-(Oregon)"
ap-south-1 = "India-(Mumbai)"
ap-northeast-3 = "Japan-(Osaka)"
ap-northeast-2 = "S-Korea-(Seoul)"
ap-southeast-1 = "Singapore"
ap-southeast-2 = "Austrailia-(Sydney)"
ap-northeast-1 = "Japan-(Tokyo)"
ca-central-1 = "Canada-(Montreal)"
eu-central-1 = "Germany-(Frankfurt)"
eu-west-1 = "Ireland-(Dublin)"
eu-west-2 = "UK-(London)"
eu-west-3 = "France-(Paris)"
eu-north-1 = "Sweden-(Stockholm)"
eu-south-1 = "Italy-(Milan)"
eu-south-2 = "Spain-(Aragon)"
eu-central-1 = "Switzerland-(Zurich)"
sa-east-1 = "Brazil-(Sao-Paulo)"
af-south-1 = "Africa-(Cape-Town)"
ap-east-1 = "China-(Hong-Kong)"
ap-south-2 = "India-(Hyderbad)"
ap-southeast-3 = "Indonesia-(Jakarta)"
ap-southeast-4 = "Austrailia-(Melbourne)"
me-south-1 = "Manama-(Bahrain)"
me-central-1 = "United-Arab-Emirates"
}
}

13
aws/multi_region/webapps/webapp.tf
View file

@ -1,10 +1,12 @@
resource "aws_instance" "kasm-web-app" {
count = var.num_webapps
resource "aws_instance" "webapp" {
count = var.num_webapps
ami = var.ec2_ami
instance_type = var.webapp_instance_type
vpc_security_group_ids = [var.webapp_security_group_id]
subnet_id = var.webapp_subnet_ids[count.index]
key_name = var.aws_key_pair
iam_instance_profile = var.aws_ssm_iam_role_name
root_block_device {
volume_size = var.webapp_hdd_size_gb
@ -17,7 +19,7 @@ resource "aws_instance" "kasm-web-app" {
database_password = var.database_password
redis_password = var.redis_password
swap_size = var.swap_size
zone_name = "default"
zone_name = var.aws_to_kasm_zone_map[(var.faux_aws_region)]
}
)
@ -25,8 +27,3 @@ resource "aws_instance" "kasm-web-app" {
Name = "${var.project_name}-${var.zone_name}-kasm-webapp"
}
}
data "aws_instance" "data-kasm_web_apps" {
count = var.num_webapps
instance_id = aws_instance.kasm-web-app[count.index].id
}

94
aws/standard/README.md
View file

@ -33,7 +33,7 @@ Create a user via the IAM console that will be used for the terraform deployment
3. Verify the configuration
terraform plan -var-file settings.tfvars -var-file secrets.tfvars
terraform plan -var-file secrets.tfvars
4. Deploy
@ -43,39 +43,71 @@ Create a user via the IAM console that will be used for the terraform deployment
6. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes)
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
# AWS Terraform Variable definitions
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
| Variable | Description | Variable type | Example |
|:--------:|-------------|---------------|---------|
| `aws_access_key` | The AWS access key used for deployment. | String | `"AKIAJSIE27KKMHXI3BJQ"` |
| `aws_secret_key` | The AWS secret key used for deployment. | String | `"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"` |
| `aws_region` | The AWS Region used for deployment. | String | `"us-east-1"` |
| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` |
| `aws_domain_name` | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https. | String | `"kasm.contoso.com"` |
| `kasm_zone_name` | A name given to the kasm deployment Zone. | String | `"default"` |
| `vpc_subnet_cidr` | The subnet CIDR to use for the VPC | String | `"10.0.0.0/16"` |
| `aws_key_pair` | The name of an aws keypair to use. | String | `"kasm_ssh_key"` |
| `ec2_ami` | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | String | `"ami-09cd747c78a9add63"` |
| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` |
| `webapp_instance_type` | The instance type for the webapps. | String | `"t3.small"` |
| `db_instance_type` | The instance type for the webapps. | String | `"t3.medium"` |
| `agent_instance_type` | The instance type for the webapps. | String | `"t3.medium"` |
| `guac_instance_type` | The instance type for the webapps. | String | `"t3.medium"` |
| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` |
| `num_agents` | The number of static Kasm Agents to create in this deploymenbt. Acceptable ranges from 0-100. | Number | `2` |
| `num_guac_rdp_nodes` | The number of Guacamole RDP access servers to create in this deployment. Acceptable ranges from 0-100. | Number | `1` |
| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` |
| `web_access_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` |
| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `service_registration_token` | The service registration token value used by Guac RDP servers to authenticate to the Kasm Webapps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `kasm_build` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` |
| `aws_default_tags` | A Map of all tags you wish to apply to all TF created resources in this deployment. | Map(Any) | <pre align=left>{<br/>&nbsp;&nbsp;Service_name = "Kasm Workspaces"<br/>&nbsp;&nbsp;Kasm_version = "1.12"<br/>}</pre> |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_standard"></a> [standard](#module\_standard) | ./module | n/a |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_agent_hdd_size_gb"></a> [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Agent instances | `number` | n/a | yes |
| <a name="input_agent_instance_type"></a> [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the Agents | `string` | n/a | yes |
| <a name="input_aws_access_key"></a> [aws\_access\_key](#input\_aws\_access\_key) | The AWS access key used for deployment | `string` | n/a | yes |
| <a name="input_aws_default_tags"></a> [aws\_default\_tags](#input\_aws\_default\_tags) | Default tags to apply to all AWS resources for this deployment | `map(any)` | `{}` | no |
| <a name="input_aws_domain_name"></a> [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_aws_key_pair"></a> [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS Region used for deployment | `string` | `"us-east-1"` | no |
| <a name="input_aws_secret_key"></a> [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key used for deployment | `string` | n/a | yes |
| <a name="input_aws_ssm_iam_role_name"></a> [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no |
| <a name="input_cpx_hdd_size_gb"></a> [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm cpx RDP instances | `number` | n/a | yes |
| <a name="input_cpx_instance_type"></a> [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpxamole RDP nodes | `string` | n/a | yes |
| <a name="input_create_aws_ssm_iam_role"></a> [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_db_hdd_size_gb"></a> [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes |
| <a name="input_db_instance_type"></a> [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes |
| <a name="input_ec2_ami_id"></a> [ec2\_ami\_id](#input\_ec2\_ami\_id) | The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS. | `string` | n/a | yes |
| <a name="input_kasm_build"></a> [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_zone_name"></a> [kasm\_zone\_name](#input\_kasm\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vpc_subnet_cidr"></a> [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no |
| <a name="input_web_access_cidrs"></a> [web\_access\_cidrs](#input\_web\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` | n/a | yes |
| <a name="input_webapp_hdd_size_gb"></a> [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm WebApp instances | `number` | n/a | yes |
| <a name="input_webapp_instance_type"></a> [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_kasm_zone_settings"></a> [kasm\_zone\_settings](#output\_kasm\_zone\_settings) | Upstream Auth settings to apply to Kasm Zone configuration |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
# Detailed Terraform Deployment Diagram

31
aws/standard/deployment.tf
View file

@ -1,23 +1,28 @@
module "standard" {
source = "./module"
aws_key_pair = var.aws_key_pair
aws_region = var.aws_region
aws_domain_name = var.aws_domain_name
project_name = var.project_name
num_agents = var.num_agents
num_webapps = var.num_webapps
num_guac_nodes = var.num_guac_nodes
vpc_subnet_cidr = var.vpc_subnet_cidr
source = "./module"
aws_key_pair = var.aws_key_pair
aws_region = var.aws_region
aws_domain_name = var.aws_domain_name
project_name = var.project_name
num_agents = var.num_agents
num_webapps = var.num_webapps
num_cpx_nodes = var.num_cpx_nodes
vpc_subnet_cidr = var.vpc_subnet_cidr
create_aws_ssm_iam_role = var.create_aws_ssm_iam_role
aws_ssm_iam_role_name = var.aws_ssm_iam_role_name
## Kasm Server settings
agent_instance_type = var.agent_instance_type
guac_instance_type = var.guac_instance_type
webapp_instance_type = var.webapp_instance_type
webapp_hdd_size_gb = var.webapp_hdd_size_gb
db_instance_type = var.db_instance_type
ec2_ami = var.ec2_ami
db_hdd_size_gb = var.db_hdd_size_gb
agent_instance_type = var.agent_instance_type
agent_hdd_size_gb = var.agent_hdd_size_gb
cpx_instance_type = var.cpx_instance_type
cpx_hdd_size_gb = var.cpx_hdd_size_gb
ec2_ami = var.ec2_ami_id
swap_size = var.swap_size
ssh_access_cidrs = var.ssh_access_cidrs
web_access_cidrs = var.web_access_cidrs
database_password = var.database_password
redis_password = var.redis_password

8
aws/standard/diagram/aws_multi_server.drawio
View file

@ -22,7 +22,7 @@
<mxCell id="91" value="Agent Security Group" style="fontStyle=0;verticalAlign=top;align=center;spacingTop=-2;fillColor=none;rounded=1;whiteSpace=wrap;html=1;strokeColor=#FF0000;strokeWidth=2;dashed=1;container=1;collapsible=0;expand=0;recursiveResize=0;labelBackgroundColor=none;fontSize=10;fontColor=#000000;arcSize=2;" parent="2" vertex="1">
<mxGeometry x="286.5" y="461" width="150" height="156" as="geometry"/>
</mxCell>
<mxCell id="134" value="Guac Security Group" style="fontStyle=0;verticalAlign=top;align=center;spacingTop=-2;fillColor=none;rounded=1;whiteSpace=wrap;html=1;strokeColor=#FF0000;strokeWidth=2;dashed=1;container=1;collapsible=0;expand=0;recursiveResize=0;labelBackgroundColor=none;fontSize=10;fontColor=#000000;arcSize=2;" parent="2" vertex="1">
<mxCell id="134" value="cpx Security Group" style="fontStyle=0;verticalAlign=top;align=center;spacingTop=-2;fillColor=none;rounded=1;whiteSpace=wrap;html=1;strokeColor=#FF0000;strokeWidth=2;dashed=1;container=1;collapsible=0;expand=0;recursiveResize=0;labelBackgroundColor=none;fontSize=10;fontColor=#000000;arcSize=2;" parent="2" vertex="1">
<mxGeometry x="284" y="641" width="150" height="156" as="geometry"/>
</mxCell>
<mxCell id="89" value="AZ 1a" style="sketch=0;outlineConnect=0;gradientColor=none;html=1;whiteSpace=wrap;fontSize=12;fontStyle=0;shape=mxgraph.aws4.group;grIcon=mxgraph.aws4.group_availability_zone;strokeColor=#545B64;fillColor=none;verticalAlign=top;align=left;spacingLeft=30;fontColor=#545B64;dashed=1;" parent="2" vertex="1">
@ -107,10 +107,10 @@
<mxCell id="138" style="edgeStyle=orthogonalEdgeStyle;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.75;entryY=1;entryDx=0;entryDy=0;labelBackgroundColor=default;strokeWidth=3;startArrow=none;startFill=0;endArrow=classic;endFill=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="2" source="127" target="108" edge="1">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
<mxCell id="127" value="Private LB&lt;br&gt;Agent/Guac Mgmt" style="outlineConnect=0;dashed=0;verticalLabelPosition=middle;verticalAlign=middle;align=left;html=1;shape=mxgraph.aws3.application_load_balancer;fillColor=#F58534;gradientColor=none;fontSize=10;labelPosition=right;" parent="2" vertex="1">
<mxCell id="127" value="Private LB&lt;br&gt;Agent/cpx Mgmt" style="outlineConnect=0;dashed=0;verticalLabelPosition=middle;verticalAlign=middle;align=left;html=1;shape=mxgraph.aws3.application_load_balancer;fillColor=#F58534;gradientColor=none;fontSize=10;labelPosition=right;" parent="2" vertex="1">
<mxGeometry x="503" y="401" width="40" height="40" as="geometry"/>
</mxCell>
<mxCell id="128" value="Guac Subnet&lt;br&gt;10.0.4.0/24" style="points=[[0,0],[0.25,0],[0.5,0],[0.75,0],[1,0],[1,0.25],[1,0.5],[1,0.75],[1,1],[0.75,1],[0.5,1],[0.25,1],[0,1],[0,0.75],[0,0.5],[0,0.25]];outlineConnect=0;gradientColor=none;html=1;whiteSpace=wrap;fontSize=12;fontStyle=0;container=1;pointerEvents=0;collapsible=0;recursiveResize=0;shape=mxgraph.aws4.group;grIcon=mxgraph.aws4.group_security_group;grStroke=0;strokeColor=#248814;fillColor=#E9F3E6;verticalAlign=top;align=left;spacingLeft=30;fontColor=#248814;dashed=0;" parent="2" vertex="1">
<mxCell id="128" value="cpx Subnet&lt;br&gt;10.0.4.0/24" style="points=[[0,0],[0.25,0],[0.5,0],[0.75,0],[1,0],[1,0.25],[1,0.5],[1,0.75],[1,1],[0.75,1],[0.5,1],[0.25,1],[0,1],[0,0.75],[0,0.5],[0,0.25]];outlineConnect=0;gradientColor=none;html=1;whiteSpace=wrap;fontSize=12;fontStyle=0;container=1;pointerEvents=0;collapsible=0;recursiveResize=0;shape=mxgraph.aws4.group;grIcon=mxgraph.aws4.group_security_group;grStroke=0;strokeColor=#248814;fillColor=#E9F3E6;verticalAlign=top;align=left;spacingLeft=30;fontColor=#248814;dashed=0;" parent="2" vertex="1">
<mxGeometry x="287.5" y="658" width="140" height="130" as="geometry"/>
</mxCell>
<mxCell id="129" value="" style="group" parent="128" vertex="1" connectable="0">
@ -125,7 +125,7 @@
<mxCell id="132" value="" style="sketch=0;points=[[0,0,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0,0],[0,1,0],[0.25,1,0],[0.5,1,0],[0.75,1,0],[1,1,0],[0,0.25,0],[0,0.5,0],[0,0.75,0],[1,0.25,0],[1,0.5,0],[1,0.75,0]];outlineConnect=0;fontColor=#232F3E;gradientColor=#F78E04;gradientDirection=north;fillColor=#D05C17;strokeColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.ec2;" parent="129" vertex="1">
<mxGeometry x="25" y="20" width="40" height="40" as="geometry"/>
</mxCell>
<mxCell id="133" value="Kasm Guac RDP" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=10;" parent="129" vertex="1">
<mxCell id="133" value="Kasm cpx RDP" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=10;" parent="129" vertex="1">
<mxGeometry y="60" width="70" height="30" as="geometry"/>
</mxCell>
<mxCell id="102" value="Load Balancer&lt;br style=&quot;font-size: 10px;&quot;&gt;Access Logs S3" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;fillColor=#3F8624;strokeColor=none;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=10;fontStyle=0;aspect=fixed;pointerEvents=1;shape=mxgraph.aws4.bucket;labelBackgroundColor=none;" parent="2" vertex="1">

135
aws/standard/module/README.md Normal file
View file

@ -0,0 +1,135 @@
# module
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_instance.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_instance.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
| [aws_lb.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_listener.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_target_group.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group_attachment.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
| [aws_lb_target_group_attachment.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
| [aws_route53_health_check.kasm-elb-hc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource |
| [aws_route53_record.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route_table.ig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table_association.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_security_group.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.private_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.private_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_agent_hdd_size_gb"></a> [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size for Kasm Agent nodes | `number` | n/a | yes |
| <a name="input_agent_instance_type"></a> [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the Agents | `string` | `"t3.medium"` | no |
| <a name="input_agent_security_rules"></a> [agent\_security\_rules](#input\_agent\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_anywhere"></a> [anywhere](#input\_anywhere) | Anywhere route subnet | `string` | `"0.0.0.0/0"` | no |
| <a name="input_aws_domain_name"></a> [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_aws_key_pair"></a> [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes |
| <a name="input_aws_ssm_iam_role_name"></a> [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no |
| <a name="input_cpx_hdd_size_gb"></a> [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size for Kasm Guac RDP nodes | `number` | n/a | yes |
| <a name="input_cpx_instance_type"></a> [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpxamole RDP nodes | `string` | `"t3.medium"` | no |
| <a name="input_cpx_security_rules"></a> [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_create_aws_ssm_iam_role"></a> [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_db_hdd_size_gb"></a> [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size for Kasm DB | `number` | n/a | yes |
| <a name="input_db_instance_type"></a> [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | `"t3.small"` | no |
| <a name="input_db_security_rules"></a> [db\_security\_rules](#input\_db\_security\_rules) | A map of objects of security rules to apply to the Kasm DB | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "postgres": {<br> "from_port": 5432,<br> "protocol": "tcp",<br> "to_port": 5432<br> },<br> "redis": {<br> "from_port": 6379,<br> "protocol": "tcp",<br> "to_port": 6379<br> }<br>}</pre> | no |
| <a name="input_default_egress"></a> [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> cidr_subnets = list(string)<br> })</pre> | <pre>{<br> "cidr_subnets": [<br> "0.0.0.0/0"<br> ],<br> "from_port": 0,<br> "protocol": "-1",<br> "to_port": 0<br>}</pre> | no |
| <a name="input_ec2_ami"></a> [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes |
| <a name="input_kasm_build"></a> [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_zone_name"></a> [kasm\_zone\_name](#input\_kasm\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `2` | no |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP Role Servers to create in the deployment | `number` | `2` | no |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | `2` | no |
| <a name="input_private_lb_security_rules"></a> [private\_lb\_security\_rules](#input\_private\_lb\_security\_rules) | A map of objects of security rules to apply to the Private ALB | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> })</pre> | <pre>{<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br>}</pre> | no |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_public_lb_security_rules"></a> [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "http": {<br> "from_port": 80,<br> "protocol": "tcp",<br> "to_port": 80<br> },<br> "https": {<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br> }<br>}</pre> | no |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vpc_subnet_cidr"></a> [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no |
| <a name="input_web_access_cidrs"></a> [web\_access\_cidrs](#input\_web\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_webapp_hdd_size_gb"></a> [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size for Kasm Webapp nodes | `number` | n/a | yes |
| <a name="input_webapp_instance_type"></a> [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | `"t3.small"` | no |
| <a name="input_webapp_security_rules"></a> [webapp\_security\_rules](#input\_webapp\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server | <pre>object({<br> from_port = number<br> to_port = number<br> protocol = string<br> })</pre> | <pre>{<br> "from_port": 443,<br> "protocol": "tcp",<br> "to_port": 443<br>}</pre> | no |
| <a name="input_windows_security_rules"></a> [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs | <pre>map(object({<br> from_port = number<br> to_port = number<br> protocol = string<br> }))</pre> | <pre>{<br> "cpx_api": {<br> "from_port": 4902,<br> "protocol": "tcp",<br> "to_port": 4902<br> },<br> "cpx_rdp": {<br> "from_port": 3389,<br> "protocol": "tcp",<br> "to_port": 3389<br> },<br> "webapp_api": {<br> "from_port": 4902,<br> "protocol": "tcp",<br> "to_port": 4902<br> }<br>}</pre> | no |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

16
aws/standard/module/agent.tf
View file

@ -1,14 +1,16 @@
resource "aws_instance" "kasm-agent" {
count = var.num_agents
resource "aws_instance" "agent" {
count = var.num_agents
ami = var.ec2_ami
instance_type = var.agent_instance_type
vpc_security_group_ids = [data.aws_security_group.data-kasm_agent_sg.id]
subnet_id = data.aws_subnet.data-kasm_agent_subnet.id
vpc_security_group_ids = [aws_security_group.agent.id]
subnet_id = aws_subnet.agent.id
key_name = var.aws_key_pair
associate_public_ip_address = false
iam_instance_profile = one(aws_iam_instance_profile.this[*].id)
associate_public_ip_address = true
root_block_device {
volume_size = 120
volume_size = var.agent_hdd_size_gb
}
user_data = templatefile("${path.module}/userdata/agent_bootstrap.sh",
@ -21,6 +23,6 @@ resource "aws_instance" "kasm-agent" {
)
tags = {
Name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent"
Name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent-${count.index}"
}
}

60
aws/standard/module/alb_logs_s3_bucket.tf
View file

@ -1,60 +0,0 @@
data "aws_route53_zone" "kasm-route53-zone" {
name = var.aws_domain_name
}
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket" "kasm_s3_logs" {
bucket_prefix = "${var.project_name}-${var.kasm_zone_name}-"
force_destroy = true
}
resource "aws_s3_bucket_acl" "kasm_s3_acl" {
bucket = aws_s3_bucket.kasm_s3_logs.id
acl = "private"
}
resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" {
bucket = aws_s3_bucket.kasm_s3_logs.id
policy = jsonencode({
Id = "Policy"
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:PutObject"
]
Effect = "Allow"
Resource = "${aws_s3_bucket.kasm_s3_logs.arn}/AWSLogs/*"
Principal = {
AWS = [
data.aws_elb_service_account.main.arn
]
}
}
]
})
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_elb_bucket" {
bucket = aws_s3_bucket.kasm_s3_logs.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
data "aws_s3_bucket" "data-kasm_s3_logs_bucket" {
bucket = aws_s3_bucket.kasm_s3_logs.bucket
}
resource "aws_s3_bucket_public_access_block" "s3_log_public_access" {
bucket = aws_s3_bucket.kasm_s3_logs.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}

3
aws/standard/module/availability_zones.tf
View file

@ -1,3 +0,0 @@
data "aws_availability_zones" "available" {
state = "available"
}

14
aws/standard/module/cert.tf
View file

@ -1,4 +1,4 @@
resource "aws_acm_certificate" "kasm-alb-cert" {
resource "aws_acm_certificate" "this" {
domain_name = var.aws_domain_name
subject_alternative_names = ["*.${var.aws_domain_name}"]
validation_method = "DNS"
@ -8,9 +8,9 @@ resource "aws_acm_certificate" "kasm-alb-cert" {
}
}
resource "aws_route53_record" "kasm-route53-cert-validation-record" {
resource "aws_route53_record" "this" {
for_each = {
for dvo in aws_acm_certificate.kasm-alb-cert.domain_validation_options : dvo.domain_name => {
for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
@ -19,13 +19,13 @@ resource "aws_route53_record" "kasm-route53-cert-validation-record" {
name = each.value.name
type = each.value.type
records = [each.value.record]
zone_id = data.aws_route53_zone.kasm-route53-zone.id
zone_id = data.aws_route53_zone.this.id
ttl = 30
allow_overwrite = true
}
resource "aws_acm_certificate_validation" "kasm-elb-certificate-validation" {
certificate_arn = aws_acm_certificate.kasm-alb-cert.arn
validation_record_fqdns = [for record in aws_route53_record.kasm-route53-cert-validation-record : record.fqdn]
resource "aws_acm_certificate_validation" "this" {
certificate_arn = aws_acm_certificate.this.arn
validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn]
}

13
aws/standard/module/db.tf
View file

@ -1,12 +1,13 @@
resource "aws_instance" "kasm-db" {
resource "aws_instance" "db" {
ami = var.ec2_ami
instance_type = var.db_instance_type
vpc_security_group_ids = [data.aws_security_group.data-kasm_db_sg.id]
subnet_id = data.aws_subnet.data-kasm_db_subnet.id
vpc_security_group_ids = [aws_security_group.db.id]
subnet_id = aws_subnet.db.id
key_name = var.aws_key_pair
iam_instance_profile = one(aws_iam_instance_profile.this[*].id)
root_block_device {
volume_size = 40
volume_size = var.db_hdd_size_gb
}
user_data = templatefile("${path.module}/userdata/db_bootstrap.sh",
@ -26,7 +27,3 @@ resource "aws_instance" "kasm-db" {
Name = "${var.project_name}-kasm-db"
}
}
data "aws_instance" "data-kasm_db" {
instance_id = aws_instance.kasm-db.id
}

25
aws/standard/module/dependencies.tf Normal file
View file

@ -0,0 +1,25 @@
locals {
private_lb_hostname = "${var.aws_region}-private.${var.aws_domain_name}"
all_security_groups = compact([
aws_security_group.public_lb.id,
aws_security_group.private_lb.id,
aws_security_group.webapp.id,
aws_security_group.agent.id,
aws_security_group.db.id,
one(aws_security_group.cpx[*].id),
one(aws_security_group.windows[*].id)
])
webapp_security_rules = { for value in local.all_security_groups : value => var.webapp_security_rules if value != aws_security_group.db.id || value != aws_security_group.webapp.id }
}
data "aws_availability_zones" "available" {
state = "available"
}
data "aws_route53_zone" "this" {
name = var.aws_domain_name
}
data "aws_elb_service_account" "main" {}

50
aws/standard/module/elb_logs_s3_bucket.tf Normal file
View file

@ -0,0 +1,50 @@
resource "aws_s3_bucket" "this" {
bucket_prefix = "${var.project_name}-${var.kasm_zone_name}-"
force_destroy = true
}
resource "aws_s3_bucket_acl" "this" {
bucket = aws_s3_bucket.this.id
acl = "private"
}
resource "aws_s3_bucket_policy" "this" {
bucket = aws_s3_bucket.this.id
policy = jsonencode({
Id = "Policy"
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:PutObject"
]
Effect = "Allow"
Resource = "${aws_s3_bucket.this.arn}/AWSLogs/*"
Principal = {
AWS = [
data.aws_elb_service_account.main.arn
]
}
}
]
})
}
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
bucket = aws_s3_bucket.this.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_public_access_block" "this" {
bucket = aws_s3_bucket.this.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}

23
aws/standard/module/guac_rdp.tf
View file

@ -1,17 +1,18 @@
resource "aws_instance" "kasm-guac" {
count = var.num_guac_nodes
ami = var.ec2_ami
instance_type = var.guac_instance_type
vpc_security_group_ids = [data.aws_security_group.data-kasm_guac_sg.id]
subnet_id = data.aws_subnet.data-kasm_guac_subnet.id
key_name = var.aws_key_pair
associate_public_ip_address = false
resource "aws_instance" "cpx" {
count = var.num_cpx_nodes
ami = var.ec2_ami
instance_type = var.cpx_instance_type
vpc_security_group_ids = aws_security_group.cpx[*].id
subnet_id = one(aws_subnet.cpx[*].id)
key_name = var.aws_key_pair
iam_instance_profile = one(aws_iam_instance_profile.this[*].id)
root_block_device {
volume_size = 120
volume_size = var.cpx_hdd_size_gb
}
user_data = templatefile("${path.module}/userdata/guac_bootstrap.sh",
user_data = templatefile("${path.module}/userdata/cpx_bootstrap.sh",
{
kasm_build_url = var.kasm_build
swap_size = var.swap_size
@ -21,6 +22,6 @@ resource "aws_instance" "kasm-guac" {
)
tags = {
Name = "${var.project_name}-${var.kasm_zone_name}-kasm-guac"
Name = "${var.project_name}-${var.kasm_zone_name}-kasm-cpx-${count.index}"
}
}

14
aws/standard/module/natgw.tf
View file

@ -1,14 +0,0 @@
resource "aws_eip" "nat_gateway_eip" {
vpc = true
}
resource "aws_nat_gateway" "agent_and_guac_natgw" {
allocation_id = aws_eip.nat_gateway_eip.id
subnet_id = data.aws_subnet.data-kasm_webapp_subnets[0].id
depends_on = [data.aws_internet_gateway.data-kasm-default-ig]
}
data "aws_nat_gateway" "data-agent_and_guac_natgw" {
id = aws_nat_gateway.agent_and_guac_natgw.id
}

62
aws/standard/module/private_alb.tf
View file

@ -1,16 +1,12 @@
locals {
private_lb_hostname = "${var.kasm_zone_name}-private-lb.${var.aws_domain_name}"
}
resource "aws_lb" "kasm-private-alb" {
resource "aws_lb" "private" {
name = "${var.project_name}-private-lb"
internal = true
load_balancer_type = "application"
security_groups = [data.aws_security_group.data-kasm_default_elb_sg.id]
subnets = data.aws_subnet.data-kasm_webapp_subnets[*].id
security_groups = [aws_security_group.private_lb.id]
subnets = aws_subnet.webapp[*].id
access_logs {
bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.bucket
bucket = aws_s3_bucket.this.bucket
enabled = true
}
@ -19,15 +15,11 @@ resource "aws_lb" "kasm-private-alb" {
}
}
data "aws_lb" "data-kasm_private_alb" {
arn = aws_lb.kasm-private-alb.arn
}
resource "aws_lb_target_group" "kasm-private-target-group" {
resource "aws_lb_target_group" "private" {
name = "${var.project_name}-private-target-group"
port = 443
protocol = "HTTPS"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
vpc_id = aws_vpc.this.id
health_check {
path = "/api/__healthcheck"
@ -40,19 +32,15 @@ resource "aws_lb_target_group" "kasm-private-target-group" {
}
}
data "aws_lb_target_group" "data-kasm_private_target_group" {
arn = aws_lb_target_group.kasm-private-target-group.arn
}
resource "aws_lb_listener" "kasm-private-alb-listener" {
load_balancer_arn = data.aws_lb.data-kasm_private_alb.arn
resource "aws_lb_listener" "private" {
load_balancer_arn = aws_lb.private.arn
port = "443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate_validation.kasm-elb-certificate-validation.certificate_arn
certificate_arn = aws_acm_certificate_validation.this.certificate_arn
default_action {
type = "forward"
target_group_arn = data.aws_lb_target_group.data-kasm_private_target_group.arn
target_group_arn = aws_lb_target_group.private.arn
}
tags = {
@ -60,34 +48,22 @@ resource "aws_lb_listener" "kasm-private-alb-listener" {
}
}
resource "aws_lb_target_group_attachment" "kasm-private-target-group-attachment" {
count = var.num_webapps
target_group_arn = data.aws_lb_target_group.data-kasm_private_target_group.arn
target_id = data.aws_instance.data-kasm_web_app[count.index].id
resource "aws_lb_target_group_attachment" "private" {
count = var.num_webapps
target_group_arn = aws_lb_target_group.private.arn
target_id = aws_instance.webapp[count.index].id
port = 443
}
resource "aws_route53_record" "kasm-route53-private-elb-record" {
zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id
resource "aws_route53_record" "private" {
zone_id = data.aws_route53_zone.this.zone_id
name = local.private_lb_hostname
type = "A"
alias {
name = data.aws_lb.data-kasm_private_alb.dns_name
zone_id = data.aws_lb.data-kasm_private_alb.zone_id
name = aws_lb.private.dns_name
zone_id = aws_lb.private.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_health_check" "kasm-private-elb-hc" {
fqdn = local.private_lb_hostname
port = 443
type = "HTTPS"
resource_path = "/api/__healthcheck"
failure_threshold = "5"
request_interval = "30"
tags = {
Name = "hc-${var.kasm_zone_name}-private-lb.${var.aws_domain_name}"
}
}

6
aws/standard/module/provider.tf
View file

@ -1,8 +1,10 @@
terraform {
required_version = "~> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
#version = "4.56.0"
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}

95
aws/standard/module/public_alb.tf
View file

@ -1,12 +1,12 @@
resource "aws_lb" "kasm-alb" {
resource "aws_lb" "public" {
name = "${var.project_name}-lb"
internal = false
load_balancer_type = "application"
security_groups = [data.aws_security_group.data-kasm_default_elb_sg.id]
subnets = data.aws_subnet.data-kasm_webapp_subnets[*].id
security_groups = [aws_security_group.public_lb.id]
subnets = aws_subnet.alb[*].id
access_logs {
bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.bucket
bucket = aws_s3_bucket.this.bucket
enabled = true
}
@ -15,40 +15,15 @@ resource "aws_lb" "kasm-alb" {
}
}
data "aws_lb" "data-kasm_alb" {
arn = aws_lb.kasm-alb.arn
}
resource "aws_lb_target_group" "kasm-target-group" {
name = "${var.project_name}-target-group"
port = 443
protocol = "HTTPS"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
health_check {
path = "/api/__healthcheck"
matcher = 200
protocol = "HTTPS"
}
tags = {
Name = "${var.project_name}-kasm-public-tg"
}
}
data "aws_lb_target_group" "data-kasm_target_group" {
arn = aws_lb_target_group.kasm-target-group.arn
}
resource "aws_lb_listener" "kasm-alb-listener" {
load_balancer_arn = data.aws_lb.data-kasm_alb.arn
resource "aws_lb_listener" "https" {
load_balancer_arn = aws_lb.public.arn
port = "443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate_validation.kasm-elb-certificate-validation.certificate_arn
certificate_arn = aws_acm_certificate_validation.this.certificate_arn
default_action {
type = "forward"
target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn
target_group_arn = aws_lb_target_group.public.arn
}
tags = {
@ -56,8 +31,8 @@ resource "aws_lb_listener" "kasm-alb-listener" {
}
}
resource "aws_lb_listener" "kasm_alb_listener_http" {
load_balancer_arn = data.aws_lb.data-kasm_alb.arn
resource "aws_lb_listener" "http" {
load_balancer_arn = aws_lb.public.arn
port = "80"
protocol = "HTTP"
@ -76,44 +51,46 @@ resource "aws_lb_listener" "kasm_alb_listener_http" {
}
}
resource "aws_lb_target_group_attachment" "kasm-target-group-attachment" {
count = var.num_webapps
target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn
target_id = data.aws_instance.data-kasm_web_app[count.index].id
port = 443
}
resource "aws_lb_target_group" "public" {
name = "${var.project_name}-target-group"
port = 443
protocol = "HTTPS"
vpc_id = aws_vpc.this.id
resource "aws_route53_record" "kasm-route53-elb-record" {
zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id
name = "${var.kasm_zone_name}-lb.${var.aws_domain_name}"
type = "A"
health_check {
path = "/api/__healthcheck"
matcher = 200
protocol = "HTTPS"
}
alias {
name = aws_lb.kasm-alb.dns_name
zone_id = aws_lb.kasm-alb.zone_id
evaluate_target_health = true
tags = {
Name = "${var.project_name}-kasm-public-tg"
}
}
resource "aws_route53_record" "kasm-app-url" {
zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id
resource "aws_lb_target_group_attachment" "public" {
count = var.num_webapps
target_group_arn = aws_lb_target_group.public.arn
target_id = aws_instance.webapp[count.index].id
port = 443
}
resource "aws_route53_record" "public" {
zone_id = data.aws_route53_zone.this.zone_id
name = var.aws_domain_name
type = "A"
set_identifier = "${var.project_name}-${var.kasm_zone_name}-set-id"
alias {
name = data.aws_lb.data-kasm_alb.dns_name
zone_id = data.aws_lb.data-kasm_alb.zone_id
name = aws_lb.public.dns_name
zone_id = aws_lb.public.zone_id
evaluate_target_health = true
}
latency_routing_policy {
region = var.aws_region
}
}
resource "aws_route53_health_check" "kasm-elb-hc" {
fqdn = "${var.kasm_zone_name}-lb.${var.aws_domain_name}"
fqdn = var.aws_domain_name
port = 443
type = "HTTPS"
resource_path = "/api/__healthcheck"
@ -121,6 +98,6 @@ resource "aws_route53_health_check" "kasm-elb-hc" {
request_interval = "30"
tags = {
Name = "hc-${var.kasm_zone_name}-lb.${var.aws_domain_name}"
Name = "hc-${var.aws_domain_name}"
}
}

67
aws/standard/module/routes.tf
View file

@ -1,9 +1,9 @@
resource "aws_route_table" "internet_access" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
resource "aws_route_table" "ig" {
vpc_id = aws_vpc.this.id
route {
cidr_block = var.anywhere
gateway_id = data.aws_internet_gateway.data-kasm-default-ig.id
gateway_id = aws_internet_gateway.this.id
}
tags = {
@ -11,27 +11,12 @@ resource "aws_route_table" "internet_access" {
}
}
data "aws_route_table" "data-internet_gateway_route_table" {
route_table_id = aws_route_table.internet_access.id
}
resource "aws_route_table_association" "webapp_route_association" {
count = var.num_webapps
subnet_id = data.aws_subnet.data-kasm_webapp_subnets[count.index].id
route_table_id = data.aws_route_table.data-internet_gateway_route_table.id
}
resource "aws_route_table_association" "db_route_association" {
subnet_id = data.aws_subnet.data-kasm_db_subnet.id
route_table_id = data.aws_route_table.data-internet_gateway_route_table.id
}
resource "aws_route_table" "nat_route_table" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
resource "aws_route_table" "nat" {
vpc_id = aws_vpc.this.id
route {
cidr_block = var.anywhere
gateway_id = data.aws_nat_gateway.data-agent_and_guac_natgw.id
gateway_id = aws_nat_gateway.this.id
}
tags = {
@ -39,16 +24,40 @@ resource "aws_route_table" "nat_route_table" {
}
}
data "aws_route_table" "data-nat_route_table" {
route_table_id = aws_route_table.nat_route_table.id
resource "aws_route_table_association" "alb" {
count = 2
subnet_id = aws_subnet.alb[count.index].id
route_table_id = aws_route_table.ig.id
}
resource "aws_route_table_association" "agent_nat_route_table_association" {
subnet_id = data.aws_subnet.data-kasm_agent_subnet.id
route_table_id = data.aws_route_table.data-nat_route_table.id
resource "aws_route_table_association" "webapp" {
count = var.num_webapps
subnet_id = aws_subnet.webapp[count.index].id
route_table_id = aws_route_table.nat.id
}
resource "aws_route_table_association" "guac_nat_route_table_association" {
subnet_id = data.aws_subnet.data-kasm_guac_subnet.id
route_table_id = data.aws_route_table.data-nat_route_table.id
resource "aws_route_table_association" "db" {
subnet_id = aws_subnet.db.id
route_table_id = aws_route_table.nat.id
}
resource "aws_route_table_association" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
subnet_id = one(aws_subnet.cpx[*].id)
route_table_id = aws_route_table.nat.id
}
resource "aws_route_table_association" "agent" {
subnet_id = aws_subnet.agent.id
route_table_id = aws_route_table.ig.id
}
resource "aws_route_table_association" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
subnet_id = one(aws_subnet.windows[*].id)
route_table_id = aws_route_table.ig.id
}

264
aws/standard/module/security_group.tf
View file

@ -1,174 +1,160 @@
resource "aws_security_group" "kasm-default-elb-sg" {
name = "${var.project_name}-kasm-allow-elb-access"
resource "aws_security_group" "public_lb" {
name = "${var.project_name}-kasm-allow-public-lb-access"
description = "Security Group for ELB"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = var.web_access_cidrs
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = var.web_access_cidrs
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
}
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-allow-access"
Name = "${var.project_name}-kasm-public-lb-access"
}
}
data "aws_security_group" "data-kasm_default_elb_sg" {
id = aws_security_group.kasm-default-elb-sg.id
resource "aws_security_group_rule" "public_lb" {
for_each = var.public_lb_security_rules
security_group_id = aws_security_group.public_lb.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = var.web_access_cidrs
}
resource "aws_security_group" "kasm-webapp-sg" {
name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp"
resource "aws_security_group" "private_lb" {
name = "${var.project_name}-kasm-allow-private-lb-access"
description = "Security Group for ELB"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-private-lb-access"
}
}
resource "aws_security_group_rule" "private_lb" {
for_each = var.private_lb_security_rules
security_group_id = aws_security_group.private_lb.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.key
}
resource "aws_security_group" "webapp" {
name = "${var.project_name}-kasm-webapp"
description = "Allow access to webapps"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
vpc_id = aws_vpc.this.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [data.aws_security_group.data-kasm_default_elb_sg.id]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [
data.aws_subnet.data-kasm_agent_subnet.cidr_block,
data.aws_subnet.data-kasm_guac_subnet.cidr_block
]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-webapp-access"
}
}
data "aws_security_group" "data-kasm_webapp_sg" {
id = aws_security_group.kasm-webapp-sg.id
resource "aws_security_group_rule" "webapp" {
for_each = local.webapp_security_rules
security_group_id = aws_security_group.webapp.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.key
}
resource "aws_security_group" "kasm-agent-sg" {
name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent-access"
resource "aws_security_group" "agent" {
name = "${var.project_name}-kasm-agent-access"
description = "Allow access to agents"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
vpc_id = aws_vpc.this.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-agent-access"
}
}
data "aws_security_group" "data-kasm_agent_sg" {
id = aws_security_group.kasm-agent-sg.id
resource "aws_security_group_rule" "agent" {
for_each = var.agent_security_rules
security_group_id = aws_security_group.agent.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.webapp.id
}
resource "aws_security_group" "kasm-db-sg" {
name = "${var.project_name}-${var.kasm_zone_name}-kasm-db-access"
resource "aws_security_group" "db" {
name = "${var.project_name}-kasm-db-access"
description = "Allow access to webapps"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
vpc_id = aws_vpc.this.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block
}
ingress {
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-db-access"
}
}
data "aws_security_group" "data-kasm_db_sg" {
id = aws_security_group.kasm-db-sg.id
resource "aws_security_group_rule" "db" {
for_each = var.db_security_rules
security_group_id = aws_security_group.db.id
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.webapp.id
}
resource "aws_security_group" "kasm-guac-sg" {
name = "${var.project_name}-${var.kasm_zone_name}-kasm-guac-access"
description = "Allow access to guac RDP nodes"
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
resource "aws_security_group" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_access_cidrs
}
name = "${var.project_name}-kasm-cpx-access"
description = "Allow access to cpx RDP nodes"
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.anywhere]
tags = {
Name = "${var.project_name}-kasm-cpx-access"
}
}
data "aws_security_group" "data-kasm_guac_sg" {
id = aws_security_group.kasm-guac-sg.id
resource "aws_security_group_rule" "cpx" {
for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {}
security_group_id = one(aws_security_group.cpx[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = aws_security_group.webapp.id
}
resource "aws_security_group" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
name = "${var.project_name}-kasm-windows-access"
description = "Allow access to Windows servers"
vpc_id = aws_vpc.this.id
tags = {
Name = "${var.project_name}-kasm-windows-access"
}
}
resource "aws_security_group_rule" "windows" {
for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {}
security_group_id = one(aws_security_group.windows[*].id)
type = "ingress"
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = can(regex("(?i:cpx)", each.key)) ? one(aws_security_group.cpx[*].id) : aws_security_group.webapp.id
}
resource "aws_security_group_rule" "egress" {
for_each = { for value in local.all_security_groups : value => var.default_egress }
security_group_id = each.key
type = each.value.rule_type
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
cidr_blocks = var.web_access_cidrs
}

29
aws/standard/module/ssm.tf Normal file
View file

@ -0,0 +1,29 @@
resource "aws_iam_role" "this" {
count = var.create_aws_ssm_iam_role ? 1 : 0
name = var.aws_ssm_iam_role_name != "" ? var.aws_ssm_iam_role_name : "Kasm_SSM_IAM_Instance_Role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy_attachment" "this" {
count = var.create_aws_ssm_iam_role ? 1 : 0
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
role = one(aws_iam_role.this[*].name)
}
resource "aws_iam_instance_profile" "this" {
count = var.create_aws_ssm_iam_role ? 1 : 0
name = "Kasm_SSM_Instance_Profile"
role = one(aws_iam_role.this[*].name)
}

91
aws/standard/module/subnet.tf
View file

@ -2,68 +2,81 @@ locals {
kasm_vpc_subnet_cidr_mask = split("/", var.vpc_subnet_cidr)[1]
kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vpc_subnet_cidr_mask - 16))
kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation
kasm_agent_subnet_id = (var.num_webapps + 1)
}
## Will create Agent subnet x.x.0.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "kasm-db-subnet" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 0)
## Will create Agent subnet x.x.0.0/24 and x.x.1.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "alb" {
count = 2
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, count.index)
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-kasm-lb-subnet-${count.index}"
}
}
## Will create WebApp subnets x.x.2.0/24 and x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "webapp" {
count = var.num_webapps
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 2))
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "${var.project_name}-kasm-webapp-subnet-${count.index}"
}
}
## Will create Agent subnet x.x.4.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "db" {
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 4)
availability_zone = data.aws_availability_zones.available.names[1]
tags = {
Name = "${var.project_name}-kasm-db-subnet"
}
}
data "aws_subnet" "data-kasm_db_subnet" {
id = aws_subnet.kasm-db-subnet.id
}
## Will create WebApp subnets x.x.1.x/24 and x.x.2.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "kasm-webapp-subnets" {
count = var.num_webapps
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 1))
availability_zone = data.aws_availability_zones.available.names[count.index]
## Will create Agent subnet x.x.6.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "agent" {
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 5)
map_public_ip_on_launch = true
availability_zone = data.aws_availability_zones.available.names[1]
tags = {
Name = "${var.project_name}-kasm-webapp-subnet"
Name = "${var.project_name}-agent-subnet"
}
}
data "aws_subnet" "data-kasm_webapp_subnets" {
count = var.num_webapps
id = aws_subnet.kasm-webapp-subnets[count.index].id
}
## Will create CPX subnet x.x.5.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
## Will create Agent subnet x.x.3.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "kasm-agent-subnet" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, local.kasm_agent_subnet_id)
map_public_ip_on_launch = true
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 6)
availability_zone = data.aws_availability_zones.available.names[0]
tags = {
Name = "${var.project_name}-agent-natgw-subnet"
Name = "${var.project_name}-cpx-subnet"
}
}
data "aws_subnet" "data-kasm_agent_subnet" {
id = aws_subnet.kasm-agent-subnet.id
}
## Will create cpx subnet x.x.7.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
## Will create Guac subnet x.x.4.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "aws_subnet" "kasm-guac-subnet" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (local.kasm_agent_subnet_id + 1))
vpc_id = aws_vpc.this.id
cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 7)
map_public_ip_on_launch = true
availability_zone = data.aws_availability_zones.available.names[1]
tags = {
Name = "${var.project_name}-guac-natgw-subnet"
Name = "${var.project_name}-windows-subnet"
}
}
data "aws_subnet" "data-kasm_guac_subnet" {
id = aws_subnet.kasm-guac-subnet.id
}

29
aws/standard/module/userdata/cpx_bootstrap.sh Normal file
View file

@ -0,0 +1,29 @@
#!/bin/bash
set -ex
echo "Starting Kasm Workspaces Agent Install"
/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size}
/sbin/mkswap /var/swap.1
chmod 600 /var/swap.1
/sbin/swapon /var/swap.1
echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`)
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz
echo "Waiting for Kasm WebApp availability..."
while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true)
do
echo "Waiting for API server..."
sleep 5
done
echo "WebApp is alive"
bash kasm_release/install.sh -S cpx -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token}
echo "Done"

2
aws/standard/module/userdata/db_bootstrap.sh
View file

@ -11,8 +11,6 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`)
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz
bash kasm_release/install.sh -S db -e -Q ${database_password} -R ${redis_password} -U ${user_password} -P ${admin_password} -M ${manager_token} -k ${service_registration_token}

2
aws/standard/module/userdata/webapp_bootstrap.sh
View file

@ -11,8 +11,6 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab
cd /tmp
PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`)
wget ${kasm_build_url} -O kasm_workspaces.tar.gz
tar -xf kasm_workspaces.tar.gz

196
aws/standard/module/variables.tf
View file

@ -31,8 +31,8 @@ variable "num_agents" {
default = 2
}
variable "num_guac_nodes" {
description = "The number of Agent Role Servers to create in the deployment"
variable "num_cpx_nodes" {
description = "The number of cpx RDP Role Servers to create in the deployment"
type = number
default = 2
}
@ -55,16 +55,30 @@ variable "agent_instance_type" {
default = "t3.medium"
}
variable "guac_instance_type" {
description = "The instance type for the Guacamole RDP nodes"
variable "cpx_instance_type" {
description = "The instance type for the cpxamole RDP nodes"
type = string
default = "t3.medium"
}
variable "ssh_access_cidrs" {
description = "CIDR notation of the bastion host allowed to SSH in to the machines"
type = list(string)
default = ["0.0.0.0/0"]
variable "webapp_hdd_size_gb" {
description = "The HDD size for Kasm Webapp nodes"
type = number
}
variable "db_hdd_size_gb" {
description = "The HDD size for Kasm DB"
type = number
}
variable "cpx_hdd_size_gb" {
description = "The HDD size for Kasm Guac RDP nodes"
type = number
}
variable "agent_hdd_size_gb" {
description = "The HDD size for Kasm Agent nodes"
type = number
}
variable "web_access_cidrs" {
@ -93,6 +107,18 @@ variable "swap_size" {
type = number
}
variable "create_aws_ssm_iam_role" {
description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs."
type = bool
default = false
}
variable "aws_ssm_iam_role_name" {
description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access"
type = string
default = ""
}
variable "database_password" {
description = "The password for the database. No special characters"
type = string
@ -124,7 +150,7 @@ variable "manager_token" {
}
variable "service_registration_token" {
description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters"
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
}
@ -145,3 +171,155 @@ variable "anywhere" {
error_message = "Anywhere variable must be valid IPv4 CIDR - usually 0.0.0.0/0 for all default routes and default Security Group access."
}
}
variable "public_lb_security_rules" {
description = "A map of objects of security rules to apply to the Public ALB"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
http = {
from_port = 80
to_port = 80
protocol = "tcp"
}
}
}
variable "private_lb_security_rules" {
description = "A map of objects of security rules to apply to the Private ALB"
type = object({
from_port = number
to_port = number
protocol = string
})
default = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
variable "webapp_security_rules" {
description = "A map of objects of security rules to apply to the Kasm WebApp server"
type = object({
from_port = number
to_port = number
protocol = string
})
default = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
variable "db_security_rules" {
description = "A map of objects of security rules to apply to the Kasm DB"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
postgres = {
from_port = 5432
to_port = 5432
protocol = "tcp"
}
redis = {
from_port = 6379
to_port = 6379
protocol = "tcp"
}
}
}
variable "cpx_security_rules" {
description = "A map of objects of security rules to apply to the Kasm Connection Proxy server"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "agent_security_rules" {
description = "A map of objects of security rules to apply to the Kasm WebApp server"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
https = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "windows_security_rules" {
description = "A map of objects of security rules to apply to the Kasm Windows VMs"
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
cpx_rdp = {
from_port = 3389
to_port = 3389
protocol = "tcp"
}
cpx_api = {
from_port = 4902
to_port = 4902
protocol = "tcp"
}
webapp_api = {
from_port = 4902
to_port = 4902
protocol = "tcp"
}
}
}
variable "default_egress" {
description = "Default egress security rule for all security groups"
type = object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
default = {
from_port = 0
to_port = 0
protocol = "-1"
cidr_subnets = ["0.0.0.0/0"]
}
}

31
aws/standard/module/vpc.tf
View file

@ -1,23 +1,36 @@
resource "aws_vpc" "kasm-default-vpc" {
resource "aws_vpc" "this" {
cidr_block = var.vpc_subnet_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "${var.project_name}-kasm-db-vpc"
Name = "${var.project_name}-kasm-vpc"
}
}
data "aws_vpc" "data-kasm-default-vpc" {
id = aws_vpc.kasm-default-vpc.id
}
resource "aws_internet_gateway" "this" {
vpc_id = aws_vpc.this.id
resource "aws_internet_gateway" "kasm-default-ig" {
vpc_id = data.aws_vpc.data-kasm-default-vpc.id
tags = {
Name = "${var.project_name}-kasm-ig"
}
}
data "aws_internet_gateway" "data-kasm-default-ig" {
internet_gateway_id = aws_internet_gateway.kasm-default-ig.id
resource "aws_eip" "this" {
domain = "vpc"
tags = {
Name = "${var.project_name}-kasm-nat-gateway-eip"
}
}
resource "aws_nat_gateway" "this" {
allocation_id = aws_eip.this.id
subnet_id = aws_subnet.alb[0].id
tags = {
Name = "${var.project_name}-kasm-nat-gateway"
}
depends_on = [aws_internet_gateway.this]
}

28
aws/standard/module/webapp.tf
View file

@ -1,20 +1,21 @@
resource "aws_instance" "kasm-web-app" {
count = var.num_webapps
ami = var.ec2_ami
instance_type = var.webapp_instance_type
vpc_security_group_ids = [data.aws_security_group.data-kasm_webapp_sg.id]
subnet_id = data.aws_subnet.data-kasm_webapp_subnets[count.index].id
key_name = var.aws_key_pair
associate_public_ip_address = true
resource "aws_instance" "webapp" {
count = var.num_webapps
ami = var.ec2_ami
instance_type = var.webapp_instance_type
vpc_security_group_ids = [aws_security_group.webapp.id]
subnet_id = aws_subnet.webapp[count.index].id
key_name = var.aws_key_pair
iam_instance_profile = one(aws_iam_instance_profile.this[*].id)
root_block_device {
volume_size = 40
volume_size = var.webapp_hdd_size_gb
}
user_data = templatefile("${path.module}/userdata/webapp_bootstrap.sh",
{
kasm_build_url = var.kasm_build
db_ip = data.aws_instance.data-kasm_db.private_ip
db_ip = aws_instance.db.private_ip
database_password = var.database_password
redis_password = var.redis_password
swap_size = var.swap_size
@ -23,11 +24,6 @@ resource "aws_instance" "kasm-web-app" {
)
tags = {
Name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp"
Name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp-${count.index}"
}
}
data "aws_instance" "data-kasm_web_app" {
count = var.num_webapps
instance_id = aws_instance.kasm-web-app[count.index].id
}

7
aws/standard/output.tf Normal file
View file

@ -0,0 +1,7 @@
output "kasm_zone_settings" {
description = "Upstream Auth settings to apply to Kasm Zone configuration"
value = <<ZONE
Kam Zone configuration for zone: default
Upstream Auth address: ${var.aws_region}-private.${var.aws_domain_name}
ZONE
}

6
aws/standard/provider.tf
View file

@ -1,8 +1,10 @@
terraform {
required_version = "~> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
#version = "4.56.0"
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}

2
aws/standard/secrets.tfvars.example Normal file
View file

@ -0,0 +1,2 @@
aws_access_key = ""
aws_secret_key = ""

43
aws/standard/settings.tfvars
View file

@ -1,43 +0,0 @@
## AWS Environment settings
aws_key_pair = "troy-common-ssh"
aws_region = "us-east-1"
aws_domain_name = "bryan-test2.sandbox1.kasmweb.net"
vpc_subnet_cidr = "10.0.0.0/16"
## Kasm deployment settings
kasm_zone_name = "default"
project_name = "contoso"
num_agents = 2
num_webapps = 2
num_guac_nodes = 1
## Kasm Server settings
agent_instance_type = "t3.medium"
guac_instance_type = "t3.medium"
webapp_instance_type = "t3.small"
db_instance_type = "t3.small"
ec2_ami = "ami-09cd747c78a9add63"
swap_size = 2048
## VM Access subnets
ssh_access_cidrs = ["0.0.0.0/0"]
web_access_cidrs = ["0.0.0.0/0"]
## Kasm passwords
database_password = "changeme"
redis_password = "changeme"
user_password = "changeme"
admin_password = "changeme"
manager_token = "changeme"
service_registration_token = "changeme"
## Kasm download URL
kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"
## Default tags for all AWS resources
aws_default_tags = {
Deployed_by = "Terraform"
Deployment_type = "Multi-Server"
Service_name = "Kasm Workspaces"
Kasm_version = "1.12"
}

61
aws/standard/terraform.tfvars Normal file
View file

@ -0,0 +1,61 @@
## AWS Environment settings
aws_key_pair = ""
aws_region = ""
aws_domain_name = ""
vpc_subnet_cidr = "10.0.0.0/16"
## Kasm deployment settings
kasm_zone_name = "default"
project_name = "contoso"
## Number of each Kasm role to deploy
num_agents = 2
num_webapps = 2
num_cpx_nodes = 1
## VM Public Access subnets
web_access_cidrs = ["0.0.0.0/0"]
## AWS SSM setup for console/SSH access to VMs behind NAT gateway
create_aws_ssm_iam_role = false
aws_ssm_iam_role_name = ""
## Kasm Server settings
ec2_ami_id = ""
swap_size = 2048
## Kasm Webapp Instance Settings
webapp_instance_type = "t3.small"
webapp_hdd_size_gb = 50
## Kasm DB Instance Settings
db_instance_type = "t3.medium"
db_hdd_size_gb = 80
## Kasm Agent Instance Settings
agent_instance_type = "t3.medium"
agent_hdd_size_gb = 150
## Kasm CPX Instance Settings
cpx_instance_type = "t3.small"
cpx_hdd_size_gb = 50
## Kasm passwords
database_password = "changeme"
redis_password = "changeme"
user_password = "changeme"
admin_password = "changeme"
manager_token = "changeme"
service_registration_token = "changeme"
## Kasm download URL
kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz"
## Default tags for all AWS resources
aws_default_tags = {
Deployed_by = "Terraform"
Deployment_type = "Multi-Server"
Service_name = "Kasm Workspaces"
Kasm_version = "1.14"
}

102
aws/standard/variables.tf
View file

@ -96,7 +96,6 @@ variable "swap_size" {
variable "webapp_instance_type" {
description = "The instance type for the webapps"
type = string
default = "t3.small"
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.webapp_instance_type))
@ -107,7 +106,6 @@ variable "webapp_instance_type" {
variable "db_instance_type" {
description = "The instance type for the Database"
type = string
default = "t3.small"
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.db_instance_type))
@ -118,7 +116,6 @@ variable "db_instance_type" {
variable "agent_instance_type" {
description = "The instance type for the Agents"
type = string
default = "t3.medium"
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.agent_instance_type))
@ -126,32 +123,29 @@ variable "agent_instance_type" {
}
}
variable "guac_instance_type" {
description = "The instance type for the Guacamole RDP nodes"
variable "cpx_instance_type" {
description = "The instance type for the cpxamole RDP nodes"
type = string
default = "t3.medium"
validation {
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.guac_instance_type))
error_message = "Check the guac_instance_type variable and ensure it is a valid AWS Instance type (https://aws.amazon.com/ec2/instance-types/)."
condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.cpx_instance_type))
error_message = "Check the cpx_instance_type variable and ensure it is a valid AWS Instance type (https://aws.amazon.com/ec2/instance-types/)."
}
}
variable "num_webapps" {
description = "The number of WebApp role servers to create in the deployment"
type = number
default = 2
validation {
condition = var.num_webapps >= 1 && var.num_webapps <= 3 && floor(var.num_webapps) == var.num_webapps
error_message = "Acceptable number of webapps range between 1-3."
condition = var.num_webapps >= 1 && var.num_webapps <= 6 && floor(var.num_webapps) == var.num_webapps
error_message = "Acceptable number of webapps range between 1-6."
}
}
variable "num_agents" {
description = "The number of Agent Role Servers to create in the deployment"
type = number
default = 2
validation {
condition = var.num_agents >= 0 && var.num_agents <= 100 && floor(var.num_agents) == var.num_agents
@ -159,32 +153,59 @@ variable "num_agents" {
}
}
variable "num_guac_nodes" {
variable "num_cpx_nodes" {
description = "The number of Agent Role Servers to create in the deployment"
type = number
default = 1
validation {
condition = var.num_guac_nodes >= 0 && var.num_guac_nodes <= 100 && floor(var.num_guac_nodes) == var.num_guac_nodes
error_message = "Acceptable number of Kasm Agents range between 0-100."
condition = var.num_cpx_nodes == 0 ? true : var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes
error_message = "If num_cpx_nodes is set to 0, this Terraform will not deploy the Connection Proxy node. Acceptable number of Kasm Agents range between 0-100."
}
}
variable "ssh_access_cidrs" {
description = "CIDR notation of the bastion host allowed to SSH in to the machines"
type = list(string)
default = ["0.0.0.0/0"]
variable "webapp_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm WebApp instances"
type = number
validation {
condition = alltrue([for subnet in var.ssh_access_cidrs : can(cidrhost(subnet, 0))])
error_message = "One of the subnets provided in the ssh_access_cidr variable is invalid."
condition = can(var.webapp_hdd_size_gb >= 40)
error_message = "Kasm Webapps should have at least a 40 GB HDD to ensure enough space for Kasm services."
}
}
variable "db_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm Database instances"
type = number
validation {
condition = can(var.db_hdd_size_gb >= 40)
error_message = "Kasm Database should have at least a 40 GB HDD to ensure enough space for Kasm services."
}
}
variable "agent_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm Agent instances"
type = number
validation {
condition = can(var.agent_hdd_size_gb >= 120)
error_message = "Kasm Agents should have at least a 120 GB HDD to ensure enough space for Kasm services."
}
}
variable "cpx_hdd_size_gb" {
description = "The HDD size in GB to configure for the Kasm cpx RDP instances"
type = number
validation {
condition = can(var.cpx_hdd_size_gb >= 40)
error_message = "Kasm cpx RDP nodes should have at least a 40 GB HDD to ensure enough space for Kasm services. If num_cpx_nodes is set to 0 this setting is ignored."
}
}
variable "web_access_cidrs" {
description = "CIDR notation of the bastion host allowed to SSH in to the machines"
type = list(string)
default = ["0.0.0.0/0"]
validation {
condition = alltrue([for subnet in var.web_access_cidrs : can(cidrhost(subnet, 0))])
@ -192,12 +213,12 @@ variable "web_access_cidrs" {
}
}
variable "ec2_ami" {
description = "The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS."
variable "ec2_ami_id" {
description = "The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS."
type = string
validation {
condition = can(regex("^(ami-[a-f0-9]{17})", var.ec2_ami))
condition = can(regex("^(ami-[a-f0-9]{17})", var.ec2_ami_id))
error_message = "Please verify that your AMI is in the correct format for AWS (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html)."
}
}
@ -258,7 +279,7 @@ variable "manager_token" {
}
variable "service_registration_token" {
description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters"
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
@ -268,6 +289,28 @@ variable "service_registration_token" {
}
}
variable "create_aws_ssm_iam_role" {
description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs."
type = bool
default = false
validation {
condition = can(tobool(var.create_aws_ssm_iam_role))
error_message = "The create_aws_ssm_iam_role is a boolean value and can only be either true or false."
}
}
variable "aws_ssm_iam_role_name" {
description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access"
type = string
default = ""
validation {
condition = can(regex("[a-zA-Z0-9+=,.@-]{1,64}", var.aws_ssm_iam_role_name))
error_message = "The aws_ssm_iam_role_name must be unique across the account and can only consisit of between 1 and 64 characters consisting of letters, numbers, underscores (_), plus (+), equals (=), comman (,), period (.), at symbol (@), or dash (-)."
}
}
## Non-validated variables
variable "kasm_build" {
description = "The URL for the Kasm Workspaces build"
@ -277,8 +320,5 @@ variable "kasm_build" {
variable "aws_default_tags" {
description = "Default tags to apply to all AWS resources for this deployment"
type = map(any)
default = {
Service_name = "Kasm Workspaces"
Kasm_version = "1.12"
}
default = {}
}