bat9go
/
Ycsecurity
cermin dari https://github.com/yandex-cloud/yc-solution-library-for-security


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194
							
data "yandex_vpc_network" "vpc-positive" {
  network_id = var.vpc_id
}

resource "yandex_vpc_subnet" "ext-subnet" {
  folder_id = var.folder_id

  count          = 2
  name           = "ext-subnet-${element(var.network_names, count.index)}"
  zone           = element(var.zones, count.index)
  network_id     = data.yandex_vpc_network.vpc-positive.id
  v4_cidr_blocks = [element(var.ext_cidrs, count.index)]
}


resource "yandex_vpc_subnet" "mgmgt-subnet" {
  folder_id = var.folder_id

  count          = 2
  name           = "mgmt-subnet-${element(var.network_names, count.index)}"
  zone           = element(var.zones, count.index)
  network_id     = data.yandex_vpc_network.vpc-positive.id
  v4_cidr_blocks = [element(var.mgmt_cidrs, count.index)]
}


//Создание Security Group
resource "yandex_vpc_security_group" "ptaf-sg" {
  folder_id = var.folder_id
  name       = "ptaf-sg"
  network_id = data.yandex_vpc_network.vpc-positive.id
  ingress {
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port      = 80
  }
  ingress {
    protocol       = "TCP"
    security_group_id = yandex_vpc_security_group.ssh-broker.id
    from_port      = 0
    to_port        = 65535
  }
  ingress {
    protocol       = "TCP"
    v4_cidr_blocks = ["198.18.235.0/24", "198.18.248.0/24"]
    from_port      = 0
    to_port        = 65535
  }
  ingress {
    protocol       = "TCP"
    predefined_target = "self_security_group"
    from_port      = 0
    to_port        = 65535
  }
  egress {
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
    from_port      = 0
    to_port        = 65535
  }
}


resource "yandex_vpc_security_group" "app-sg" {
  folder_id = var.folder_id
  name       = "apps-sg"
  network_id = data.yandex_vpc_network.vpc-positive.id
  ingress {
    protocol       = "TCP"
    security_group_id = yandex_vpc_security_group.ptaf-sg.id
    port      = 80
  }
  ingress {
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port      = 80
  }
  ingress {
    protocol       = "TCP"
    v4_cidr_blocks = ["198.18.235.0/24", "198.18.248.0/24"]
    from_port      = 0
    to_port        = 65535
  }
  egress {
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
    from_port      = 0
    to_port        = 65535
  }
}


resource "yandex_vpc_security_group" "ssh-broker" {
  folder_id = var.folder_id
  name       = "broker-sg"
  network_id = data.yandex_vpc_network.vpc-positive.id
  ingress {
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port      = 22
  }
  egress {
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
    from_port      = 0
    to_port        = 65535
  }
}


//Создание LB_target_group ptaf
resource "yandex_lb_target_group" "ptaf_group" {
  name      = "ptafgroup"

  target {
    subnet_id = yandex_vpc_subnet.ext-subnet[0].id
    address   = yandex_compute_instance.ptaf-a.network_interface.0.ip_address
  }

  target {
    subnet_id = yandex_vpc_subnet.ext-subnet[1].id
    address   = yandex_compute_instance.ptaf-b.network_interface.0.ip_address
  }
}


//Объявление extLB для импорта
resource "yandex_lb_network_load_balancer" "ext-lb" {
  name = "extlb"

  listener {
    name = "my-listener"
    port = 80
    external_address_spec {
      ip_version = "ipv4"
    }
  }

  attached_target_group {
    target_group_id = "${yandex_lb_target_group.ptaf_group.id}"

    healthcheck {
      name = "tcp"
      tcp_options {
        port = 80
      }
    }
  }

  
}

//data target-group app
data "yandex_lb_target_group" "app-group" {
  target_group_id = var.app_target_group_id
}

//Создание intLB 
resource "yandex_lb_network_load_balancer" "int-lb" {
  name = "intlb"
  type = "internal"
  depends_on = [
    yandex_lb_network_load_balancer.ext-lb,
  ]

  listener {
    name = "my-listener"
    port = 80
    internal_address_spec {
      subnet_id  = yandex_vpc_subnet.ext-subnet[0].id
    }
  }

  attached_target_group {
    target_group_id = data.yandex_lb_target_group.app-group.id

    healthcheck {
      name = "tcp"
      tcp_options {
        port = 80
      }
    }
  }

  
}