build: add tls for mongo in deployment

aneoconsulting · Sep 13, 2024 · 964b597 · 964b597
1 parent 1560cb4
commit 964b597
Show file tree

Hide file tree

Showing 13 changed files with 163 additions and 5 deletions.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -115,6 +115,7 @@ module "submitter" {
   generated_env_vars = local.environment
   log_driver         = module.fluenbit.log_driver
   volumes            = local.volumes
+  mounts             = module.database.core_mounts
 }
 
 module "compute_plane" {
@@ -129,6 +130,7 @@ module "compute_plane" {
   volumes            = local.volumes
   network            = docker_network.armonik.id
   log_driver         = module.fluenbit.log_driver
+  mounts             = module.database.core_mounts
 }
 
 module "metrics_exporter" {
@@ -138,6 +140,7 @@ module "metrics_exporter" {
   network            = docker_network.armonik.id
   generated_env_vars = local.environment
   log_driver         = module.fluenbit.log_driver
+  mounts             = module.database.core_mounts
 }
 
 module "partition_metrics_exporter" {
@@ -148,6 +151,7 @@ module "partition_metrics_exporter" {
   generated_env_vars = local.environment
   metrics_env_vars   = module.metrics_exporter.metrics_env_vars
   log_driver         = module.fluenbit.log_driver
+  mounts             = module.database.core_mounts
 }
 
 module "ingress" {

diff --git a/terraform/modules/compute_plane/inputs.tf b/terraform/modules/compute_plane/inputs.tf
@@ -32,6 +32,10 @@ variable "volumes" {
   type = map(string)
 }
 
+variable "mounts" {
+  type = map(string)
+}
+
 variable "replica_counter" {
   type = number
 }

diff --git a/terraform/modules/compute_plane/main.tf b/terraform/modules/compute_plane/main.tf
@@ -74,5 +74,13 @@ resource "docker_container" "polling_agent" {
     }
   }
 
+  dynamic "upload" {
+    for_each = var.mounts
+    content {
+      source = upload.value
+      file   = upload.key
+    }
+  }
+
   depends_on = [docker_container.worker]
 }
diff --git a/terraform/modules/monitoring/metrics/inputs.tf b/terraform/modules/monitoring/metrics/inputs.tf
@@ -14,6 +14,10 @@ variable "generated_env_vars" {
   type = map(string)
 }
 
+variable "mounts" {
+  type = map(string)
+}
+
 variable "exposed_port" {
   type    = number
   default = 5002

diff --git a/terraform/modules/monitoring/metrics/main.tf b/terraform/modules/monitoring/metrics/main.tf
@@ -20,4 +20,12 @@ resource "docker_container" "metrics" {
     internal = 1080
     external = var.exposed_port
   }
+
+  dynamic "upload" {
+    for_each = var.mounts
+    content {
+      source = upload.value
+      file   = upload.key
+    }
+  }
 }
diff --git a/terraform/modules/monitoring/partition_metrics/inputs.tf b/terraform/modules/monitoring/partition_metrics/inputs.tf
@@ -19,6 +19,10 @@ variable "generated_env_vars" {
   type = map(string)
 }
 
+variable "mounts" {
+  type = map(string)
+}
+
 variable "metrics_env_vars" {
   type = map(string)
 }

diff --git a/terraform/modules/monitoring/partition_metrics/main.tf b/terraform/modules/monitoring/partition_metrics/main.tf
@@ -20,4 +20,12 @@ resource "docker_container" "partition_metrics" {
     internal = 1080
     external = var.exposed_port
   }
+
+    dynamic "upload" {
+    for_each = var.mounts
+    content {
+      source = upload.value
+      file   = upload.key
+    }
+  }
 }
diff --git a/terraform/modules/storage/database/mongo/certificates.tf b/terraform/modules/storage/database/mongo/certificates.tf
@@ -0,0 +1,80 @@
+#------------------------------------------------------------------------------
+# Certificate Authority
+#------------------------------------------------------------------------------
+resource "tls_private_key" "root_mongodb" {
+  algorithm   = "RSA"
+  ecdsa_curve = "P384"
+  rsa_bits    = "4096"
+}
+
+resource "tls_self_signed_cert" "root_mongodb" {
+  private_key_pem       = tls_private_key.root_mongodb.private_key_pem
+  is_ca_certificate     = true
+  validity_period_hours = 100000
+  allowed_uses = [
+    "cert_signing",
+    "key_encipherment",
+    "digital_signature"
+  ]
+  subject {
+    organization = "ArmoniK mongodb Root (NonTrusted)"
+    common_name  = "ArmoniK mongodb Root (NonTrusted) Private Certificate Authority"
+    country      = "France"
+  }
+}
+
+#------------------------------------------------------------------------------
+# Certificate
+#------------------------------------------------------------------------------
+resource "tls_private_key" "mongodb_private_key" {
+  algorithm   = "RSA"
+  ecdsa_curve = "P384"
+  rsa_bits    = "4096"
+}
+
+resource "tls_cert_request" "mongodb_cert_request" {
+  private_key_pem = tls_private_key.mongodb_private_key.private_key_pem
+  subject {
+    country     = "France"
+    common_name = "127.0.0.1"
+    # organization = "127.0.0.1"
+  }
+  ip_addresses = [ "127.0.0.1" ]
+}
+
+resource "tls_locally_signed_cert" "mongodb_certificate" {
+  cert_request_pem      = tls_cert_request.mongodb_cert_request.cert_request_pem
+  ca_private_key_pem    = tls_private_key.root_mongodb.private_key_pem
+  ca_cert_pem           = tls_self_signed_cert.root_mongodb.cert_pem
+  validity_period_hours = 100000
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "client_auth",
+    "any_extended",
+  ]
+}
+
+locals {
+  user_certificate = format("%s\n%s", tls_locally_signed_cert.mongodb_certificate.cert_pem, tls_self_signed_cert.root_mongodb.cert_pem)
+  server_key = format("%s\n%s", tls_locally_signed_cert.mongodb_certificate.cert_pem, tls_private_key.mongodb_private_key.private_key_pem)
+}
+
+resource "local_sensitive_file" "key" {
+  content         = local.server_key
+  filename        = "${path.root}/generated/mongo/key.pem"
+  file_permission = "0644"
+}
+
+resource "local_sensitive_file" "ca" {
+  content         = tls_self_signed_cert.root_mongodb.cert_pem
+  filename        = "${path.root}/generated/mongo/ca.pem"
+  file_permission = "0644"
+}
+
+resource "local_sensitive_file" "chain" {
+  content         = local.user_certificate
+  filename        = "${path.root}/generated/mongo/chain.pem"
+  file_permission = "0644"
+}
diff --git a/terraform/modules/storage/database/mongo/main.tf b/terraform/modules/storage/database/mongo/main.tf
@@ -7,7 +7,7 @@ resource "docker_container" "database" {
   name  = var.mongodb_params.database_name
   image = docker_image.database.image_id
 
-  command = ["mongod", "--bind_ip_all", "--replSet", var.mongodb_params.replica_set_name]
+  command = ["mongod", "--bind_ip_all", "--replSet", var.mongodb_params.replica_set_name, "--tlsMode=requireTLS", "--tlsDisabledProtocols=TLS1_0", "--tlsCertificateKeyFile=/cert/key.pem", "--tlsCAFile=/cert/ca.pem", "--tlsAllowConnectionsWithoutCertificates"]
 
   networks_advanced {
     name = var.network
@@ -23,12 +23,26 @@ resource "docker_container" "database" {
   dynamic "healthcheck" {
     for_each = var.mongodb_params.windows ? [] : [1]
     content {
-      test     = ["CMD", "mongosh", "--quiet", "--eval", "db.runCommand('ping').ok"]
+      test     = ["CMD", "mongosh", "--quiet", "--tls", "--tlsCAFile", "/cert/chain.pem", "--eval", "db.runCommand('ping').ok"]
       interval = "3s"
       retries  = "2"
-      timeout  = "2s"
+      timeout  = "3s"
     }
   }
+  upload {
+    file    = "/cert/key.pem"
+    content = local.server_key
+  }
+
+  upload {
+    file    = "/cert/ca.pem"
+    content = tls_locally_signed_cert.mongodb_certificate.ca_cert_pem
+  }
+
+  upload {
+    file    = "/cert/chain.pem"
+    content = local.user_certificate
+  }
 }
 
 resource "time_sleep" "wait" {
@@ -37,9 +51,9 @@ resource "time_sleep" "wait" {
 }
 
 locals {
-  linux_run = "docker run --net ${var.network} ${docker_image.database.image_id} mongosh mongodb://${docker_container.database.name}:27017/${var.mongodb_params.database_name}"
+  linux_run = "docker exec ${docker_container.database.name} mongosh mongodb://127.0.0.1:27017/${var.mongodb_params.database_name} --tls --tlsCAFile /cert/chain.pem"
   // mongosh is not installed in windows docker images so we need it to be installed locally
-  windows_run = "mongosh.exe mongodb://localhost:${var.mongodb_params.exposed_port}/${var.mongodb_params.database_name}"
+  windows_run = "mongosh.exe mongodb://localhost:${var.mongodb_params.exposed_port}/${var.mongodb_params.database_name} --tls --tlsCAFile ${local_sensitive_file.chain.filename}"
   prefix_run  = var.mongodb_params.windows ? local.windows_run : local.linux_run
 }
 

diff --git a/terraform/modules/storage/database/mongo/outputs.tf b/terraform/modules/storage/database/mongo/outputs.tf
@@ -9,7 +9,15 @@ output "generated_env_vars" {
     "MongoDB__TableStorage__PollingDelayMax" = "${var.mongodb_params.max_polling_delay}"
     "MongoDB__DirectConnection"              = "${var.mongodb_params.use_direct_connection}"
     "MongoDB__ReplicaSet"                    = "${var.mongodb_params.replica_set_name}"
+    "MongoDB__Tls"                           = "true"
+    "MongoDB_CAFile"                         = "/cert/chain.pem"
   }
 
   depends_on = [null_resource.partitions_in_db]
 }
+
+output "core_mounts" {
+  value = {
+    "/cert/chain.pem" = local_sensitive_file.chain.filename
+  }
+}
diff --git a/terraform/modules/storage/database/mongo/versions.tf b/terraform/modules/storage/database/mongo/versions.tf
@@ -8,5 +8,9 @@ terraform {
       source  = "hashicorp/time"
       version = "0.12.0"
     }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 4.0.4"
+    }
   }
 }
diff --git a/terraform/modules/submitter/inputs.tf b/terraform/modules/submitter/inputs.tf
@@ -18,6 +18,10 @@ variable "generated_env_vars" {
   type = map(string)
 }
 
+variable "mounts" {
+  type = map(string)
+}
+
 variable "volumes" {
   type = map(string)
 }

diff --git a/terraform/modules/submitter/main.tf b/terraform/modules/submitter/main.tf
@@ -34,4 +34,12 @@ resource "docker_container" "submitter" {
       source = mounts.key
     }
   }
+
+  dynamic "upload" {
+    for_each = var.mounts
+    content {
+      source = upload.value
+      file   = upload.key
+    }
+  }
 }