Marcos Lopes-Criado projeto em Terraform e Ansible

projeto/infra/README-update.md

@@ -0,0 +1,44 @@
+## Diagrama
+
+![Diagram](img/infra.png)
+
+
+# Infra estrutura com Terraform na AWS
+
++ O código cria a infraestrutura na AWS e gera a chave SSH na máquina local
+
+
+## Para utilizar o código
+
+- Verifique o arquivo ___variables.tf___ na raiz do projeto e altere, se for necessário, as variáveis ___namespace___ e ___region___
+
+Execute no seu terminal:
+
+- export AWS_SECRET_ACCESS_KEY="" 
+- export AWS_ACCESS_KEY_ID=""
+
+Em seguida, ainda no terminal:
+
+- terraform init
+- terraform plan
+- terraform apply
+
+
+## Para acessar a máquina EC2
+
+#### Saída do log do Terraform
+
+key_name = "Chave SSH  teste-apiwiki-key.pem "
+public_ip = "Conect ssh -i teste-apiwiki-key.pem [email protected] "
+web = "Aguarde alguns minutos e acesse http://34.201.139.77 "
+
+
+## Melhorias
+
+- Melhorar as variáveis de automação em Ansible
+- Gerar um certificado válido via Letsencrypt ou utilizar um serviço de WAF para melhorar a segurança ( a segunda opção seria ótima)
+- Criar uma configuração personalizada para o Apache (iria melhorar a necessidade de módulos adicionais e dar mais flexibilidade na implantação de nvoos rercusos)
+- Identificar possibilidade de gerar uma imagem Docker personalizada para escalabilidade do serviço
+- Balanceador de carga para as instâncias, caso o serviço seja escalado.
+- Criar automação no Terraform para adicionar um RDS (MySQL/Aurora)
+- Revisitar os processos do Ansible para identificar melhorias de segurança antes da implantação

projeto/infra/ansible/README.md

@@ -0,0 +1,8 @@
+
+## Rodando o playbook
+
+
+```
+$ ansible-playbook install-wp-debian.yml --extra-vars "domain=dominio"
+```
+

projeto/infra/ansible/roles/install-wp-debian/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for install-wp-debian

projeto/infra/ansible/roles/install-wp-debian/files/cert/site.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUMLRBlwN00xFZF5ryqoKRx3aHIf8wDQYJKoZIhvcNAQEL
+BQAwfDELMAkGA1UEBhMCQlIxEjAQBgNVBAgMCVNhbyBQYXVsbzEVMBMGA1UEBwwM
+U8ODwqNvIFBhdWxvMRgwFgYDVQQKDA9Lbm93WW91clRvb2xzZXQxFDASBgNVBAsM
+C0RldmVsb3BtZW50MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjIwNzE4MTUyMzA5
+WhcNMjMwNzE4MTUyMzA5WjB8MQswCQYDVQQGEwJCUjESMBAGA1UECAwJU2FvIFBh
+dWxvMRUwEwYDVQQHDAxTw4PCo28gUGF1bG8xGDAWBgNVBAoMD0tub3dZb3VyVG9v
+bHNldDEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxEjAQBgNVBAMMCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOWA1l5u2JP5Nb7YQXiirej
+C2BqlFwcugjWAtJBZFj8nQSvz5Ze6BNLdRrIIYeTLcscgIKw+LzpqnpLTpWIc+3r
+cZX8LuMqMpEuGa3UWuP7G8n45RSmXM8hHk1ex71YZtCC6t0yTnceA5IotYhm+Jjc
+5gDGoLLN4H4GwP6Gfl3oAKHuK8oy69SN4OeC0HSKJBKXxORTrWsozLhXXsqCK5W1
+7eJAAZdIvpvfMbZRXMpdhWpIZ+AkpgCQ0nqC+w1rztLUY7WJXQ3L/+cRWggE+q0t
+NcJXF6wrnHd1o+B/1TKAMwv9UU0ln9vHpMmFVue3qjci98eEf9i7I26hJd6rPIEC
+AwEAAaMjMCEwHwYDVR0RBBgwFoIJbG9jYWxob3N0ggkxMjcuMC4wLjEwDQYJKoZI
+hvcNAQELBQADggEBABfSbR0KuaBw6EGoh6mpvpJSx4Y4rbwYNF6HZQL74+s5nE+J
+cKmWTbRMMqOoVJEZ6Q2zzAlSG/+H27BzHnPblTxqpzDop6mVkSf/SNJpsKyX8uKg
+W+OtMf4hNQM/v/sw3x5DTjZDGUvrGoEYwlwWr2Dwv4c296Q1QjlAyOCjeDAXZYEH
+Nt4BlRBxW825uzhXTAseo49ZZhQyfJLzhIcFRcnMI3r9P09beNUXWwGLrNrSPzMZ
+AFw1f9Brm4y2JIJ+0UJ3JXQSzdIWccEyLarUWdYvDmsCH4HaqQn6Tz+0tkeLxU06
+HKaqI5RVIqozTrDrL9Os2yY0Dnr1za282yEPH0I=
+-----END CERTIFICATE-----

projeto/infra/ansible/roles/install-wp-debian/files/cert/site.csr

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE8zCCAtsCAQAwfDELMAkGA1UEBhMCQlIxEjAQBgNVBAgMCVNhbyBQYXVsbzEV
+MBMGA1UEBwwMU8ODwqNvIFBhdWxvMRgwFgYDVQQKDA9Lbm93WW91clRvb2xzZXQx
+FDASBgNVBAsMC0RldmVsb3BtZW50MRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrlrXHzZrxL1g5oWljpB9WlRQogmf3
+17VGbx363ky50utmgvwNOp1CQoCXN2GekE+tdURPrCbLlv47gxIx9FS0zWBKuRsx
+2EzLetxpGU3yabevx6D0rVMKEWhM9vXXsNASMoCBgt8oLkjwH6k40nsSVc1thBuw
+jcv/rdYj7Ar09wvnKMC+/fG8jnJxzLAkf4DChqh/0ILD7NURmCPnFAZXHeMAKp+O
+iKqT4TNR64PbbhE7qfVGNSRVEuYOiwm9v7FMnXEJdTEQaM5iz6ycLL+UT5AuO12d
+lM1qX+Ykuzww5K9yUV5AwzfdpQqC73dVXrKgfuiNcKEkzIru/FGGFGNHb0J/SBT4
+fIb8fN9+FSC5NZmLV24mnYAkQzQzz48C2i2Zz+Z3jFrpTFLT1+mgme1YoLJ07RGb
+USWv/RjR8amL6N30IX/fk5kT79vDCDL2XA9WNsvXKrWgK/0VDxNUGhxw/5R7/Iik
+5lTt2jVCqBP4fs06uxJIZZGdM0Ei0mDs7WOsawLqBm1UpOhF2trCcpqqDe9IHDLR
+Hj6wkeDWkROCP2JpPy6FjjYNKeD3m1kIxYNChavRt7G2Woobsvgw6izlTRGJ4bsg
+/0E4w062LC+YnFW5X1Xdn+j47CpjQYfqnQSzHUljyVzJntsJf9b1p2PC7o/iaZi2
+4ujl/q5kbQyKrQIDAQABoDIwMAYJKoZIhvcNAQkOMSMwITAfBgNVHREEGDAWggls
+b2NhbGhvc3SCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsFAAOCAgEAfJLHFyebhvc/
+sr7OE5mefFIpYCDWJQ0EJEfTwujf8FRflnJZenTOTDedqkEClHmLiXNviXciFIDw
+JH2RB/pl9kO6bdZaw7oemcTy4N5d5YF/6KIqMYfSv6C0hVYZ08W37bCNJ4mn6OHG
+TEpe2Ww69kNcNBpNCQ1tA0CC5bhFf7khNkqWMZyr34ZwAyyYFci3ITxy5yE78qPt
+bp4PMb5Mzeb8x7wHWxqfd2KdmFlu1aByWrmxY3u7/aCzDJpUl+/C0OXsUj3yZ/KI
++/PuIUduxNIRicP+Zd6ezQwwWc6h2Y0TFadszxAhJnWUD6ZffsMwdDrQ1gq0jTua
+1jblcRTeba1eYPpd+EwB/jupycjofBRTK6knEIV2ulHbuewd3UPkBd49RLmjNPYJ
+nb2mxFtf13iS717Y5I62mUM90mT8hAvqZFbPNjHZEPr8zccfXEKLMlOMA2sxxATa
+AMm0/t11KJQsACR20ITvzUb6gYUKRfRTg2EXIhnZtFeCdg+EXAK9QkHhHX54QLeH
+s7J8wgfOcahlxbtv8GTJyNzBGMgfeMJvZKnhmALQch96x3ZxN0w3sHUty7Nr9Z9R
+2W13/1iPIxUWX2RfL58OBSfflpiBVcYJKRCLG8QmaFc/AMdhQnKEwS9k4tgSj161
+puYOOSgbySClTbV6CHofXcCEf7bxzbw=
+-----END CERTIFICATE REQUEST-----

projeto/infra/ansible/roles/install-wp-debian/files/cert/site.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDzlgNZebtiT+TW
++2EF4oq3owtgapRcHLoI1gLSQWRY/J0Er8+WXugTS3UayCGHky3LHICCsPi86ap6
+S06ViHPt63GV/C7jKjKRLhmt1Frj+xvJ+OUUplzPIR5NXse9WGbQgurdMk53HgOS
+KLWIZviY3OYAxqCyzeB+BsD+hn5d6ACh7ivKMuvUjeDngtB0iiQSl8TkU61rKMy4
+V17KgiuVte3iQAGXSL6b3zG2UVzKXYVqSGfgJKYAkNJ6gvsNa87S1GO1iV0Ny//n
+EVoIBPqtLTXCVxesK5x3daPgf9UygDML/VFNJZ/bx6TJhVbnt6o3IvfHhH/YuyNu
+oSXeqzyBAgMBAAECggEADDeO7XLskg69xIaRJDFrkbBMxsYxsLkEH6NUOuVqugfZ
+fD2xJLKX4zfapMA65kjceB5y15s2rortsPqL83YHknxHkyU12NDp/lwYj55h/KNA
+jo28N5/scbsQgQLq87U2WujmDLgUNWc8+JywFipL96bEpm9P6gfnZYrDLUDjn6QF
+LafLI9Jjh2nKzZnB/Zq18MCdI7e6MGE8v8k2KRH4LQEeEut+ArTgFO6QUevZTc2P
+RTe5AyDScW4+YSgKwSwxvkI4T5hlsvyxLnPV+/QptuBlS7oIC7WaJOlOcMPfPheK
+NUyeSRU3/XZyUbQdlIvG0dIXVvjCInBPmZxe1zNvDQKBgQD/vN7nfn/M7246ziy8
+zNwRlPxyBQQU/DwIcIohY5ZFuzADyj7LQtXtLvYFUTmmUp/GMo3p3Smdv/78FxNe
+HaNMSqSJicEKHIb/W/2c+SOW/N6KCTHgWMPM67aNqVlye4ufKOozMaixb62Ldumy
+7o/WTbLsk0qIMf41ot4gmztP+wKBgQDz1fPeOLupEviw0PCMu/Pj9WzCJAOC7esL
+Euwp1OGtFEoEQmgZu0MroOLYZlNacAqcf9ko+bm43sYIl23AM2OolM6IVLGPMZHv
+3Xm7DLAxh3z/XAzbSe5nOJxS4WB8Q1EULBBsjvLXASKa6FegfrJGRlvIJGicW4vw
+D4WdKvXwswKBgDeaL/izB0Redl/wvcda3yovc2ey8X1CjibjmRTDW0PT/A+G5Ho7
+ENod0L29OESSSEzGZxaG0GqM+PqEZeCbnwqSXA3PVppFM5DHxm9ft743QodOknqN
+shyWzz0jqd/7PpMfSTRSQrQ5bMka1JrjxYA5qoJHT/gmrneo7pS2S4ILAoGAFlS3
+2tgzR463O+pGvXzRH0Vwym7l623Coub+ve4DJQjAppc2VXTy9+HqJItqgtPUBPUo
+fDoyqh2s4UiNApcyP1QxfgbTpBuUE/WimmDVGhQgfHp/qu2gac+jcWu2nGrF2CUY
+8/g7gTlXY/x3WfmAdjMnYLME6ZzwufGR+QzgLUUCgYEA/3DahNRH11kuw7NM1BGR
+rpD2ScRJWKhGI7Rc1RQbWHODN3vmzKZR1i4IjMzw/RwL1eevenT6cCJMHx7nO/k3
+zcyhHRCf2EwRmIs5AKdvqjUUQRklR3nPb+AWFyblPg2sm34RkA6PPH15kxQP3BBq
+YXxHVzP8VpjAqCJ9B+2s74M=
+-----END PRIVATE KEY-----

projeto/infra/ansible/roles/install-wp-debian/files/default.conf.j2

@@ -0,0 +1,146 @@
+server {
+    listen [::]:80;
+    listen 80;
+
+    server_name _;
+
+    root /var/www/html;
+    index index.php;
+
+    location ~ /.well-known/acme-challenge {
+        allow all; 
+        root /var/www/html;
+    }
+
+    location ~ ^/.user.ini {
+        deny all;
+    }
+
+    location ~*  .(svg|svgz)$ {
+        types {}
+        default_type image/svg+xml;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~ / {
+        proxy_read_timeout    90;
+        proxy_connect_timeout 90;
+        proxy_http_version  1.1;
+        proxy_cache_bypass  $http_upgrade;
+        proxy_set_header Upgrade           $http_upgrade;
+        proxy_set_header Connection        "upgrade";
+        proxy_set_header X-Real-IP  $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_pass http://wordpress:80;
+    }
+
+    location ~[^?]*/$ {
+        proxy_set_header X-Real-IP  $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_pass http://wordpress:80;
+    }
+
+    location ~ .php$ {
+        proxy_set_header X-Real-IP  $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_pass http://wordpress:80;
+    }
+
+    location ~/. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+} 
+
+
+
+server {
+    listen 443 ssl;
+
+    ssl_certificate /etc/nginx/ssl/site.crt;
+    ssl_certificate_key /etc/nginx/ssl/site.key;
+
+    server_name _;
+
+    root /var/www/html;
+    index index.php;
+
+    location ~ /.well-known/acme-challenge {
+        allow all; 
+        root /var/www/html;
+    }
+
+
+    location ~ ^/.user.ini {
+        deny all;
+    }
+
+    location ~*  .(svg|svgz)$ {
+        types {}
+        default_type image/svg+xml;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~ / {
+        proxy_read_timeout    90;
+        proxy_connect_timeout 90;
+        proxy_http_version  1.1;
+        proxy_cache_bypass  $http_upgrade;
+        proxy_set_header Upgrade           $http_upgrade;
+        proxy_set_header Connection        "upgrade";
+        proxy_set_header X-Real-IP  $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_pass http://wordpress:80;
+    }
+
+    location ~[^?]*/$ {
+        proxy_set_header X-Real-IP  $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_pass http://wordpress:80;
+    }
+
+    location ~ .php$ {
+        proxy_set_header X-Real-IP  $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_pass http://wordpress:80;
+    }
+
+    location ~/. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+} 

projeto/infra/ansible/roles/install-wp-debian/files/docker-compose.yml.j2

@@ -0,0 +1,59 @@
+version: "3.9"
+services:
+    wordpress:
+        container_name: wordpress
+        image: wordpress:php8.1-apache
+        restart: always
+        stdin_open: true
+        tty: true
+        environment:
+          WORDPRESS_DB_HOST: {{mysql_host}}
+          WORDPRESS_DB_USER: {{mysql_user}}
+          WORDPRESS_DB_PASSWORD: {{mysql_password}}
+          WORDPRESS_DB_NAME: {{mysql_database}}
+        volumes:
+            - /var/www/html:/var/www/html
+        networks: 
+          dev:
+            ipv4_address: 171.28.5.10
+
+    mariadb:
+        container_name: mariadb
+        image: mariadb:10.5.9
+        restart: always
+        environment:
+            MYSQL_ROOT_PASSWORD: {{mysql_root_password}}
+        ports:
+          - '3306:3306'    
+        volumes:
+          - db_data:/var/lib/mysql
+        networks: 
+          dev:
+            ipv4_address: 171.28.5.11
+
+    nginx:
+        container_name: nginx
+        image: nginx:latest
+        restart: unless-stopped
+        ports:
+            - 80:80
+            - 443:443
+        volumes:
+            - ./nginx/conf:/etc/nginx/conf.d
+            - ./nginx/certs/cert:/etc/nginx/ssl
+        networks: 
+          dev:
+            ipv4_address: 171.28.5.12
+
+volumes:
+    db_data:
+
+networks: 
+  dev:
+    driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "false"
+    ipam:
+      driver: default
+      config:
+      - subnet: 171.28.0.0/16