code for file share access demo with documentation and vpn setup.

.gitignore

@@ -37,3 +37,4 @@ override.tf.json
 .terraformrc
 terraform.rc
 .DS_Store
+**/local.tf

Terraform/deploy-fsx-ontap-fileshare-access/main.tf

@@ -0,0 +1,124 @@
+terraform {
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.44.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.5.1"
+    }
+  }
+
+}
+
+provider "aws" {
+  region = var.aws_location
+
+  default_tags {
+    tags = {
+      "creator" = var.creator_tag
+    }
+  }
+}
+
+module "fsxontap" {
+  source = "./modules/fsxn"
+
+  fsxn_password           = var.fsxn_password
+  fsxn_deployment_type    = "SINGLE_AZ_1"
+  fsxn_subnet_ids         = [aws_subnet.private_subnet[0].id, aws_subnet.private_subnet[1].id]
+  fsxn_security_group_ids = [aws_security_group.sg-fsx.id]
+  fsxn_volume_name_prefix = "${var.environment}_shares"
+
+  ad = {
+    domain_name              = "AD.FSXN.COM"
+    administrators_group     = "FSXN Administrators"
+    ou                       = "OU=FSXN,DC=AD,DC=FSXN,DC=com"
+    service_account          = "fsxnadmin"
+    service_account_password = var.ad_admin_password
+    dns_ips                  = [module.ec2-ad.ip_address.private_ip]
+  }
+  creator_tag = var.creator_tag
+}
+
+module "vpn" {
+  source             = "./modules/vpn"
+  vpc_id             = aws_vpc.vpc.id
+  vpn_cidr           = "10.100.0.0/22"
+  public_subnet_id   = aws_subnet.public_subnet[0].id
+  ca_crt             = file("${path.root}/modules/vpn/certs/ca.pem")
+  client_cert        = file("${path.root}/modules/vpn/certs/client.fsxn.pem")
+  client_private_key = file("${path.root}/modules/vpn/certs/client.fsxn.key")
+  server_cert        = file("${path.root}/modules/vpn/certs/server.fsxn.pem")
+  server_private_key = file("${path.root}/modules/vpn/certs/server.fsxn.key")
+  depends_on         = [module.ec2-ad, module.fsxontap]
+}
+
+module "ec2-ad" {
+  source                  = "./modules/ec2ad"
+  ad_domain               = "ad.fsxn.com"
+  ad_service_account      = "fsxnadmin"
+  ad_service_account_pwd  = var.ad_admin_password
+  ad_administrators_group = "FSXN ADMINISTRATORS"
+  ec2_instance_key_pair   = var.ec2_instance_keypair
+  ec2_subnet_id           = aws_subnet.private_subnet[0].id
+  ec2_instance_name       = "FSxN"
+  ec2_instance_type       = var.ec2_instance_type
+  ec2_iam_role            = var.ec2_iam_role
+  creator_tag             = var.creator_tag
+  ssm_password_key        = aws_ssm_parameter.adadminpassword.name
+  security_groups_ids     = [aws_security_group.sg-AllowRemoteToEC2.id, aws_security_group.sg-AD-Server.id]
+}
+
+resource "aws_instance" "ec2-jump-config-server" {
+  ami           = data.aws_ami.ubuntu-server-2004.id
+  instance_type = "t2.micro"
+  monitoring    = false
+
+  vpc_security_group_ids = [aws_security_group.sg-AllowRemoteToEC2.id]
+  subnet_id              = aws_subnet.public_subnet[0].id
+  key_name               = var.ec2_instance_keypair
+  iam_instance_profile   = var.ec2_iam_role
+
+  user_data = <<EOF
+#!/bin/bash
+apt update
+apt -y install awscli
+vserver="${module.fsxontap.fsxn_svm.name}"
+share_name_1="Share_Vol1"
+path_1="${module.fsxontap.fsxn_volume_1.junction_path}"
+share_name_2="Share_Vol2"
+path_2="${module.fsxontap.fsxn_volume_2.junction_path}"
+cluster="${sort(module.fsxontap.fsxn_management_management_ip)[0]}"
+username="fsxadmin"
+password=$(aws ssm get-parameter --name "${aws_ssm_parameter.fsxpassword.name}" --with-decryption --output text --query Parameter.Value --region ${var.aws_location})
+response=$(curl -ks -u "$username:$password" -X GET "https://$cluster/api/protocols/cifs/shares?name=$share_name_1&svm.name=$vserver")
+echo $response | grep -q "\"name\":\"$share_name_1\"" && echo "Share $share_name_1 already exists." || { curl -ks -u "$username:$password" -X POST -H "Content-Type: application/json" -d '{ "svm": { "name": "'"$vserver"'" }, "name": "'"$share_name_1"'", "path": "'"$path_1"'" }' "https://$cluster/api/protocols/cifs/shares" && echo "Share $share_name_1 created." || echo "Failed to create share $share_name_1."; }
+response=$(curl -ks -u "$username:$password" -X GET "https://$cluster/api/protocols/cifs/shares?name=$share_name_2&svm.name=$vserver")
+echo $response | grep -q "\"name\":\"$share_name_2\"" && echo "Share $share_name_2 already exists." || { curl -ks -u "$username:$password" -X POST -H "Content-Type: application/json" -d '{ "svm": { "name": "'"$vserver"'" }, "name": "'"$share_name_2"'", "path": "'"$path_2"'" }' "https://$cluster/api/protocols/cifs/shares" && echo "Share $share_name_2 created." || echo "Failed to create share $share_name_2."; }
+EOF
+
+  depends_on = [
+    module.fsxontap,
+    aws_vpc.vpc,
+    aws_subnet.public_subnet
+  ]
+  tags = {
+    Name = "${var.creator_tag}-${var.environment}-Jump-Server"
+  }
+}
+
+data "aws_ami" "ubuntu-server-2004" {
+  most_recent = true
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+  owners = ["099720109477"] # Amazon
+}

Terraform/deploy-fsx-ontap-fileshare-access/modules/ec2ad/ec2-ad.tf

@@ -0,0 +1,90 @@
+
+locals {
+  server_name = "${var.creator_tag}-${var.ec2_instance_name}-AD"
+}
+
+resource "aws_instance" "ec2-ad" {
+  ami           = data.aws_ami.windows-core-server.id
+  instance_type = var.ec2_instance_type
+  monitoring    = true
+
+  vpc_security_group_ids = var.security_groups_ids
+  subnet_id              = var.ec2_subnet_id
+  key_name               = var.ec2_instance_key_pair
+  iam_instance_profile   = var.ec2_iam_role
+  get_password_data      = true
+
+  root_block_device {
+    volume_type = "gp2"
+    volume_size = 70
+  }
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+
+  user_data = <<EOT
+  <powershell>
+$Domain = "${var.ad_domain}"
+$DN = "DC=" + $Domain.Replace(".",",DC=")
+$ssmPass = (Get-SSMParameterValue -Name ${var.ssm_password_key} -WithDecryption 1).Parameters.Value 
+$Pass = ConvertTo-SecureString "$($ssmPass)" -AsPlainText -Force 
+$InstanceId = Get-EC2InstanceMetadata -Category InstanceId 
+$Tags = Get-EC2Tag -Filter @{Name="resource-type";Values="instance"},@{Name="resource-id";Values=$InstanceId}
+
+if(($Tags | Where-Object { $_.Key -eq "ADStatus" }).Value -eq "Completed") {
+  exit
+}
+
+if(($Tags | Where-Object { $_.Key -eq "ADStatus" }) -eq $null) { 
+    $tag = New-Object Amazon.EC2.Model.Tag
+    $tag.Key = "ADStatus"
+    $tag.Value = "Provisioning"
+
+    New-EC2Tag -Resource $InstanceId -Tag $tag
+}
+
+if((Get-WindowsFeature -Name AD-Domain-Services).InstallState -ne "Installed") {
+  Add-WindowsFeature AD-Domain-Services
+}
+
+if((Get-WindowsFeature -Name RSAT-AD-Tools).InstallState -ne "Installed") {
+  Add-WIndowsFeature RSAT-AD-Tools
+}
+
+if((Get-WindowsFeature -Name RSAT-ADDS).InstallState -ne "Installed") {
+  Add-WIndowsFeature RSAT-ADDS
+}
+
+Try {
+  (Get-ADDomain | Where-Object { $_.DNSRoot -eq "${var.ad_domain}"})
+} Catch {
+  Install-ADDSForest -DomainName ${var.ad_domain} -InstallDNS -SafeModeAdministratorPassword $Pass -Confirm:$false 
+}
+
+if((Get-ADOrganizationalUnit -Filter "Name -like 'FSXN'") -eq $null) {
+  New-ADOrganizationalUnit -Name "FSXN" -Path $DN
+}
+
+if((Get-ADUser -Filter "samAccountName -like 'fsxnadmin'") -eq $null) {
+  New-ADUser -Name ${var.ad_service_account} -AccountPassword $Pass -Passwordneverexpires $true -Enabled $true -ChangePasswordAtLogon $false
+  Add-ADGroupMember -Identity "Domain Admins" -Members ${var.ad_service_account}
+  Add-ADGroupMember -Identity "Administrators" -Members ${var.ad_service_account}
+  New-ADGroup -DisplayName "${var.ad_administrators_group}" -GroupCategory Security -GroupScope Global -Name "${var.ad_administrators_group}" -SamAccountName "${var.ad_administrators_group}"  
+  Add-ADGroupMember -Identity "${var.ad_administrators_group}" -Members ${var.ad_service_account}
+
+  $tag = New-Object Amazon.EC2.Model.Tag
+  $tag.Key = "ADStatus"
+  $tag.Value = "Completed"
+
+  New-EC2Tag -Resource $InstanceId -Tag $tag
+}
+
+  </powershell>
+  <persist>true</persist>
+  EOT 
+
+  tags = {
+    Name = local.server_name
+  }
+}

Terraform/deploy-fsx-ontap-fileshare-access/modules/ec2ad/ec2-ami.tf

@@ -0,0 +1,12 @@
+data "aws_ami" "windows-core-server" {
+  most_recent = true
+  filter {
+    name   = "name"
+    values = ["Windows_Server-2022-English-Full-Base-*"]
+  }
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+  owners = ["801119661308"] # Amazon
+}

Terraform/deploy-fsx-ontap-fileshare-access/modules/ec2ad/outputs.tf

@@ -0,0 +1,6 @@
+output "ip_address" {
+  value = {
+    private_ip = aws_instance.ec2-ad.private_ip
+    public_ip  = aws_instance.ec2-ad.public_ip
+  }
+}

Terraform/deploy-fsx-ontap-fileshare-access/modules/ec2ad/variables.tf

@@ -0,0 +1,71 @@
+variable "aws_location" {
+  description = "AWS Region"
+  type        = string
+  default     = "ap-southeeast-1"
+}
+
+variable "ec2_instance_name" {
+  description = "EC2 Instance Name"
+  type        = string
+  default     = "Demo"
+}
+
+variable "ec2_instance_type" {
+  description = "EC2 Instance Type for AD Server"
+  type        = string
+  default     = "t3.xlarge"
+}
+
+variable "ec2_iam_role" {
+  description = "EC2 IAM Role with access to SSM Parameters"
+  type        = string
+  default     = "AWSIAM_ROLE_WITH_SSM_ACCESS"
+}
+
+variable "ad_domain" {
+  description = "Active Directory Domain"
+  type        = string
+}
+
+variable "ad_service_account" {
+  description = "Active Directory Service Account"
+  type        = string
+  default     = "ec2ad_svc_account"
+}
+
+variable "ad_service_account_pwd" {
+  description = "Active Directory Service Account Password"
+  type        = string
+  sensitive   = true
+}
+
+variable "ad_administrators_group" {
+  description = "Active Directory new administrators group"
+  type        = string
+  default     = "FS Administrators Group"
+}
+
+variable "ec2_instance_key_pair" {
+  description = "Name of the instance key pair"
+  type        = string
+}
+
+variable "ec2_subnet_id" {
+  description = "Subnet Id for EC2 Instances"
+  type        = string
+}
+
+variable "security_groups_ids" {
+  description = "Security Groups for EC2 Instances"
+  type        = list(string)
+}
+
+variable "creator_tag" {
+  description = "Tag with the Key as Creator"
+  type        = string
+}
+
+variable "ssm_password_key" {
+  description = "Password Variable Name in the SSM Document"
+  type        = string
+}

Terraform/deploy-fsx-ontap-fileshare-access/modules/fsxn/fsx-fs.tf

@@ -0,0 +1,19 @@
+resource "aws_fsx_ontap_file_system" "fsx_ontap_fs" {
+  storage_capacity    = var.fsxn_ssd_in_gb
+  throughput_capacity = var.fsxn_throughput_capacity
+  deployment_type     = var.fsxn_deployment_type
+  /* 
+    Use Single Subnet if the Deployment Type is Single AZ. 
+  */
+  subnet_ids          = (var.fsxn_deployment_type == "SINGLE_AZ_1") ? [var.fsxn_subnet_ids[0]] : var.fsxn_subnet_ids
+  preferred_subnet_id = var.fsxn_subnet_ids[0]
+  fsx_admin_password  = var.fsxn_password
+  security_group_ids  = var.fsxn_security_group_ids
+
+  tags = {
+    "Name" = "${var.creator_tag}-FSxN-Shares-Demo"
+  }
+}
+
+
+

Terraform/deploy-fsx-ontap-fileshare-access/modules/fsxn/fsx-svm.tf

@@ -0,0 +1,18 @@
+resource "aws_fsx_ontap_storage_virtual_machine" "fsxsvm01" {
+  file_system_id             = aws_fsx_ontap_file_system.fsx_ontap_fs.id
+  name                       = "svm01"
+  root_volume_security_style = var.fsxn_volume_security_style
+  svm_admin_password         = var.fsxn_password
+
+  active_directory_configuration {
+    netbios_name = "FSxN-svm01"
+    self_managed_active_directory_configuration {
+      domain_name                            = var.ad.domain_name
+      dns_ips                                = var.ad.dns_ips
+      file_system_administrators_group       = var.ad.administrators_group
+      organizational_unit_distinguished_name = var.ad.ou
+      username                               = var.ad.service_account
+      password                               = var.ad.service_account_password
+    }
+  }
+}

Terraform/deploy-fsx-ontap-fileshare-access/modules/fsxn/fsx-volume.tf

@@ -0,0 +1,30 @@
+resource "aws_fsx_ontap_volume" "fsxn_volume_1" {
+  name                       = "${var.fsxn_volume_name_prefix}_vol1"
+  junction_path              = "/${var.fsxn_volume_name_prefix}_vol1"
+  security_style             = var.fsxn_volume_security_style
+  size_in_megabytes          = 500000
+  snapshot_policy            = "default"
+  storage_efficiency_enabled = true
+  storage_virtual_machine_id = aws_fsx_ontap_storage_virtual_machine.fsxsvm01.id
+  skip_final_backup          = true
+  tiering_policy {
+    name           = "AUTO"
+    cooling_period = "7"
+  }
+}
+
+resource "aws_fsx_ontap_volume" "fsxn_volume_2" {
+  name                       = "${var.fsxn_volume_name_prefix}_vol2"
+  junction_path              = "/${var.fsxn_volume_name_prefix}_vol2"
+  security_style             = var.fsxn_volume_security_style
+  size_in_megabytes          = 500000
+  snapshot_policy            = "default"
+  storage_efficiency_enabled = true
+  storage_virtual_machine_id = aws_fsx_ontap_storage_virtual_machine.fsxsvm01.id
+  skip_final_backup          = true
+  tiering_policy {
+    name = "ALL"
+  }
+}
+
+