Add additional configuration options to Openvpn (#15)

* Add eip and extra route capability

* Update formatting

* Fix the tag filter

Author: kjonick1

certs/main.tf

@@ -69,6 +69,7 @@ resource "aws_iam_role_policy" "tags" {
       "Effect": "Allow",
       "Action": [
           "ec2:CreateTags",
+          "ec2:DescribeTags",
           "ec2:AssociateAddress",
           "ec2:DescribeAddresses",
           "ec2:DescribeInstances"
@@ -187,16 +188,31 @@ resource "aws_security_group_rule" "cluster_allow_icmp_in" {
   security_group_id = "${module.cluster.sg_id}"
 }
 
+resource "aws_eip" "openvpn_eip" {
+  count = "${var.assign_eip == "true" ? 1 : 0}"
+  vpc   = true
+
+  tags {
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+    Name        = "${var.stack_item_label}"
+  }
+}
+
 ## Creates instance user data
 data "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
-    hostname         = "${var.stack_item_label}"
-    s3_bucket        = "${var.s3_bucket}"
-    s3_bucket_prefix = "${var.s3_bucket_prefix}"
-    route_cidrs      = "${var.route_cidrs}"
-    vpc_dns_ip       = "${var.vpc_dns_ip}"
+    additional_routes = "${var.additional_routes}"
+    assign_eip        = "${var.assign_eip}"
+    hostname          = "${var.stack_item_label}"
+    s3_bucket         = "${var.s3_bucket}"
+    s3_bucket_prefix  = "${var.s3_bucket_prefix}"
+    stack_item_label  = "${var.stack_item_label}"
+    region            = "${var.region}"
+    route_cidrs       = "${var.route_cidrs}"
+    vpc_dns_ip        = "${var.vpc_dns_ip}"
   }
 }
 

certs/templates/user_data.tpl

@@ -2,6 +2,7 @@
 ## The sed and daemon-reload entries are temporary and will be removed once permission issue is handled on base AMI.
 ## https://github.com/WhistleLabs/terraform-aws-openvpn/pull/2
 runcmd:
+  - export INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
   - echo "OPENVPN_CERT_SOURCE=s3://${replace(s3_bucket,"/(/)+$/","")}/${replace(s3_bucket_prefix,"/^(/)+|(/)+$/","")}" > /etc/openvpn/get-openvpn-certs.env
   - echo "push \"dhcp-option DNS ${vpc_dns_ip}\"" >> /etc/openvpn/server.conf
   - echo 'crl-verify /etc/openvpn/keys/crl.pem' >> /etc/openvpn/server.conf
@@ -10,10 +11,12 @@ runcmd:
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),3), 0)}  ${cidrnetmask(element(split(",",route_cidrs),3))}\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),4), 0)}  ${cidrnetmask(element(split(",",route_cidrs),4))}\"" >> /etc/openvpn/server.conf
+  - for route in `echo ${additional_routes} | tr ',' ' '`; do echo "push \"route $${route}  255.255.255.255\"" >> /etc/openvpn/server.conf;done
   - sed -i 's/\(ExecStartPost=.*chmod.*$\)/ExecStartPost=\/bin\/chown -R nobody:nogroup \/etc\/openvpn\n\1\n/g' /etc/systemd/system/get-openvpn-certs.service
   - systemctl daemon-reload
   - systemctl start get-openvpn-certs
   - systemctl restart openvpn@server
   - systemctl restart iptables
+  - if [ ${assign_eip} = 'true' ]; then for eip in `aws ec2 describe-tags --region=${region} --filters  "Name=resource-type,Values=elastic-ip" "Name=value,Values=${stack_item_label}" | jq -r '.Tags[].ResourceId'`; do if [ `aws ec2 describe-addresses --allocation-id $${eip} --region=${region} | jq -r '.Addresses[].InstanceId'` = 'null' ]; then echo "$${eip} is available, assigning it to current instance";aws ec2 associate-address --instance-id "$${INSTANCE_ID}" --allocation-id $${eip} --region=${region};else echo "$${eip} is taken";fi; done;fi
 
 output : { all : '| tee -a /var/log/cloud-init-output.log' }

certs/variables.tf

@@ -28,6 +28,12 @@ variable "subnets" {
 }
 
 ## OpenVPN parameters
+variable "additional_routes" {
+  type        = "string"
+  description = "Additional routes to add to Openvpn Config"
+  default     = ""
+}
+
 variable "ami_custom" {
   type        = "string"
   description = "Custom AMI to utilize"
@@ -39,11 +45,23 @@ variable "ami_region_lookup" {
   type = "map"
 
   default = {
-    us-east-1      = "ami-44e8913e"
-    us-east-2      = "ami-d1c9e1b4"
+    us-east-1 = "ami-44e8913e"
+    us-east-2 = "ami-d1c9e1b4"
   }
 }
 
+variable "assign_eip" {
+  type        = "string"
+  description = "Boolean to determine if Elastic IP should be assigned to host"
+  default     = "false"
+}
+
+variable "eip_tag" {
+  type        = "string"
+  description = "Tag used to lookup Elastic IP to assign"
+  default     = ""
+}
+
 variable "instance_type" {
   type        = "string"
   description = "EC2 instance type to associate with the launch configuration."
@@ -90,4 +108,3 @@ variable "vpn_whitelist" {
   description = "Limit VPN access to the designated list of CIDRs"
   default     = "0.0.0.0/0"
 }
-

generate-certs/main.tf

@@ -70,6 +70,7 @@ resource "aws_iam_role_policy" "tags" {
       "Effect": "Allow",
       "Action": [
           "ec2:CreateTags",
+          "ec2:DescribeTags",
           "ec2:AssociateAddress",
           "ec2:DescribeAddresses",
           "ec2:DescribeInstances"

generate-certs/variables.tf

@@ -23,9 +23,9 @@ variable "ami_region_lookup" {
   type = "map"
 
   default = {
-    us-east-1      = "ami-6d65687b"
-    us-east-2      = "ami-1dcbe878"
-    custom         = ""
+    us-east-1 = "ami-6d65687b"
+    us-east-2 = "ami-1dcbe878"
+    custom    = ""
   }
 }