Merge pull request #17 from unifio/yl-wip

PoC module for docker-openvpn

Author: yuhunglin

.gitignore

@@ -1,2 +1,4 @@
 *.tfstate*
 .terraform/
+docker-openvpn-server/terraform.tfvars*
+docker-openvpn-server/.env

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Unreleased
 
+* Bring in covalence to help with bootstrapping/testing. Consider some kitchen/localstack testing.
+* PoC docker-openvpn-server modules
+
 ## 1.0.0
 
 #### IMPROVEMENTS:

docker-openvpn-server/cluster/ami.tf

@@ -0,0 +1,8 @@
+data "aws_ami" "cluster_ami" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-*-amazon-ecs-optimized"]
+  }
+}

docker-openvpn-server/cluster/eip.tf

@@ -0,0 +1,10 @@
+resource "aws_eip" "openvpn_eip" {
+  count = "${var.assign_eip == "true" ? 1 : 0}"
+  vpc   = true
+
+  tags {
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+    Name        = "${var.stack_item_label}"
+  }
+}

docker-openvpn-server/cluster/iam.tf

@@ -0,0 +1,102 @@
+# inputs
+locals {
+  in_iam_stack_item_label = "${var.stack_item_label}"
+  in_iam_region           = "${var.region}"
+  in_iam_s3_bucket        = "${var.s3_bucket}"
+  in_iam_s3_bucket_prefix = "${var.s3_bucket_prefix}"
+}
+
+# local vars for the file
+locals {
+  local_iam_name           = "${local.in_iam_stack_item_label}-${local.in_iam_region}"
+  local_iam_s3_full_path   = "${replace(local.in_iam_s3_bucket,"/(/)+$/","")}/${replace(local.in_iam_s3_bucket_prefix,"/^(/)+|(/)+$/","")}"
+  local_iam_s3_bucket_path = "${replace(local.in_iam_s3_bucket,"/(/)+$/","")}"
+}
+
+## Creates IAM role & policies
+resource "aws_iam_role" "role" {
+  name = "${local.local_iam_name}"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+         "Service": "ec2.amazonaws.com"
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "s3_certs_ro" {
+  name = "s3_certs_ro"
+  role = "${aws_iam_role.role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:Get*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${local.local_iam_s3_full_path}",
+        "arn:aws:s3:::${local.local_iam_s3_full_path}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:List*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${local.local_iam_s3_bucket_path}"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "tags" {
+  name = "tags"
+  role = "${aws_iam_role.role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+          "ec2:CreateTags",
+          "ec2:DescribeTags",
+          "ec2:AssociateAddress",
+          "ec2:DescribeAddresses",
+          "ec2:DescribeInstances"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+## Creates IAM instance profile
+resource "aws_iam_instance_profile" "profile" {
+  name = "${local.local_iam_name}"
+  role = "${aws_iam_role.role.name}"
+}
+
+## outputs
+locals {
+  out_iam_instance_profile_id = "${aws_iam_instance_profile.profile.id}"
+}

docker-openvpn-server/cluster/main.tf

@@ -0,0 +1,58 @@
+provider "template" {
+  version = "~> 1.0.0"
+}
+
+locals {
+  user_data_vars = {
+    additional_routes    = "${var.additional_routes}"
+    assign_eip           = "${var.assign_eip}"
+    hostname             = "${var.stack_item_label}"
+    s3_bucket            = "${var.s3_bucket}"
+    s3_bucket_prefix     = "${coalesce(var.s3_bucket_prefix_for_service, var.s3_bucket_prefix)}"
+    stack_item_label     = "${var.stack_item_label}"
+    region               = "${var.region}"
+    route_cidrs          = "${var.route_cidrs}"
+    vpc_dns_ip           = "${var.vpc_dns_ip}"
+    openvpn_docker_image = "${var.openvpn_docker_image}"
+    openvpn_docker_tag   = "${var.openvpn_docker_tag}"
+  }
+}
+
+## Creates instance user data
+data "template_file" "user_data" {
+  template = "${file("${path.module}/templates/user_data.tpl")}"
+  vars     = "${local.user_data_vars}"
+}
+
+## Creates auto scaling cluster
+module "cluster" {
+  source = "github.com/unifio/terraform-aws-asg?ref=v0.3.2//group"
+
+  # Resource tags
+  stack_item_label    = "${var.stack_item_label}"
+  stack_item_fullname = "${var.stack_item_fullname}"
+
+  # VPC parameters
+  vpc_id  = "${var.vpc_id}"
+  subnets = ["${split(",",var.subnets)}"]
+
+  # LC parameters
+  ami                           = "${coalesce(var.ami_custom, data.aws_ami.cluster_ami.id)}"
+  ebs_optimized                 = "false"
+  enable_monitoring             = "true"
+  instance_based_naming_enabled = "${var.instance_based_naming_enabled}"
+  instance_profile              = "${aws_iam_instance_profile.profile.id}"
+  instance_type                 = "${var.instance_type}"
+  key_name                      = "${var.key_name}"
+  user_data                     = "${coalesce(var.ami_custom_user_data, data.template_file.user_data.rendered)}"
+  associate_public_ip_address   = "${var.associate_public_ip_address}"
+
+  # ASG parameters
+  enabled_metrics   = "${var.enabled_metrics}"
+  hc_check_type     = "${var.enable_lb == "true" ? "ELB" : "EC2"}"
+  instance_tags     = "${var.instance_tags}"
+  max_size          = 2
+  min_size          = 1
+  hc_grace_period   = 300
+  target_group_arns = "${var.lb_target_group_arns}"
+}

docker-openvpn-server/cluster/sg.tf

@@ -0,0 +1,43 @@
+# inputs
+locals {
+  in_sg_id            = "${module.cluster.sg_id}"
+  in_sg_vpn_whitelist = "${var.vpn_whitelist}"
+  in_sg_ssh_whitelist = "${var.ssh_whitelist}"
+}
+
+## Creates security group rules
+resource "aws_security_group_rule" "cluster_allow_all_out" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${local.in_sg_id}"
+}
+
+resource "aws_security_group_rule" "cluster_allow_openvpn_tcp_in" {
+  type              = "ingress"
+  from_port         = 1194
+  to_port           = 1194
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",local.in_sg_vpn_whitelist)}"]
+  security_group_id = "${local.in_sg_id}"
+}
+
+resource "aws_security_group_rule" "cluster_allow_ssh_in" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",local.in_sg_ssh_whitelist)}"]
+  security_group_id = "${local.in_sg_id}"
+}
+
+resource "aws_security_group_rule" "cluster_allow_icmp_in" {
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "icmp"
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
+  security_group_id = "${local.in_sg_id}"
+}

docker-openvpn-server/cluster/templates/user_data.tpl

@@ -0,0 +1,31 @@
+#cloud-config
+runcmd:
+  - sleep 60
+  - yum update -y
+  - yum install jq -y
+  - curl -s -O https://bootstrap.pypa.io/get-pip.py && python get-pip.py
+  - /usr/local/bin/pip install awscli && ln -sf /usr/local/bin/aws /usr/bin/
+
+  - export INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
+  - docker pull ${openvpn_docker_image}:${openvpn_docker_tag}
+  - mkdir -p /opt/openvpn
+  - touch /opt/openvpn/.env && chmod 700 /opt/openvpn/.env
+  - touch /opt/openvpn/server-append.conf && chmod 700 /opt/openvpn/server-append.conf
+  - echo "OPENVPN_S3_PULL_CERTS=true" >> /opt/openvpn/.env
+  - echo "OPENVPN_S3_CERT_PATH=${replace(s3_bucket,"/(/)+$/","")}/${replace(s3_bucket_prefix,"/^(/)+|(/)+$/","")}" >> /opt/openvpn/.env
+  - if [ -n "${vpc_dns_ip}" ]; then echo "push \"dhcp-option DNS ${vpc_dns_ip}\"" >> /opt/openvpn/server-append.conf;fi
+  - echo "push \"route $(ip route get 8.8.8.8| grep src| sed 's/.*src \(.*\)$/\1/g') 255.255.255.255 net_gateway\"" >> /opt/openvpn/server-append.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),1), 0)}  ${cidrnetmask(element(split(",",route_cidrs),1))}\"" >> /opt/openvpn/server-append.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /opt/openvpn/server-append.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),3), 0)}  ${cidrnetmask(element(split(",",route_cidrs),3))}\"" >> /opt/openvpn/server-append.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),4), 0)}  ${cidrnetmask(element(split(",",route_cidrs),4))}\"" >> /opt/openvpn/server-append.conf
+  - for route in `echo ${additional_routes} | tr ',' ' '`; do echo "push \"route $${route}  255.255.255.255\"" >> /opt/openvpn/server-append.conf;done
+
+  - echo "OPENVPN_COMPRESS_ALGORITHM=lzo" >> /opt/openvpn/.env
+  - echo "OPENVPN_KEY_DHSIZE=1024" >> /opt/openvpn/.env
+  - echo "OPENVPN_TLS_ENABLE=false" >> /opt/openvpn/.env
+
+  - docker run -d --name openvpn --env-file=/opt/openvpn/.env --cap-add=NET_ADMIN --device=/dev/net/tun -v /opt/openvpn/:/etc/openvpn/ -v /var/run/openvpn/:/var/run/openvpn -p 1194:1194/tcp ${openvpn_docker_image}:${openvpn_docker_tag} /start_server.sh
+  - if [ ${assign_eip} = 'true' ]; then for eip in `aws ec2 describe-tags --region=${region} --filters  "Name=resource-type,Values=elastic-ip" "Name=value,Values=${stack_item_label}" | jq -r '.Tags[].ResourceId'`; do if [ `aws ec2 describe-addresses --allocation-id $${eip} --region=${region} | jq -r '.Addresses[].InstanceId'` = 'null' ]; then echo "$${eip} is available, assigning it to current instance";aws ec2 associate-address --instance-id "$${INSTANCE_ID}" --allocation-id $${eip} --region=${region};else echo "$${eip} is taken";fi; done;fi
+
+output : { all : '| tee -a /var/log/cloud-init-output.log' }