Refactored for standardization

Author: blakeneyops

certs/main.tf

@@ -1,15 +1,13 @@
-# openvpn_server
+# OpenVPN Server
 
+## Configures providers
 provider "aws" {
   region = "${var.region}"
 }
 
-/* ---------------------------- */
-/* IAM Role & Instance Profile  */
-/* ---------------------------- */
-
+## Creates IAM role & policies
 resource "aws_iam_role" "vpn_role" {
-  name = "${var.region}-${var.stack_item_label}-vpn"
+  name = "${var.stack_item_label}-${var.region}"
   path = "/"
 
   assume_role_policy = <<EOF
@@ -42,8 +40,8 @@ resource "aws_iam_role_policy" "s3_vpn_ro" {
         "s3:Get*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_path}",
-        "arn:aws:s3:::${var.s3_path}/*"
+        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}",
+        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}/*"
       ]
     },
     {
@@ -83,77 +81,56 @@ resource "aws_iam_role_policy" "tags" {
 EOF
 }
 
+## Creates IAM instance profile
 resource "aws_iam_instance_profile" "vpn_profile" {
-  name  = "${var.region}-${var.stack_item_label}-vpn"
+  name  = "${var.stack_item_label}-${var.region}"
   roles = ["${aws_iam_role.vpn_role.name}"]
 }
 
-/* ---------------------------- */
-/* Security Group               */
-/* ---------------------------- */
+## Creates security group rules
 resource "aws_security_group_rule" "allow_all_out" {
-  type        = "egress"
-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = "${module.asg.sg_id}"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
 resource "aws_security_group_rule" "allow_ssh_in_tcp" {
-  type        = "ingress"
-  from_port   = 22
-  to_port     = 22
-  protocol    = "tcp"
-  cidr_blocks = ["${split(",",var.cidr_whitelist)}"]
-
-  security_group_id = "${module.asg.sg_id}"
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_openvpn_in_tdp" {
-  type        = "ingress"
-  from_port   = 1194
-  to_port     = 1194
-  protocol    = "tcp"
-  cidr_blocks = ["${split(",",var.cidr_whitelist)}"]
-
-  security_group_id = "${module.asg.sg_id}"
-}
-
-resource "aws_security_group_rule" "allow_ping_request_icmp" {
-  type        = "ingress"
-  from_port   = 8
-  to_port     = 0
-  protocol    = "icmp"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = "${module.asg.sg_id}"
+resource "aws_security_group_rule" "allow_openvpn_in_tcp" {
+  type              = "ingress"
+  from_port         = 1194
+  to_port           = 1194
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_ping_reply_icmp" {
-  type        = "ingress"
-  from_port   = 0
-  to_port     = 0
-  protocol    = "icmp"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = "${module.asg.sg_id}"
+resource "aws_security_group_rule" "allow_ping_in_icmp" {
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "icmp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
-/* ---------------------------- */
-/* User Data                    */
-/* ---------------------------- */
+## Creates instance user data
 resource "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
-    instance_number  = "${count.index}"
-    hostname         = "${var.role}-${count.index}"
-    region           = "${var.region}"
-    stack_item_label = "${var.stack_item_label}"
-    role             = "${var.role}"
-    s3_path          = "${var.s3_path}"
+    s3_bucket        = "${var.s3_bucket}"
+    s3_bucket_prefix = "${var.s3_bucket_prefix}"
     route_cidrs      = "${var.route_cidrs}"
   }
 
@@ -162,12 +139,13 @@ resource "template_file" "user_data" {
   }
 }
 
-module "asg" {
+## Creates auto scaling cluster
+module "cluster" {
   source = "github.com/unifio/terraform-aws-asg?ref=v0.2.0//group"
 
   # Resource tags
-  stack_item_label    = "${var.stack_item_label}-vpn-asg"
-  stack_item_fullname = "${var.stack_item_fullname}-vpn"
+  stack_item_label    = "${var.stack_item_label}"
+  stack_item_fullname = "${var.stack_item_fullname}"
 
   # VPC parameters
   vpc_id  = "${var.vpc_id}"
@@ -186,17 +164,16 @@ module "asg" {
   max_size         = 2
   min_size         = 1
   hc_grace_period  = 300
-  hc_check_type    = "EC2"
   min_elb_capacity = 1
   load_balancers   = "${aws_elb.elb.id}"
 }
 
-# Create a new load balancer
+## Creates a load balancer
 resource "aws_elb" "elb" {
-  name            = "${var.stack_item_label}-vpn-elb"
+  name            = "${var.stack_item_label}"
   subnets         = ["${split(",",var.subnets)}"]
   internal        = false
-  security_groups = ["${module.asg.sg_id}"]
+  security_groups = ["${module.cluster.sg_id}"]
 
   listener {
     instance_port     = 1194
@@ -214,11 +191,12 @@ resource "aws_elb" "elb" {
   }
 
   tags {
-    Name        = "${var.stack_item_label}-vpn-elb"
-    application = "${var.stack_item_label}-vpn"
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
     managed_by  = "terraform"
   }
-}
-
-# Create a Route53 record
 
+  lifecycle {
+    create_before_destroy = true
+  }
+}

certs/outputs.tf

@@ -1,10 +1,7 @@
-# openvpn_server - Output Variables
+# Outputs
 
-/* ---------------------------- */
-## VPN server security group ID */
-/* ---------------------------- */
 output "vpn_server_sg_id" {
-  value = "${module.asg.sg_id}"
+  value = "${module.cluster.sg_id}"
 }
 
 output "cidr_whitelist" {

certs/templates/user_data.tpl

@@ -1,12 +1,6 @@
 #cloud-config
-environment:
-  stack_item_label: ${stack_item_label}
-  hostname: ${hostname}
-  aws_region: ${region}
-  instance_role: ${role}
-  instance_number: ${instance_number}
 runcmd:
-  - echo "OPENVPN_CERT_SOURCE=s3://${s3_path}" > /etc/openvpn/get-openvpn-certs.env
+  - echo "OPENVPN_CERT_SOURCE=s3://${s3_bucket}/${s3_bucket_prefix}" > /etc/openvpn/get-openvpn-certs.env
   - echo "push \"route $(ip route get 8.8.8.8| grep src| sed 's/.*src \(.*\)$/\1/g') 255.255.255.255 net_gateway\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),1), 0)}  ${cidrnetmask(element(split(",",route_cidrs),1))}\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /etc/openvpn/server.conf

certs/variables.tf

@@ -1,66 +1,81 @@
-# openvpn_server - Variables
+# Input Variables
 
-variable "ami" {
-  description = "Artifact AMI"
+## Resource tags
+variable "stack_item_label" {
+  type        = "string"
+  description = "Short form identifier for this stack. This value is used to create the 'Name' resource tag for resources created by this stack item, and also serves as a unique key for re-use."
 }
 
-variable "stack_item_fullname" {}
+variable "stack_item_fullname" {
+  type        = "string"
+  description = "Long form descriptive name for this stack item. This value is used to create the 'application' resource tag for resources created by this stack item."
+}
 
-variable "stack_item_label" {}
+## VPC parameters
 
-#
-# 0 - if instance is a standalone instance outside a VPC
-# 1 - if instance is in a vpc
-#
+###
+### 0 - if instance is a standalone instance outside a VPC
+### 1 - if instance is in a vpc
+###
 variable "in_vpc" {
-  default = 0
+  type        = "string"
+  description = "Flag for associating the cluster with a VPC."
+  default     = 1
 }
 
 variable "vpc_id" {
-  default = ""
+  type        = "string"
+  description = "ID of the target VPC."
 }
 
-variable "security_groups" {
-  default = ""
+variable "region" {
+  type        = "string"
+  description = "AWS region to be utilized."
 }
 
-# Which subnet the vpn servers will run in.
 variable "subnets" {
-  default = ""
+  type        = "string"
+  description = "List of VPC subnets to associate with the cluster."
 }
 
-# TODO: expects 4 subnets to map as internal network routes.
-# Fix the magic # problem
-variable "route_cidrs" {
-  default = ""
+## OpenVPN parameters
+variable "ami" {
+  type        = "string"
+  description = "Amazon Machine Image (AMI) to associate with the launch configuration."
 }
 
-variable "key_name" {}
-
-#
-# m3.medium - if instance is a standalone instance outside a VPC
-# t2.small - if instance is in a vpc
-#
-variable "instance_type" {}
-
-variable "region" {}
-
-variable "release" {
-  default = "0.0.2"
+variable "instance_type" {
+  type        = "string"
+  description = "EC2 instance type to associate with the launch configuration."
+  default     = "t2.small"
 }
 
-variable "role" {
-  default = "vpn_server"
+variable "key_name" {
+  type        = "string"
+  description = "SSH key pair to associate with the launch configuration."
 }
 
-# Do not include the trailing slash
-variable "s3_path" {}
+### TODO: expects 4 subnets to map as internal network routes.
+### Fix the magic # problem
+variable "route_cidrs" {
+  type        = "string"
+  description = "Routes for the VPN server to expose"
+}
 
-variable "s3_bucket" {}
+variable "s3_bucket" {
+  type        = "string"
+  description = "The S3 bucket where certificate and configuration are stored."
+}
 
-variable "sns_topic_arn" {}
+### Do not include the trailing slash
+variable "s3_bucket_prefix" {
+  type        = "string"
+  description = "The S3 bucket prefix. Certificates and configuration will be sourced from the root if not configured."
+  default     = ""
+}
 
-# From AWS limits, max rules for an SG is ~50
 variable "cidr_whitelist" {
-  default = "0.0.0.0/0"
+  type        = "string"
+  description = "Limit access to the designated list of CIDRs"
+  default     = "0.0.0.0/0"
 }