Merge pull request #4 from unifio/wc-review

Misc. Updates

Author: blakeneyops

CHANGELOG.md

@@ -1,16 +1,32 @@
-# CHANGELOG
+## Unreleased
 
-### ???
+## ???
 
 - Feature: Automatically push instance's subnet route into `server.conf`
 - export `zone_id`, `dns_name` from aws_elb
 - Fix the 4 subnet fixed mapping
 - Fill in some examples
 
-### 0.0.5
+## 0.0.6
+
+#### BREAKING CHANGES:
+- Updates in resource naming will cause churn for existing resources.
+- Updated certificate generator to require VPC deployment
+
+#### IMPROVEMENTS:
+- Standardization with other Unif.io OSS terraform modules
+- Documentation improvements
+- Updated security group scheme for OpenVPN server
+- Added pre-built AMI lookup to the server module
+
+## 0.0.5
+
+#### FEATURES:
 - Initial release of `generate-certs` module
 
-### 0.0.4
+## 0.0.4
+
+#### IMPROVEMENTS:
 - Standardization with other Unif.io OSS terraform modules
 - CI Builder
 - Small tweaks:
@@ -20,15 +36,17 @@
   - lifecycle `create_before_destroy` fixes to deal with dependency issues on build.
   - somewhat breaking change: in_vpc now is `1`(true) instead of `0`(false)
 
-### 0.0.3
+## 0.0.3
 
+#### IMPROVEMENTS:
 - Fix: tag.application for elb reverted to using short name instead of full application name due to naming restrictions
 
-### 0.0.2
+## 0.0.2
 
+#### IMPROVEMENTS:
 - Fix: use updated `awscli` client from pip instead of apt
 
-### 0.0.1
+## 0.0.1
 
+#### FEATURES:
 - Basic functioning openvpn server working off us-east-1
-

Rakefile

@@ -4,15 +4,13 @@ inputs = {
   'stack_item_label'    => 'expl-tst',
   'stack_item_fullname' => 'Example Stack',
   'vpc_id'              => 'vpc-xxxxxx',
-  'region'              => 'us-west-2',
+  'region'              => 'us-east-1',
   'subnets'             => 'subnet-111111,subnet-222222',
-  'ami'                 => 'ami-xxxxxx',
   'instance_type'       => 't2.small',
   'key_name'            => 'example',
   'route_cidrs'         => '10.10.0.0/25,10.10.0.128/25,10.10.4.0/25,10.10.4.128/25',
   's3_bucket'           => 'openvpn-certs',
   's3_bucket_prefix'    => '20160603',
-  'cidr_whitelist'      => '0.0.0.0/0'
 }
 
 task :default => :verify

certs/main.tf

@@ -1,7 +1,7 @@
 # OpenVPN Server
 
 ## Creates IAM role & policies
-resource "aws_iam_role" "vpn_role" {
+resource "aws_iam_role" "role" {
   name = "${var.stack_item_label}-${var.region}"
   path = "/"
 
@@ -21,9 +21,9 @@ resource "aws_iam_role" "vpn_role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "s3_vpn_ro" {
-  name = "s3_vpn_ro"
-  role = "${aws_iam_role.vpn_role.id}"
+resource "aws_iam_role_policy" "s3_certs_ro" {
+  name = "s3_certs_ro"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -35,8 +35,8 @@ resource "aws_iam_role_policy" "s3_vpn_ro" {
         "s3:Get*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}",
-        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}/*"
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}/${replace(var.s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}",
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}/${replace(var.s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}/*"
       ]
     },
     {
@@ -45,7 +45,7 @@ resource "aws_iam_role_policy" "s3_vpn_ro" {
         "s3:List*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_bucket}"
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}"
       ]
     }
   ]
@@ -54,8 +54,8 @@ EOF
 }
 
 resource "aws_iam_role_policy" "tags" {
-  name = "vpn-tags"
-  role = "${aws_iam_role.vpn_role.id}"
+  name = "tags"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -77,45 +77,109 @@ EOF
 }
 
 ## Creates IAM instance profile
-resource "aws_iam_instance_profile" "vpn_profile" {
+resource "aws_iam_instance_profile" "profile" {
   name  = "${var.stack_item_label}-${var.region}"
-  roles = ["${aws_iam_role.vpn_role.name}"]
+  roles = ["${aws_iam_role.role.name}"]
 }
 
-## Creates security group rules
-resource "aws_security_group_rule" "allow_all_out" {
+## Create elastic load balancer security group and rules
+resource "aws_security_group" "sg_elb" {
+  name_prefix = "${var.stack_item_label}-elb-"
+  description = "${var.stack_item_fullname} load balancer security group"
+  vpc_id      = "${var.vpc_id}"
+
+  tags {
+    Name        = "${var.stack_item_label}-elb"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+}
+
+resource "aws_security_group_rule" "elb_allow_all_out" {
   type              = "egress"
   from_port         = 0
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${module.cluster.sg_id}"
+  security_group_id = "${aws_security_group.sg_elb.id}"
 }
 
-resource "aws_security_group_rule" "allow_ssh_in_tcp" {
+resource "aws_security_group_rule" "elb_allow_openvpn_tcp_in" {
   type              = "ingress"
-  from_port         = 22
-  to_port           = 22
+  from_port         = 1194
+  to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  cidr_blocks       = ["${split(",",var.vpn_whitelist)}"]
+  security_group_id = "${aws_security_group.sg_elb.id}"
+}
+
+## Creates an elastic load balancer
+resource "aws_elb" "elb" {
+  name            = "${var.stack_item_label}"
+  subnets         = ["${split(",",var.subnets)}"]
+  internal        = false
+  security_groups = ["${aws_security_group.sg_elb.id}"]
+
+  listener {
+    instance_port     = 1194
+    instance_protocol = "tcp"
+    lb_port           = 1194
+    lb_protocol       = "tcp"
+  }
+
+  health_check {
+    healthy_threshold   = 4
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "TCP:1194"
+    interval            = 30
+  }
+
+  tags {
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+## Creates security group rules
+resource "aws_security_group_rule" "cluster_allow_all_out" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_openvpn_in_tcp" {
+resource "aws_security_group_rule" "cluster_allow_openvpn_tcp_in" {
+  type                     = "ingress"
+  from_port                = 1194
+  to_port                  = 1194
+  protocol                 = "tcp"
+  source_security_group_id = "${aws_security_group.sg_elb.id}"
+  security_group_id        = "${module.cluster.sg_id}"
+}
+
+resource "aws_security_group_rule" "cluster_allow_ssh_in" {
   type              = "ingress"
-  from_port         = 1194
-  to_port           = 1194
+  from_port         = 22
+  to_port           = 22
   protocol          = "tcp"
-  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_ping_in_icmp" {
+resource "aws_security_group_rule" "cluster_allow_icmp_in" {
   type              = "ingress"
   from_port         = 0
   to_port           = 0
   protocol          = "icmp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
@@ -124,6 +188,7 @@ resource "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
+    hostname         = "${var.stack_item_label}"
     s3_bucket        = "${var.s3_bucket}"
     s3_bucket_prefix = "${var.s3_bucket_prefix}"
     route_cidrs      = "${var.route_cidrs}"
@@ -148,9 +213,9 @@ module "cluster" {
   region  = "${var.region}"
 
   # LC parameters
-  ami              = "${var.ami}"
+  ami              = "${coalesce(lookup(var.ami_region_lookup, var.region), var.ami_custom)}"
   instance_type    = "${var.instance_type}"
-  instance_profile = "${aws_iam_instance_profile.vpn_profile.id}"
+  instance_profile = "${aws_iam_instance_profile.profile.id}"
   user_data        = "${template_file.user_data.rendered}"
   key_name         = "${var.key_name}"
   ebs_optimized    = false
@@ -162,36 +227,3 @@ module "cluster" {
   min_elb_capacity = 1
   load_balancers   = "${aws_elb.elb.id}"
 }
-
-## Creates a load balancer
-resource "aws_elb" "elb" {
-  name            = "${var.stack_item_label}"
-  subnets         = ["${split(",",var.subnets)}"]
-  internal        = false
-  security_groups = ["${module.cluster.sg_id}"]
-
-  listener {
-    instance_port     = 1194
-    instance_protocol = "tcp"
-    lb_port           = 1194
-    lb_protocol       = "tcp"
-  }
-
-  health_check {
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 3
-    target              = "TCP:1194"
-    interval            = 30
-  }
-
-  tags {
-    Name        = "${var.stack_item_label}"
-    application = "${var.stack_item_fullname}"
-    managed_by  = "terraform"
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}

certs/outputs.tf

@@ -4,6 +4,14 @@ output "vpn_server_sg_id" {
   value = "${module.cluster.sg_id}"
 }
 
-output "cidr_whitelist" {
-  value = "${var.cidr_whitelist}"
+output "vpn_whitelist" {
+  value = "${var.vpn_whitelist}"
+}
+
+output "vpn_elb_dns_name" {
+  value = "${aws_elb.elb.dns_name}"
+}
+
+output "vpn_elb_zone_id" {
+  value = "${aws_elb.elb.zone_id}"
 }

certs/templates/user_data.tpl

@@ -1,6 +1,6 @@
 #cloud-config
 runcmd:
-  - echo "OPENVPN_CERT_SOURCE=s3://${s3_bucket}/${s3_bucket_prefix}" > /etc/openvpn/get-openvpn-certs.env
+  - echo "OPENVPN_CERT_SOURCE=s3://${replace(s3_bucket,"/(\/)+$/","")}/${replace(s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}" > /etc/openvpn/get-openvpn-certs.env
   - echo "push \"route $(ip route get 8.8.8.8| grep src| sed 's/.*src \(.*\)$/\1/g') 255.255.255.255 net_gateway\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),1), 0)}  ${cidrnetmask(element(split(",",route_cidrs),1))}\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /etc/openvpn/server.conf

certs/variables.tf

@@ -12,17 +12,6 @@ variable "stack_item_fullname" {
 }
 
 ## VPC parameters
-
-###
-### 0 - if instance is a standalone instance outside a VPC
-### 1 - if instance is in a vpc
-###
-variable "in_vpc" {
-  type        = "string"
-  description = "Flag for associating the cluster with a VPC."
-  default     = 1
-}
-
 variable "vpc_id" {
   type        = "string"
   description = "ID of the target VPC."
@@ -39,9 +28,21 @@ variable "subnets" {
 }
 
 ## OpenVPN parameters
-variable "ami" {
+variable "ami_custom" {
   type        = "string"
-  description = "Amazon Machine Image (AMI) to associate with the launch configuration."
+  description = "Custom AMI to utilize"
+  default     = ""
+}
+
+variable "ami_region_lookup" {
+  # Not meant to be overwritten
+  type = "map"
+
+  default = {
+    us-east-1      = "ami-d66995bb"
+    ap-northeast-1 = "ami-4803ec29"
+    custom         = ""
+  }
 }
 
 variable "instance_type" {
@@ -74,8 +75,14 @@ variable "s3_bucket_prefix" {
   default     = ""
 }
 
-variable "cidr_whitelist" {
+variable "vpn_whitelist" {
+  type        = "string"
+  description = "Limit VPN access to the designated list of CIDRs"
+  default     = "0.0.0.0/0"
+}
+
+variable "ssh_whitelist" {
   type        = "string"
-  description = "Limit access to the designated list of CIDRs"
+  description = "Limit SSH access to the designated list of CIDRs"
   default     = "0.0.0.0/0"
 }