port version 0.0.2 from legos

Author: yuhunglin

.gitignore

@@ -0,0 +1,2 @@
+*.tfstate*
+.terraform/

CHANGELOG.md

@@ -0,0 +1,14 @@
+# CHANGELOG
+
+### ???
+
+- Feature: Automatically push instance's subnet route into `server.conf`
+
+### 0.0.2
+
+- Fix: use updated `awscli` client from pip instead of apt
+
+### 0.0.1
+
+- Basic functioning openvpn server working off us-east-1
+

README.md

@@ -0,0 +1 @@
+# Terraform AWS OpenVPN Module

certs/main.tf

@@ -0,0 +1,224 @@
+# openvpn_server
+
+provider "aws" {
+  region = "${var.region}"
+}
+
+/* ---------------------------- */
+/* IAM Role & Instance Profile  */
+/* ---------------------------- */
+
+resource "aws_iam_role" "vpn_role" {
+  name = "${var.region}-${var.stack_item_label}-vpn"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+         "Service": "ec2.amazonaws.com"
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "s3_vpn" {
+  name = "s3_vpn"
+  role = "${aws_iam_role.vpn_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:Get*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${var.s3_path}",
+        "arn:aws:s3:::${var.s3_path}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:List*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${var.s3_bucket}"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "tags" {
+  name = "tags"
+  role = "${aws_iam_role.vpn_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+          "ec2:CreateTags",
+          "ec2:AssociateAddress",
+          "ec2:DescribeAddresses",
+          "ec2:DescribeInstances"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "vpn_profile" {
+  name  = "${var.region}-${var.stack_item_label}-vpn"
+  roles = ["${aws_iam_role.vpn_role.name}"]
+}
+
+/* ---------------------------- */
+/* Security Group               */
+/* ---------------------------- */
+resource "aws_security_group_rule" "allow_all_out" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${module.asg.sg_id}"
+}
+
+resource "aws_security_group_rule" "allow_ssh_in_tcp" {
+  type        = "ingress"
+  from_port   = 22
+  to_port     = 22
+  protocol    = "tcp"
+  cidr_blocks = ["${split(",",var.cidr_whitelist)}"]
+
+  security_group_id = "${module.asg.sg_id}"
+}
+
+resource "aws_security_group_rule" "allow_openvpn_in_tdp" {
+  type        = "ingress"
+  from_port   = 1194
+  to_port     = 1194
+  protocol    = "tcp"
+  cidr_blocks = ["${split(",",var.cidr_whitelist)}"]
+
+  security_group_id = "${module.asg.sg_id}"
+}
+
+resource "aws_security_group_rule" "allow_ping_request_icmp" {
+  type        = "ingress"
+  from_port   = 8
+  to_port     = 0
+  protocol    = "icmp"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${module.asg.sg_id}"
+}
+
+resource "aws_security_group_rule" "allow_ping_reply_icmp" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "icmp"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${module.asg.sg_id}"
+}
+
+/* ---------------------------- */
+/* User Data                    */
+/* ---------------------------- */
+resource "template_file" "user_data" {
+  template = "${file("${path.module}/templates/user_data.tpl")}"
+
+  vars {
+    instance_number  = "${count.index}"
+    hostname         = "${var.role}-${count.index}"
+    region           = "${var.region}"
+    stack_item_label = "${var.stack_item_label}"
+    role             = "${var.role}"
+    s3_path          = "${var.s3_path}"
+    route_cidrs      = "${var.route_cidrs}"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+module "asg" {
+  source = "github.com/unifio/terraform-aws-asg?ref=v0.2.0//group"
+
+  # Resource tags
+  stack_item_label    = "${var.stack_item_label}-vpn-asg"
+  stack_item_fullname = "${var.stack_item_fullname}-vpn"
+
+  # VPC parameters
+  vpc_id  = "${var.vpc_id}"
+  subnets = "${var.subnets}"
+  region  = "${var.region}"
+
+  # LC parameters
+  ami              = "${var.ami}"
+  instance_type    = "${var.instance_type}"
+  instance_profile = "${aws_iam_instance_profile.vpn_profile.id}"
+  user_data        = "${template_file.user_data.rendered}"
+  key_name         = "${var.key_name}"
+  ebs_optimized    = false
+
+  # ASG parameters
+  max_size         = 2
+  min_size         = 1
+  hc_grace_period  = 300
+  hc_check_type    = "EC2"
+  min_elb_capacity = 1
+  load_balancers   = "${aws_elb.elb.id}"
+}
+
+# Create a new load balancer
+resource "aws_elb" "elb" {
+  name            = "${var.stack_item_label}-vpn-elb"
+  subnets         = ["${split(",",var.subnets)}"]
+  internal        = false
+  security_groups = ["${module.asg.sg_id}"]
+
+  listener {
+    instance_port     = 1194
+    instance_protocol = "tcp"
+    lb_port           = 1194
+    lb_protocol       = "tcp"
+  }
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "TCP:1194"
+    interval            = 30
+  }
+
+  tags {
+    Name        = "${var.stack_item_label}-vpn-elb"
+    application = "${var.stack_item_fullname}-vpn"
+    managed_by  = "terraform"
+  }
+}
+
+# Create a Route53 record
+

certs/outputs.tf

@@ -0,0 +1,12 @@
+# openvpn_server - Output Variables
+
+/* ---------------------------- */
+## VPN server security group ID */
+/* ---------------------------- */
+output "vpn_server_sg_id" {
+  value = "${module.asg.sg_id}"
+}
+
+output "cidr_whitelist" {
+  value = "${var.cidr_whitelist}"
+}

certs/templates/user_data.tpl

@@ -0,0 +1,19 @@
+#cloud-config
+environment:
+  stack_item_label: ${stack_item_label}
+  hostname: ${hostname}
+  aws_region: ${region}
+  instance_role: ${role}
+  instance_number: ${instance_number}
+runcmd:
+  - echo "OPENVPN_CERT_SOURCE=s3://${s3_path}" > /etc/openvpn/get-openvpn-certs.env
+  - echo "push \"route $(ip route get 8.8.8.8| grep src| sed 's/.*src \(.*\)$/\1/g') 255.255.255.255 net_gateway\"" >> /etc/openvpn/server.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),1), 0)}  ${cidrnetmask(element(split(",",route_cidrs),1))}\"" >> /etc/openvpn/server.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /etc/openvpn/server.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),3), 0)}  ${cidrnetmask(element(split(",",route_cidrs),3))}\"" >> /etc/openvpn/server.conf
+  - echo "push \"route ${cidrhost(element(split(",",route_cidrs),4), 0)}  ${cidrnetmask(element(split(",",route_cidrs),4))}\"" >> /etc/openvpn/server.conf
+  - systemctl start get-openvpn-certs
+  - systemctl restart openvpn@server
+  - systemctl restart iptables
+
+output : { all : '| tee -a /var/log/cloud-init-output.log' }

certs/variables.tf

@@ -0,0 +1,66 @@
+# openvpn_server - Variables
+
+variable "ami" {
+  description = "Artifact AMI"
+}
+
+variable "stack_item_fullname" {}
+
+variable "stack_item_label" {}
+
+#
+# 0 - if instance is a standalone instance outside a VPC
+# 1 - if instance is in a vpc
+#
+variable "in_vpc" {
+  default = 0
+}
+
+variable "vpc_id" {
+  default = ""
+}
+
+variable "security_groups" {
+  default = ""
+}
+
+# Which subnet the vpn servers will run in.
+variable "subnets" {
+  default = ""
+}
+
+# TODO: expects 4 subnets to map as internal network routes.
+# Fix the magic # problem
+variable "route_cidrs" {
+  default = ""
+}
+
+variable "key_name" {}
+
+#
+# m3.medium - if instance is a standalone instance outside a VPC
+# t2.small - if instance is in a vpc
+#
+variable "instance_type" {}
+
+variable "region" {}
+
+variable "release" {
+  default = "0.0.2"
+}
+
+variable "role" {
+  default = "vpn_server"
+}
+
+# Do not include the trailing slash
+variable "s3_path" {}
+
+variable "s3_bucket" {}
+
+variable "sns_topic_arn" {}
+
+# From AWS limits, max rules for an SG is ~50
+variable "cidr_whitelist" {
+  default = "0.0.0.0/0"
+}