Merge pull request #1 from unifio/wlc-update

Review & Update

Author: yuhunglin

.ruby-version

@@ -0,0 +1 @@
+2.3.0

Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gem "rake"

Gemfile.lock

@@ -0,0 +1,13 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    rake (11.1.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rake
+
+BUNDLED WITH
+   1.11.2

Rakefile

@@ -0,0 +1,43 @@
+require 'rake'
+
+inputs = {
+  'stack_item_label'    => 'expl-tst',
+  'stack_item_fullname' => 'Example Stack',
+  'vpc_id'              => 'vpc-xxxxxx',
+  'region'              => 'us-west-2',
+  'subnets'             => 'subnet-111111,subnet-222222',
+  'ami'                 => 'ami-xxxxxx',
+  'instance_type'       => 't2.small',
+  'key_name'            => 'example',
+  'route_cidrs'         => '10.10.0.0/25,10.10.0.128/25,10.10.4.0/25,10.10.4.128/25',
+  's3_bucket'           => 'openvpn-certs',
+  's3_bucket_prefix'    => '20160603',
+  'cidr_whitelist'      => '0.0.0.0/0'
+}
+
+task :default => :verify
+
+desc "Verify the stack"
+task :verify do
+
+  vars = []
+  inputs.each() do |var, value|
+    vars.push("-var #{var}=\"#{value}\"")
+  end
+
+  ['openvpn'].each do |stack|
+    task_args = {:stack => stack, :args => vars.join(' ')}
+    Rake::Task['clean'].execute(Rake::TaskArguments.new(task_args.keys, task_args.values))
+    Rake::Task['plan'].execute(Rake::TaskArguments.new(task_args.keys, task_args.values))
+  end
+end
+
+desc "Remove existing local state if present"
+task :clean, [:stack] do |t, args|
+  sh "cd examples/#{args['stack']} && rm -fr .terraform *.tfstate*"
+end
+
+desc "Create execution plan"
+task :plan, [:stack, :args] do |t, args|
+  sh "cd examples/#{args['stack']} && terraform get && terraform plan -module-depth=-1 -input=false #{args['args']}"
+end

certs/main.tf

@@ -1,15 +1,8 @@
-# openvpn_server
-
-provider "aws" {
-  region = "${var.region}"
-}
-
-/* ---------------------------- */
-/* IAM Role & Instance Profile  */
-/* ---------------------------- */
+# OpenVPN Server
 
+## Creates IAM role & policies
 resource "aws_iam_role" "vpn_role" {
-  name = "${var.region}-${var.stack_item_label}-vpn"
+  name = "${var.stack_item_label}-${var.region}"
   path = "/"
 
   assume_role_policy = <<EOF
@@ -42,8 +35,8 @@ resource "aws_iam_role_policy" "s3_vpn_ro" {
         "s3:Get*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_path}",
-        "arn:aws:s3:::${var.s3_path}/*"
+        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}",
+        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}/*"
       ]
     },
     {
@@ -83,77 +76,56 @@ resource "aws_iam_role_policy" "tags" {
 EOF
 }
 
+## Creates IAM instance profile
 resource "aws_iam_instance_profile" "vpn_profile" {
-  name  = "${var.region}-${var.stack_item_label}-vpn"
+  name  = "${var.stack_item_label}-${var.region}"
   roles = ["${aws_iam_role.vpn_role.name}"]
 }
 
-/* ---------------------------- */
-/* Security Group               */
-/* ---------------------------- */
+## Creates security group rules
 resource "aws_security_group_rule" "allow_all_out" {
-  type        = "egress"
-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = "${module.asg.sg_id}"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
 resource "aws_security_group_rule" "allow_ssh_in_tcp" {
-  type        = "ingress"
-  from_port   = 22
-  to_port     = 22
-  protocol    = "tcp"
-  cidr_blocks = ["${split(",",var.cidr_whitelist)}"]
-
-  security_group_id = "${module.asg.sg_id}"
-}
-
-resource "aws_security_group_rule" "allow_openvpn_in_tdp" {
-  type        = "ingress"
-  from_port   = 1194
-  to_port     = 1194
-  protocol    = "tcp"
-  cidr_blocks = ["${split(",",var.cidr_whitelist)}"]
-
-  security_group_id = "${module.asg.sg_id}"
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_ping_request_icmp" {
-  type        = "ingress"
-  from_port   = 8
-  to_port     = 0
-  protocol    = "icmp"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = "${module.asg.sg_id}"
+resource "aws_security_group_rule" "allow_openvpn_in_tcp" {
+  type              = "ingress"
+  from_port         = 1194
+  to_port           = 1194
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_ping_reply_icmp" {
-  type        = "ingress"
-  from_port   = 0
-  to_port     = 0
-  protocol    = "icmp"
-  cidr_blocks = ["0.0.0.0/0"]
-
-  security_group_id = "${module.asg.sg_id}"
+resource "aws_security_group_rule" "allow_ping_in_icmp" {
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "icmp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${module.cluster.sg_id}"
 }
 
-/* ---------------------------- */
-/* User Data                    */
-/* ---------------------------- */
+## Creates instance user data
 resource "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
-    instance_number  = "${count.index}"
-    hostname         = "${var.role}-${count.index}"
-    region           = "${var.region}"
-    stack_item_label = "${var.stack_item_label}"
-    role             = "${var.role}"
-    s3_path          = "${var.s3_path}"
+    s3_bucket        = "${var.s3_bucket}"
+    s3_bucket_prefix = "${var.s3_bucket_prefix}"
     route_cidrs      = "${var.route_cidrs}"
   }
 
@@ -162,12 +134,13 @@ resource "template_file" "user_data" {
   }
 }
 
-module "asg" {
+## Creates auto scaling cluster
+module "cluster" {
   source = "github.com/unifio/terraform-aws-asg?ref=v0.2.0//group"
 
   # Resource tags
-  stack_item_label    = "${var.stack_item_label}-vpn-asg"
-  stack_item_fullname = "${var.stack_item_fullname}-vpn"
+  stack_item_label    = "${var.stack_item_label}"
+  stack_item_fullname = "${var.stack_item_fullname}"
 
   # VPC parameters
   vpc_id  = "${var.vpc_id}"
@@ -186,17 +159,16 @@ module "asg" {
   max_size         = 2
   min_size         = 1
   hc_grace_period  = 300
-  hc_check_type    = "EC2"
   min_elb_capacity = 1
   load_balancers   = "${aws_elb.elb.id}"
 }
 
-# Create a new load balancer
+## Creates a load balancer
 resource "aws_elb" "elb" {
-  name            = "${var.stack_item_label}-vpn-elb"
+  name            = "${var.stack_item_label}"
   subnets         = ["${split(",",var.subnets)}"]
   internal        = false
-  security_groups = ["${module.asg.sg_id}"]
+  security_groups = ["${module.cluster.sg_id}"]
 
   listener {
     instance_port     = 1194
@@ -214,11 +186,12 @@ resource "aws_elb" "elb" {
   }
 
   tags {
-    Name        = "${var.stack_item_label}-vpn-elb"
-    application = "${var.stack_item_label}-vpn"
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
     managed_by  = "terraform"
   }
-}
-
-# Create a Route53 record
 
+  lifecycle {
+    create_before_destroy = true
+  }
+}

certs/outputs.tf

@@ -1,10 +1,7 @@
-# openvpn_server - Output Variables
+# Outputs
 
-/* ---------------------------- */
-## VPN server security group ID */
-/* ---------------------------- */
 output "vpn_server_sg_id" {
-  value = "${module.asg.sg_id}"
+  value = "${module.cluster.sg_id}"
 }
 
 output "cidr_whitelist" {

certs/templates/user_data.tpl

@@ -1,12 +1,6 @@
 #cloud-config
-environment:
-  stack_item_label: ${stack_item_label}
-  hostname: ${hostname}
-  aws_region: ${region}
-  instance_role: ${role}
-  instance_number: ${instance_number}
 runcmd:
-  - echo "OPENVPN_CERT_SOURCE=s3://${s3_path}" > /etc/openvpn/get-openvpn-certs.env
+  - echo "OPENVPN_CERT_SOURCE=s3://${s3_bucket}/${s3_bucket_prefix}" > /etc/openvpn/get-openvpn-certs.env
   - echo "push \"route $(ip route get 8.8.8.8| grep src| sed 's/.*src \(.*\)$/\1/g') 255.255.255.255 net_gateway\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),1), 0)}  ${cidrnetmask(element(split(",",route_cidrs),1))}\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /etc/openvpn/server.conf