From 426ac095fdbd07488c667e90f477b57bc1aab1ff Mon Sep 17 00:00:00 2001
From: user
Date: Mon, 10 Dec 2018 15:05:20 +1000
Subject: [PATCH 001/306] added private variable option to limite vpn remote access to an ip
---
 .gitignore | 1 +
 main.tf | 13 +++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8b642d3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+private-variables.tf
diff --git a/main.tf b/main.tf
index baeac9e..edbb817 100644
--- a/main.tf
+++ b/main.tf
@@ -2,6 +2,11 @@
 # This module creates all resources necessary for OpenVPN in AWS
 #----------------------------------------------------------------
+# You should define this variable as your remote static ip adress to limit vpn exposure to the public internet
+variable "remote_vpn_ip_cidr" {
+ default = "0.0.0.0/0"
+}
+
 resource "aws_security_group" "openvpn" {
 name = "${var.name}"
 vpc_id = "${var.vpc_id}"
@@ -24,25 +29,25 @@ resource "aws_security_group" "openvpn" {
 protocol = "tcp"
 from_port = 22
 to_port = 22
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 }
 ingress {
 protocol = "tcp"
 from_port = 443
 to_port = 443
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 }
 ingress {
 protocol = "udp"
 from_port = 1194
 to_port = 1194
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 }
 egress {
 protocol = -1
 from_port = 0
 to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 }
 }
From ce319c8eb47583cb0ca46c34404c28eebc1621cf Mon Sep 17 00:00:00 2001
From: user
Date: Mon, 10 Dec 2018 15:09:52 +1000
Subject: [PATCH 002/306] move remote ip cidr to variables.tf
---
 main.tf | 3 ---
 variables.tf | 4 ++++
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index edbb817..5e24c9a 100644
--- a/main.tf
+++ b/main.tf
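Review bot: The new `remote_vpn_ip_cidr` variable defaults to `0.0.0.0/0`, so every rule it now feeds (22/tcp, 443/tcp, 1194/udp) stays open to the whole internet unless the caller remembers to override it; since the stated intent is to limit exposure, drop the default so Terraform refuses to apply without an explicit CIDR: `variable "remote_vpn_ip_cidr" {}`. The same variable is also wired into the all-protocol egress rule, which means that once it is narrowed the instance can no longer reach anything except the operator's IP; that will presumably break package updates and any outbound calls the OpenVPN AS scripts make, so egress should keep a separate, deliberately chosen destination rather than reusing the ingress CIDR. Port 22 from the same CIDR also deserves a comment stating its purpose, e.g. `# ssh: only needed for the remote-exec provisioner; consider removing after provisioning`, if that is in fact why it is open.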
@@ -3,9 +3,6 @@
 #----------------------------------------------------------------
 # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet
-variable "remote_vpn_ip_cidr" {
- default = "0.0.0.0/0"
-}
 resource "aws_security_group" "openvpn" {
 name = "${var.name}"
diff --git a/variables.tf b/variables.tf
index abec526..80fbccb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -5,6 +5,10 @@ variable "name" {
 variable "vpc_id" {}
 variable "vpc_cidr" {}
+variable "remote_vpn_ip_cidr" {
+ default = "0.0.0.0/0"
+}
+
 variable "public_subnet_ids" {
 type = "list"
 }
From 9090b0e59ef4fa2c62b3387ce3fb5563a6e89f6c Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 10 Jan 2019 16:38:49 +1000
Subject: [PATCH 003/306] added icmp from remote ip
---
 main.tf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/main.tf b/main.tf
index 5e24c9a..f1553cf 100644
--- a/main.tf
+++ b/main.tf
@@ -40,6 +40,12 @@ resource "aws_security_group" "openvpn" {
 to_port = 1194
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 }
+ ingress {
+ protocol = "icmp"
+ from_port = 8
+ to_port = 0
+ cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
+ }
 egress {
 protocol = -1
 from_port = 0
From 1a53ebd1e02ccc5fbcad01421471b2b582852623 Mon Sep 17 00:00:00 2001
From: user
Date: Fri, 11 Jan 2019 23:11:24 +1000
Subject: [PATCH 004/306] added comments to security group
---
 main.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/main.tf b/main.tf
index f1553cf..a1e936e 100644
--- a/main.tf
+++ b/main.tf
@@ -27,12 +27,14 @@ resource "aws_security_group" "openvpn" {
 from_port = 22
 to_port = 22
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
+ description = "ssh"
 }
 ingress {
 protocol = "tcp"
 from_port = 443
 to_port = 443
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
+ description = "https"
 }
 ingress {
 protocol = "udp"
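Review bot: The ICMP rule's `from_port = 8` / `to_port = 0` is the AWS encoding of ICMP type 8, code 0 (echo request), not a port range, and nothing in the hunk says so; a reader will wonder why the range runs backwards. Add `# ICMP type 8 / code 0: allow echo request (ping) from the operator's IP only` above the block, and consider whether ping is needed at all given the same CIDR can already reach the SSH and web ports. The enclosing `aws_security_group` resource begins and ends outside this hunk.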
@@ -45,12 +47,14 @@ resource "aws_security_group" "openvpn" {
 from_port = 8
 to_port = 0
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
+ description = "icmp"
 }
 egress {
 protocol = -1
 from_port = 0
 to_port = 0
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
+ description = "all outgoing traffic"
 }
 }
From 8b78e7ed9008267b52d5f7c984e5af1dda7feba8 Mon Sep 17 00:00:00 2001
From: user
Date: Fri, 11 Jan 2019 23:23:16 +1000
Subject: [PATCH 005/306] added comment
---
 main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index a1e936e..08d1952 100644
--- a/main.tf
+++ b/main.tf
@@ -18,6 +18,7 @@ resource "aws_security_group" "openvpn" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["${var.vpc_cidr}"]
+ description = "all incoming traffic from vpc"
 }
 # For OpenVPN Client Web Server & Admin Web UI
From beb80a674f54b252f61ae11b7dd2c10f9538f852 Mon Sep 17 00:00:00 2001
From: user
Date: Sat, 12 Jan 2019 12:31:33 +1000
Subject: [PATCH 006/306] added outgoing rule to allow connections to vpc
---
 main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 08d1952..f0d1b87 100644
--- a/main.tf
+++ b/main.tf
@@ -55,7 +55,14 @@ resource "aws_security_group" "openvpn" {
 from_port = 0
 to_port = 0
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
- description = "all outgoing traffic"
+ description = "all outgoing traffic to vpn client remote ip"
+ }
+ egress {
+ protocol = -1
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["${var.vpc_cidr}"]
+ description = "all outgoing traffic to vpc"
 }
 }
From 3d2068f12a873bb02e19bd271886594b9d607a87 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Sat, 12 Jan 2019 17:05:25 +1000
Subject: [PATCH 007/306] added outgoing rules
---
 main.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/main.tf b/main.tf
index f0d1b87..1a82576 100644
--- a/main.tf
+++ b/main.tf
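Review bot: The rule this new description labels is an all-protocol, all-port ingress from `${var.vpc_cidr}`, which is far wider than a VPN gateway needs and lets any compromised host in the VPC reach the admin web UI and SSH on this instance; the description should at least say that, e.g. `description = "all protocols/ports from the whole vpc - consider narrowing"`. If the rule exists only so VPC hosts can answer VPN clients, security groups are stateful and already allow those replies, so the rule can likely be dropped; that inference should be confirmed against the routing setup before removing it. The enclosing `aws_security_group` block starts and ends outside this hunk.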
@@ -64,6 +64,13 @@ resource "aws_security_group" "openvpn" {
 cidr_blocks = ["${var.vpc_cidr}"]
 description = "all outgoing traffic to vpc"
 }
+ egress {
+ protocol = -1
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "all outgoing traffic to anywhere"
+ }
 }
 resource "aws_instance" "openvpn" {
From 1dfd43a9dc28170742229297363d64f159a14dfe Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Sun, 13 Jan 2019 14:22:11 +1000
Subject: [PATCH 008/306] vpn protocols weren't strings
---
 main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 1a82576..b2e3b39 100644
--- a/main.tf
+++ b/main.tf
@@ -14,7 +14,7 @@ resource "aws_security_group" "openvpn" {
 }
 ingress {
- protocol = -1
+ protocol = "-1"
 from_port = 0
 to_port = 0
 cidr_blocks = ["${var.vpc_cidr}"]
@@ -51,21 +51,21 @@ resource "aws_security_group" "openvpn" {
 description = "icmp"
 }
 egress {
- protocol = -1
+ protocol = "-1"
 from_port = 0
 to_port = 0
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 description = "all outgoing traffic to vpn client remote ip"
 }
 egress {
- protocol = -1
+ protocol = "-1"
 from_port = 0
 to_port = 0
 cidr_blocks = ["${var.vpc_cidr}"]
 description = "all outgoing traffic to vpc"
 }
 egress {
- protocol = -1
+ protocol = "-1"
 from_port = 0
 to_port = 0
 cidr_blocks = ["0.0.0.0/0"]
From 5b87666fa0c2d7e906806e76937a1e48d8da4378 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Sun, 13 Jan 2019 20:03:16 +1000
Subject: [PATCH 009/306] define list as default
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 80fbccb..a6e2f42 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,7 +10,7 @@ variable "remote_vpn_ip_cidr" {
 }
 variable "public_subnet_ids" {
- type = "list"
+ default = []
 }
 variable "cert_arn" {}
From 764d79c45aee8d7a6e028fd6c6bc5ee7ef028e93 Mon Sep 17 00:00:00 2001
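Review bot: Adding an all-protocol egress to `0.0.0.0/0` makes the two narrower egress rules immediately above it (to `remote_vpn_ip_cidr` and to `vpc_cidr`) dead weight, since the wider rule already matches everything they match; keep either the broad rule or the specific ones, not both, so the group reads as an intentional policy. If unrestricted egress is deliberate (package installs, OpenVPN AS activation), say so in the description rather than `"all outgoing traffic to anywhere"`, e.g. `description = "unrestricted egress; supersedes the remote-ip and vpc egress rules above"`. The security group block begins outside this hunk.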
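Review bot: Replacing `type = "list"` with `default = []` turns a required input into an optional one whose empty default only fails later, when `element(var.public_subnet_ids, count.index)` in the instance resource is evaluated against an empty list; keep the type and omit the default, `variable "public_subnet_ids" { type = "list" }`, so a missing value is rejected at plan time rather than mid-apply. If a default is genuinely wanted, a comment explaining what an empty list means for instance placement would be needed.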
From: Andrew Graham
Date: Sun, 13 Jan 2019 20:39:22 +1000
Subject: [PATCH 010/306] use an eip. will still need to correct the script to ref it
---
 main.tf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/main.tf b/main.tf
index b2e3b39..5ab6231 100644
--- a/main.tf
+++ b/main.tf
@@ -73,6 +73,15 @@ resource "aws_security_group" "openvpn" {
 }
 }
+resource "aws_eip_association" "eip_assoc" {
+ instance_id = "${aws_instance.openvpn.id}"
+ allocation_id = "${aws_eip.openvpnip.id}"
+}
+
+resource "aws_eip" "openvpnip" {
+ vpc = true
+}
+
 resource "aws_instance" "openvpn" {
 ami = "${var.ami}"
 instance_type = "${var.instance_type}"
From 7d744f210f2779311456d598436e740aee62303a Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Sun, 13 Jan 2019 21:39:08 +1000
Subject: [PATCH 011/306] limits in terraform mean provisioning must occur in the eip resource
---
 main.tf | 24 ++++++++++++++----------
 outputs.tf | 2 +-
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/main.tf b/main.tf
index 5ab6231..367db01 100644
--- a/main.tf
+++ b/main.tf
@@ -73,16 +73,13 @@ resource "aws_security_group" "openvpn" {
 }
 }
-resource "aws_eip_association" "eip_assoc" {
- instance_id = "${aws_instance.openvpn.id}"
- allocation_id = "${aws_eip.openvpnip.id}"
-}
-
-resource "aws_eip" "openvpnip" {
- vpc = true
-}
+# resource "aws_eip_association" "eip_assoc" {
+# instance_id = "${aws_instance.openvpn.id}"
+# allocation_id = "${aws_eip.openvpnip.id}"
+# }
 resource "aws_instance" "openvpn" {
+ #depends_on = ["aws_eip.openvpnip"]
 ami = "${var.ami}"
 instance_type = "${var.instance_type}"
 key_name = "${var.key_name}"
@@ -100,11 +97,18 @@ resource "aws_instance" "openvpn" {
 admin_user=${var.openvpn_admin_user}
 admin_pw=${var.openvpn_admin_pw}
 USERDATA
+}
+
+#configuration of the vpn instance must occur after the eip is assigned. normally a provisioner would want to reside in the aws_instance resource, but in this case,
+#it must resid in the aws_eip resource to be able to establish a connection
+resource "aws_eip" "openvpnip" {
+ vpc = true
+ instance = "${aws_instance.openvpn.id}"
 provisioner "remote-exec" {
 connection {
 user = "${var.openvpn_user}"
- host = "${self.public_ip}"
+ host = "${aws_eip.openvpnip.public_ip}"
 private_key = "${var.private_key}"
 timeout = "10m"
 }
@@ -172,5 +176,5 @@ resource "aws_route53_record" "openvpn" {
 name = "vpn.${var.domain_name}"
 type = "A"
 ttl = 300
- records = ["${aws_instance.openvpn.public_ip}"]
+ records = ["${aws_eip.openvpnip.public_ip}"]
 }
diff --git a/outputs.tf b/outputs.tf
index 1763ac1..d0e5f1d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,7 +3,7 @@ output "private_ip" {
 }
 output "public_ip" {
- value = "${aws_instance.openvpn.public_ip}"
+ value = "${aws_eip.openvpnip.public_ip}"
 }
 output "public_web_fqdn" {
From 2886d185a754dde7dae1a2485874cd1566956082 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Tue, 15 Jan 2019 10:19:20 +1000
Subject: [PATCH 012/306] added ability to shutdown vpn via a sleep variable
---
 main.tf | 8 ++++++++
 variables.tf | 4 ++++
 2 files changed, 12 insertions(+)
diff --git a/main.tf b/main.tf
index 367db01..c807c44 100644
--- a/main.tf
+++ b/main.tf
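Review bot: Moving the `remote-exec` provisioner into `aws_eip.openvpnip` ties the OpenVPN configuration to the lifetime of the EIP rather than the instance: if `aws_instance.openvpn` is replaced (new AMI, changed user_data), the EIP is re-pointed in place and creation-time provisioners do not re-run, so the replacement instance comes up unconfigured while keeping the same public address and DNS name. A `null_resource` with `triggers = { instance_id = "${aws_instance.openvpn.id}" }` that depends on the EIP would re-provision on every replacement while still connecting to `aws_eip.openvpnip.public_ip`. The user_data in the context lines also passes `admin_pw=${var.openvpn_admin_pw}` in cleartext, and user data is generally retrievable from the instance metadata service by any local process; a comment that this password should be rotated after first boot would help. The `aws_instance` and `aws_eip` resources extend outside this hunk.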
@@ -99,6 +99,14 @@ admin_pw=${var.openvpn_admin_pw}
 USERDATA
 }
+resource "null_resource" shutdownvpn {
+ count = "${var.sleep ? 1 : 0}"
+
+ provisioner "local-exec" {
+ command = "aws ec2 stop-instances --instance-ids ${aws_instance.openvpn.id}"
+ }
+}
+
 #configuration of the vpn instance must occur after the eip is assigned. normally a provisioner would want to reside in the aws_instance resource, but in this case,
 #it must resid in the aws_eip resource to be able to establish a connection
 resource "aws_eip" "openvpnip" {
diff --git a/variables.tf b/variables.tf
index a6e2f42..92debab 100644
--- a/variables.tf
+++ b/variables.tf
@@ -24,3 +24,7 @@ variable "openvpn_admin_pw" {}
 variable "vpn_cidr" {}
 variable "domain_name" {}
 variable "route_zone_id" {}
+
+variable "sleep" {
+ default = false
+}
From b9441de2fc85a7e9aed9b31d5aca8bb71b597685 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Tue, 15 Jan 2019 12:12:42 +1000
Subject: [PATCH 013/306] delinting
---
 main.tf | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/main.tf b/main.tf
index c807c44..39d96ad 100644
--- a/main.tf
+++ b/main.tf
@@ -73,13 +73,7 @@ resource "aws_security_group" "openvpn" {
 }
 }
-# resource "aws_eip_association" "eip_assoc" {
-# instance_id = "${aws_instance.openvpn.id}"
-# allocation_id = "${aws_eip.openvpnip.id}"
-# }
-
 resource "aws_instance" "openvpn" {
- #depends_on = ["aws_eip.openvpnip"]
 ami = "${var.ami}"
 instance_type = "${var.instance_type}"
 key_name = "${var.key_name}"
@@ -108,7 +102,7 @@ resource "null_resource" shutdownvpn {
 }
 #configuration of the vpn instance must occur after the eip is assigned. normally a provisioner would want to reside in the aws_instance resource, but in this case,
-#it must resid in the aws_eip resource to be able to establish a connection
+#it must reside in the aws_eip resource to be able to establish a connection
 resource "aws_eip" "openvpnip" {
 vpc = true
 instance = "${aws_instance.openvpn.id}"
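Review bot: `null_resource.shutdownvpn` runs `aws ec2 stop-instances` only when the null resource is first created, so once `sleep` has been `true` a later apply that replaces the instance leaves the new one running, and flipping `sleep` off and on again is the only way to stop it a second time; add `triggers = { instance_id = "${aws_instance.openvpn.id}" }` so the command re-runs whenever the instance changes. The command also relies on whatever AWS CLI credentials and default region the operator's shell happens to carry, which need not match the Terraform provider's; pass `--region` explicitly or document that the CLI profile must match. The `sleep` variable deserves a one-line comment, e.g. `# when true, stop the OpenVPN instance after it has been provisioned (saves cost while idle)`.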
From 8b95d37a579d5156e938337b26b6a88b93a4b87e Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Wed, 16 Jan 2019 08:25:48 +1000
Subject: [PATCH 014/306] enable tls for ta.key
---
 main.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/main.tf b/main.tf
index 39d96ad..d04c1a1 100644
--- a/main.tf
+++ b/main.tf
@@ -124,6 +124,9 @@ resource "aws_eip" "openvpnip" {
 "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut",
+ # here we enable tls which is required if we are to generate ta.key and client.ovpn files
+ "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut",
+
 # Do a warm restart so the config is picked up
 "sudo /usr/local/openvpn_as/scripts/sacli start",
 ]
From bf7a9c9f247fd8f13a8cfe1b461059785cf33598 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Wed, 16 Jan 2019 15:08:48 +1000
Subject: [PATCH 015/306] automatically download and start openvpn. but it must be a service!hang
---
 main.tf | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 2 ++
 2 files changed, 66 insertions(+)
diff --git a/main.tf b/main.tf
index d04c1a1..d344096 100644
--- a/main.tf
+++ b/main.tf
@@ -116,6 +116,9 @@ resource "aws_eip" "openvpnip" {
 }
 inline = [
+ #allow echo of input in bash. Won't display pipes though!
+ "set -x",
+
 # Sleep 60 seconds until AMI is ready
 "sleep 60",
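Review bot: `--value ='true'` has a space before `=`, so the shell hands sacli the argument `=true` (the quotes are consumed) and `vpn.server.tls_auth` is set to the literal string `=true` rather than `true`; the neighbouring call uses the `-k ... -v ...` form, so the consistent fix is `"sudo /usr/local/openvpn_as/scripts/sacli -k vpn.server.tls_auth -v true ConfigPut",`. The comment says this "enables tls", but `tls_auth` turns on the tls-auth HMAC key (`ta.key`) that authenticates control-channel packets; TLS itself is already in use. Suggested comment: `# enable tls-auth (HMAC on the control channel); required so ta.key is generated and embedded in client profiles`. The `inline` list and the enclosing `aws_eip` resource extend outside this hunk.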
@@ -131,6 +134,67 @@ resource "aws_eip" "openvpnip" { "sudo /usr/local/openvpn_as/scripts/sacli start", ] } + + provisioner "remote-exec" { + connection { + user = "${var.openvpn_user}" + host = "${aws_eip.openvpnip.public_ip}" + private_key = "${var.private_key}" + timeout = "10m" + } + + inline = [ + "cd /usr/local/openvpn_as/scripts/", + + # todo : need to correct this test user to be dynamic based on user input. + "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", + + "set -x", + + # this enables auto login: todo check if theres a problem with not having this abbove the start command + "sudo ./sacli --user openvpnas --key 'prop_autologin' --value 'true' UserPropPut", + + "sudo ./sacli --user openvpnas AutoGenerateOnBehalfOf", + "sudo ./sacli -o ./seperate --cn openvpnas get5", + "sudo chown openvpnas seperate/*", + "ls -la seperate", + ] + + #allow echo of input in bash. Won't display pipes though! + + #auto generate script needs a root shell. + #"sudo -i", + + #allow echo of input in bash. Won't display pipes though! + #"set -x", + } + + #we download the connection config files, and alter the client.ovpn file to use a password file. + ### note user must follow instructions for startvpn.sh to function + provisioner "local-exec" { + command = <> yourserver.txt + echo 'SecurityThroughObscurity99' >> yourserver.txt + sed -i 's/auth-user-pass/auth-user-pass yourserver.txt/g' client.ovpn + ~/openvpn_config/startvpn.sh & + EOT + } + + # todo need to document for users how to create start vpn script and add to sudoers. + + #need to work out a way of starting openvpn with sudo + ##sudo /usr/local/sbin/openvpn --config ./client.ovpn } resource "aws_elb" "openvpn" { diff --git a/variables.tf b/variables.tf index 92debab..3897856 100644 --- a/variables.tf +++ b/variables.tf 
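Review bot: The local-exec writes a fixed password, `echo 'SecurityThroughObscurity99' >> yourserver.txt`, into the operator's home directory and pairs it with `prop_autologin` on the `openvpnas` account, which appears to be the same privileged account used for SSH and `scp` login, so the downloaded profile grants passwordless VPN access under that account and the password itself is now committed to the repository; use `${var.openvpn_admin_pw}`, or better a dedicated low-privilege VPN user created via `sacli --user <name>`, and run `umask 077` before the file is written. The `scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` that fetches `client.key`, `ca.crt` and `ta.key` disables host-key verification, so anyone able to intercept the first connection to the new EIP can hand back their own CA and key material; pin the host key from the console output, or pull the profile through the already-authenticated remote-exec path instead. Separately, `echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate` embeds the admin password in the script remote-exec uploads to the instance, and the `set -x` that follows echoes every later command to the log. The `command = <> yourserver.txt` line is truncated in this rendering, so the start of the heredoc could not be reviewed.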
@@ -16,6 +16,8 @@ variable "public_subnet_ids" {
 variable "cert_arn" {}
 variable "key_name" {}
 variable "private_key" {}
+
+variable "local_key_path" {}
 variable "ami" {}
 variable "instance_type" {}
 variable "openvpn_user" {}
From d4058d57cb316d2fd9d1d616473402296bcdad3a Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Wed, 16 Jan 2019 05:13:36 -0800
Subject: [PATCH 016/306] Succesful auto start of vpn in ubuntu. refactoring required.
---
 main.tf | 22 ++++++++-------------
 startvpn.sh | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 14 deletions(-)
 create mode 100755 startvpn.sh
diff --git a/main.tf b/main.tf
index d344096..9e08671 100644
--- a/main.tf
+++ b/main.tf
@@ -151,7 +151,7 @@ resource "aws_eip" "openvpnip" {
 "set -x",
- # this enables auto login: todo check if theres a problem with not having this abbove the start command
+ # this enables auto login: todo : check if theres a problem with not having this above the start command
 "sudo ./sacli --user openvpnas --key 'prop_autologin' --value 'true' UserPropPut",
 "sudo ./sacli --user openvpnas AutoGenerateOnBehalfOf",
@@ -159,14 +159,6 @@ resource "aws_eip" "openvpnip" {
 "sudo chown openvpnas seperate/*",
 "ls -la seperate",
 ]
-
- #allow echo of input in bash. Won't display pipes though!
-
- #auto generate script needs a root shell.
- #"sudo -i",
-
- #allow echo of input in bash. Won't display pipes though!
- #"set -x",
 }
 #we download the connection config files, and alter the client.ovpn file to use a password file.
@@ -178,6 +170,7 @@ resource "aws_eip" "openvpnip" {
 cd ~/openvpn_config
 rm -f ta.key
 rm -f client.ovpn
+ rm -f client.conf
 rm -f client.key
 rm -f client.crt
 rm -f ca.crt
@@ -187,14 +180,15 @@ resource "aws_eip" "openvpnip" {
 echo 'openvpnas' >> yourserver.txt
 echo 'SecurityThroughObscurity99' >> yourserver.txt
 sed -i 's/auth-user-pass/auth-user-pass yourserver.txt/g' client.ovpn
- ~/openvpn_config/startvpn.sh &
+ mv client.ovpn openvpn.conf
+ ~/openvpn_config/startvpn.sh
+ ping -c15 '${aws_instance.openvpn.private_ip}'
 EOT
 }
- # todo need to document for users how to create start vpn script and add to sudoers.
-
- #need to work out a way of starting openvpn with sudo
- ##sudo /usr/local/sbin/openvpn --config ./client.ovpn
+ # You can check /var/log/syslog to confirm connection
+ # todo : need to document for users how to create start vpn script and add to sudoers. script should exist in /etc/openvpn.
+ # the visudo permissions should be more specific, dont * copy to folder in this script.
 }
 resource "aws_elb" "openvpn" {
diff --git a/startvpn.sh b/startvpn.sh
new file mode 100755
index 0000000..56dc7fe
--- /dev/null
+++ b/startvpn.sh
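Review bot: `yourserver.txt` is created by plain shell redirection (`echo 'openvpnas' >> yourserver.txt`) right after the `rm -f`, so under a default umask it is world-readable and holds the VPN credential in cleartext; put `umask 077` before the first `echo` (or `install -m 600 /dev/null yourserver.txt` before appending). The newly called `~/openvpn_config/startvpn.sh` then copies that file, together with the keys, into `/etc/openvpn` via `sudo` on the operator's machine as a side effect of `terraform apply`, which deserves a loud comment above the provisioner rather than the todo below it. `ping -c15` also blocks the apply for roughly fifteen seconds and, being the last command in the heredoc, fails the apply if no reply arrives; `ping -c3 -w10` would bound it. The `local-exec` provisioner and the `aws_eip` resource begin outside this hunk.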
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+#IMPORTANT: you will need to have the permissions locked down tight in this file for this to be secure.
+
+#Create the folder ~/openvpn_config
+#Copy startvpn.sh to this path.
+
+#Make the file owned by root and group root:
+#sudo chown root.root
+
+#Now set the SetUID bit, make it executable for all and writable only by root:
+
+#sudo chmod 4755
+
+#edit the sudoers file to conatin these line, which will allow the command to be run without a password.
+#user ALL=(ALL:ALL) NOPASSWD:cp -rfa * /etc/openvpn/.
+#user ALL=(ALL:ALL) NOPASSWD:service openvpn restart
+
+#Keep in mind if this script will allow any input or editing of files, this will also be done as root.
+
+#https://bbs.archlinux.org/viewtopic.php?id=126126
+#https://askubuntu.com/questions/229800/how-to-auto-start-openvpn-client-on-ubuntu-cli
+#https://serverfault.com/questions/480909/how-can-i-run-openvpn-as-daemon-sending-a-config-file
+
+
+cd ~/openvpn_config/
+sudo /bin/cp -rfa * /etc/openvpn/.
+sudo /usr/sbin/service openvpn restart
From 3270f49dd7162f37d68d3ce68556492279253836 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Fri, 18 Jan 2019 03:15:58 -0800
Subject: [PATCH 017/306] option to start vpn
---
 main.tf | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 9e08671..5d8fa72 100644
--- a/main.tf
+++ b/main.tf
@@ -181,8 +181,6 @@ resource "aws_eip" "openvpnip" {
 echo 'SecurityThroughObscurity99' >> yourserver.txt
 sed -i 's/auth-user-pass/auth-user-pass yourserver.txt/g' client.ovpn
 mv client.ovpn openvpn.conf
- ~/openvpn_config/startvpn.sh
- ping -c15 '${aws_instance.openvpn.private_ip}'
 EOT
 }
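Review bot: The sudoers rule the header prescribes, `user ALL=(ALL:ALL) NOPASSWD:cp -rfa * /etc/openvpn/.`, is root-equivalent: a `*` in a sudoers command spec also matches spaces, so the user can copy arbitrary files into `/etc/openvpn` as root, and since the openvpn service runs as root a planted `.conf` that names `up`/`down` scripts (subject to `script-security`) yields a root shell; sudoers also requires absolute command paths, so `cp ...` and `service ...` as written will not match at all. The setuid advice (`chmod 4755`) does nothing on Linux for interpreted scripts and is the wrong model anyway, because the script already escalates through `sudo`. The body runs `sudo /bin/cp -rfa * /etc/openvpn/.` whether or not `cd ~/openvpn_config/` succeeded, so a missing directory makes it copy the caller's current directory into `/etc/openvpn` as root; start the script with `set -e` and use `cd ~/openvpn_config/ || exit 1`, and copy the named files (`openvpn.conf`, `ca.crt`, `client.crt`, `client.key`, `ta.key`, `yourserver.txt`) with `install -m 600` rather than a glob, so the sudoers entry can name exact arguments.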
@@ -191,6 +189,21 @@ resource "aws_eip" "openvpnip" { # the visudo permissions should be more specific, dont * copy to folder in this script. } +variable "start_vpn" { + default = true +} + +resource "null_resource" "start_vpn" { + count = "${var.start_vpn}" + + provisioner "local-exec" { + command = < Date: Sat, 19 Jan 2019 03:32:02 -0800 Subject: [PATCH 018/306] ad instance id to outputs --- outputs.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/outputs.tf b/outputs.tf index d0e5f1d..f9b91c7 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,3 +1,7 @@ +output "id" { + value = "${aws_instance.openvpn.id}" +} + output "private_ip" { value = "${aws_instance.openvpn.private_ip}" } From f993615bccfb994ef73c7102dc207cbfcdb39cdb Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 19 Jan 2019 04:37:11 -0800 Subject: [PATCH 019/306] add source_dest_check on vpn instance for routing --- main.tf | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 5d8fa72..283cb73 100644 --- a/main.tf +++ b/main.tf @@ -73,11 +73,16 @@ resource "aws_security_group" "openvpn" { } } +variable "source_dest_check" { + default = true +} + resource "aws_instance" "openvpn" { - ami = "${var.ami}" - instance_type = "${var.instance_type}" - key_name = "${var.key_name}" - subnet_id = "${element(var.public_subnet_ids, count.index)}" + ami = "${var.ami}" + instance_type = "${var.instance_type}" + key_name = "${var.key_name}" + subnet_id = "${element(var.public_subnet_ids, count.index)}" + source_dest_check = "${var.source_dest_check}" vpc_security_group_ids = ["${aws_security_group.openvpn.id}"] From 3be4b10a1c009bab0b7620f32c18df15aed9fa1e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 20 Jan 2019 21:54:05 +1000 Subject: [PATCH 020/306] openvpn autologin file requirement updated for openvpn v2.61 --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 283cb73..1b1f7d1 100644 
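Review bot: `count = "${var.start_vpn}"` feeds a boolean straight into `count`, whereas the `shutdownvpn` resource added two commits earlier spells the same toggle as `count = "${var.sleep ? 1 : 0}"`; use the conditional form here too so both switches behave identically under Terraform 0.11's string coercion of booleans. The variable is also declared in `main.tf` while the module's other inputs live in `variables.tf`, the convention the "move remote ip cidr to variables.tf" commit established. The `local-exec` body of this resource is not legible in this rendering (`command = <` is cut off), so what the provisioner actually runs could not be reviewed.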
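Review bot: `source_dest_check` defaults to `true`, but an instance that forwards traffic between VPN clients and VPC subnets, which is the site-to-site use the routing notes in this module describe, must have the check disabled or EC2 silently drops packets whose source or destination is not the instance itself; if routing is the intended use the default should be `false`, and either way the variable needs a comment such as `# set to false when the instance routes traffic for other hosts (site-to-site); EC2 drops forwarded packets otherwise`. The variable is also declared in `main.tf` rather than `variables.tf`, unlike the module's other inputs. The `aws_instance` block continues outside this hunk.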
--- a/main.tf
+++ b/main.tf
@@ -185,7 +185,8 @@ resource "aws_eip" "openvpnip" {
 echo 'openvpnas' >> yourserver.txt
 echo 'SecurityThroughObscurity99' >> yourserver.txt
 sed -i 's/auth-user-pass/auth-user-pass yourserver.txt/g' client.ovpn
- mv client.ovpn openvpn.conf
+ sudo sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=openvpnas@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn
+ mv client.ovpn client_route.conf
 EOT
 }
From 9c67c07905d3d9b6ab3d335b86baa5809e6a8971 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Sun, 20 Jan 2019 22:30:50 +1000
Subject: [PATCH 021/306] some debugging with multiple vpn services
---
 main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 1b1f7d1..73ec1c9 100644
--- a/main.tf
+++ b/main.tf
@@ -180,13 +180,14 @@ resource "aws_eip" "openvpnip" {
 rm -f client.crt
 rm -f ca.crt
 rm -f yourserver.txt
+ rm -f client_route.conf
 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' openvpnas@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/
 ls -la
 echo 'openvpnas' >> yourserver.txt
 echo 'SecurityThroughObscurity99' >> yourserver.txt
 sed -i 's/auth-user-pass/auth-user-pass yourserver.txt/g' client.ovpn
- sudo sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=openvpnas@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn
- mv client.ovpn client_route.conf
+ sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=openvpnas@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn
+ mv client.ovpn openvpn.conf
 EOT
 }
From c266835c2764c611866a89d8f25b2f30f308db3d Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Mon, 21 Jan 2019 00:11:07 +1000
Subject: [PATCH 022/306] semifunctional
---
 main.tf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
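Review bot: The `scp` line hard-codes the login `openvpnas@${aws_eip.openvpnip.public_ip}` while the `remote-exec` connections in the same resource use `${var.openvpn_user}`, and the same literal is baked into `echo 'openvpnas' >> yourserver.txt` and into the rewritten `OVPN_ACCESS_SERVER_PROFILE=openvpnas@...` header; if `openvpn_user` is ever changed, the download silently targets the wrong account. Use the variable in all three places, e.g. `${var.openvpn_user}@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/*`, or introduce a separate `openvpn_client_user` input if the VPN login is meant to differ from the SSH user. The `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` options on that line disable host-key checking for a transfer that carries `client.key` and `ca.crt`, which deserves at least a comment acknowledging the first-connection risk. The `local-exec` heredoc this hunk edits starts outside it.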
diff --git a/main.tf b/main.tf index 73ec1c9..dbff23d 100644 --- a/main.tf +++ b/main.tf @@ -167,7 +167,8 @@ resource "aws_eip" "openvpnip" { } #we download the connection config files, and alter the client.ovpn file to use a password file. - ### note user must follow instructions for startvpn.sh to function + ### note user must follow instructions on startvpn.sh to function + ### todo : would be better to avoid all file movement in local exec. startvpn should only start the service and nothing else. provisioner "local-exec" { command = < Date: Mon, 21 Jan 2019 11:59:41 +1000 Subject: [PATCH 023/306] notes --- main.tf | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index dbff23d..6427a76 100644 --- a/main.tf +++ b/main.tf 
@@ -197,8 +197,20 @@ resource "aws_eip" "openvpnip" { # todo : need to document for users how to create start vpn script and add to sudoers. script should exist in /etc/openvpn. # the visudo permissions should be more specific, dont * copy to folder in this script. - #read more here to learn about setting up routes + # read more here to learn about setting up routes + # https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ # https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn + + # you will need ip forwarding on client and server if routing both sides - + # https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding + # and promiscuous mode enabled on ethernet adapters. for example, if openvpn client is in ubuntu vm, + # and we are running the vm with bridge ethernet in a rhel host, then enabling promiscuous mode, and setting up a static route + # is needed. + # https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode + # run this in the rhel host to provide static route to the virtual adaptor inside the vm + # sudo ip route add 10.0.0.0/16 via 192.169.0.2 + # ifconfig eth1 up + # ifconfig eth1 promisc } variable "start_vpn" { From f84cd9c7bc653027ca4881c5f83ca1f00f9820bf Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 21 Jan 2019 14:16:16 +1000 Subject: [PATCH 024/306] added more documentation on routing --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index 6427a76..e6ad59c 100644 --- a/main.tf +++ b/main.tf @@ -211,6 +211,9 @@ resource "aws_eip" "openvpnip" { # sudo ip route add 10.0.0.0/16 via 192.169.0.2 # ifconfig eth1 up # ifconfig eth1 promisc + # in ubuntu vm, ip forwarding must be on + # http://www.networkinghowtos.com/howto/enable-ip-forwarding-on-ubuntu-13-04/ + # sudo sysctl net.ipv4.ip_forward=1 } variable "start_vpn" { From 6264144b9fb23ee4473d9fb1a354a499a9d44396 Mon Sep 17 00:00:00 2001 
From: Andrew Graham
Date: Mon, 21 Jan 2019 14:29:05 +1000
Subject: [PATCH 025/306] force all traffic from the client to get directed to the VPN server
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index e6ad59c..16818c9 100644
--- a/main.tf
+++ b/main.tf
@@ -186,7 +186,7 @@ resource "aws_eip" "openvpnip" {
 ls -la
 echo 'openvpnas' >> yourserver.txt
 echo 'SecurityThroughObscurity99' >> yourserver.txt
- sed -i 's/auth-user-pass/auth-user-pass yourserver.txt/g' client.ovpn
+ sed -i 's/auth-user-pass/auth-user-pass yourserver.txt\npush "redirect-gateway def1 bypass-dhcp"/g' client.ovpn
 sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=openvpnas@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn
 mv client.ovpn openvpn.conf
 EOT
From 0ec8e088dc39ebbcd72c7e02c32f3470dcbb0752 Mon Sep 17 00:00:00 2001
From: user
Date: Mon, 21 Jan 2019 18:59:19 -0800
Subject: [PATCH 026/306] add more docs and update autostart
---
 main.tf | 31 +++++++++++++++++++++++++++----
 startvpn.sh | 25 ++++++++++++++++++-------
 2 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/main.tf b/main.tf
index 16818c9..96a30a8 100644
--- a/main.tf
+++ b/main.tf
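Review bot: `push "redirect-gateway def1 bypass-dhcp"` is being inserted into `client.ovpn`, a client profile, but `push` is a server-side directive that tells the server what to send to clients, and as far as I can tell OpenVPN in client mode rejects it; the client-side form is the bare option, so the substitution should be `sed -i 's/auth-user-pass/auth-user-pass yourserver.txt\nredirect-gateway def1 bypass-dhcp/g' client.ovpn`. Routing all of the operator's traffic through the VPN is also a deliberate policy choice that belongs in a comment above the line, e.g. `# send all client traffic through the VPN (def1 overrides the default route without deleting it)`. The `local-exec` heredoc this line sits in begins and ends outside the hunk.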
@@ -201,19 +201,42 @@ resource "aws_eip" "openvpnip" { # https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ # https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn - # you will need ip forwarding on client and server if routing both sides - + # you will need ip forwarding on client and server if routing both sides. # https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding + # These are the manual steps I'm doing to get both private subnets to connect, and I'd love to figure out the equivalent commands that I can drop in when I'm provisioning the access server. + + # [b]1.0 Should VPN clients have access to private subnets + # (non-public networks on the server side)?[/b] + # Yes, enable routing + + # [b]2.0 Specify the private subnets to which all clients should be given access (one per line):[/b] + # 10.0.101.0/24 + # 10.0.1.0/24 + # (these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) + + # [b]3.0 Allow access from these private subnets to all VPN client IP addresses and subnets[/b] : on + + # [b]4.0 in user permissions / user + # configure vpn gateway: + # [/b]yes + + # [b]5.0 Allow client to act as VPN gateway + # for these client-side subnets:[/b] + # 192.169.0.0/24 + # and promiscuous mode enabled on ethernet adapters. for example, if openvpn client is in ubuntu vm, # and we are running the vm with bridge ethernet in a rhel host, then enabling promiscuous mode, and setting up a static route # is needed. 
# https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode - # run this in the rhel host to provide static route to the virtual adaptor inside the vm + # run this in the rhel host to provide static route to the adaptor inside the vm (should be on the same subnet) # sudo ip route add 10.0.0.0/16 via 192.169.0.2 + # check routes with: + # sudo route -n # ifconfig eth1 up # ifconfig eth1 promisc - # in ubuntu vm, ip forwarding must be on + # in ubuntu vm, ip forwarding must be on. you must be using a bridged adaptor. # http://www.networkinghowtos.com/howto/enable-ip-forwarding-on-ubuntu-13-04/ - # sudo sysctl net.ipv4.ip_forward=1 + # sudo sysctl net.ipv4.ip_forward=1 } variable "start_vpn" { diff --git a/startvpn.sh b/startvpn.sh index 56dc7fe..257fc78 100755 --- a/startvpn.sh +++ b/startvpn.sh 
@@ -1,28 +1,39 @@
 #!/bin/bash
 #IMPORTANT: you will need to have the permissions locked down tight in this file for this to be secure.
-
-#Create the folder ~/openvpn_config
-#Copy startvpn.sh to this path.
-
 #Make the file owned by root and group root:
+
 #sudo chown root.root
 #Now set the SetUID bit, make it executable for all and writable only by root:
 #sudo chmod 4755
+#sudo chmod +s
+
+
+#edit the sudoers file to conatin this line, which will allow the command to be run without a password.
+#user ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa * /etc/openvpn/.
+#user ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload
+#user ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart
-#edit the sudoers file to conatin these line, which will allow the command to be run without a password.
-#user ALL=(ALL:ALL) NOPASSWD:cp -rfa * /etc/openvpn/.
-#user ALL=(ALL:ALL) NOPASSWD:service openvpn restart
 #Keep in mind if this script will allow any input or editing of files, this will also be done as root.
 #https://bbs.archlinux.org/viewtopic.php?id=126126
+
 #https://askubuntu.com/questions/229800/how-to-auto-start-openvpn-client-on-ubuntu-cli
+
 #https://serverfault.com/questions/480909/how-can-i-run-openvpn-as-daemon-sending-a-config-file
+#echo openvpnas | sudo /usr/local/sbin/openvpn --config ./client.ovpn
 cd ~/openvpn_config/
+
+echo '--- copying openvpn config files ---'
 sudo /bin/cp -rfa * /etc/openvpn/.
+
+echo 'finished copy.'
+echo 'restarting service'
+sudo systemctl daemon-reload
 sudo /usr/sbin/service openvpn restart
+echo '--- openvpn restarted ---'
From 293796ed478649620e109d5363ec54934e0468a6 Mon Sep 17 00:00:00 2001
From: queglay
Date: Wed, 23 Jan 2019 09:00:17 +1000
Subject: [PATCH 027/306] Update README.md
---
 README.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/README.md b/README.md
index 3413319..be21e7b 100644
--- a/README.md
+++ b/README.md
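Review bot: The rewritten sudoers lines now use absolute paths, but `user ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa * /etc/openvpn/.` is still root-equivalent: a `*` in a sudoers command spec matches spaces as well, so `sudo /bin/cp -rfa <any files> /etc/openvpn/.` copies arbitrary content into a directory whose `.conf` files openvpn executes as root, including any `up`/`down` scripts they name (subject to `script-security`). The script also still runs the wildcard copy whether or not `cd ~/openvpn_config/` succeeded, so a missing directory makes it copy the caller's current working directory into `/etc/openvpn` as root; at minimum add `set -e` at the top and `cd ~/openvpn_config/ || exit 1`, and copy named files so the sudoers entry can list exact arguments. The new `#sudo chmod +s` line repeats the setuid advice, which Linux ignores for interpreted scripts and which is unnecessary since the script escalates via `sudo`; it should be removed from the header rather than duplicated. `sudo systemctl daemon-reload` is invoked without the `/bin/systemctl` path that sudoers lists, which sudo resolves through `PATH` and so still matches, but the adjacent `/usr/sbin/service` call is fully qualified and the two should agree.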
@@ -61,9 +61,57 @@ module "openvpn" { } ``` +## Additional Notes for Routing + +You can check /var/log/syslog to confirm vpn connection. +check autoload is set to all or openvpn in /etc/default +ensure startvpn.sh is in ~/openvpn_config. openvpn.conf auto login files are constructed here and placed in /etc/openvpn before execution. + +read more here to learn about setting up routes +https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ +https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn + +You will need ip forwarding on client and server if routing both sides. +https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding +These are the manual steps I'm doing to get both private subnets to connect, and I'd love to figure out the equivalent commands that I can drop in when I'm provisioning the access server to automate them, but for now these are manual steps. + +[b]1.0 Should VPN clients have access to private subnets +(non-public networks on the server side)?[/b] +Yes, enable routing + +[b]2.0 Specify the private subnets to which all clients should be given access (one per line):[/b] +10.0.101.0/24 +10.0.1.0/24 +(these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) + +[b]3.0 Allow access from these private subnets to all VPN client IP addresses and subnets[/b] : on + +[b]4.0 in user permissions / user +configure vpn gateway: +[/b]yes + +[b]5.0 Allow client to act as VPN gateway +for these client-side subnets:[/b] +192.168.0.0/24 + +if you intend to provide access to other systems on your local network, promiscuous mode must enabled on host ethernet adapters. for example, if openvpn client is in ubuntu vm, and we are running the vm with bridged ethernet in a linux host, then enabling promiscuous mode, and setting up a static route is needed in the host. 
+https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode +for example, if you use a rhel host run this in the host to provide static route to the adaptor inside the vm (should be on the same subnet) + sudo ip route add 10.0.0.0/16 via [ip adress of the bridged ethernet adaptor in the vm] +check routes with: + sudo route -n + ifconfig eth1 up + ifconfig eth1 promisc + +In the ubuntu vm where where terraform is running, ip forwarding must be on. You must be using a bridged adaptor. +http://www.networkinghowtos.com/howto/enable-ip-forwarding-on-ubuntu-13-04/ + sudo sysctl net.ipv4.ip_forward=1 + + ## Authors Created and maintained by [Quentin Rousseau](https://github.com/kwent) (contact@quent.in). +Autostart and Routing Abilities in this fork by Andrew Graham (https://github.com/queglay/) (queglay@gmail.com) ## License From 39b13d4ecae1408e45a318e52389b786daf80d0a Mon Sep 17 00:00:00 2001 From: queglay Date: Wed, 23 Jan 2019 09:00:45 +1000 Subject: [PATCH 028/306] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be21e7b..0c72e5d 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,7 @@ https://askubuntu.com/questions/430355/configure-a-network-interface-into-promis for example, if you use a rhel host run this in the host to provide static route to the adaptor inside the vm (should be on the same subnet) sudo ip route add 10.0.0.0/16 via [ip adress of the bridged ethernet adaptor in the vm] check routes with: - sudo route -n + sudo route -n ifconfig eth1 up ifconfig eth1 promisc From 834772e09b72f44307260b683e4ee4003c5b388c Mon Sep 17 00:00:00 2001 From: queglay Date: Wed, 23 Jan 2019 09:02:50 +1000 Subject: [PATCH 029/306] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c72e5d..7bb0ab3 100644 --- a/README.md +++ b/README.md 
@@ -97,7 +97,9 @@ for these client-side subnets:[/b] if you intend to provide access to other systems on your local network, promiscuous mode must enabled on host ethernet adapters. for example, if openvpn client is in ubuntu vm, and we are running the vm with bridged ethernet in a linux host, then enabling promiscuous mode, and setting up a static route is needed in the host. https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode for example, if you use a rhel host run this in the host to provide static route to the adaptor inside the vm (should be on the same subnet) - sudo ip route add 10.0.0.0/16 via [ip adress of the bridged ethernet adaptor in the vm] +``` +sudo ip route add 10.0.0.0/16 via [ip adress of the bridged ethernet adaptor in the vm] +``` check routes with: sudo route -n ifconfig eth1 up From 47a4c2cce9e535272c454d14bfdb5fcf16a586f8 Mon Sep 17 00:00:00 2001 From: queglay Date: Wed, 23 Jan 2019 09:03:49 +1000 Subject: [PATCH 030/306] Update README.md --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7bb0ab3..570c6d8 100644 --- a/README.md +++ b/README.md @@ -101,13 +101,17 @@ for example, if you use a rhel host run this in the host to provide static route sudo ip route add 10.0.0.0/16 via [ip adress of the bridged ethernet adaptor in the vm] ``` check routes with: - sudo route -n - ifconfig eth1 up - ifconfig eth1 promisc +``` +sudo route -n +ifconfig eth1 up +ifconfig eth1 promisc +``` In the ubuntu vm where where terraform is running, ip forwarding must be on. You must be using a bridged adaptor. http://www.networkinghowtos.com/howto/enable-ip-forwarding-on-ubuntu-13-04/ - sudo sysctl net.ipv4.ip_forward=1 +``` +sudo sysctl net.ipv4.ip_forward=1 +``` ## Authors From b871687474155ea3fc62ff212aba87926f30cd92 Mon Sep 17 00:00:00 2001 
From: queglay Date: Wed, 23 Jan 2019 09:06:53 +1000 Subject: [PATCH 031/306] Update README.md --- README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 570c6d8..f3b744c 100644 --- a/README.md +++ b/README.md @@ -68,11 +68,11 @@ check autoload is set to all or openvpn in /etc/default ensure startvpn.sh is in ~/openvpn_config. openvpn.conf auto login files are constructed here and placed in /etc/openvpn before execution. read more here to learn about setting up routes -https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ -https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn +https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ +https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn -You will need ip forwarding on client and server if routing both sides. -https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding +You will need ip forwarding on client and server if routing both sides. +https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding These are the manual steps I'm doing to get both private subnets to connect, and I'd love to figure out the equivalent commands that I can drop in when I'm provisioning the access server to automate them, but for now these are manual steps. [b]1.0 Should VPN clients have access to private subnets 
@@ -94,8 +94,8 @@ configure vpn gateway: for these client-side subnets:[/b] 192.168.0.0/24 -if you intend to provide access to other systems on your local network, promiscuous mode must enabled on host ethernet adapters. for example, if openvpn client is in ubuntu vm, and we are running the vm with bridged ethernet in a linux host, then enabling promiscuous mode, and setting up a static route is needed in the host. -https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode +if you intend to provide access to other systems on your local network, promiscuous mode must enabled on host ethernet adapters. for example, if openvpn client is in ubuntu vm, and we are running the vm with bridged ethernet in a linux host, then enabling promiscuous mode, and setting up a static route is needed in the host. +https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode for example, if you use a rhel host run this in the host to provide static route to the adaptor inside the vm (should be on the same subnet) ``` sudo ip route add 10.0.0.0/16 via [ip adress of the bridged ethernet adaptor in the vm] @@ -109,6 +109,7 @@ ifconfig eth1 promisc In the ubuntu vm where where terraform is running, ip forwarding must be on. You must be using a bridged adaptor. http://www.networkinghowtos.com/howto/enable-ip-forwarding-on-ubuntu-13-04/ + ``` sudo sysctl net.ipv4.ip_forward=1 ``` From e3f860b5864642589d0bb61f5304dc643e18a345 Mon Sep 17 00:00:00 2001 From: queglay Date: Wed, 23 Jan 2019 09:08:43 +1000 Subject: [PATCH 032/306] Update README.md --- README.md | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index f3b744c..4556dad 100644 --- a/README.md +++ b/README.md 
@@ -65,35 +65,35 @@ module "openvpn" { You can check /var/log/syslog to confirm vpn connection. check autoload is set to all or openvpn in /etc/default -ensure startvpn.sh is in ~/openvpn_config. openvpn.conf auto login files are constructed here and placed in /etc/openvpn before execution. - -read more here to learn about setting up routes +ensure startvpn.sh is in ~/openvpn_config. openvpn.conf auto login files are constructed here and placed in /etc/openvpn before execution. + +read more here to learn about setting up routes https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn You will need ip forwarding on client and server if routing both sides. https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding These are the manual steps I'm doing to get both private subnets to connect, and I'd love to figure out the equivalent commands that I can drop in when I'm provisioning the access server to automate them, but for now these are manual steps. - -[b]1.0 Should VPN clients have access to private subnets -(non-public networks on the server side)?[/b] -Yes, enable routing - -[b]2.0 Specify the private subnets to which all clients should be given access (one per line):[/b] -10.0.101.0/24 -10.0.1.0/24 -(these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) - -[b]3.0 Allow access from these private subnets to all VPN client IP addresses and subnets[/b] : on - -[b]4.0 in user permissions / user -configure vpn gateway: -[/b]yes - -[b]5.0 Allow client to act as VPN gateway -for these client-side subnets:[/b] -192.168.0.0/24 - + +1.0 Should VPN clients have access to private subnets +(non-public networks on the server side)? 
+Yes, enable routing + +2.0 Specify the private subnets to which all clients should be given access (one per line): +10.0.101.0/24 +10.0.1.0/24 +(these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) + +3.0 Allow access from these private subnets to all VPN client IP addresses and subnets : on + +4.0 in user permissions / user +configure vpn gateway: +yes + +5.0 Allow client to act as VPN gateway +for these client-side subnets: +192.168.0.0/24 + if you intend to provide access to other systems on your local network, promiscuous mode must enabled on host ethernet adapters. for example, if openvpn client is in ubuntu vm, and we are running the vm with bridged ethernet in a linux host, then enabling promiscuous mode, and setting up a static route is needed in the host. https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode for example, if you use a rhel host run this in the host to provide static route to the adaptor inside the vm (should be on the same subnet) From 648ddbaf80be45bef73aefaec3b540cc39800ad1 Mon Sep 17 00:00:00 2001 From: user Date: Tue, 22 Jan 2019 15:10:36 -0800 Subject: [PATCH 033/306] documentation cleanup. --- main.tf | 44 +------------------------------------------- 1 file changed, 1 insertion(+), 43 deletions(-) diff --git a/main.tf b/main.tf index 96a30a8..9953267 100644 --- a/main.tf +++ b/main.tf 
@@ -192,51 +192,9 @@ resource "aws_eip" "openvpnip" { EOT } - # You can check /var/log/syslog to confirm connection - # check autoload is set to all or openvpn in /etc/default + # read docs at readme.md for more information needed on routing. # todo : need to document for users how to create start vpn script and add to sudoers. script should exist in /etc/openvpn. # the visudo permissions should be more specific, dont * copy to folder in this script. - - # read more here to learn about setting up routes - # https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ - # https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn - - # you will need ip forwarding on client and server if routing both sides. - # https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding - # These are the manual steps I'm doing to get both private subnets to connect, and I'd love to figure out the equivalent commands that I can drop in when I'm provisioning the access server. - - # [b]1.0 Should VPN clients have access to private subnets - # (non-public networks on the server side)?[/b] - # Yes, enable routing - - # [b]2.0 Specify the private subnets to which all clients should be given access (one per line):[/b] - # 10.0.101.0/24 - # 10.0.1.0/24 - # (these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) - - # [b]3.0 Allow access from these private subnets to all VPN client IP addresses and subnets[/b] : on - - # [b]4.0 in user permissions / user - # configure vpn gateway: - # [/b]yes - - # [b]5.0 Allow client to act as VPN gateway - # for these client-side subnets:[/b] - # 192.169.0.0/24 - - # and promiscuous mode enabled on ethernet adapters. for example, if openvpn client is in ubuntu vm, - # and we are running the vm with bridge ethernet in a rhel host, then enabling promiscuous mode, and setting up a static route - # is needed. 
- # https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode - # run this in the rhel host to provide static route to the adaptor inside the vm (should be on the same subnet) - # sudo ip route add 10.0.0.0/16 via 192.169.0.2 - # check routes with: - # sudo route -n - # ifconfig eth1 up - # ifconfig eth1 promisc - # in ubuntu vm, ip forwarding must be on. you must be using a bridged adaptor. - # http://www.networkinghowtos.com/howto/enable-ip-forwarding-on-ubuntu-13-04/ - # sudo sysctl net.ipv4.ip_forward=1 } variable "start_vpn" { From d475500c871070cb5ef0267b5805e65e4ab9d221 Mon Sep 17 00:00:00 2001 From: user Date: Tue, 22 Jan 2019 16:05:20 -0800 Subject: [PATCH 034/306] propogate dynamic password handling --- main.tf | 20 ++++++++++---------- variables.tf | 1 + 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/main.tf b/main.tf index 9953267..00b71b7 100644 --- a/main.tf +++ b/main.tf @@ -114,7 +114,7 @@ resource "aws_eip" "openvpnip" { provisioner "remote-exec" { connection { - user = "${var.openvpn_user}" + user = "${var.openvpn_admin_user}" host = "${aws_eip.openvpnip.public_ip}" private_key = "${var.private_key}" timeout = "10m" @@ -142,7 +142,7 @@ resource "aws_eip" "openvpnip" { provisioner "remote-exec" { connection { - user = "${var.openvpn_user}" + user = "${var.openvpn_admin_user}" host = "${aws_eip.openvpnip.public_ip}" private_key = "${var.private_key}" timeout = "10m" 
@@ -151,17 +151,17 @@ resource "aws_eip" "openvpnip" { inline = [ "cd /usr/local/openvpn_as/scripts/", - # todo : need to correct this test user to be dynamic based on user input. + # todo : need to add a user that is different to the admin user. currently they must be identical. "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", "set -x", # this enables auto login: todo : check if theres a problem with not having this above the start command - "sudo ./sacli --user openvpnas --key 'prop_autologin' --value 'true' UserPropPut", + "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", - "sudo ./sacli --user openvpnas AutoGenerateOnBehalfOf", - "sudo ./sacli -o ./seperate --cn openvpnas get5", - "sudo chown openvpnas seperate/*", + "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", + "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", + "sudo chown ${var.openvpn_user} seperate/*", "ls -la seperate", ] } @@ -184,10 +184,10 @@ resource "aws_eip" "openvpnip" { rm -f client_route.conf scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' openvpnas@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ ls -la - echo 'openvpnas' >> yourserver.txt - echo 'SecurityThroughObscurity99' >> yourserver.txt + echo '${var.openvpn_user}' >> yourserver.txt + echo '${var.openvpn_user_pw}' >> yourserver.txt sed -i 's/auth-user-pass/auth-user-pass yourserver.txt\npush "redirect-gateway def1 bypass-dhcp"/g' client.ovpn - sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=openvpnas@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn + sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=${var.openvpn_user}@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn mv client.ovpn openvpn.conf EOT } 
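Review bot: `"echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate"` interpolates the admin password into the remote shell script unquoted, so any whitespace or shell metacharacter in the password alters the command instead of reaching `sudo -S`; the same applies to the new `--user ${var.openvpn_user}` and `--cn ${var.openvpn_user}` arguments. Single-quoting the interpolations, `"echo '${var.openvpn_admin_pw}' | sudo -S mkdir seperate"`, covers everything except a literal `'` in the value, so the variable should be documented as not allowing one or the secret should be delivered another way than inline in the script. The enclosing `provisioner "remote-exec"` block starts outside the hunk.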
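Review bot: `echo '${var.openvpn_user_pw}' >> yourserver.txt` writes the VPN user's password in clear text into `~/openvpn_config/yourserver.txt` with whatever umask the local shell happens to have, and `startvpn.sh` later copies that file into `/etc/openvpn`; adding `umask 077` ahead of the two `echo` lines makes the file owner-readable only from the moment it is created. The heredoc this runs in starts before the hunk, so whether it is traced with `set -x` cannot be seen here, but if it is, the password also lands in the terraform apply output. As with the remote-exec hunk above, a `'` in the password breaks the single-quoted echo, which is worth a comment on the variable.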
diff --git a/variables.tf b/variables.tf index 3897856..6dac67b 100644 --- a/variables.tf +++ b/variables.tf @@ -21,6 +21,7 @@ variable "local_key_path" {} variable "ami" {} variable "instance_type" {} variable "openvpn_user" {} +variable "openvpn_user_pw" {} variable "openvpn_admin_user" {} variable "openvpn_admin_pw" {} variable "vpn_cidr" {} From 42f9a191234a4daece9ceb91af66f760fae94451 Mon Sep 17 00:00:00 2001 From: user Date: Tue, 22 Jan 2019 16:55:39 -0800 Subject: [PATCH 035/306] dynamic user name fix --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 00b71b7..71f3fb4 100644 --- a/main.tf +++ b/main.tf @@ -182,7 +182,7 @@ resource "aws_eip" "openvpnip" { rm -f ca.crt rm -f yourserver.txt rm -f client_route.conf - scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' openvpnas@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ + scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' ${var.openvpn_admin_user}@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ ls -la echo '${var.openvpn_user}' >> yourserver.txt echo '${var.openvpn_user_pw}' >> yourserver.txt From 9fb443f374efcf2c3b40ee7e3ffda7137dc29cbb Mon Sep 17 00:00:00 2001 From: user Date: Tue, 22 Jan 2019 20:14:46 -0800 Subject: [PATCH 036/306] add ability to start when sleep disabled. --- main.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/main.tf b/main.tf index 71f3fb4..018c18d 100644 --- a/main.tf +++ b/main.tf @@ -98,6 +98,15 @@ admin_pw=${var.openvpn_admin_pw} USERDATA } +#wakeup a node after sleep +resource "null_resource" "start-node" { + count = "${var.sleep ? 0 : 1}" + + provisioner "local-exec" { + command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn.id}" + } +} + resource "null_resource" shutdownvpn { count = "${var.sleep ? 1 : 0}" 
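Review bot: The `scp` line this commit retargets still passes `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, so `client.key`, `client.crt` and `ta.key` are pulled from `${aws_eip.openvpnip.public_ip}` with no host identity check at all. For a freshly created instance the host key can be obtained out of band (most AMIs print the fingerprints to the EC2 console output at first boot) and written to a known_hosts file that is then passed as `-o UserKnownHostsFile=<path>` without the `StrictHostKeyChecking=no`, which closes the window in which a spoofed host could hand out a bogus profile. The heredoc containing this line starts outside the hunk.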
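Review bot: The new `null_resource "start-node"` is named with a hyphen while its siblings in the same file use `shutdownvpn` and `start_vpn`; `start_node` would match the existing convention. It also has no `triggers`, so it only fires when `count` flips from 0 to 1, which is fine if the intent is purely to undo a previous `sleep = true`, but a comment saying so would save the next reader from expecting it to run on every apply. `aws ec2 start-instances` here relies on the local CLI's ambient credentials and region rather than the provider's, which is presumably intentional but is worth a line in the comment above the resource.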
From 143fb995a7e8cb493ab0fd9c9b7c1839367cdac7 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 5 Feb 2019 01:43:17 +1000 Subject: [PATCH 037/306] use relative paths to the repository --- main.tf | 3 ++- startvpn.sh | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 018c18d..159e572 100644 --- a/main.tf +++ b/main.tf @@ -216,7 +216,8 @@ resource "null_resource" "start_vpn" { provisioner "local-exec" { command = < +#sudo chown root:root #Now set the SetUID bit, make it executable for all and writable only by root: From 04526977b4a488db041fca27e306e7464998772b Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 5 Feb 2019 10:31:51 +1000 Subject: [PATCH 038/306] updates to docs and startvpn --- main.tf | 2 +- startvpn.sh | 12 +++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 159e572..0321036 100644 --- a/main.tf +++ b/main.tf @@ -181,7 +181,7 @@ resource "aws_eip" "openvpnip" { provisioner "local-exec" { command = < Date: Tue, 5 Feb 2019 14:52:48 +1000 Subject: [PATCH 039/306] improved sudo handling for autologin --- README.md | 12 ++++++++---- main.tf | 23 ++++++++++++++--------- startvpn.sh | 43 ++++++++++++++++++++++++++++++------------- 3 files changed, 52 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 4556dad..8f1e1e5 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,8 @@ These are the manual steps I'm doing to get both private subnets to connect, and Yes, enable routing 2.0 Specify the private subnets to which all clients should be given access (one per line): -10.0.101.0/24 -10.0.1.0/24 +10.0.101.0/24 +10.0.1.0/24 (these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) 3.0 Allow access from these private subnets to all VPN client IP addresses and subnets : on 
@@ -90,9 +90,13 @@ Yes, enable routing configure vpn gateway: yes -5.0 Allow client to act as VPN gateway +5.0 Allow client to act as VPN gateway (enter the cidr block for your onsite network) for these client-side subnets: -192.168.0.0/24 +192.168.92.0/24 + +At this point, your client side vpn client should be able to ping any private ip, and if you ssh into one of those ips, it whould be able to ping your client side ip with its private ip address. + +If not you will have to trouble shoot before you can continue further because this functionality is required. if you intend to provide access to other systems on your local network, promiscuous mode must enabled on host ethernet adapters. for example, if openvpn client is in ubuntu vm, and we are running the vm with bridged ethernet in a linux host, then enabling promiscuous mode, and setting up a static route is needed in the host. https://askubuntu.com/questions/430355/configure-a-network-interface-into-promiscuous-mode diff --git a/main.tf b/main.tf index 0321036..e1b9a19 100644 --- a/main.tf +++ b/main.tf @@ -183,14 +183,14 @@ resource "aws_eip" "openvpnip" { set -x mkdir -p ~/openvpn_config cd ~/openvpn_config - rm -f ta.key - rm -f client.ovpn - rm -f client.conf - rm -f client.key - rm -f client.crt - rm -f ca.crt - rm -f yourserver.txt - rm -f client_route.conf + rm -f ~/openvpn_config/ta.key + rm -f ~/openvpn_config/client.ovpn + rm -f ~/openvpn_config/client.conf + rm -f ~/openvpn_config/client.key + rm -f ~/openvpn_config/client.crt + rm -f ~/openvpn_config/ca.crt + rm -f ~/openvpn_config/yourserver.txt + rm -f ~/openvpn_config/client_route.conf scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' ${var.openvpn_admin_user}@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ ls -la echo '${var.openvpn_user}' >> yourserver.txt 
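Review bot: With `set -x` at the top of this heredoc every subsequent line is traced to stderr, and the line that follows the hunk's last context line (`echo '${var.openvpn_user_pw}' >> yourserver.txt`, visible in the earlier -184 hunk) then prints the VPN password into the terraform apply output and any CI log that captures it; bracketing that line with `set +x` / `set -x` keeps the trace without the secret. The switch to absolute `rm -f ~/openvpn_config/...` paths is fine, though a single `rm -f ~/openvpn_config/{ta.key,client.ovpn,client.conf,client.key,client.crt,ca.crt,yourserver.txt,client_route.conf}` would read more easily. The heredoc starts and ends outside the hunk.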
@@ -212,7 +212,12 @@ variable "start_vpn" { resource "null_resource" "start_vpn" { depends_on = ["aws_eip.openvpnip"] - count = "${var.start_vpn}" + + triggers { + instanceid = "${ aws_eip.openvpnip.id }" + } + + count = "${var.start_vpn}" provisioner "local-exec" { command = < -#edit the sudoers file to conatin this line, which will allow the command to be run without a password. -#usernamebob ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa * /etc/openvpn/. -#usernamebob ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload -#usernamebob ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart +#edit the sudoers file to conatin this line, which will allow these vpn autologin files to be copied to /etc without a password. -#or +# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/ca.crt /etc/openvpn/. +# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/client.crt /etc/openvpn/. +# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/client.key /etc/openvpn/. +# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/openvpn.conf /etc/openvpn/. +# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/ta.key /etc/openvpn/. +# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/yourserver.txt /etc/openvpn/. -#%usergroup ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa * /etc/openvpn/. -#%usergroup ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload -#%usergroup ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart +# /home/deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload +# /home/deadlineuser ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart -#Keep in mind if this script will allow any input or editing of files, this will also be done as root. +#instead, you may want to allow a group of users to be able to do this. 
EDIT THIS DIDN'T WORK BECAUSE WE CANT USE RELATIVE PATHS -#https://bbs.archlinux.org/viewtopic.php?id=126126 +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/ca.crt /etc/openvpn/. +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/client.crt /etc/openvpn/. +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/client.key /etc/openvpn/. +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/openvpn.conf /etc/openvpn/. +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/ta.key /etc/openvpn/. +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/yourserver.txt /etc/openvpn/. -#https://askubuntu.com/questions/229800/how-to-auto-start-openvpn-client-on-ubuntu-cli +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload +# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart +#Keep in mind if this script will allow any input or editing of files, this will also be done as root. +#https://bbs.archlinux.org/viewtopic.php?id=126126 +#https://askubuntu.com/questions/229800/how-to-auto-start-openvpn-client-on-ubuntu-cli #https://serverfault.com/questions/480909/how-can-i-run-openvpn-as-daemon-sending-a-config-file #echo openvpnas | sudo /usr/local/sbin/openvpn --config ./client.ovpn -cd ~/openvpn_config/ +set -x +mkdir -p /home/deadlineuser/openvpn_config/ +cd /home/deadlineuser/openvpn_config/ echo '--- copying openvpn config files ---' -sudo /bin/cp -rfa * /etc/openvpn/. +sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/ca.crt /etc/openvpn/. +sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/client.crt /etc/openvpn/. +sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/client.key /etc/openvpn/. +sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/openvpn.conf /etc/openvpn/. +sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/ta.key /etc/openvpn/. 
+sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/yourserver.txt /etc/openvpn/. echo 'finished copy.' echo 'restarting service' From 8b3be67af0045e0295884ac26363706ac5ae7952 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Thu, 14 Feb 2019 23:54:25 +1000 Subject: [PATCH 040/306] update readme for startvpn.sh --- README.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++- startvpn.sh | 43 ---------------------------------------- 2 files changed, 56 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index 8f1e1e5..1c0d85d 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,62 @@ Terraform module which creates OpenVPN on AWS -## This module is creating the following resources: +# Important steps for permissions and startvpn.sh + +*IMPORTANT: you will need to have the permissions locked down tight in on startvpn.sh for this to be secure. +Make the file owned by root and group root:* + + sudo chown root:root startvpn.sh + +Now set the SetUID bit, make it executable for all and writable only by root: + + sudo chmod 4755 startvpn.sh + sudo chmod +s startvpn.sh + + +edit the sudoers file to conatin this line, which will allow these vpn autologin files to be copied to /etc without a password. + +``` +deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/ca.crt /etc/openvpn/. +deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/client.crt /etc/openvpn/. +deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/client.key /etc/openvpn/. +deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/openvpn.conf /etc/openvpn/. +deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/ta.key /etc/openvpn/. +deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/yourserver.txt /etc/openvpn/. + +/home/deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload +/home/deadlineuser ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart +``` + +instead, you may want to allow a group of users to be able to do this. + +Edit: THIS DIDN'T ACTUALLY WORK BECAUSE WE CANT USE RELATIVE PATHS IN SUDOERS. +the right way to do it if needed would be to have a non home dir path temp location, with appropraite permissions to read and write by the group on within that path. + +``` +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/ca.crt /etc/openvpn/. +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/client.crt /etc/openvpn/. 
+%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/client.key /etc/openvpn/. +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/openvpn.conf /etc/openvpn/. +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/ta.key /etc/openvpn/. +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/yourserver.txt /etc/openvpn/. + +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload +%deadlineanduser ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart +``` + +Keep in mind if this script will allow any input or editing of files, this will also be done as root. some more references on related subjects: +https://bbs.archlinux.org/viewtopic.php?id=126126 +https://askubuntu.com/questions/229800/how-to-auto-start-openvpn-client-on-ubuntu-cli +https://serverfault.com/questions/480909/how-can-i-run-openvpn-as-daemon-sending-a-config-file + +startvpn.sh is currently how open vpn configuration is handled locally. the files retrieved from remote access server +are needed for auto login to work. + +It would be better to replace this with an Ansible playbook instead. + + +## the tf_aws_openvpn module is creating the following resources: 1. Two Route53 Records a. vpn-web.domain.com diff --git a/startvpn.sh b/startvpn.sh index 8f40b13..34b86fe 100755 --- a/startvpn.sh +++ b/startvpn.sh 
@@ -1,48 +1,5 @@ #!/bin/bash -#IMPORTANT: you will need to have the permissions locked down tight in this file for this to be secure. -#Make the file owned by root and group root: - -#sudo chown root:root - -#Now set the SetUID bit, make it executable for all and writable only by root: - -#sudo chmod 4755 -#sudo chmod +s - - -#edit the sudoers file to conatin this line, which will allow these vpn autologin files to be copied to /etc without a password. - -# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/ca.crt /etc/openvpn/. -# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/client.crt /etc/openvpn/. -# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/client.key /etc/openvpn/. -# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/openvpn.conf /etc/openvpn/. -# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/ta.key /etc/openvpn/. -# deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa /home/deadlineuser/openvpn_config/yourserver.txt /etc/openvpn/. - -# /home/deadlineuser ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload -# /home/deadlineuser ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart - - -#instead, you may want to allow a group of users to be able to do this. EDIT THIS DIDN'T WORK BECAUSE WE CANT USE RELATIVE PATHS - -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/ca.crt /etc/openvpn/. -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/client.crt /etc/openvpn/. -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/client.key /etc/openvpn/. -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/openvpn.conf /etc/openvpn/. -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/ta.key /etc/openvpn/. 
-# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/cp -rfa ~/openvpn_config/yourserver.txt /etc/openvpn/. - -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/bin/systemctl daemon-reload -# %deadlineanduser ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service openvpn restart - -#Keep in mind if this script will allow any input or editing of files, this will also be done as root. -#https://bbs.archlinux.org/viewtopic.php?id=126126 -#https://askubuntu.com/questions/229800/how-to-auto-start-openvpn-client-on-ubuntu-cli -#https://serverfault.com/questions/480909/how-can-i-run-openvpn-as-daemon-sending-a-config-file - -#echo openvpnas | sudo /usr/local/sbin/openvpn --config ./client.ovpn - set -x mkdir -p /home/deadlineuser/openvpn_config/ cd /home/deadlineuser/openvpn_config/ From 1266ef90ede1cb2f35f938e576d3c60d81f927e2 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 15 Feb 2019 00:00:05 +1000 Subject: [PATCH 041/306] doc update --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 1c0d85d..3237b4a 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ module "openvpn" { } ``` -## Additional Notes for Routing +## Important Notes for Routing: You can check /var/log/syslog to confirm vpn connection. check autoload is set to all or openvpn in /etc/default 
@@ -128,24 +128,25 @@ https://askubuntu.com/questions/612840/adding-route-on-client-using-openvpn You will need ip forwarding on client and server if routing both sides. https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding -These are the manual steps I'm doing to get both private subnets to connect, and I'd love to figure out the equivalent commands that I can drop in when I'm provisioning the access server to automate them, but for now these are manual steps. + +**These are the manual steps required to get both private subnets to connect, and we'd love to figure out the equivalent commands drop in when I'm provisioning the access server to automate them, but for now these are manual steps.** -1.0 Should VPN clients have access to private subnets +- Should VPN clients have access to private subnets (non-public networks on the server side)? Yes, enable routing -2.0 Specify the private subnets to which all clients should be given access (one per line): +- Specify the private subnets to which all clients should be given access (one per line): 10.0.101.0/24 10.0.1.0/24 (these subnets are in aws, the open vpn access server resides in the 10.0.101.0/24 subnet) -3.0 Allow access from these private subnets to all VPN client IP addresses and subnets : on +- Allow access from these private subnets to all VPN client IP addresses and subnets : on -4.0 in user permissions / user +- in user permissions / user configure vpn gateway: yes -5.0 Allow client to act as VPN gateway (enter the cidr block for your onsite network) +- Allow client to act as VPN gateway (enter the cidr block for your onsite network) for these client-side subnets: 192.168.92.0/24 From 032b1b7f94b99e0e4f5117c06ac414402c2a7600 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 22 Feb 2019 21:50:20 +1000 Subject: [PATCH 042/306] create dev branch and preparing for ansible to handle auto login. --- main.tf | 1 - 1 file changed, 1 deletion(-) 
diff --git a/main.tf b/main.tf index e1b9a19..10e7112 100644 --- a/main.tf +++ b/main.tf @@ -222,7 +222,6 @@ resource "null_resource" "start_vpn" { provisioner "local-exec" { command = < Date: Sat, 23 Feb 2019 00:16:16 +1000 Subject: [PATCH 043/306] temp disable load balancer --- main.tf | 136 ++++++++++++++++++++++++++--------------------------- outputs.tf | 12 ++--- 2 files changed, 74 insertions(+), 74 deletions(-) diff --git a/main.tf b/main.tf index 10e7112..b31ac6f 100644 --- a/main.tf +++ b/main.tf @@ -210,71 +210,71 @@ variable "start_vpn" { default = true } -resource "null_resource" "start_vpn" { - depends_on = ["aws_eip.openvpnip"] - - triggers { - instanceid = "${ aws_eip.openvpnip.id }" - } - - count = "${var.start_vpn}" - - provisioner "local-exec" { - command = < Date: Sun, 24 Feb 2019 00:56:27 +1000 Subject: [PATCH 044/306] install python on openvpn to enable ansible --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index b31ac6f..3b3784c 100644 --- a/main.tf +++ b/main.tf @@ -92,9 +92,11 @@ resource "aws_instance" "openvpn" { # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ + # Python is required for Ansible to function. user_data = < Date: Sun, 24 Feb 2019 01:05:34 +1000 Subject: [PATCH 045/306] enable routes for public zone --- main.tf | 90 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/main.tf b/main.tf index 3b3784c..3a92a86 100644 --- a/main.tf +++ b/main.tf 
@@ -230,53 +230,53 @@ variable "start_vpn" { # } # } -# resource "aws_elb" "openvpn" { -# name = "openvpn-elb" -# subnets = ["${var.public_subnet_ids}"] -# internal = false -# idle_timeout = 30 -# connection_draining = true -# connection_draining_timeout = 30 -# instances = ["${aws_instance.openvpn.id}"] -# security_groups = ["${aws_security_group.openvpn.id}"] - -# listener { -# instance_port = 443 -# instance_protocol = "https" -# lb_port = 443 -# lb_protocol = "https" -# ssl_certificate_id = "${var.cert_arn}" -# } +resource "aws_elb" "openvpn" { + name = "openvpn-elb" + subnets = ["${var.public_subnet_ids}"] + internal = false + idle_timeout = 30 + connection_draining = true + connection_draining_timeout = 30 + instances = ["${aws_instance.openvpn.id}"] + security_groups = ["${aws_security_group.openvpn.id}"] + + listener { + instance_port = 443 + instance_protocol = "https" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "${var.cert_arn}" + } -# health_check { -# healthy_threshold = 2 -# unhealthy_threshold = 2 -# timeout = 5 -# target = "TCP:443" -# interval = 20 -# } + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 5 + target = "TCP:443" + interval = 20 + } -# tags { -# Name = "openvpn-elb" -# } -# } + tags { + Name = "openvpn-elb" + } +} -# resource "aws_route53_record" "openvpn-web" { -# zone_id = "${var.route_zone_id}" -# name = "vpn-web.${var.domain_name}" -# type = "A" +resource "aws_route53_record" "openvpn-web" { + zone_id = "${var.route_zone_id}" + name = "vpn-web.${var.domain_name}" + type = "A" -# alias { -# name = "${aws_elb.openvpn.dns_name}" -# zone_id = "${aws_elb.openvpn.zone_id}" -# evaluate_target_health = false -# } -# } + alias { + name = "${aws_elb.openvpn.dns_name}" + zone_id = "${aws_elb.openvpn.zone_id}" + evaluate_target_health = false + } +} -# resource "aws_route53_record" "openvpn" { -# zone_id = "${var.route_zone_id}" -# name = "vpn.${var.domain_name}" -# type = "A" -# ttl = 300 -# 
records = ["${aws_eip.openvpnip.public_ip}"] -# } +resource "aws_route53_record" "openvpn" { + zone_id = "${var.route_zone_id}" + name = "vpn.${var.domain_name}" + type = "A" + ttl = 300 + records = ["${aws_eip.openvpnip.public_ip}"] +} From 1ae5c2aaa001432c1b6ef2444f9d058acb2a5816 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Feb 2019 01:24:06 +1000 Subject: [PATCH 046/306] fix python install line. --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3a92a86..40f8802 100644 --- a/main.tf +++ b/main.tf @@ -96,7 +96,7 @@ resource "aws_instance" "openvpn" { user_data = < Date: Sun, 24 Feb 2019 14:18:21 +1000 Subject: [PATCH 047/306] remove elb --- main.tf | 77 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 39 insertions(+), 38 deletions(-) diff --git a/main.tf b/main.tf index 40f8802..fe28e19 100644 --- a/main.tf +++ b/main.tf @@ -88,6 +88,7 @@ resource "aws_instance" "openvpn" { tags { Name = "${var.name}" + Role = "vpn" } # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> 
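Review bot: The re-enabled `aws_elb` is attached to the instance's own security group (`security_groups = ["${aws_security_group.openvpn.id}"]`), so the internet-facing load balancer inherits every ingress rule written for the VPN host — including the all-protocol rule from `var.vpc_cidr` that appears as context in the later `@@ -17,7 +17,7 @@` hunks — instead of just 443 from the intended client range; a dedicated security group for the ELB keeps the two exposure surfaces separately auditable. The HTTPS listener has no `access_logs` block, so connection attempts to the web UI through the ELB leave no record; `access_logs { bucket = "<log-bucket>" enabled = true }` (bucket name is a placeholder) would close that gap. `evaluate_target_health = false` on the `openvpn-web` alias means DNS keeps answering while the `TCP:443` health check is failing, which is presumably intended but worth a comment.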
@@ -230,48 +231,48 @@ variable "start_vpn" {
 # }
 # }
 
-resource "aws_elb" "openvpn" {
- name = "openvpn-elb"
- subnets = ["${var.public_subnet_ids}"]
- internal = false
- idle_timeout = 30
- connection_draining = true
- connection_draining_timeout = 30
- instances = ["${aws_instance.openvpn.id}"]
- security_groups = ["${aws_security_group.openvpn.id}"]
-
- listener {
- instance_port = 443
- instance_protocol = "https"
- lb_port = 443
- lb_protocol = "https"
- ssl_certificate_id = "${var.cert_arn}"
- }
+# resource "aws_elb" "openvpn" {
+# name = "openvpn-elb"
+# subnets = ["${var.public_subnet_ids}"]
+# internal = false
+# idle_timeout = 30
+# connection_draining = true
+# connection_draining_timeout = 30
+# instances = ["${aws_instance.openvpn.id}"]
+# security_groups = ["${aws_security_group.openvpn.id}"]
+
+# listener {
+# instance_port = 443
+# instance_protocol = "https"
+# lb_port = 443
+# lb_protocol = "https"
+# ssl_certificate_id = "${var.cert_arn}"
+# }
 
- health_check {
- healthy_threshold = 2
- unhealthy_threshold = 2
- timeout = 5
- target = "TCP:443"
- interval = 20
- }
+# health_check {
+# healthy_threshold = 2
+# unhealthy_threshold = 2
+# timeout = 5
+# target = "TCP:443"
+# interval = 20
+# }
 
- tags {
- Name = "openvpn-elb"
- }
-}
+# tags {
+# Name = "openvpn-elb"
+# }
+# }
 
-resource "aws_route53_record" "openvpn-web" {
- zone_id = "${var.route_zone_id}"
- name = "vpn-web.${var.domain_name}"
- type = "A"
+# resource "aws_route53_record" "openvpn-web" {
+# zone_id = "${var.route_zone_id}"
+# name = "vpn-web.${var.domain_name}"
+# type = "A"
 
- alias {
- name = "${aws_elb.openvpn.dns_name}"
- zone_id = "${aws_elb.openvpn.zone_id}"
- evaluate_target_health = false
- }
-}
+# alias {
+# name = "${aws_elb.openvpn.dns_name}"
+# zone_id = "${aws_elb.openvpn.zone_id}"
+# evaluate_target_health = false
+# }
+# }
 
 resource "aws_route53_record" "openvpn" {
 zone_id = "${var.route_zone_id}"
From 9c224b69f15bd1780356a0403d6304f4b6cd0535 Mon Sep 17 00:00:00 2001
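Review bot: The ELB and the `openvpn-web` record are commented out rather than deleted, leaving roughly 45 lines of dead Terraform that still references `var.cert_arn` and has to be maintained by hand; git history already preserves the definition, so removing the block outright is cleaner. The same applies to the commented-out `local-exec` provisioner in the `@@ -198,29 +198,29 @@` hunk of PATCH 051 and the two commented-out `remote-exec` provisioners in the `@@ -138,62 +138,62 @@` hunk of PATCH 053 — both carry credential handling (`echo '${var.openvpn_user_pw}' >> yourserver.txt`, `echo ${var.openvpn_admin_pw} | sudo -S`) that should not linger as a ready-to-uncomment template once Ansible takes over.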
From: Andrew Graham Date: Sun, 24 Feb 2019 15:01:21 +1000 Subject: [PATCH 048/306] move role --- main.tf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index fe28e19..c8c5511 100644 --- a/main.tf +++ b/main.tf @@ -88,7 +88,7 @@ resource "aws_instance" "openvpn" { tags { Name = "${var.name}" - Role = "vpn" + } # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> @@ -120,10 +120,16 @@ resource "null_resource" shutdownvpn { #configuration of the vpn instance must occur after the eip is assigned. normally a provisioner would want to reside in the aws_instance resource, but in this case, #it must reside in the aws_eip resource to be able to establish a connection + resource "aws_eip" "openvpnip" { + vpc = true instance = "${aws_instance.openvpn.id}" + tags { + Role = "vpn" + } + provisioner "remote-exec" { connection { user = "${var.openvpn_admin_user}" From a8882a4bb5b0a0e3218c4599062230de3e78155c Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Feb 2019 18:56:05 +1000 Subject: [PATCH 049/306] add key to ssh hosts local. --- main.tf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c8c5511..22c4866 100644 --- a/main.tf +++ b/main.tf @@ -97,7 +97,7 @@ resource "aws_instance" "openvpn" { user_data = <> ~/.ssh/known_hosts mkdir -p ~/openvpn_config cd ~/openvpn_config rm -f ~/openvpn_config/ta.key @@ -280,7 +284,7 @@ variable "start_vpn" { # } # } -resource "aws_route53_record" "openvpn" { +resource "aws_route53_record" "openvpn_record" { zone_id = "${var.route_zone_id}" name = "vpn.${var.domain_name}" type = "A" From 91f9bc59612d32ce59b1cb10af4a9c521a5b3bf2 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Feb 2019 14:30:01 +1000 Subject: [PATCH 050/306] add port 943 --- main.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/main.tf b/main.tf index 22c4866..5273c00 100644 --- a/main.tf +++ b/main.tf 
@@ -37,6 +37,14 @@ resource "aws_security_group" "openvpn" {
 cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
 description = "https"
 }
+ # see https://openvpn.net/vpn-server-resources/amazon-web-services-ec2-tiered-appliance-quick-start-guide/
+ ingress {
+ protocol = "tcp"
+ from_port = 943
+ to_port = 943
+ cidr_blocks = ["${var.remote_vpn_ip_cidr}"]
+ description = "admin ui"
+ }
 ingress {
 protocol = "udp"
 from_port = 1194
From 483151f9efea1e8697b655a068f0c9ab422271c8 Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Mon, 25 Feb 2019 20:06:59 +1000
Subject: [PATCH 051/306] remove functions to be taken over by ansible.
---
 main.tf | 46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/main.tf b/main.tf
index 5273c00..a295ba8 100644
--- a/main.tf
+++ b/main.tf
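Review bot: The new 943 ingress exposes the Access Server admin UI to `var.remote_vpn_ip_cidr`, and that variable defaults to `0.0.0.0/0` (visible as context in the variables.tf hunk of PATCH 056), so a caller who never overrides it gets the admin interface reachable from the whole internet alongside 22 and 443. The admin UI deserves a narrower source than the client-facing ports: a separate variable with no default, e.g. `variable "admin_ui_cidr" {}` used as `cidr_blocks = ["${var.admin_ui_cidr}"]`, forces the module user to state that range explicitly instead of inheriting the open default. The comment above the block only links the vendor guide; `# 943: Access Server admin web UI — keep this source range tighter than the client ports` would record why the rule exists.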
@@ -198,29 +198,29 @@ resource "aws_eip" "openvpnip" { #we download the connection config files, and alter the client.ovpn file to use a password file. ### note user must follow instructions on startvpn.sh to function ### todo : would be better to avoid all file movement in local exec. startvpn should only start the service and nothing else. - provisioner "local-exec" { - command = <> ~/.ssh/known_hosts - mkdir -p ~/openvpn_config - cd ~/openvpn_config - rm -f ~/openvpn_config/ta.key - rm -f ~/openvpn_config/client.ovpn - rm -f ~/openvpn_config/client.conf - rm -f ~/openvpn_config/client.key - rm -f ~/openvpn_config/client.crt - rm -f ~/openvpn_config/ca.crt - rm -f ~/openvpn_config/yourserver.txt - rm -f ~/openvpn_config/client_route.conf - scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' ${var.openvpn_admin_user}@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ - ls -la - echo '${var.openvpn_user}' >> yourserver.txt - echo '${var.openvpn_user_pw}' >> yourserver.txt - sed -i 's/auth-user-pass/auth-user-pass yourserver.txt\npush "redirect-gateway def1 bypass-dhcp"/g' client.ovpn - sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=${var.openvpn_user}@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn - mv client.ovpn openvpn.conf - EOT - } + # provisioner "local-exec" { + # command = <> ~/.ssh/known_hosts + # mkdir -p ~/openvpn_config + # cd ~/openvpn_config + # rm -f ~/openvpn_config/ta.key + # rm -f ~/openvpn_config/client.ovpn + # rm -f ~/openvpn_config/client.conf + # rm -f ~/openvpn_config/client.key + # rm -f ~/openvpn_config/client.crt + # rm -f ~/openvpn_config/ca.crt + # rm -f ~/openvpn_config/yourserver.txt + # rm -f ~/openvpn_config/client_route.conf + # scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' 
${var.openvpn_admin_user}@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ + # ls -la + # echo '${var.openvpn_user}' >> yourserver.txt + # echo '${var.openvpn_user_pw}' >> yourserver.txt + # sed -i 's/auth-user-pass/auth-user-pass yourserver.txt\npush "redirect-gateway def1 bypass-dhcp"/g' client.ovpn + # sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=${var.openvpn_user}@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn + # mv client.ovpn openvpn.conf + # EOT + # } # read docs at readme.md for more information needed on routing. # todo : need to document for users how to create start vpn script and add to sudoers. script should exist in /etc/openvpn. From a78c7d9eefdef05c5207a2856e440e7b1da96762 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Feb 2019 20:11:18 +1000 Subject: [PATCH 052/306] remove outputs attempt. they break things. --- outputs.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/outputs.tf b/outputs.tf index ab6a31c..905f0a0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,14 +1,14 @@ -output "id" { - value = "${aws_instance.openvpn.id}" -} +# output "id" { +# value = "${aws_instance.openvpn.id}" +# } -output "private_ip" { - value = "${aws_instance.openvpn.private_ip}" -} +# output "private_ip" { +# value = "${aws_instance.openvpn.private_ip}" +# } -output "public_ip" { - value = "${aws_eip.openvpnip.public_ip}" -} +# output "public_ip" { +# value = "${aws_eip.openvpnip.public_ip}" +# } # output "public_web_fqdn" { # value = "${aws_route53_record.openvpn-web.fqdn}" From 7d06fd54005db0dd1113f39f4460d95a5c01c6f0 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Feb 2019 20:36:58 +1000 Subject: [PATCH 053/306] disable provisioning of openvpn --- main.tf | 98 ++++++++++++++++++++++++++++++------------------------ outputs.tf | 10 ------ 2 files changed, 55 insertions(+), 53 deletions(-) 
diff --git a/main.tf b/main.tf index a295ba8..dc69cda 100644 --- a/main.tf +++ b/main.tf 
@@ -138,62 +138,62 @@ resource "aws_eip" "openvpnip" { Role = "vpn" } - provisioner "remote-exec" { - connection { - user = "${var.openvpn_admin_user}" - host = "${aws_eip.openvpnip.public_ip}" - private_key = "${var.private_key}" - timeout = "10m" - } + # provisioner "remote-exec" { + # connection { + # user = "${var.openvpn_admin_user}" + # host = "${aws_eip.openvpnip.public_ip}" + # private_key = "${var.private_key}" + # timeout = "10m" + # } - inline = [ - #allow echo of input in bash. Won't display pipes though! - "set -x", + # inline = [ + # #allow echo of input in bash. Won't display pipes though! + # "set -x", - # Sleep 60 seconds until AMI is ready - "sleep 60", + # # Sleep 60 seconds until AMI is ready + # "sleep 60", - # Install python for ansible - "sudo apt-get -y install python", + # # Install python for ansible + # "sudo apt-get -y install python", - # Set VPN network info - "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut", + # # Set VPN network info + # "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut", - "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut", + # "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut", - # here we enable tls which is required if we are to generate ta.key and client.ovpn files - "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut", + # # here we enable tls which is required if we are to generate ta.key and client.ovpn files + # "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut", - # Do a warm restart so the config is picked up - "sudo /usr/local/openvpn_as/scripts/sacli start", - ] - } + # # Do a warm restart so the config is 
picked up + # "sudo /usr/local/openvpn_as/scripts/sacli start", + # ] + # } - provisioner "remote-exec" { - connection { - user = "${var.openvpn_admin_user}" - host = "${aws_eip.openvpnip.public_ip}" - private_key = "${var.private_key}" - timeout = "10m" - } + # provisioner "remote-exec" { + # connection { + # user = "${var.openvpn_admin_user}" + # host = "${aws_eip.openvpnip.public_ip}" + # private_key = "${var.private_key}" + # timeout = "10m" + # } - inline = [ - "cd /usr/local/openvpn_as/scripts/", + # inline = [ + # "cd /usr/local/openvpn_as/scripts/", - # todo : need to add a user that is different to the admin user. currently they must be identical. - "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", + # # todo : need to add a user that is different to the admin user. currently they must be identical. + # "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", - "set -x", + # "set -x", - # this enables auto login: todo : check if theres a problem with not having this above the start command - "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", + # # this enables auto login: todo : check if theres a problem with not having this above the start command + # "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", - "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", - "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", - "sudo chown ${var.openvpn_user} seperate/*", - "ls -la seperate", - ] - } + # "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", + # "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", + # "sudo chown ${var.openvpn_user} seperate/*", + # "ls -la seperate", + # ] + # } #we download the connection config files, and alter the client.ovpn file to use a password file. ### note user must follow instructions on startvpn.sh to function 
@@ -227,6 +227,18 @@ resource "aws_eip" "openvpnip" {
 # the visudo permissions should be more specific, dont * copy to folder in this script.
 }
 
+output "id" {
+ value = "${aws_instance.openvpn.id}"
+}
+
+output "private_ip" {
+ value = "${aws_instance.openvpn.private_ip}"
+}
+
+output "public_ip" {
+ value = "${aws_eip.openvpnip.public_ip}"
+}
+
 variable "start_vpn" {
 default = true
 }
diff --git a/outputs.tf b/outputs.tf
index 905f0a0..5483c21 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,14 +1,4 @@
-# output "id" {
-# value = "${aws_instance.openvpn.id}"
-# }
-
-# output "private_ip" {
-# value = "${aws_instance.openvpn.private_ip}"
-# }
 
-# output "public_ip" {
-# value = "${aws_eip.openvpnip.public_ip}"
-# }
 
 # output "public_web_fqdn" {
 # value = "${aws_route53_record.openvpn-web.fqdn}"
From 5ba63dc345b9ddbf6dba9803bd91bcf00f78020c Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Mon, 25 Feb 2019 20:55:36 +1000
Subject: [PATCH 054/306] allow more groups temp
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index dc69cda..02952a1 100644
--- a/main.tf
+++ b/main.tf
@@ -17,7 +17,7 @@ resource "aws_security_group" "openvpn" {
 protocol = "-1"
 from_port = 0
 to_port = 0
- cidr_blocks = ["${var.vpc_cidr}"]
+ cidr_blocks = ["${var.vpc_cidr}", "172.27.232.0/24", "192.168.92.0/24"]
 description = "all incoming traffic from vpc"
 }
 
From 5cb9016a47f6d7578a2e4002258bdc49c95e1f9f Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Mon, 25 Feb 2019 21:17:11 +1000
Subject: [PATCH 055/306] extra groups
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 02952a1..152e947 100644
--- a/main.tf
+++ b/main.tf
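Review bot: The hard-coded `172.27.232.0/24` and `192.168.92.0/24` (and `172.27.236.0/24` in the following PATCH 055 hunk) are site-specific ranges baked into a reusable module's all-protocol ingress rule (`protocol = "-1"`, ports 0–0), and the description `"all incoming traffic from vpc"` no longer matches the rule. Those ranges belong in input variables so each caller states what it trusts, and the description should name the extra ranges; PATCH 056 later moves to `${var.vpn_cidr}` and `${var.remote_subnet_cidr}` but keeps the stale description until PATCH 057. Granting every port and protocol to the remote office range is broader than a VPN endpoint needs; if only routed VPN traffic is expected from it, a rule scoped to the services actually exposed would be preferable.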
@@ -17,7 +17,7 @@ resource "aws_security_group" "openvpn" {
 protocol = "-1"
 from_port = 0
 to_port = 0
- cidr_blocks = ["${var.vpc_cidr}", "172.27.232.0/24", "192.168.92.0/24"]
+ cidr_blocks = ["${var.vpc_cidr}", "172.27.232.0/24", "192.168.92.0/24", "172.27.236.0/24"]
 description = "all incoming traffic from vpc"
 }
 
From b06be07140650ca113f8203a6b5d695f7cc3345f Mon Sep 17 00:00:00 2001
From: Andrew Graham
Date: Wed, 27 Feb 2019 22:04:10 +1000
Subject: [PATCH 056/306] update cidr blocks
---
 main.tf | 160 ++++++++++++++++++++++-----------------------
 variables.tf | 4 +-
 2 files changed, 72 insertions(+), 92 deletions(-)
diff --git a/main.tf b/main.tf
index 152e947..e1990bf 100644
--- a/main.tf
+++ b/main.tf
@@ -17,7 +17,7 @@ resource "aws_security_group" "openvpn" {
 protocol = "-1"
 from_port = 0
 to_port = 0
- cidr_blocks = ["${var.vpc_cidr}", "172.27.232.0/24", "192.168.92.0/24", "172.27.236.0/24"]
+ cidr_blocks = ["${var.vpc_cidr}", "${var.vpn_cidr}", "${var.remote_subnet_cidr}"]
 description = "all incoming traffic from vpc"
 }
 
@@ -96,7 +96,7 @@ resource "aws_instance" "openvpn" {
 
 tags {
 Name = "${var.name}"
-
+ route = "public"
 }
 
 # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs -->
@@ -135,96 +135,74 @@ resource "aws_eip" "openvpnip" { instance = "${aws_instance.openvpn.id}" tags { - Role = "vpn" + role = "vpn" } - # provisioner "remote-exec" { - # connection { - # user = "${var.openvpn_admin_user}" - # host = "${aws_eip.openvpnip.public_ip}" - # private_key = "${var.private_key}" - # timeout = "10m" - # } - - # inline = [ - # #allow echo of input in bash. Won't display pipes though! - # "set -x", - - # # Sleep 60 seconds until AMI is ready - # "sleep 60", - - # # Install python for ansible - # "sudo apt-get -y install python", - - # # Set VPN network info - # "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut", - - # "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut", - - # # here we enable tls which is required if we are to generate ta.key and client.ovpn files - # "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut", - - # # Do a warm restart so the config is picked up - # "sudo /usr/local/openvpn_as/scripts/sacli start", - # ] - # } - - # provisioner "remote-exec" { - # connection { - # user = "${var.openvpn_admin_user}" - # host = "${aws_eip.openvpnip.public_ip}" - # private_key = "${var.private_key}" - # timeout = "10m" - # } - - # inline = [ - # "cd /usr/local/openvpn_as/scripts/", - - # # todo : need to add a user that is different to the admin user. currently they must be identical. 
- # "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", - - # "set -x", - - # # this enables auto login: todo : check if theres a problem with not having this above the start command - # "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", - - # "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", - # "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", - # "sudo chown ${var.openvpn_user} seperate/*", - # "ls -la seperate", - # ] - # } - - #we download the connection config files, and alter the client.ovpn file to use a password file. - ### note user must follow instructions on startvpn.sh to function - ### todo : would be better to avoid all file movement in local exec. startvpn should only start the service and nothing else. - # provisioner "local-exec" { - # command = <> ~/.ssh/known_hosts - # mkdir -p ~/openvpn_config - # cd ~/openvpn_config - # rm -f ~/openvpn_config/ta.key - # rm -f ~/openvpn_config/client.ovpn - # rm -f ~/openvpn_config/client.conf - # rm -f ~/openvpn_config/client.key - # rm -f ~/openvpn_config/client.crt - # rm -f ~/openvpn_config/ca.crt - # rm -f ~/openvpn_config/yourserver.txt - # rm -f ~/openvpn_config/client_route.conf - # scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r -i '${var.local_key_path}' ${var.openvpn_admin_user}@${aws_eip.openvpnip.public_ip}:/usr/local/openvpn_as/scripts/seperate/* ~/openvpn_config/ - # ls -la - # echo '${var.openvpn_user}' >> yourserver.txt - # echo '${var.openvpn_user_pw}' >> yourserver.txt - # sed -i 's/auth-user-pass/auth-user-pass yourserver.txt\npush "redirect-gateway def1 bypass-dhcp"/g' client.ovpn - # sed -i '/# OVPN_ACCESS_SERVER_PROFILE=/c\# OVPN_ACCESS_SERVER_PROFILE=${var.openvpn_user}@${aws_eip.openvpnip.public_ip}/AUTOLOGIN\n# OVPN_ACCESS_SERVER_AUTOLOGIN=1' client.ovpn - # mv client.ovpn openvpn.conf - # EOT - # } - - # read docs at readme.md for more information needed on routing. 
- # todo : need to document for users how to create start vpn script and add to sudoers. script should exist in /etc/openvpn. - # the visudo permissions should be more specific, dont * copy to folder in this script. + provisioner "remote-exec" { + connection { + user = "${var.openvpn_admin_user}" + host = "${aws_eip.openvpnip.public_ip}" + private_key = "${var.private_key}" + timeout = "10m" + } + + inline = [ + #allow echo of input in bash. Won't display pipes though! + "set -x", + + # Sleep 60 seconds until AMI is ready + "sleep 60", + + # Install python for ansible + "sudo apt-get -y install python", + + # Set VPN network info + "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut", + + "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut", + + # here we enable tls which is required if we are to generate ta.key and client.ovpn files + "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut", + + # Do a warm restart so the config is picked up + "sudo /usr/local/openvpn_as/scripts/sacli start", + ] + } + + provisioner "remote-exec" { + connection { + user = "${var.openvpn_admin_user}" + host = "${aws_eip.openvpnip.public_ip}" + private_key = "${var.private_key}" + timeout = "10m" + } + + inline = [ + "cd /usr/local/openvpn_as/scripts/", + + # todo : need to add a user that is different to the admin user. currently they must be identical. 
+ "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", + + "set -x", + + # this enables auto login: todo : check if theres a problem with not having this above the start command + "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", + + "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", + "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", + "sudo chown ${var.openvpn_user} seperate/*", + "ls -la seperate", + ] + } + + + # After a remote exec, its possible to use local exec to add the ssh keys to the known hosts file. this is done only once. + provisioner "local-exec" { + command = <> ~/.ssh/known_hosts + EOT + } } output "id" { @@ -306,7 +284,7 @@ variable "start_vpn" { resource "aws_route53_record" "openvpn_record" { zone_id = "${var.route_zone_id}" - name = "vpn.${var.domain_name}" + name = "vpn.${var.public_domain_name}" type = "A" ttl = 300 records = ["${aws_eip.openvpnip.public_ip}"] diff --git a/variables.tf b/variables.tf index 6dac67b..6360067 100644 --- a/variables.tf +++ b/variables.tf @@ -9,6 +9,8 @@ variable "remote_vpn_ip_cidr" { default = "0.0.0.0/0" } +variable "remote_subnet_cidr" {} + variable "public_subnet_ids" { default = [] } @@ -25,7 +27,7 @@ variable "openvpn_user_pw" {} variable "openvpn_admin_user" {} variable "openvpn_admin_pw" {} variable "vpn_cidr" {} -variable "domain_name" {} +variable "public_domain_name" {} variable "route_zone_id" {} variable "sleep" { From ee2245f083bb904cee335fdf155d6d4dec1df09e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 2 Mar 2019 17:45:12 +1000 Subject: [PATCH 057/306] update label --- main.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index e1990bf..49a8210 100644 --- a/main.tf +++ b/main.tf 
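Review bot: The second `remote-exec` provisioner pipes `${var.openvpn_admin_pw}` through `echo ... | sudo -S mkdir seperate`, which embeds the admin password in the script Terraform uploads to the instance and in any captured apply output; the first provisioner already runs `sudo apt-get` and `sudo /usr/local/openvpn_as/scripts/sacli` without a password, so `"sudo mkdir seperate",` should suffice and the password can be dropped from the script. The tls_auth line `--value ='true'` has a space before `=`, which likely hands sacli the literal `=true` rather than `true` — worth confirming and, if so, changing to `--key 'vpn.server.tls_auth' --value 'true' ConfigPut`. `sudo chown ${var.openvpn_user} seperate/*` hands the `get5` output (client profile files, presumably including the private key) to the VPN user without tightening the mode; a `chmod 600` on those files in the same step would be prudent. The `local-exec` that appends to `~/.ssh/known_hosts` is garbled in this rendering and could not be reviewed; the enclosing `aws_eip.openvpnip` resource starts before the hunk.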
@@ -18,7 +18,8 @@ resource "aws_security_group" "openvpn" { from_port = 0 to_port = 0 cidr_blocks = ["${var.vpc_cidr}", "${var.vpn_cidr}", "${var.remote_subnet_cidr}"] - description = "all incoming traffic from vpc" + + description = "all incoming traffic from vpc, vpn dhcp, and remote subnet" } # For OpenVPN Client Web Server & Admin Web UI @@ -95,7 +96,7 @@ resource "aws_instance" "openvpn" { vpc_security_group_ids = ["${aws_security_group.openvpn.id}"] tags { - Name = "${var.name}" + Name = "${var.name}" route = "public" } @@ -130,7 +131,6 @@ resource "null_resource" shutdownvpn { #it must reside in the aws_eip resource to be able to establish a connection resource "aws_eip" "openvpnip" { - vpc = true instance = "${aws_instance.openvpn.id}" @@ -195,7 +195,6 @@ resource "aws_eip" "openvpnip" { ] } - # After a remote exec, its possible to use local exec to add the ssh keys to the known hosts file. this is done only once. provisioner "local-exec" { command = < Date: Fri, 8 Mar 2019 10:19:25 +1000 Subject: [PATCH 058/306] remove load balancer --- main.tf | 61 --------------------------------------------------------- 1 file changed, 61 deletions(-) diff --git a/main.tf b/main.tf index 49a8210..61c02e3 100644 --- a/main.tf +++ b/main.tf @@ -220,67 +220,6 @@ variable "start_vpn" { default = true } -# resource "null_resource" "start_vpn" { -# depends_on = ["aws_eip.openvpnip"] - -# triggers { -# instanceid = "${ aws_eip.openvpnip.id }" -# } - -# count = "${var.start_vpn}" - -# provisioner "local-exec" { -# command = < Date: Thu, 14 Mar 2019 22:25:49 +1100 Subject: [PATCH 059/306] migrate openvpn provisioning into ansible --- main.tf | 119 +++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 75 insertions(+), 44 deletions(-) diff --git a/main.tf b/main.tf index 61c02e3..b53c134 100644 --- a/main.tf +++ b/main.tf 
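Review bot: The added `+` line before `description` in the first hunk is an empty line inside the ingress block, which separates the description from the attributes it documents; drop it so the rule reads as one unit. The rule admits every protocol and port from `var.vpc_cidr`, `var.vpn_cidr` and `var.remote_subnet_cidr`, and the new description names the sources but not why the on-site subnet needs more than the VPN transport ports; a one-line comment would keep the next reader from narrowing it by mistake, e.g. `# remote_subnet_cidr is allowed on all ports so routed site-to-site traffic can pass through the VPN instance — confirm`. The local-exec hunk at the end of this commit is garbled in this view and was not reviewed.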
@@ -138,68 +138,99 @@ resource "aws_eip" "openvpnip" { role = "vpn" } - provisioner "remote-exec" { - connection { - user = "${var.openvpn_admin_user}" - host = "${aws_eip.openvpnip.public_ip}" - private_key = "${var.private_key}" - timeout = "10m" - } + # provisioner "remote-exec" { + # connection { + # user = "${var.openvpn_admin_user}" + # host = "${aws_eip.openvpnip.public_ip}" + # private_key = "${var.private_key}" + # timeout = "10m" + # } - inline = [ - #allow echo of input in bash. Won't display pipes though! - "set -x", + # inline = [ + # #allow echo of input in bash. Won't display pipes though! + # "set -x", - # Sleep 60 seconds until AMI is ready - "sleep 60", + # # Sleep 60 seconds until AMI is ready + # "sleep 60", - # Install python for ansible - "sudo apt-get -y install python", + # # Install python for ansible + # "sudo apt-get -y install python", - # Set VPN network info - "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut", + # # Set VPN network info + # "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v ${element(split("/", var.vpn_cidr), 0)} ConfigPut", - "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut", + # "sudo /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v ${element(split("/", var.vpn_cidr), 1)} ConfigPut", - # here we enable tls which is required if we are to generate ta.key and client.ovpn files - "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut", + # # here we enable tls which is required if we are to generate ta.key and client.ovpn files + # "sudo /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value ='true' ConfigPut", - # Do a warm restart so the config is picked up - "sudo /usr/local/openvpn_as/scripts/sacli start", - ] - } + # # Do a warm restart so the config is 
picked up + # "sudo /usr/local/openvpn_as/scripts/sacli start", + # ] + # } - provisioner "remote-exec" { - connection { - user = "${var.openvpn_admin_user}" - host = "${aws_eip.openvpnip.public_ip}" - private_key = "${var.private_key}" - timeout = "10m" - } + # provisioner "remote-exec" { + # connection { + # user = "${var.openvpn_admin_user}" + # host = "${aws_eip.openvpnip.public_ip}" + # private_key = "${var.private_key}" + # timeout = "10m" + # } - inline = [ - "cd /usr/local/openvpn_as/scripts/", + # inline = [ + # "cd /usr/local/openvpn_as/scripts/", - # todo : need to add a user that is different to the admin user. currently they must be identical. - "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", + # # todo : need to add a user that is different to the admin user. currently they must be identical. + # "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate", - "set -x", + # "set -x", - # this enables auto login: todo : check if theres a problem with not having this above the start command - "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", + # # this enables auto login: todo : check if theres a problem with not having this above the start command + # "sudo ./sacli --user ${var.openvpn_user} --key 'prop_autologin' --value 'true' UserPropPut", - "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", - "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", - "sudo chown ${var.openvpn_user} seperate/*", - "ls -la seperate", - ] - } + # "sudo ./sacli --user ${var.openvpn_user} AutoGenerateOnBehalfOf", + # "sudo ./sacli -o ./seperate --cn ${var.openvpn_user} get5", + # "sudo chown ${var.openvpn_user} seperate/*", + # "ls -la seperate", + # ] + # } # After a remote exec, its possible to use local exec to add the ssh keys to the known hosts file. this is done only once. 
+ # provisioner "local-exec" { + # command = <> ~/.ssh/known_hosts + # EOT + # } +} + +resource "null_resource" "provision_vpn" { + depends_on = ["aws_instance.openvpn", "aws_eip.openvpnip", "aws_route53_record.openvpn_record"] + + triggers { + instanceid = "${ aws_instance.openvpn.id }" + } + + provisioner "remote-exec" { + connection { + user = "${var.openvpn_admin_user}" + host = "${aws_eip.openvpnip.public_ip}" + #bastion_host = "bastion.firehawkfilm.com" + private_key = "${var.private_key}" + #bastion_private_key = "${var.private_key}" + type = "ssh" + timeout = "10m" + } + + inline = ["set -x && sleep 20 && sudo apt-get install -y python"] + } + provisioner "local-exec" { command = <> ~/.ssh/known_hosts + cd /vagrant + ansible-playbook -i ansible/inventory ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${aws_eip.openvpnip.public_ip} public_hostname=vpn.${var.public_domain_name} set_bastion=false" + ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" EOT } } From a6418f3c8605805aa8011269747e79adcba16465 Mon Sep 17 00:00:00 2001 From: user Date: Fri, 15 Mar 2019 03:39:52 +1100 Subject: [PATCH 060/306] fix apt lock --- main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b53c134..a18704b 100644 --- a/main.tf +++ b/main.tf 
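Review bot: The remote-exec connection in the new `null_resource.provision_vpn` authenticates the operator to the host with `private_key = var.private_key` but sets no `host_key`, so Terraform accepts whatever SSH host key answers at `aws_eip.openvpnip.public_ip`; the local-exec after it appears to append the scanned key to `~/.ssh/known_hosts` (its heredoc is garbled in this view), which would make every later ansible run trust that same unverified key. Pinning the expected key with `host_key = ...` on the connection, or checking the fingerprint against the instance console output before it is recorded, closes the trust-on-first-use gap; the same applies to the two connection blocks reformatted in commit 071. Separately, the superseded provisioners are kept as `#` comment blocks, including `# "echo ${var.openvpn_admin_pw} | sudo -S mkdir seperate",` — since that logic now lives in ansible, delete them rather than comment them out.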
@@ -222,13 +222,20 @@ resource "null_resource" "provision_vpn" { timeout = "10m" } - inline = ["set -x && sleep 20 && sudo apt-get install -y python"] + #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] + inline = [ + #allow echo of input in bash. Won't display pipes though! + "set -x", + # Sleep 60 seconds until AMI is ready + "sleep 60", + ] } provisioner "local-exec" { command = < Date: Fri, 15 Mar 2019 23:42:31 +1100 Subject: [PATCH 061/306] attempt dependency on aws_internet_gateway. --- main.tf | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a18704b..36ecf3a 100644 --- a/main.tf +++ b/main.tf @@ -87,6 +87,7 @@ variable "source_dest_check" { } resource "aws_instance" "openvpn" { + depends_on = ["aws_internet_gateway.this"] ami = "${var.ami}" instance_type = "${var.instance_type}" key_name = "${var.key_name}" @@ -235,8 +236,26 @@ resource "null_resource" "provision_vpn" { command = < Date: Sat, 16 Mar 2019 01:21:44 +1100 Subject: [PATCH 062/306] add igw gateway dependency to openvpn --- main.tf | 76 +++++++---------------------------------------------- outputs.tf | 9 ------- startvpn.sh | 19 -------------- 3 files changed, 9 insertions(+), 95 deletions(-) delete mode 100644 outputs.tf delete mode 100755 startvpn.sh diff --git a/main.tf b/main.tf index 36ecf3a..612a04d 100644 --- a/main.tf +++ b/main.tf @@ -86,8 +86,16 @@ variable "source_dest_check" { default = true } +variable "igw_id" {} + +resource "null_resource" "gateway_dependency" { + triggers { + igw_id = "${var.igw_id}" + } +} + resource "aws_instance" "openvpn" { - depends_on = ["aws_internet_gateway.this"] + depends_on = ["null_resource.gateway_dependency"] ami = "${var.ami}" instance_type = "${var.instance_type}" key_name = "${var.key_name}" @@ -107,7 +115,6 @@ resource "aws_instance" "openvpn" { user_data = <> ~/.ssh/known_hosts - # EOT - # } } resource "null_resource" "provision_vpn" { 
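Review bot: `depends_on = ["null_resource.gateway_dependency"]` in the `@@ -86,8` hunk only orders `aws_instance.openvpn` after a null_resource whose trigger is the input `var.igw_id`; the ordering reaches the internet gateway itself only when the caller passes the gateway's `id` attribute, while a literal id string creates no dependency at all. Say so next to the resource so the next maintainer does not assume the module enforces it: `# Ordering on the IGW relies on the caller passing aws_internet_gateway.<name>.id; a literal id gives no dependency.`. The `@@ -107,7` and later hunks of this commit are garbled in this view (heredocs lost), so the user_data changes could not be reviewed.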
diff --git a/outputs.tf b/outputs.tf deleted file mode 100644 index 5483c21..0000000 --- a/outputs.tf +++ /dev/null @@ -1,9 +0,0 @@ - - -# output "public_web_fqdn" { -# value = "${aws_route53_record.openvpn-web.fqdn}" -# } - -# output "public_fqdn" { -# value = "${aws_route53_record.openvpn.fqdn}" -# } diff --git a/startvpn.sh b/startvpn.sh deleted file mode 100755 index 34b86fe..0000000 --- a/startvpn.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -set -x -mkdir -p /home/deadlineuser/openvpn_config/ -cd /home/deadlineuser/openvpn_config/ - -echo '--- copying openvpn config files ---' -sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/ca.crt /etc/openvpn/. -sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/client.crt /etc/openvpn/. -sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/client.key /etc/openvpn/. -sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/openvpn.conf /etc/openvpn/. -sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/ta.key /etc/openvpn/. -sudo /bin/cp -rfa /home/deadlineuser/openvpn_config/yourserver.txt /etc/openvpn/. - -echo 'finished copy.' -echo 'restarting service' -sudo systemctl daemon-reload -sudo /usr/sbin/service openvpn restart -echo '--- openvpn restarted ---' From 5cb1d5e8c3a1ea6a68786b5de551c9c344c506b1 Mon Sep 17 00:00:00 2001 From: user Date: Sun, 24 Mar 2019 21:46:17 +1000 Subject: [PATCH 063/306] needed to pass the remote subnet cidr with tf. --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 612a04d..8a0a1e8 100644 --- a/main.tf +++ b/main.tf @@ -198,7 +198,8 @@ resource "null_resource" "provision_vpn" { provisioner "local-exec" { command = < Date: Mon, 25 Mar 2019 19:01:59 +1000 Subject: [PATCH 064/306] unknown why vars must be passed from commandline --- main.tf | 7 +++---- variables.tf | 7 +++++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 8a0a1e8..81d6e84 100644 --- a/main.tf +++ b/main.tf 
@@ -86,8 +86,6 @@ variable "source_dest_check" { default = true } -variable "igw_id" {} - resource "null_resource" "gateway_dependency" { triggers { igw_id = "${var.igw_id}" @@ -198,8 +196,9 @@ resource "null_resource" "provision_vpn" { provisioner "local-exec" { command = < Date: Mon, 25 Mar 2019 19:10:06 +1000 Subject: [PATCH 065/306] use list of subnets --- main.tf | 2 +- variables.tf | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 81d6e84..7abafad 100644 --- a/main.tf +++ b/main.tf @@ -198,7 +198,7 @@ resource "null_resource" "provision_vpn" { set -x echo "TF_VAR_remote_subnet_cidr: $TF_VAR_remote_subnet_cidr" echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" - ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${var.private_subnet1} public_subnet1=${var.public_subnet1} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" + ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 1)} public_subnet1=${element(var.public_subnets, 1)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" EOT } } diff --git a/variables.tf b/variables.tf index 9d5e51b..5d70372 100644 --- a/variables.tf +++ b/variables.tf @@ -36,7 +36,9 @@ variable "sleep" { variable "igw_id" {} -variable "private_subnet1" {} -variable "private_subnet2" {} -variable "public_subnet1" {} -variable "public_subnet2" {} \ No newline at end of file +variable "private_subnets" { + default = [] +} +variable "public_subnets" { + default = [] +} \ No newline at end of file From 673d711b69365c24f06ec29c4bb47bfa06a2bcaf Mon Sep 17 00:00:00 2001 
From: user Date: Tue, 2 Apr 2019 15:23:03 +1000 Subject: [PATCH 066/306] update vpn for dynamic cidr ranges --- main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7abafad..243e46b 100644 --- a/main.tf +++ b/main.tf @@ -198,7 +198,9 @@ resource "null_resource" "provision_vpn" { set -x echo "TF_VAR_remote_subnet_cidr: $TF_VAR_remote_subnet_cidr" echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" - ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 1)} public_subnet1=${element(var.public_subnets, 1)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" + echo "private_subnet1: ${element(var.private_subnets, 0)}" + echo "public_subnet1: ${element(var.public_subnets, 0)}" + ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" EOT } } From 1c3b054a254fc61df87e677c5e4a5967e4a49df7 Mon Sep 17 00:00:00 2001 From: user Date: Tue, 2 Apr 2019 18:01:22 +1000 Subject: [PATCH 067/306] test change --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 243e46b..c4eee9b 100644 --- a/main.tf +++ b/main.tf @@ -196,6 +196,7 @@ resource "null_resource" "provision_vpn" { provisioner "local-exec" { command = < Date: Thu, 4 Apr 2019 14:18:37 +1000 Subject: [PATCH 068/306] start and stop vpn service with sleep --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c4eee9b..709b79b 100644 --- a/main.tf +++ b/main.tf 
@@ -121,7 +121,7 @@ resource "null_resource" "start-node" { count = "${var.sleep ? 0 : 1}" provisioner "local-exec" { - command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn.id}" + command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn restart" } } @@ -129,7 +129,7 @@ resource "null_resource" shutdownvpn { count = "${var.sleep ? 1 : 0}" provisioner "local-exec" { - command = "aws ec2 stop-instances --instance-ids ${aws_instance.openvpn.id}" + command = "aws ec2 stop-instances --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn stop" } } From 3915bd7883377d5126c05f70210c995d9e46015d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 May 2019 15:12:14 +1000 Subject: [PATCH 069/306] added routes to be configured on vpn install --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 709b79b..e50e520 100644 --- a/main.tf +++ b/main.tf @@ -202,6 +202,8 @@ resource "null_resource" "provision_vpn" { echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" + # configure routes on onsite workstation/render nodes + ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=/home/vagrant/.ssh/id_rsa" EOT } } From 8bde7be39270398191bba8b7143122b455d42df8 Mon Sep 17 00:00:00 2001 
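Review bot: In the `start-node` hunk the local `sudo service openvpn restart` is chained with `&&` directly onto `aws ec2 start-instances`, which returns as soon as the state change is requested, so the local OpenVPN client restarts before the server instance is actually running. Insert a wait between the two: `command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn.id} && aws ec2 wait instance-running --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn restart"`. Both local-exec commands also assume an OpenVPN client and non-interactive sudo on the machine running terraform, which deserves a comment above each resource, e.g. `# runs on the operator host; needs the openvpn client installed and passwordless sudo`.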
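Review bot: The added `ansible-playbook ... node-centos-routes.yaml` line in the `provision_vpn` hunk hard-codes `workstation.firehawkvfx.com`, `deadlineuser` and `/home/vagrant/.ssh/id_rsa` inside a reusable module, so any other user's apply will try to configure routes on that specific host with that specific key. Promote the three values to module inputs (one `variable` each, with a description) and interpolate them, e.g. `--extra-vars "variable_host=${var.<onsite_host>} variable_user=${var.<onsite_user>} hostname=${var.<onsite_host>} ansible_ssh_private_key_file=${var.<onsite_key_path>}"` with the placeholder names replaced. The heredoc this line lives in starts before the hunk.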
From: Andrew Graham Date: Mon, 27 May 2019 20:44:56 +1000 Subject: [PATCH 070/306] TF_VAR_onsite_workstation_ssh_key --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index e50e520..47401e8 100644 --- a/main.tf +++ b/main.tf @@ -203,7 +203,7 @@ resource "null_resource" "provision_vpn" { echo "public_subnet1: ${element(var.public_subnets, 0)}" ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" # configure routes on onsite workstation/render nodes - ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=/home/vagrant/.ssh/id_rsa" + ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_ssh_key" EOT } } From 4bc02bd95f4131cb7c0a97e102b4b8969f8e606e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 17 Aug 2019 16:38:48 +1000 Subject: [PATCH 071/306] upgrade command --- main.tf | 113 ++++++++++++++++++++++++++++----------------------- variables.tf | 67 ++++++++++++++++++++++-------- versions.tf | 4 ++ 3 files changed, 115 insertions(+), 69 deletions(-) create mode 100644 versions.tf diff --git a/main.tf b/main.tf index 47401e8..d0b3c3a 100644 --- a/main.tf +++ b/main.tf 
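Review bot: `ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_ssh_key` reads a shell environment variable inside the heredoc; when it is unset the playbook receives an empty path and ansible quietly falls back to its default key, so the misconfiguration surfaces later as an authentication error instead of at the point of use. Fail fast with a parameter-expansion check, written with the doubled dollar Terraform needs for a literal shell `${`: `ansible_ssh_private_key_file=$${TF_VAR_onsite_workstation_ssh_key:?TF_VAR_onsite_workstation_ssh_key is not set}`. The same applies to `-i "$TF_VAR_inventory"` on the same line.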
@@ -5,19 +5,19 @@ # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet resource "aws_security_group" "openvpn" { - name = "${var.name}" - vpc_id = "${var.vpc_id}" + name = var.name + vpc_id = var.vpc_id description = "OpenVPN security group" - tags { - Name = "${var.name}" + tags = { + Name = var.name } ingress { protocol = "-1" from_port = 0 to_port = 0 - cidr_blocks = ["${var.vpc_cidr}", "${var.vpn_cidr}", "${var.remote_subnet_cidr}"] + cidr_blocks = [var.vpc_cidr, var.vpn_cidr, var.remote_subnet_cidr] description = "all incoming traffic from vpc, vpn dhcp, and remote subnet" } @@ -28,49 +28,50 @@ resource "aws_security_group" "openvpn" { protocol = "tcp" from_port = 22 to_port = 22 - cidr_blocks = ["${var.remote_vpn_ip_cidr}"] + cidr_blocks = [var.remote_vpn_ip_cidr] description = "ssh" } ingress { protocol = "tcp" from_port = 443 to_port = 443 - cidr_blocks = ["${var.remote_vpn_ip_cidr}"] + cidr_blocks = [var.remote_vpn_ip_cidr] description = "https" } + # see https://openvpn.net/vpn-server-resources/amazon-web-services-ec2-tiered-appliance-quick-start-guide/ ingress { protocol = "tcp" from_port = 943 to_port = 943 - cidr_blocks = ["${var.remote_vpn_ip_cidr}"] + cidr_blocks = [var.remote_vpn_ip_cidr] description = "admin ui" } ingress { protocol = "udp" from_port = 1194 to_port = 1194 - cidr_blocks = ["${var.remote_vpn_ip_cidr}"] + cidr_blocks = [var.remote_vpn_ip_cidr] } ingress { protocol = "icmp" from_port = 8 to_port = 0 - cidr_blocks = ["${var.remote_vpn_ip_cidr}"] + cidr_blocks = [var.remote_vpn_ip_cidr] description = "icmp" } egress { protocol = "-1" from_port = 0 to_port = 0 - cidr_blocks = ["${var.remote_vpn_ip_cidr}"] + cidr_blocks = [var.remote_vpn_ip_cidr] description = "all outgoing traffic to vpn client remote ip" } egress { protocol = "-1" from_port = 0 to_port = 0 - cidr_blocks = ["${var.vpc_cidr}"] + cidr_blocks = [var.vpc_cidr] description = "all outgoing traffic to vpc" } egress { 
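Review bot: After the syntax conversion the group still opens TCP 22, 443, 943 (the line the new `# see ...` comment documents) and UDP 1194 to `var.remote_vpn_ip_cidr`, whose default in the variables.tf hunk of this same commit remains `0.0.0.0/0`; the header comment at the top of the first hunk asks users to set it but nothing enforces it, so a plain apply exposes SSH and the admin UI to the whole internet. Variable validation blocks are not generally available at the `>= 0.12` floor this commit sets in versions.tf, so the simplest guard is to drop the default and make the input required: `variable "remote_vpn_ip_cidr" { description = "Remote static IP (CIDR) allowed to reach SSH, the web/admin UIs and UDP 1194" }`. The `protocol = "-1"` egress rule to the same CIDR then also stops meaning "all destinations" by accident.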
@@ -87,23 +88,23 @@ variable "source_dest_check" { } resource "null_resource" "gateway_dependency" { - triggers { - igw_id = "${var.igw_id}" + triggers = { + igw_id = var.igw_id } } resource "aws_instance" "openvpn" { - depends_on = ["null_resource.gateway_dependency"] - ami = "${var.ami}" - instance_type = "${var.instance_type}" - key_name = "${var.key_name}" - subnet_id = "${element(var.public_subnet_ids, count.index)}" - source_dest_check = "${var.source_dest_check}" + depends_on = [null_resource.gateway_dependency] + ami = var.ami + instance_type = var.instance_type + key_name = var.key_name + subnet_id = element(var.public_subnet_ids, count.index) + source_dest_check = var.source_dest_check - vpc_security_group_ids = ["${aws_security_group.openvpn.id}"] + vpc_security_group_ids = [aws_security_group.openvpn.id] - tags { - Name = "${var.name}" + tags = { + Name = var.name route = "public" } @@ -114,19 +115,20 @@ resource "aws_instance" "openvpn" { admin_user=${var.openvpn_admin_user} admin_pw=${var.openvpn_admin_pw} USERDATA + } #wakeup a node after sleep resource "null_resource" "start-node" { - count = "${var.sleep ? 0 : 1}" + count = var.sleep ? 0 : 1 provisioner "local-exec" { command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn restart" } } -resource "null_resource" shutdownvpn { - count = "${var.sleep ? 1 : 0}" +resource "null_resource" "shutdownvpn" { + count = var.sleep ? 1 : 0 provisioner "local-exec" { command = "aws ec2 stop-instances --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn stop" 
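Review bot: `admin_pw=${var.openvpn_admin_pw}` in the `user_data` heredoc (context in the `@@ -114,19` hunk) bakes the OpenVPN admin password into instance user data, which any process on the instance can read from the metadata service and any principal with `ec2:DescribeInstanceAttribute` can read from the API; it also lands in the plan output and state. This commit only touches the surrounding syntax, but the upgrade is a good moment to move the credential out: `null_resource.provision_vpn` already runs ansible over SSH after boot, so the password can be set there (or fetched by the instance from a secrets store via an instance role) and user_data kept free of secrets. At minimum add `# NOTE: user_data is readable via the instance metadata service and DescribeInstanceAttribute; keep secrets out of it` above the heredoc. The `user_data` assignment starts before this hunk.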
@@ -138,36 +140,40 @@ resource "null_resource" shutdownvpn { resource "aws_eip" "openvpnip" { vpc = true - instance = "${aws_instance.openvpn.id}" + instance = aws_instance.openvpn.id - tags { + tags = { role = "vpn" } } resource "null_resource" "provision_vpn" { - depends_on = ["aws_instance.openvpn", "aws_eip.openvpnip", "aws_route53_record.openvpn_record"] + depends_on = [ + aws_instance.openvpn, + aws_eip.openvpnip, + aws_route53_record.openvpn_record, + ] - triggers { - instanceid = "${ aws_instance.openvpn.id }" + triggers = { + instanceid = aws_instance.openvpn.id } provisioner "remote-exec" { connection { - user = "${var.openvpn_admin_user}" - host = "${aws_eip.openvpnip.public_ip}" + user = var.openvpn_admin_user + host = aws_eip.openvpnip.public_ip + #bastion_host = "bastion.firehawkfilm.com" - private_key = "${var.private_key}" + private_key = var.private_key + #bastion_private_key = "${var.private_key}" - type = "ssh" - timeout = "10m" + type = "ssh" + timeout = "10m" } #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] inline = [ - #allow echo of input in bash. Won't display pipes though! "set -x", - # Sleep 60 seconds until AMI is ready "sleep 60", ] } 
@@ -178,19 +184,21 @@ resource "null_resource" "provision_vpn" { cd /vagrant ansible-playbook -i ansible/inventory/hosts ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${aws_eip.openvpnip.public_ip} public_hostname=vpn.${var.public_domain_name} set_bastion=false" aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn.id} && sleep 60 - EOT + +EOT + } provisioner "remote-exec" { connection { - user = "${var.openvpn_admin_user}" - host = "${aws_eip.openvpnip.public_ip}" - private_key = "${var.private_key}" - type = "ssh" - timeout = "10m" + user = var.openvpn_admin_user + host = aws_eip.openvpnip.public_ip + private_key = var.private_key + type = "ssh" + timeout = "10m" } inline = [ "set -x", - "sudo apt-get -y install python" + "sudo apt-get -y install python", ] } provisioner "local-exec" { @@ -204,20 +212,22 @@ resource "null_resource" "provision_vpn" { ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" # configure routes on onsite workstation/render nodes ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_ssh_key" - EOT + +EOT + } } output "id" { - value = "${aws_instance.openvpn.id}" + value = aws_instance.openvpn.id } output "private_ip" { - value = "${aws_instance.openvpn.private_ip}" + value = aws_instance.openvpn.private_ip } output "public_ip" { - value = "${aws_eip.openvpnip.public_ip}" + value = aws_eip.openvpnip.public_ip } variable "start_vpn" { 
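Review bot: The local-exec heredocs in both hunks run several commands in sequence (`ansible-playbook ...`, `aws ec2 reboot-instances ... && sleep 60`) under the provisioner's shell, so only the last command's exit status reaches Terraform; a failed playbook or reboot is traced by the `set -x` at the top of the heredoc (just above the first hunk) but does not fail the apply, and the instance is recorded as provisioned anyway. Change that first line to `set -ex` so the first failing command aborts the provisioner. `cd /vagrant` also ties the module to a Vagrant host; a variable for the project root would make it usable elsewhere.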
@@ -225,9 +235,10 @@ variable "start_vpn" { } resource "aws_route53_record" "openvpn_record" { - zone_id = "${var.route_zone_id}" + zone_id = var.route_zone_id name = "vpn.${var.public_domain_name}" type = "A" ttl = 300 - records = ["${aws_eip.openvpnip.public_ip}"] + records = [aws_eip.openvpnip.public_ip] } + diff --git a/variables.tf b/variables.tf index 5d70372..6a1426b 100644 --- a/variables.tf +++ b/variables.tf @@ -2,43 +2,74 @@ variable "name" { default = "openvpn" } -variable "vpc_id" {} -variable "vpc_cidr" {} +variable "vpc_id" { +} + +variable "vpc_cidr" { +} variable "remote_vpn_ip_cidr" { default = "0.0.0.0/0" } -variable "remote_subnet_cidr" {} +variable "remote_subnet_cidr" { +} variable "public_subnet_ids" { default = [] } -variable "cert_arn" {} -variable "key_name" {} -variable "private_key" {} +variable "cert_arn" { +} + +variable "key_name" { +} + +variable "private_key" { +} + +variable "local_key_path" { +} + +variable "ami" { +} + +variable "instance_type" { +} + +variable "openvpn_user" { +} + +variable "openvpn_user_pw" { +} + +variable "openvpn_admin_user" { +} + +variable "openvpn_admin_pw" { +} + +variable "vpn_cidr" { +} + +variable "public_domain_name" { +} -variable "local_key_path" {} -variable "ami" {} -variable "instance_type" {} -variable "openvpn_user" {} -variable "openvpn_user_pw" {} -variable "openvpn_admin_user" {} -variable "openvpn_admin_pw" {} -variable "vpn_cidr" {} -variable "public_domain_name" {} -variable "route_zone_id" {} +variable "route_zone_id" { +} variable "sleep" { default = false } -variable "igw_id" {} +variable "igw_id" { +} variable "private_subnets" { default = [] } + variable "public_subnets" { default = [] -} \ No newline at end of file +} + diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} From 463a93456123ea69c814406d908700298bda254a Mon Sep 17 00:00:00 2001 
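Review bot: The reformatted variables.tf declares `private_key`, `openvpn_admin_pw` and `openvpn_user_pw` with empty bodies, so nothing marks them as secrets or explains where they flow; the conversion to multi-line blocks is the right moment to give each a `description` (and, once the `required_version` floor reaches 0.14, `sensitive = true`). For example `variable "openvpn_admin_pw" { description = "OpenVPN Access Server admin password; currently written into the instance user_data" }`. The `remote_vpn_ip_cidr` default of `0.0.0.0/0` is raised at the security-group hunk of this commit.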
From: Andrew Graham Date: Sat, 17 Aug 2019 17:03:44 +1000 Subject: [PATCH 072/306] fix element pull index 0 --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d0b3c3a..8bbfc20 100644 --- a/main.tf +++ b/main.tf @@ -98,7 +98,7 @@ resource "aws_instance" "openvpn" { ami = var.ami instance_type = var.instance_type key_name = var.key_name - subnet_id = element(var.public_subnet_ids, count.index) + subnet_id = element(var.public_subnet_ids, 0) source_dest_check = var.source_dest_check vpc_security_group_ids = [aws_security_group.openvpn.id] From ebdea42ad61a5bd9e6b6d510d1276f346418ebd3 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 18 Aug 2019 10:28:12 +1000 Subject: [PATCH 073/306] disable local workstation routes add open vpn to hosts --- main.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 8bbfc20..f86a791 100644 --- a/main.tf +++ b/main.tf @@ -183,6 +183,7 @@ resource "null_resource" "provision_vpn" { set -x cd /vagrant ansible-playbook -i ansible/inventory/hosts ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${aws_eip.openvpnip.public_ip} public_hostname=vpn.${var.public_domain_name} set_bastion=false" + ansible-playbook -i ansible/inventory ansible/hosts-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${aws_eip.openvpnip.public_ip}" aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn.id} && sleep 60 EOT 
@@ -209,9 +210,9 @@ EOT echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" - ansible-playbook -i ansible/inventory ansible/openvpn.yaml -v --extra-vars "private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" - # configure routes on onsite workstation/render nodes - ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_ssh_key" + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" + # configure routes on onsite workstation/render nodes - consider disabling if workstation not present. + # ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_ssh_key" EOT From 18b6a83878f642b5f296f42fa89bb309d064250e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 18 Aug 2019 19:10:19 +1000 Subject: [PATCH 074/306] update dynamic inventory --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index f86a791..190a356 100644 --- a/main.tf +++ b/main.tf 
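Review bot: The onsite-routes playbook is now kept as a commented-out command inside the heredoc, with the hard-coded `workstation.firehawkvfx.com` / `deadlineuser` values still in it; a commented line in a provisioner script is easy to miss and will rot. Either delete it or gate it on an input with a template directive, which 0.12 supports inside heredocs: `%{ if var.<configure_onsite_routes> }` before the line and `%{ endif }` after it, with the host, user and key path as variables. The comment above it ("consider disabling if workstation not present") would then become that variable's description.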
@@ -183,7 +183,7 @@ resource "null_resource" "provision_vpn" { set -x cd /vagrant ansible-playbook -i ansible/inventory/hosts ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${aws_eip.openvpnip.public_ip} public_hostname=vpn.${var.public_domain_name} set_bastion=false" - ansible-playbook -i ansible/inventory ansible/hosts-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${aws_eip.openvpnip.public_ip}" + ansible-playbook -i ansible/inventory ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${aws_eip.openvpnip.public_ip}" aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn.id} && sleep 60 EOT From e5ae8533932ddb9c4def2be5d9f13346ea6b710d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 20 Aug 2019 12:26:58 +1000 Subject: [PATCH 075/306] add bastion ip for private route to vpn server --- main.tf | 4 +++- variables.tf | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 190a356..f9ebc77 100644 --- a/main.tf +++ b/main.tf 
@@ -183,7 +183,9 @@ resource "null_resource" "provision_vpn" { set -x cd /vagrant ansible-playbook -i ansible/inventory/hosts ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${aws_eip.openvpnip.public_ip} public_hostname=vpn.${var.public_domain_name} set_bastion=false" - ansible-playbook -i ansible/inventory ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${aws_eip.openvpnip.public_ip}" + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${aws_eip.openvpnip.public_ip}" + ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${aws_eip.openvpnip.private_ip} bastion_ip=${var.bastion_ip}" + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private.$TF_VAR_public_domain host_ip=${aws_eip.openvpnip.private_ip}" aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn.id} && sleep 60 EOT diff --git a/variables.tf b/variables.tf index 6a1426b..e700d8f 100644 --- a/variables.tf +++ b/variables.tf @@ -25,6 +25,9 @@ variable "cert_arn" { variable "key_name" { } +variable "bastion_ip" { +} + variable "private_key" { } From 9358df9dacc6a0160b5b19518d58d72b9f4a3473 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 23 Dec 2019 15:05:08 +1030 Subject: [PATCH 076/306] optionally use vpn ip address in place of web address --- main.tf | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index f9ebc77..375480a 100644 --- a/main.tf +++ b/main.tf @@ -147,6 +147,11 @@ resource "aws_eip" "openvpnip" { } } +locals { + vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":"${aws_eip.openvpnip.public_ip}" +} + + resource "null_resource" "provision_vpn" { depends_on = [ aws_instance.openvpn, 
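Review bot: `local.vpn_address` reads `var.route_public_domain_name`, but this commit touches only main.tf (per its diffstat) and no `variable "route_public_domain_name"` is visible in it; unless it is declared in the part of the patch that is garbled here, `terraform validate` will reject the reference to an undeclared input. Declare it with a description and a default, e.g. `variable "route_public_domain_name" { description = "When true, clients use vpn.<public_domain_name>; otherwise the EIP" default = true }` (constructed example). Stylistically, `"${aws_eip.openvpnip.public_ip}"` in the false branch is an interpolation-only string that 0.12 warns about; write it as `aws_eip.openvpnip.public_ip` and put spaces around the `:`.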
@@ -182,7 +187,7 @@ resource "null_resource" "provision_vpn" { command = < Date: Mon, 23 Dec 2019 15:10:16 +1030 Subject: [PATCH 077/306] trigger reprovisioning if ip address changes for vpn --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 375480a..60b5a9c 100644 --- a/main.tf +++ b/main.tf @@ -161,6 +161,8 @@ resource "null_resource" "provision_vpn" { triggers = { instanceid = aws_instance.openvpn.id + # If the address changes, the vpn must be provisioned again. + vpn_address = local.vpn_address } provisioner "remote-exec" { From 58659bcef5f3dc562064da395f9d3a5b1a9aca39 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 23 Dec 2019 15:34:36 +1030 Subject: [PATCH 078/306] remove comments --- main.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/main.tf b/main.tf index 60b5a9c..2d25ddc 100644 --- a/main.tf +++ b/main.tf @@ -169,11 +169,7 @@ resource "null_resource" "provision_vpn" { connection { user = var.openvpn_admin_user host = aws_eip.openvpnip.public_ip - - #bastion_host = "bastion.firehawkfilm.com" private_key = var.private_key - - #bastion_private_key = "${var.private_key}" type = "ssh" timeout = "10m" } From b61ca4abc5cdde3114fbc8e7febda218aba40546 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 24 Dec 2019 18:05:45 +1030 Subject: [PATCH 079/306] rename open vpn host name --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 2d25ddc..e52912d 100644 --- a/main.tf +++ b/main.tf 
@@ -188,7 +188,7 @@ resource "null_resource" "provision_vpn" { ansible-playbook -i ansible/inventory/hosts ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${aws_eip.openvpnip.public_ip} public_address=${local.vpn_address} set_bastion=false" ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${aws_eip.openvpnip.public_ip}" ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${aws_eip.openvpnip.private_ip} bastion_ip=${var.bastion_ip}" - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private.$TF_VAR_public_domain host_ip=${aws_eip.openvpnip.private_ip}" + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${aws_eip.openvpnip.private_ip}" aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn.id} && sleep 60 EOT From 08ad9927004c99263432721a626cdc6e090145df Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 27 Dec 2019 11:24:13 +1030 Subject: [PATCH 080/306] make vpn use count to disable --- main.tf | 56 ++++++++++++++++++++++++++++------------------------ variables.tf | 2 ++ 2 files changed, 32 insertions(+), 26 deletions(-) diff --git a/main.tf b/main.tf index e52912d..2090c25 100644 --- a/main.tf +++ b/main.tf @@ -5,6 +5,7 @@ # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet resource "aws_security_group" "openvpn" { + count = var.create_vpn ? 1 : 0 name = var.name vpc_id = var.vpc_id description = "OpenVPN security group" @@ -94,6 +95,7 @@ resource "null_resource" "gateway_dependency" { } resource "aws_instance" "openvpn" { + count = var.create_vpn ? 1 : 0 depends_on = [null_resource.gateway_dependency] ami = var.ami instance_type = var.instance_type 
@@ -101,7 +103,7 @@ resource "aws_instance" "openvpn" { subnet_id = element(var.public_subnet_ids, 0) source_dest_check = var.source_dest_check - vpc_security_group_ids = [aws_security_group.openvpn.id] + vpc_security_group_ids = [local.security_group_id] tags = { Name = var.name @@ -120,18 +122,18 @@ USERDATA #wakeup a node after sleep resource "null_resource" "start-node" { - count = var.sleep ? 0 : 1 + count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 provisioner "local-exec" { - command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn restart" + command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sudo service openvpn restart" } } resource "null_resource" "shutdownvpn" { - count = var.sleep ? 1 : 0 + count = var.sleep && var.create_vpn ? 1 : 0 provisioner "local-exec" { - command = "aws ec2 stop-instances --instance-ids ${aws_instance.openvpn.id} && sudo service openvpn stop" + command = "aws ec2 stop-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sudo service openvpn stop" } } @@ -139,8 +141,9 @@ resource "null_resource" "shutdownvpn" { #it must reside in the aws_eip resource to be able to establish a connection resource "aws_eip" "openvpnip" { + count = var.create_vpn ? 1 : 0 vpc = true - instance = aws_instance.openvpn.id + instance = aws_instance.openvpn[count.index].id tags = { role = "vpn" 
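Review bot: The two new `count` expressions for `start-node` and `shutdownvpn` are written in different styles, `( ! var.sleep && var.create_vpn ) ? 1 : 0` versus `var.sleep && var.create_vpn ? 1 : 0`, for what is a mirrored condition; `count = !var.sleep && var.create_vpn ? 1 : 0` keeps them parallel. The new `aws_instance.openvpn[count.index].id` references also only work because both this resource and the instance have a count of at most 1, which is worth a comment such as `# count.index is 0 here; aws_instance.openvpn has at most one element` so a later change to either count does not silently index the wrong instance.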
@@ -148,19 +151,20 @@ resource "aws_eip" "openvpnip" { } locals { - vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":"${aws_eip.openvpnip.public_ip}" + private_ip = "${element(concat(aws_instance.openvpn.*.private_ip, list("")), 0)}" + public_ip = "${element(concat(aws_eip.openvpnip.*.public_ip, list("")), 0)}" + id = "${element(concat(aws_instance.openvpn.*.id, list("")), 0)}" + security_group_id = "${element(concat(aws_security_group.openvpn.*.id, list("")), 0)}" + vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":"${local.public_ip}" } resource "null_resource" "provision_vpn" { - depends_on = [ - aws_instance.openvpn, - aws_eip.openvpnip, - aws_route53_record.openvpn_record, - ] + count = var.create_vpn ? 1 : 0 + depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] triggers = { - instanceid = aws_instance.openvpn.id + instanceid = element(concat(list(aws_instance.openvpn.*.id), list("")), 0) # If the address changes, the vpn must be provisioned again. vpn_address = local.vpn_address } @@ -168,7 +172,7 @@ resource "null_resource" "provision_vpn" { provisioner "remote-exec" { connection { user = var.openvpn_admin_user - host = aws_eip.openvpnip.public_ip + host = local.public_ip private_key = var.private_key type = "ssh" timeout = "10m" @@ -185,11 +189,11 @@ resource "null_resource" "provision_vpn" { command = < Date: Fri, 27 Dec 2019 18:00:29 +1030 Subject: [PATCH 081/306] fix ref to local id --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 2090c25..7c3f75b 100644 --- a/main.tf +++ b/main.tf @@ -164,7 +164,7 @@ resource "null_resource" "provision_vpn" { depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] triggers = { - instanceid = element(concat(list(aws_instance.openvpn.*.id), list("")), 0) + instanceid = local.id # If the address changes, the vpn must be provisioned again. vpn_address = local.vpn_address } 
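Review bot: The new locals are all written as `"${element(concat(..., list("")), 0)}"`, wrapping a complete expression in an interpolation-only string, while the `count`, `depends_on` and `host = local.public_ip` lines in the same hunk use plain 0.12 expressions; dropping the `"${ }"` wrapper, e.g. `private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0)`, keeps the block consistent. Separately, the `instanceid` trigger wraps the splat in `list(...)`, so `element(..., 0)` yields the whole list rather than the first id; `local.id`, defined two lines above, already expresses the intended value. The `provision_vpn` resource continues outside the hunk.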
From c71c76eccb91f1374c12b91133ce45afbcb367fa Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 27 Dec 2019 23:09:01 +1030 Subject: [PATCH 082/306] delete ebs on termination --- main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main.tf b/main.tf index 7c3f75b..00f603d 100644 --- a/main.tf +++ b/main.tf @@ -105,6 +105,10 @@ resource "aws_instance" "openvpn" { vpc_security_group_ids = [local.security_group_id] + root_block_device { + delete_on_termination = true + } + tags = { Name = var.name route = "public" From 43af8de460dd16c4dea46251902f1e8ead6c3445 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Thu, 2 Jan 2020 22:55:30 +1030 Subject: [PATCH 083/306] added bastion dependency --- main.tf | 8 +++++++- variables.tf | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 00f603d..6f004d2 100644 --- a/main.tf +++ b/main.tf @@ -94,9 +94,15 @@ resource "null_resource" "gateway_dependency" { } } +resource "null_resource" "bastion_dependency" { + triggers = { + bastion_dependency = var.bastion_dependency + } +} + resource "aws_instance" "openvpn" { count = var.create_vpn ? 1 : 0 - depends_on = [null_resource.gateway_dependency] + depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] ami = var.ami instance_type = var.instance_type key_name = var.key_name diff --git a/variables.tf b/variables.tf index f96f9f2..4c4e1bf 100644 --- a/variables.tf +++ b/variables.tf @@ -78,3 +78,4 @@ variable "public_subnets" { default = [] } +variable "bastion_dependency" {} \ No newline at end of file From 74a3ce6549a96aab8e38e7215a24fa3daff53485 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 18 Jan 2020 21:18:12 +1030 Subject: [PATCH 084/306] delinting --- main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/main.tf b/main.tf index 6f004d2..06637fd 100644 --- a/main.tf +++ b/main.tf 
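Review bot: The new `root_block_device` block on `aws_instance.openvpn` only sets `delete_on_termination = true`; since the root volume of the VPN server holds its OpenVPN configuration and key material, this is also the place to request encryption at rest, and if the AWS provider version in use supports it a single extra line does so: `encrypted = true`. A short comment stating why termination should discard the volume, e.g. `# the root volume is disposable: all configuration is re-applied by provision_vpn`, would also explain the choice to the next reader. The instance resource starts and ends outside the hunk.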
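Review bot: The `null_resource.bastion_dependency` resource added in the main.tf hunk has no comment explaining that it exists only to give `aws_instance.openvpn` an ordering edge on whatever the caller passes as `bastion_dependency`, which is not obvious from a resource with a single trigger and no provisioner; `# ordering shim: forces the instance to wait for the caller's bastion via var.bastion_dependency` would do. In the variables.tf hunk, `variable "bastion_dependency" {}` is appended without a trailing newline (the diff flags it), so the next append to that file will produce a noisy diff.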
@@ -230,8 +230,6 @@ EOT echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" - # configure routes on onsite workstation/render nodes - consider disabling if workstation not present. - # ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation.firehawkvfx.com variable_user=deadlineuser hostname=workstation.firehawkvfx.com ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_ssh_key" EOT From 03c85689dbe55719227629d3e2179affe10fa76a Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 27 Jan 2020 01:20:19 +1030 Subject: [PATCH 085/306] add key info to multiple hosts --- main.tf | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/main.tf b/main.tf index 06637fd..7edb8e9 100644 --- a/main.tf +++ b/main.tf @@ -135,7 +135,10 @@ resource "null_resource" "start-node" { count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 provisioner "local-exec" { - command = "aws ec2 start-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sudo service openvpn restart" + command = < Date: Sat, 1 Feb 2020 21:17:43 +1030 Subject: [PATCH 086/306] rename base dir --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 06637fd..2a405da 100644 --- a/main.tf +++ b/main.tf 
@@ -198,7 +198,7 @@ resource "null_resource" "provision_vpn" { provisioner "local-exec" { command = < Date: Sun, 2 Feb 2020 22:29:37 +1030 Subject: [PATCH 087/306] specify vpn in hosts file --- main.tf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 2a405da..9306e36 100644 --- a/main.tf +++ b/main.tf @@ -199,14 +199,12 @@ resource "null_resource" "provision_vpn" { command = < Date: Sat, 8 Feb 2020 18:04:00 +1030 Subject: [PATCH 088/306] ensure vpn host is added with a key path --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 9306e36..0c6d2b1 100644 --- a/main.tf +++ b/main.tf @@ -200,9 +200,9 @@ resource "null_resource" "provision_vpn" { set -x cd /deployuser ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${local.public_ip} public_address=${local.vpn_address} bastion_address=${var.bastion_ip} vpn_address=${local.vpn_address} set_bastion=true" - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip}" + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path" ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${local.private_ip} bastion_ip=${var.bastion_ip}" - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip}" + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path" aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sleep 60 EOT } 
From 7ae88c20e7b356485636c019a003ef1a9ae90f12 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 8 Feb 2020 21:24:44 +1030 Subject: [PATCH 089/306] wait to resolve dpkg conflict --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 0c6d2b1..8c3413a 100644 --- a/main.tf +++ b/main.tf @@ -216,6 +216,7 @@ EOT } inline = [ "set -x", + "sleep 30", "sudo apt-get -y install python", ] } From 5c0187349511fa53791059b955d3a78da71d23b8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 9 Feb 2020 01:56:43 +1030 Subject: [PATCH 090/306] fix route dependencies for destroy --- main.tf | 114 +++++++++++++++++++++++++++++++++++++++++++++------ variables.tf | 5 ++- 2 files changed, 105 insertions(+), 14 deletions(-) diff --git a/main.tf b/main.tf index 02868a5..f46fef7 100644 --- a/main.tf +++ b/main.tf @@ -172,8 +172,21 @@ locals { id = "${element(concat(aws_instance.openvpn.*.id, list("")), 0)}" security_group_id = "${element(concat(aws_security_group.openvpn.*.id, list("")), 0)}" vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":"${local.public_ip}" + private_route_table_id = "${element(concat(var.private_route_table_ids, list("")), 0)}" + public_route_table_id = "${element(concat(var.public_route_table_ids, list("")), 0)}" } +variable "route_public_domain_name" { +} + +resource "aws_route53_record" "openvpn_record" { + count = var.route_public_domain_name && var.create_vpn ? 1 : 0 + zone_id = element(concat(list(var.route_zone_id), list("")), 0) + name = element(concat(list("vpn.${var.public_domain_name}"), list("")), 0) + type = "A" + ttl = 300 + records = [local.public_ip] +} resource "null_resource" "provision_vpn" { count = var.create_vpn ? 1 : 0 
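Review bot: `variable "route_public_domain_name" {}` is declared in main.tf directly under the `locals` block, whereas this module keeps its inputs in variables.tf (the same commit edits that file); `var.route_public_domain_name` was already referenced by `vpn_address` before this commit, so if variables.tf declares it too Terraform will reject the duplicate at plan time. In the new `aws_route53_record`, `zone_id = element(concat(list(var.route_zone_id), list("")), 0)` and the matching `name` expression reduce to `var.route_zone_id` and `"vpn.${var.public_domain_name}"` respectively, since the `count` already guards the resource. The resource is otherwise complete within the hunk.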
@@ -185,6 +198,32 @@ resource "null_resource" "provision_vpn" { vpn_address = local.vpn_address } +### START this segment is termporary to deal with a cloud init bug + provisioner "remote-exec" { + connection { + user = var.openvpn_admin_user + host = local.public_ip + private_key = var.private_key + type = "ssh" + timeout = "10m" + } + #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] + inline = [ + "set -x", + "echo 'instance up'", + "sleep 30", + ] + } + provisioner "local-exec" { + command = < Date: Sun, 9 Feb 2020 02:18:58 +1030 Subject: [PATCH 091/306] update and reboot required --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index f46fef7..3369520 100644 --- a/main.tf +++ b/main.tf @@ -212,6 +212,7 @@ resource "null_resource" "provision_vpn" { "set -x", "echo 'instance up'", "sleep 30", + "sudo apt-get -y update", ] } provisioner "local-exec" { From 0c20531fbe5cba092b89ee665d77e45db229dd94 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 13 Mar 2020 23:12:25 +1030 Subject: [PATCH 092/306] Run vpn ping tests after reset. --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3369520..950b9f3 100644 --- a/main.tf +++ b/main.tf 
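Review bot: The added `remote-exec` provisioner repeats the full `connection { user, host, private_key, type, timeout }` block that the existing provisioner lower in `provision_vpn` already carries; a resource-level `connection` block is inherited by every provisioner on the resource, so lifting it out would keep the two from drifting apart. The `### START this segment is termporary` marker misspells "temporary" and should say what bug it works around and when it can be removed. If the Terraform version in use supports it, setting `host_key` in the shared connection block would additionally pin the VPN server's SSH host key instead of accepting whatever key is presented on first connect. The resource and the local-exec heredoc continue past the end of the hunk.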
@@ -281,7 +281,8 @@ EOT echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" - ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}" + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test + . /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT } } From 6f3dca3c9c0348728d58b58112e0e2b32c623084 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 14 Mar 2020 10:28:09 +1030 Subject: [PATCH 093/306] update test --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 950b9f3..935db7f 100644 --- a/main.tf +++ b/main.tf 
@@ -282,7 +282,7 @@ EOT echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test - . /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test + sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT } } From 22dff0411b10a2b38116b44cf0c44fde0ffd9038 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 14 Mar 2020 16:02:01 +1030 Subject: [PATCH 094/306] don't update twice --- main.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 935db7f..4493446 100644 --- a/main.tf +++ b/main.tf @@ -212,6 +212,7 @@ resource "null_resource" "provision_vpn" { "set -x", "echo 'instance up'", "sleep 30", + "ps aux | grep [a]pt", "sudo apt-get -y update", ] } @@ -236,9 +237,11 @@ EOT #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] inline = [ "set -x", + "ls /var/lib/cloud/instance/", # "sleep 35", # "until [[ -f /var/lib/cloud/instance/boot-finished ]]; do sleep 1; done", - "sudo apt-get -y update", + # "sudo apt-get -y update", + "ps aux | grep [a]pt", "sudo apt-get -y install python", ] } From 7bc189b54bf1268fc4feb30103b3d43334339677 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 15 Mar 2020 02:23:09 +1030 Subject: [PATCH 095/306] force remove apt-get lock on openvpn to fix update --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 4493446..c1c1caf 100644 --- a/main.tf +++ b/main.tf 
@@ -242,6 +242,7 @@ EOT # "until [[ -f /var/lib/cloud/instance/boot-finished ]]; do sleep 1; done", # "sudo apt-get -y update", "ps aux | grep [a]pt", + "sudo rm /var/lib/apt/lists/lock", # remove lock, bug with openvpn ami. Only ever do this after a reboot. "sudo apt-get -y install python", ] } From d0f2f1984243111290787b9b8425c5ab831e99a7 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 15 Mar 2020 10:26:55 +1030 Subject: [PATCH 096/306] force remove lock --- main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main.tf b/main.tf index c1c1caf..cd40f8f 100644 --- a/main.tf +++ b/main.tf @@ -214,6 +214,9 @@ resource "null_resource" "provision_vpn" { "sleep 30", "ps aux | grep [a]pt", "sudo apt-get -y update", + "ps aux | grep [a]pt", + "sleep 30", + "ps aux | grep [a]pt", ] } provisioner "local-exec" { @@ -243,6 +246,7 @@ EOT # "sudo apt-get -y update", "ps aux | grep [a]pt", "sudo rm /var/lib/apt/lists/lock", # remove lock, bug with openvpn ami. Only ever do this after a reboot. + "sudo rm /var/lib/dpkg/lock", "sudo apt-get -y install python", ] } From a732ce09733a5d7f506aa6c2b4f83b1ab900efdb Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 15 Mar 2020 10:37:15 +1030 Subject: [PATCH 097/306] Implement fix to apt update issue --- main.tf | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/main.tf b/main.tf index cd40f8f..74f4018 100644 --- a/main.tf +++ b/main.tf 
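Review bot: `"sudo rm /var/lib/apt/lists/lock"` is executed unconditionally; the preceding `ps aux | grep [a]pt` only prints, so the lock is deleted even while an apt process is still holding it, and the same applies to the `"sudo rm /var/lib/dpkg/lock"` line added by the following commit's second hunk. Removing a lock under a live dpkg can leave the package database partially written, which is a worse state than the update timeout this is meant to fix. Waiting for the holder to finish is the safer form, `"while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep 1; done",` in place of the two `rm` lines. The inline comment "Only ever do this after a reboot" records the assumption but nothing in the script enforces it; the provisioner block begins outside the hunk.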
@@ -207,15 +207,21 @@ resource "null_resource" "provision_vpn" { type = "ssh" timeout = "10m" } - #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] + # this resolves update issue https://unix.stackexchange.com/questions/315502/how-to-disable-apt-daily-service-on-ubuntu-cloud-vm-image inline = [ "set -x", "echo 'instance up'", - "sleep 30", "ps aux | grep [a]pt", + "systemctl stop apt-daily.service", + "systemctl kill --kill-who=all apt-daily.service", + # wait until `apt-get updated` has been killed + "while ! (systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", + "ps aux | grep [a]pt", + # now proceed with own APT tasks + # apt install -y python "sudo apt-get -y update", "ps aux | grep [a]pt", - "sleep 30", + "sudo apt-get -y install python", "ps aux | grep [a]pt", ] } @@ -240,14 +246,15 @@ EOT #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] inline = [ "set -x", - "ls /var/lib/cloud/instance/", - # "sleep 35", - # "until [[ -f /var/lib/cloud/instance/boot-finished ]]; do sleep 1; done", - # "sudo apt-get -y update", - "ps aux | grep [a]pt", - "sudo rm /var/lib/apt/lists/lock", # remove lock, bug with openvpn ami. Only ever do this after a reboot. - "sudo rm /var/lib/dpkg/lock", - "sudo apt-get -y install python", + "echo 'instance up'", + # "ls /var/lib/cloud/instance/", + # # "sleep 35", + # # "until [[ -f /var/lib/cloud/instance/boot-finished ]]; do sleep 1; done", + # # "sudo apt-get -y update", + # "ps aux | grep [a]pt", + # "sudo rm /var/lib/apt/lists/lock", # remove lock, bug with openvpn ami. Only ever do this after a reboot. + # "sudo rm /var/lib/dpkg/lock", + # "sudo apt-get -y install python", ] } From e0a59116aab3927ac495d6482758ce4fd278f311 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 15 Mar 2020 10:40:38 +1030 Subject: [PATCH 098/306] use sudo --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
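Review bot: The new wait loop `while ! (systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done` has no upper bound, and the `timeout = "10m"` in the connection block above applies only to establishing the SSH session, so a unit that never reaches dead/failed stalls the apply indefinitely. Bounding it turns a hang into a visible failure: `"n=0; while ! (systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do n=$((n+1)); [ $n -gt 120 ] && exit 1; sleep 1; done",`. Only `apt-daily.service` is stopped; its companion `apt-daily-upgrade.service` can take the apt lock as well and is not handled here. The second hunk leaves the old lock-removal commands in place as comments rather than deleting them, which the linked comment on the first hunk already supersedes.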
diff --git a/main.tf b/main.tf index 74f4018..ef9b0f9 100644 --- a/main.tf +++ b/main.tf @@ -212,10 +212,10 @@ resource "null_resource" "provision_vpn" { "set -x", "echo 'instance up'", "ps aux | grep [a]pt", - "systemctl stop apt-daily.service", - "systemctl kill --kill-who=all apt-daily.service", + "sudo systemctl stop apt-daily.service", + "sudo systemctl kill --kill-who=all apt-daily.service", # wait until `apt-get updated` has been killed - "while ! (systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", + "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", "ps aux | grep [a]pt", # now proceed with own APT tasks # apt install -y python From 31b161aeb69b800663fe286864993a9945150031 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 15 Mar 2020 10:43:42 +1030 Subject: [PATCH 099/306] fix last line error --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ef9b0f9..d83a87a 100644 --- a/main.tf +++ b/main.tf @@ -222,7 +222,7 @@ resource "null_resource" "provision_vpn" { "sudo apt-get -y update", "ps aux | grep [a]pt", "sudo apt-get -y install python", - "ps aux | grep [a]pt", + "echo '...Finished bootstrapping'", ] } provisioner "local-exec" { From a115a755796bab9b28f8823479f038a5d6838b25 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 15 Mar 2020 10:50:28 +1030 Subject: [PATCH 100/306] remove post ping test --- main.tf | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/main.tf b/main.tf index d83a87a..0fb40d6 100644 --- a/main.tf +++ b/main.tf 
@@ -214,11 +214,8 @@ resource "null_resource" "provision_vpn" { "ps aux | grep [a]pt", "sudo systemctl stop apt-daily.service", "sudo systemctl kill --kill-who=all apt-daily.service", - # wait until `apt-get updated` has been killed - "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", + "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", - # now proceed with own APT tasks - # apt install -y python "sudo apt-get -y update", "ps aux | grep [a]pt", "sudo apt-get -y install python", @@ -245,16 +242,7 @@ EOT } #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] inline = [ - "set -x", "echo 'instance up'", - # "ls /var/lib/cloud/instance/", - # # "sleep 35", - # # "until [[ -f /var/lib/cloud/instance/boot-finished ]]; do sleep 1; done", - # # "sudo apt-get -y update", - # "ps aux | grep [a]pt", - # "sudo rm /var/lib/apt/lists/lock", # remove lock, bug with openvpn ami. Only ever do this after a reboot. - # "sudo rm /var/lib/dpkg/lock", - # "sudo apt-get -y install python", ] } From 8f0a3c7a16cb49228a8c3ce37567a7e92d494044 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 28 Mar 2020 13:46:20 +1030 Subject: [PATCH 101/306] use exit test --- main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 0fb40d6..bf57299 100644 --- a/main.tf +++ b/main.tf 
@@ -253,10 +253,10 @@ EOT . /vagrant/scripts/exit_test.sh set -x cd /deployuser - ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${local.public_ip} public_address=${local.vpn_address} bastion_address=${var.bastion_ip} vpn_address=${local.vpn_address} set_vpn=true" - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path" - ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${local.private_ip} bastion_ip=${var.bastion_ip}" - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path" + ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${local.public_ip} public_address=${local.vpn_address} bastion_address=${var.bastion_ip} vpn_address=${local.vpn_address} set_vpn=true"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${local.private_ip} bastion_ip=${var.bastion_ip}"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path"; exit_test aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sleep 30 EOT } From be6852194a1d42cbbd8a77dbce30eb661819ca84 Mon Sep 17 00:00:00 2001 
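Review bot: Each `ansible-playbook -i "$TF_VAR_inventory"` line now ends in `; exit_test`, but nothing checks that `TF_VAR_inventory` is set; with an empty value ansible is likely to warn and fall back to its implicit inventory, so the playbook runs against the wrong hosts and `exit_test` sees a success. A guard right after the `. /vagrant/scripts/exit_test.sh` context line fails early instead: `: "${TF_VAR_inventory:?TF_VAR_inventory must be set}"` and likewise `: "${TF_VAR_local_key_path:?TF_VAR_local_key_path must be set}"`, since the key path is also injected into the inventory unchecked. The heredoc and its provisioner start before the hunk.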
From: Andrew Graham Date: Fri, 10 Apr 2020 14:50:48 +0930 Subject: [PATCH 102/306] set python to 2.7 --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index bf57299..4e2f41b 100644 --- a/main.tf +++ b/main.tf @@ -218,7 +218,7 @@ resource "null_resource" "provision_vpn" { "ps aux | grep [a]pt", "sudo apt-get -y update", "ps aux | grep [a]pt", - "sudo apt-get -y install python", + "sudo apt-get -y install python2.7", "echo '...Finished bootstrapping'", ] } From c7c3580634b494fdec57378809e6e616a77738fc Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 15:12:53 +0930 Subject: [PATCH 103/306] which python test --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 4e2f41b..bd5dd92 100644 --- a/main.tf +++ b/main.tf @@ -284,6 +284,8 @@ EOT echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" + which python; exit_test + ls /usr/bin; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT From d15ae07607f491dcdd054eb6d26f067c5665c548 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 15:24:14 +0930 Subject: [PATCH 104/306] check python location after install --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index bd5dd92..9ed4262 100644 --- a/main.tf +++ b/main.tf 
@@ -219,6 +219,8 @@ resource "null_resource" "provision_vpn" { "sudo apt-get -y update", "ps aux | grep [a]pt", "sudo apt-get -y install python2.7", + "which python", + "ls /usr/bin", "echo '...Finished bootstrapping'", ] } @@ -284,8 +286,6 @@ EOT echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" - which python; exit_test - ls /usr/bin; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT From 6181c398e25de898c6c6c177c5a284d4462b2fcf Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 20:18:24 +0930 Subject: [PATCH 105/306] update and upgrade --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9ed4262..3b5819e 100644 --- a/main.tf +++ b/main.tf @@ -216,7 +216,7 @@ resource "null_resource" "provision_vpn" { "sudo systemctl kill --kill-who=all apt-daily.service", "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", - "sudo apt-get -y update", + "sudo apt-get -y update && sudo apt-get -y upgrade", "ps aux | grep [a]pt", "sudo apt-get -y install python2.7", "which python", From b0992c1fab9b1d9b5f44979edd969016dd12b100 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 20:49:11 +0930 Subject: [PATCH 106/306] make upgrade noninteractive --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/main.tf b/main.tf index 3b5819e..a6b7c21 100644 --- a/main.tf +++ b/main.tf @@ -216,7 +216,7 @@ resource "null_resource" "provision_vpn" { "sudo systemctl kill --kill-who=all apt-daily.service", "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", - "sudo apt-get -y update && sudo apt-get -y upgrade", + "sudo apt-get -y update && sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade", "ps aux | grep [a]pt", "sudo apt-get -y install python2.7", "which python", From e5225374978ff37260b970584049f2af8d6ffc3b Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 21:19:47 +0930 Subject: [PATCH 107/306] don't upgrade --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a6b7c21..9ed4262 100644 --- a/main.tf +++ b/main.tf @@ -216,7 +216,7 @@ resource "null_resource" "provision_vpn" { "sudo systemctl kill --kill-who=all apt-daily.service", "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", - "sudo apt-get -y update && sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade", + "sudo apt-get -y update", "ps aux | grep [a]pt", "sudo apt-get -y install python2.7", "which python", From 6a6de43ae4692a3260a3a6763826ed4185f8f630 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 21:48:27 +0930 Subject: [PATCH 108/306] add minimal --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 9ed4262..1092e2b 100644 --- a/main.tf +++ b/main.tf 
@@ -218,8 +218,8 @@ resource "null_resource" "provision_vpn" { "ps aux | grep [a]pt", "sudo apt-get -y update", "ps aux | grep [a]pt", - "sudo apt-get -y install python2.7", - "which python", + "sudo apt-get -y install python2.7-minimal python2.7", + "which python2.7", "ls /usr/bin", "echo '...Finished bootstrapping'", ] From e28a7fcc594d181da65198ec21f24495be2d6e40 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 10 Apr 2020 23:58:51 +0930 Subject: [PATCH 109/306] test python 2.7 --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 1092e2b..b8a4264 100644 --- a/main.tf +++ b/main.tf @@ -217,10 +217,12 @@ resource "null_resource" "provision_vpn" { "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", "sudo apt-get -y update", + "sleep 10", "ps aux | grep [a]pt", "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", "ls /usr/bin", + "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi" "echo '...Finished bootstrapping'", ] } From 764ceafd2df88ec9df08ff8909d00ee7b83beeaf Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 01:27:24 +0930 Subject: [PATCH 110/306] install python after reboot --- main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index b8a4264..b45ce82 100644 --- a/main.tf +++ b/main.tf @@ -218,12 +218,6 @@ resource "null_resource" "provision_vpn" { "ps aux | grep [a]pt", "sudo apt-get -y update", "sleep 10", - "ps aux | grep [a]pt", - "sudo apt-get -y install python2.7-minimal python2.7", - "which python2.7", - "ls /usr/bin", - "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi" - "echo '...Finished bootstrapping'", ] } provisioner "local-exec" { 
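Review bot: The new `test=$(which python2.7); if [[ ... ]]; then echo 'failed to use /usr/bin/python2.7'; fi` entry only prints a message, so a missing interpreter never fails the provisioner and the run continues into the later steps that need it. Terraform's `remote-exec` runs the `inline` entries as one script, and unless that script is started with `-e` an earlier failure of `sudo apt-get -y install python2.7-minimal python2.7` is likewise masked by the `echo` lines that follow (confirm against the Terraform version in use). Put `"set -e",` at the top of the list and end the check with a non-zero exit: `"test=$(command -v python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; exit 1; fi",` — using `[` rather than `[[` also keeps it valid if the remote login shell is plain `sh`. The enclosing `null_resource.provision_vpn` block starts and ends outside this hunk.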
@@ -246,6 +240,12 @@ EOT } #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] inline = [ + "ps aux | grep [a]pt", + "sudo apt-get -y install python2.7-minimal python2.7", + "which python2.7", + "ls /usr/bin", + "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi" + "echo '...Finished bootstrapping'", "echo 'instance up'", ] } From 833119671a19c2a87373bbf861ed15157022b21d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 08:56:05 +0930 Subject: [PATCH 111/306] fix missing item seperators --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b45ce82..629e060 100644 --- a/main.tf +++ b/main.tf @@ -244,7 +244,7 @@ EOT "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", "ls /usr/bin", - "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi" + "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", "echo '...Finished bootstrapping'", "echo 'instance up'", ] From bf832c24ac8ade917186dca2cfbc6ffcb705ba12 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 09:20:28 +0930 Subject: [PATCH 112/306] more verbosity --- main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/main.tf b/main.tf index 629e060..d80c735 100644 --- a/main.tf +++ b/main.tf 
@@ -211,11 +211,16 @@ resource "null_resource" "provision_vpn" { inline = [ "set -x", "echo 'instance up'", + "lsb_release -a", "ps aux | grep [a]pt", "sudo systemctl stop apt-daily.service", "sudo systemctl kill --kill-who=all apt-daily.service", "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", + "systemctl status apt-daily.service", + "sudo systemctl stop apt.systemd.daily", + "sudo systemctl kill --kill-who=all apt.systemd.daily", + "while ! (sudo systemctl list-units --all apt.systemd.daily | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt.systemd.daily` has been killed "sudo apt-get -y update", "sleep 10", ] @@ -244,6 +249,7 @@ EOT "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", "ls /usr/bin", + "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", "echo '...Finished bootstrapping'", "echo 'instance up'", From fc859f8f1c54626b9feb541dbcedba0b7cc5bcd8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 09:52:00 +0930 Subject: [PATCH 113/306] disable daily update --- main.tf | 48 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/main.tf b/main.tf index d80c735..6e458e3 100644 --- a/main.tf +++ b/main.tf 
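Review bot: `apt.systemd.daily` is not a systemd unit (it is the script that `apt-daily.service` and `apt-daily-upgrade.service` run), so `sudo systemctl stop apt.systemd.daily` and the `kill` after it cannot act on anything, and the wait loop `while ! (sudo systemctl list-units --all apt.systemd.daily | egrep -q '(dead|failed)'); do sleep 1; done` has no row to match — if `list-units` prints no matching row for an unknown unit, the provisioner spins forever. The second unit that takes the apt lock is `apt-daily-upgrade.service`; if a second stop/kill/wait is wanted, point the three lines at that name and bound the loop, e.g. `for i in $(seq 1 60); do sudo systemctl list-units --all apt-daily-upgrade.service | egrep -q '(dead|failed)' && break; sleep 1; done`. The new `systemctl status apt-daily.service` line also exits non-zero when the unit is inactive, which will matter as soon as this script runs with `set -e`. The enclosing `null_resource.provision_vpn` block starts and ends outside this hunk.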
@@ -213,16 +213,11 @@ resource "null_resource" "provision_vpn" { "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", - "sudo systemctl stop apt-daily.service", - "sudo systemctl kill --kill-who=all apt-daily.service", - "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed - "ps aux | grep [a]pt", - "systemctl status apt-daily.service", - "sudo systemctl stop apt.systemd.daily", - "sudo systemctl kill --kill-who=all apt.systemd.daily", - "while ! (sudo systemctl list-units --all apt.systemd.daily | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt.systemd.daily` has been killed - "sudo apt-get -y update", - "sleep 10", + # "systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", + # "sleep 30", # wait until its started + # "sudo systemctl start apt-daily.service", # cannot smtop or kill unless its started + "sudo systemctl disable apt-daily.timer", + "sudo systemctl disable apt-daily-upgrade.timer", # the timers way start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. ] } provisioner "local-exec" { 
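Review bot: `sudo systemctl disable apt-daily.timer` / `apt-daily-upgrade.timer` turn off unattended security updates on the VPN host and nothing in this commit turns them back on, so the instance stays unpatched for its lifetime rather than just during provisioning. As the trailing comment itself notes, `disable` without `--now` also does not stop a timer that is already active, so the lock race this is meant to avoid can still occur before the reboot. If the timers really must be paused, use `sudo systemctl disable --now apt-daily.timer apt-daily-upgrade.timer` here and a matching `sudo systemctl enable --now apt-daily.timer apt-daily-upgrade.timer` as the last step of the post-reboot provisioner; a less invasive option is to wait for the running job instead of disabling it, e.g. `sudo systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true`. The enclosing `null_resource.provision_vpn` block starts and ends outside this hunk.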
@@ -245,6 +240,16 @@ EOT } #inline = ["set -x && sleep 60 && sudo apt-get -y install python"] inline = [ + "sudo systemctl stop apt-daily.service", + "sudo systemctl kill --kill-who=all apt-daily.service", + "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed + "ps aux | grep [a]pt", + "systemctl status apt-daily.service", + # "sudo systemctl stop apt.systemd.daily", + # "sudo systemctl kill --kill-who=all apt.systemd.daily", + # "while ! (sudo systemctl list-units --all apt.systemd.daily | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt.systemd.daily` has been killed + "sudo apt-get -y update", + "sleep 10", "ps aux | grep [a]pt", "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", @@ -252,6 +257,29 @@ EOT "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", "echo '...Finished bootstrapping'", + # "echo 'instance up'", + ] + } + + provisioner "local-exec" { + command = < Date: Sat, 11 Apr 2020 09:54:13 +0930 Subject: [PATCH 114/306] remove status --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 6e458e3..fb4047d 100644 --- a/main.tf +++ b/main.tf 
@@ -244,7 +244,7 @@ EOT "sudo systemctl kill --kill-who=all apt-daily.service", "while ! (sudo systemctl list-units --all apt-daily.service | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt-get updated` has been killed "ps aux | grep [a]pt", - "systemctl status apt-daily.service", + # "systemctl status apt-daily.service", # "sudo systemctl stop apt.systemd.daily", # "sudo systemctl kill --kill-who=all apt.systemd.daily", # "while ! (sudo systemctl list-units --all apt.systemd.daily | egrep -q '(dead|failed)'); do sleep 1; done", # wait until `apt.systemd.daily` has been killed From ca47e4f41de707a2413204a34aeed48088cb754d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 10:13:54 +0930 Subject: [PATCH 115/306] escape chars --- main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/main.tf b/main.tf index fb4047d..6f65ddb 100644 --- a/main.tf +++ b/main.tf @@ -255,9 +255,8 @@ EOT "which python2.7", "ls /usr/bin", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file - "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", + "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", "echo '...Finished bootstrapping'", - # "echo 'instance up'", ] } From 751cb18e1d9acba179c8fff1300117d402da5c22 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 11:48:16 +0930 Subject: [PATCH 116/306] enable daily service again --- main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 6f65ddb..c2c6e0f 100644 --- a/main.tf +++ b/main.tf 
@@ -217,7 +217,7 @@ resource "null_resource" "provision_vpn" { # "sleep 30", # wait until its started # "sudo systemctl start apt-daily.service", # cannot smtop or kill unless its started "sudo systemctl disable apt-daily.timer", - "sudo systemctl disable apt-daily-upgrade.timer", # the timers way start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. + "sudo systemctl disable apt-daily-upgrade.timer", # the timers may start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. ] } provisioner "local-exec" { @@ -256,6 +256,8 @@ EOT "ls /usr/bin", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", + "sudo systemctl enable apt-daily.timer", # enable again to allow updates + "sudo systemctl enable apt-daily-upgrade.timer", "echo '...Finished bootstrapping'", ] } From fb5752191de539c1a6e863b01289d022ff0e5572 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 13:19:25 +0930 Subject: [PATCH 117/306] fix quotations --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c2c6e0f..23d9783 100644 --- a/main.tf +++ b/main.tf 
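Review bot: The re-enable lines `sudo systemctl enable apt-daily.timer` / `sudo systemctl enable apt-daily-upgrade.timer` run only if every preceding entry in this inline list completes, so any failure between the earlier `disable` and this point leaves the VPN host with automatic updates permanently off. `enable` without `--now` also only re-creates the wants symlink; the timer does not become active until the next boot, mirroring the limitation the comment in the first hunk describes for `disable`. Consider making the restore unconditional by putting `"trap 'sudo systemctl enable --now apt-daily.timer apt-daily-upgrade.timer' EXIT",` at the start of this list, or drop the disable/enable pair in favour of waiting on the running unit. The enclosing `null_resource.provision_vpn` block starts and ends outside this hunk.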
@@ -253,9 +253,9 @@ EOT "ps aux | grep [a]pt", "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", - "ls /usr/bin", + "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file - "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", + "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", "sudo systemctl enable apt-daily.timer", # enable again to allow updates "sudo systemctl enable apt-daily-upgrade.timer", "echo '...Finished bootstrapping'", From 6e56929be296286748239802b6f623974bf29c56 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 15:04:23 +0930 Subject: [PATCH 118/306] dont disable daily service update --- main.tf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index 23d9783..7bd320b 100644 --- a/main.tf +++ b/main.tf @@ -214,10 +214,8 @@ resource "null_resource" "provision_vpn" { "lsb_release -a", "ps aux | grep [a]pt", # "systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", - # "sleep 30", # wait until its started - # "sudo systemctl start apt-daily.service", # cannot smtop or kill unless its started - "sudo systemctl disable apt-daily.timer", - "sudo systemctl disable apt-daily-upgrade.timer", # the timers may start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. + # "sudo systemctl disable apt-daily.timer", + # "sudo systemctl disable apt-daily-upgrade.timer", # the timers may start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. ] } provisioner "local-exec" { 
@@ -256,8 +254,8 @@ EOT "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", - "sudo systemctl enable apt-daily.timer", # enable again to allow updates - "sudo systemctl enable apt-daily-upgrade.timer", + # "sudo systemctl enable apt-daily.timer", # enable again to allow updates + # "sudo systemctl enable apt-daily-upgrade.timer", "echo '...Finished bootstrapping'", ] } From 9f8d1a9cabaa7b7dd65305b125a109bccc0e8526 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 15:35:45 +0930 Subject: [PATCH 119/306] revert to 751cb18e1d9acba179c8fff1300117d402da5c22 --- main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 7bd320b..7de5bff 100644 --- a/main.tf +++ b/main.tf @@ -251,11 +251,11 @@ EOT "ps aux | grep [a]pt", "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", - "ls /usr/bin/*ython*", + "ls /usr/bin", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file - "test=$(which python2.7); if [[ $test != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", - # "sudo systemctl enable apt-daily.timer", # enable again to allow updates - # "sudo systemctl enable apt-daily-upgrade.timer", + "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", + "sudo systemctl enable apt-daily.timer", # enable again to allow updates + "sudo systemctl enable apt-daily-upgrade.timer", "echo '...Finished bootstrapping'", ] } From 5318f0e95c266d81c804bf6f15ef2b633f23ebe8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 15:47:40 +0930 Subject: [PATCH 120/306] test wait before update --- main.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/main.tf b/main.tf index 7de5bff..0bafc09 100644 --- a/main.tf +++ b/main.tf @@ -213,7 +213,9 @@ resource "null_resource" "provision_vpn" { "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", - # "systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", + "systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", + "sudo apt-get -y update", + "sudo apt-get -y install python2.7-minimal python2.7", # "sudo systemctl disable apt-daily.timer", # "sudo systemctl disable apt-daily-upgrade.timer", # the timers may start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. ] @@ -254,8 +256,8 @@ EOT "ls /usr/bin", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", - "sudo systemctl enable apt-daily.timer", # enable again to allow updates - "sudo systemctl enable apt-daily-upgrade.timer", + # "sudo systemctl enable apt-daily.timer", # enable again to allow updates + # "sudo systemctl enable apt-daily-upgrade.timer", "echo '...Finished bootstrapping'", ] } From bd4d40efa1d9292b1152ba35f48def37154bf6c8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 15:54:19 +0930 Subject: [PATCH 121/306] sudo wait for service --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 0bafc09..53e0bf2 100644 --- a/main.tf +++ b/main.tf 
@@ -213,7 +213,7 @@ resource "null_resource" "provision_vpn" { "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", - "systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", + "sudo systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", "sudo apt-get -y update", "sudo apt-get -y install python2.7-minimal python2.7", # "sudo systemctl disable apt-daily.timer", From 58e136f4c86293feed476221041a6bad3b86933a Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 11 Apr 2020 16:21:19 +0930 Subject: [PATCH 122/306] cleanup --- main.tf | 39 +-------------------------------------- 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/main.tf b/main.tf index 53e0bf2..16cbc09 100644 --- a/main.tf +++ b/main.tf @@ -213,51 +213,14 @@ resource "null_resource" "provision_vpn" { "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", + "sudo cat /etc/systemd/system.conf", "sudo systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", "sudo apt-get -y update", "sudo apt-get -y install python2.7-minimal python2.7", - # "sudo systemctl disable apt-daily.timer", - # "sudo systemctl disable apt-daily-upgrade.timer", # the timers may start the daily update, they need to be disabled, but it wont apply until after reboot. stop will also not resolve this. - ] - } - provisioner "local-exec" { - command = < Date: Sat, 11 Apr 2020 18:14:44 +0930 Subject: [PATCH 123/306] ls python only --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 16cbc09..ec49d56 100644 --- a/main.tf +++ b/main.tf 
@@ -218,7 +218,7 @@ resource "null_resource" "provision_vpn" { "sudo apt-get -y update", "sudo apt-get -y install python2.7-minimal python2.7", "which python2.7", - "ls /usr/bin", + "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", "echo '...Finished bootstrapping'", From 554b193ae50b4857fef8698fe0e51f27b2116223 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 18 Apr 2020 18:05:52 +0930 Subject: [PATCH 124/306] improve output dependencies for openvpn to fix outbound ping errors on other nodes --- main.tf | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/main.tf b/main.tf index ec49d56..d0e9be8 100644 --- a/main.tf +++ b/main.tf @@ -292,18 +292,6 @@ EOT } } -output "id" { - value = local.id -} - -output "private_ip" { - value = local.private_ip -} - -output "public_ip" { - value = local.public_ip -} - variable "start_vpn" { default = true } 
@@ -361,4 +349,34 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { timeouts { create = "5m" } +} + +output "id" { + value = local.id + depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured + aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, + aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , + aws_route.public_openvpn_remote_subnet_gateway, + aws_route.private_openvpn_remote_subnet_gateway + ] +} + +output "private_ip" { + value = local.private_ip + depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured + aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, + aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , + aws_route.public_openvpn_remote_subnet_gateway, + aws_route.private_openvpn_remote_subnet_gateway + ] +} + +output "public_ip" { + value = local.public_ip + depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured + aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, + aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , + aws_route.public_openvpn_remote_subnet_gateway, + aws_route.private_openvpn_remote_subnet_gateway + ] } \ No newline at end of file From d2a96d9070015b7b1a7be7ad7a72c63dbd3d371f Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 19 Apr 2020 17:51:29 +0930 Subject: [PATCH 125/306] remove ip depends for vpn. may not be needed --- main.tf | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/main.tf b/main.tf index d0e9be8..6e2107e 100644 --- a/main.tf +++ b/main.tf 
@@ -353,30 +353,30 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { output "id" { value = local.id - depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured - aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, - aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , - aws_route.public_openvpn_remote_subnet_gateway, - aws_route.private_openvpn_remote_subnet_gateway - ] + # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured + # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, + # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , + # aws_route.public_openvpn_remote_subnet_gateway, + # aws_route.private_openvpn_remote_subnet_gateway + # ] } output "private_ip" { value = local.private_ip - depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured - aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, - aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , - aws_route.public_openvpn_remote_subnet_gateway, - aws_route.private_openvpn_remote_subnet_gateway - ] + # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured + # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, + # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , + # aws_route.public_openvpn_remote_subnet_gateway, + # aws_route.private_openvpn_remote_subnet_gateway + # ] } output "public_ip" { value = local.public_ip - depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured - aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, - aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , - aws_route.public_openvpn_remote_subnet_gateway, - aws_route.private_openvpn_remote_subnet_gateway - ] + # depends_on = [ # don't allow other nodes to attempt to use this information until the routes 
are configured + # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, + # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , + # aws_route.public_openvpn_remote_subnet_gateway, + # aws_route.private_openvpn_remote_subnet_gateway + # ] } \ No newline at end of file From 5a52d1c9039ea53505341321f89c3f45a8f980ed Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Wed, 22 Apr 2020 11:47:27 +0930 Subject: [PATCH 126/306] fix order depends --- main.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/main.tf b/main.tf index 6e2107e..c339995 100644 --- a/main.tf +++ b/main.tf @@ -353,6 +353,9 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { output "id" { value = local.id + depends_on = [ + null_resource.provision_vpn + ] # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , @@ -363,6 +366,9 @@ output "id" { output "private_ip" { value = local.private_ip + depends_on = [ + null_resource.provision_vpn + ] # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , @@ -373,6 +379,9 @@ output "private_ip" { output "public_ip" { value = local.public_ip + depends_on = [ + null_resource.provision_vpn + ] # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , From c7f71cbb70a04d6db4d267e028c3cd1394c866cf Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 25 Apr 2020 09:36:06 +0930 Subject: [PATCH 127/306] get eip to depend on vpn --- main.tf | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) 
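Review bot: Each of the three outputs now carries a live `depends_on = [null_resource.provision_vpn]` directly above a commented-out `depends_on` block listing the four `aws_route` resources, and nothing says which of the two is the intended contract for consumers of `id`, `private_ip` and `public_ip`. Commented-out configuration in a module interface tends to be read as "still needed"; either delete the commented blocks or replace them with a one-line comment giving the actual reason the route dependencies were dropped, e.g. `# depends on provision_vpn rather than the aws_route resources because ...`. A `description` on each output would also help, since the commit message says these values gate other nodes' ordering.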
diff --git a/main.tf b/main.tf index c339995..d12a608 100644 --- a/main.tf +++ b/main.tf @@ -130,6 +130,20 @@ USERDATA } +#configuration of the vpn instance must occur after the eip is assigned. normally a provisioner would want to reside in the aws_instance resource, but in this case, +#it must reside in the aws_eip resource to be able to establish a connection + +resource "aws_eip" "openvpnip" { + count = var.create_vpn ? 1 : 0 + vpc = true + instance = aws_instance.openvpn[count.index].id + depends_on = [aws_instance.openvpn] + + tags = { + role = "vpn" + } +} + #wakeup a node after sleep resource "null_resource" "start-node" { count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 @@ -153,18 +167,7 @@ EOT } } -#configuration of the vpn instance must occur after the eip is assigned. normally a provisioner would want to reside in the aws_instance resource, but in this case, -#it must reside in the aws_eip resource to be able to establish a connection - -resource "aws_eip" "openvpnip" { - count = var.create_vpn ? 1 : 0 - vpc = true - instance = aws_instance.openvpn[count.index].id - tags = { - role = "vpn" - } -} locals { private_ip = "${element(concat(aws_instance.openvpn.*.private_ip, list("")), 0)}" From 58d2b01df5f83c103f5a5f2b49875eb668f7e55e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 3 May 2020 13:41:17 +0930 Subject: [PATCH 128/306] Use bash for default tf interpreter --- main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/main.tf b/main.tf index d12a608..9586eb5 100644 --- a/main.tf +++ b/main.tf @@ -149,6 +149,7 @@ resource "null_resource" "start-node" { count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 3 May 2020 22:06:23 +0930 Subject: [PATCH 129/306] remove [[ when not in bash --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9586eb5..f9bc4fe 100644 --- a/main.tf +++ b/main.tf 
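Review bot: The comment moved above `aws_eip.openvpnip` says the instance's provisioner "must reside in the aws_eip resource", but the resource it sits on contains no provisioner — the provisioning lives in `null_resource.provision_vpn` elsewhere in this file — so the comment now misleads. The explicit `depends_on = [aws_instance.openvpn]` is redundant, because `instance = aws_instance.openvpn[count.index].id` already establishes that dependency. Suggest dropping the `depends_on` line and rewording the comment to `# The EIP must be attached before provision_vpn connects; provisioners live in null_resource.provision_vpn, which should depend on this resource.` — and confirm that `provision_vpn` does reference `aws_eip.openvpnip`, since this hunk does not show it.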
@@ -225,7 +225,7 @@ resource "null_resource" "provision_vpn" { "which python2.7", "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file - "test=$(which python2.7); if [[ \"$test\" != '/usr/bin/python2.7' ]]; then echo 'failed to use /usr/bin/python2.7'; fi", + "test=$(which python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; fi", "echo '...Finished bootstrapping'", ] } From 9b8217e901d49c92e5074689029de576b213b74d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Thu, 7 May 2020 21:19:52 +0930 Subject: [PATCH 130/306] Revert "Use bash for default tf interpreter" This reverts commit 58d2b01df5f83c103f5a5f2b49875eb668f7e55e. --- main.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/main.tf b/main.tf index f9bc4fe..917c778 100644 --- a/main.tf +++ b/main.tf @@ -149,7 +149,6 @@ resource "null_resource" "start-node" { count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 provisioner "local-exec" { - interpreter = ["/bin/bash", "-c"] command = < Date: Fri, 8 May 2020 08:31:16 +0930 Subject: [PATCH 131/306] set bash as default interpreter --- main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/main.tf b/main.tf index 917c778..f9bc4fe 100644 --- a/main.tf +++ b/main.tf @@ -149,6 +149,7 @@ resource "null_resource" "start-node" { count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] command = < Date: Fri, 8 May 2020 19:38:56 +0930 Subject: [PATCH 132/306] cleanup --- main.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/main.tf b/main.tf index f9bc4fe..b6d5247 100644 --- a/main.tf +++ b/main.tf @@ -254,13 +254,10 @@ EOT ] } - - provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] command = < Date: Sat, 9 May 2020 23:28:47 +0930 Subject: [PATCH 133/306] stadardise tags --- main.tf | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) 
diff --git a/main.tf b/main.tf index b6d5247..9dc7f85 100644 --- a/main.tf +++ b/main.tf @@ -4,15 +4,21 @@ # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet +variable "common_tags" {} +locals { + extra_tags = { + role = "vpn" + route = "public" + } +} + resource "aws_security_group" "openvpn" { count = var.create_vpn ? 1 : 0 name = var.name vpc_id = var.vpc_id description = "OpenVPN security group" - tags = { - Name = var.name - } + tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) ingress { protocol = "-1" @@ -115,10 +121,7 @@ resource "aws_instance" "openvpn" { delete_on_termination = true } - tags = { - Name = var.name - route = "public" - } + tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ @@ -139,9 +142,8 @@ resource "aws_eip" "openvpnip" { instance = aws_instance.openvpn[count.index].id depends_on = [aws_instance.openvpn] - tags = { - role = "vpn" - } + tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) + } #wakeup a node after sleep From 2c023f93809ddb6e3f13d089360eea73abdc9dc8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 11 May 2020 12:07:41 +0930 Subject: [PATCH 134/306] rempve set -x --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 9dc7f85..8ce0406 100644 --- a/main.tf +++ b/main.tf @@ -236,7 +236,7 @@ resource "null_resource" "provision_vpn" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 17 May 2020 20:41:19 +0930 Subject: [PATCH 135/306] bug-reliable-cleanup --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 9dc7f85..d859955 100644 --- a/main.tf 
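Review bot: The new `variable "common_tags" {}` is inserted directly under the pre-existing comment `# You should define this variable as your remote static ip adress to limit vpn exposure to the public internet`, which now documents the wrong variable; give `common_tags` its own header and fix or move the stale one, e.g. `variable "common_tags" { type = map(string) description = "Tags applied to every resource this module creates" }`. Merge order also matters: `merge(map("Name", ...), var.common_tags, local.extra_tags)` lets the module's fixed `role`/`route` silently override any same-named keys a caller passes in `common_tags`, so a comment on `extra_tags` stating that this precedence is intentional would save the next reader a surprise. Finally, `map("Name", format("%s", var.name))` can be written as the 0.12-style literal `{ Name = var.name }` — `format("%s", x)` is a no-op on a string and the `map()` function is deprecated in 0.12 and removed in later releases. The enclosing `aws_security_group.openvpn` resource ends outside this hunk.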
+++ b/main.tf @@ -112,7 +112,7 @@ resource "aws_instance" "openvpn" { ami = var.ami instance_type = var.instance_type key_name = var.key_name - subnet_id = element(var.public_subnet_ids, 0) + subnet_id = element(concat(var.public_subnet_ids, list("")), 0) source_dest_check = var.source_dest_check vpc_security_group_ids = [local.security_group_id] @@ -236,7 +236,7 @@ resource "null_resource" "provision_vpn" { interpreter = ["/bin/bash", "-c"] command = < Date: Sat, 23 May 2020 15:15:31 +0930 Subject: [PATCH 136/306] enable set -x --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d859955..7a17f38 100644 --- a/main.tf +++ b/main.tf @@ -236,7 +236,7 @@ resource "null_resource" "provision_vpn" { interpreter = ["/bin/bash", "-c"] command = < Date: Sat, 23 May 2020 18:54:35 +0930 Subject: [PATCH 137/306] use env var to show commands --- main.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 7a17f38..b7ce16e 100644 --- a/main.tf +++ b/main.tf @@ -216,7 +216,7 @@ resource "null_resource" "provision_vpn" { } # this resolves update issue https://unix.stackexchange.com/questions/315502/how-to-disable-apt-daily-service-on-ubuntu-cloud-vm-image inline = [ - "set -x", + "set -x; export SHOWCOMMANDS=true", "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", @@ -236,7 +236,7 @@ resource "null_resource" "provision_vpn" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 24 May 2020 17:38:38 +0930 Subject: [PATCH 138/306] flip showcommands var --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index b7ce16e..3405174 100644 --- a/main.tf +++ b/main.tf 
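Review bot: `subnet_id = element(concat(var.public_subnet_ids, list("")), 0)` turns an empty `public_subnet_ids` into `subnet_id = ""`, so a caller who forgets the subnets no longer gets a plan-time error; what the AWS provider then does with an empty `subnet_id` (a launch outside the intended VPC, or a confusing API error about the security group) is not obvious from here. If the intent is only to let cleanup runs evaluate while the list is empty, that is already covered when `create_vpn` sets `count` to 0, because the resource body is not evaluated then (assuming `aws_instance.openvpn` uses the same `count = var.create_vpn ? 1 : 0` pattern as the security group); if there is a case where `create_vpn` is true and the list is empty, say so in a comment on this line. Otherwise prefer the failing form `subnet_id = var.public_subnet_ids[0]` so the misconfiguration surfaces before an instance is launched. The enclosing `aws_instance.openvpn` resource starts and ends outside this hunk.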
@@ -216,7 +216,7 @@ resource "null_resource" "provision_vpn" { } # this resolves update issue https://unix.stackexchange.com/questions/315502/how-to-disable-apt-daily-service-on-ubuntu-cloud-vm-image inline = [ - "set -x; export SHOWCOMMANDS=true", + "export SHOWCOMMANDS=true; set -x", "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", @@ -236,7 +236,7 @@ resource "null_resource" "provision_vpn" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 21 Jun 2020 11:35:09 +0930 Subject: [PATCH 139/306] feature-green-blue-deployments --- README.md | 2 +- main.tf | 6 +++--- variables.tf | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 3237b4a..6de22f0 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ module "openvpn" { vpc_cidr = "${var.vpc_cidr}" public_subnet_ids = "${var.public_subnet_ids}" # EC2 Inputs - key_name = "${var.key_name}" + key_name = "${var.aws_key_name}" private_key = "${var.private_key}" ami = "${var.ami}" instance_type = "${var.instance_type}" diff --git a/main.tf b/main.tf index 3405174..60de681 100644 --- a/main.tf +++ b/main.tf @@ -111,7 +111,7 @@ resource "aws_instance" "openvpn" { depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] ami = var.ami instance_type = var.instance_type - key_name = var.key_name + key_name = var.aws_key_name subnet_id = element(concat(var.public_subnet_ids, list("")), 0) source_dest_check = var.source_dest_check 
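Review bot: The README hunk changes the example to `key_name = "${var.aws_key_name}"`, keeping 0.11-style quoted interpolation, while the main.tf hunk in the same commit writes the 0.12 form `key_name = var.aws_key_name`; since the module itself is 0.12 syntax, the README example should read `key_name = var.aws_key_name` (and the neighbouring lines likewise) so that copying it does not trip `terraform fmt`/`0.12upgrade` warnings. The `"export SHOWCOMMANDS=true; set -x"` reorder in the remote-exec hunk only affects that one remote shell session — the exported variable does not reach the local-exec provisioners — which is worth stating in a comment if the variable is meant to be read elsewhere. The `aws_instance` resource touched by the main.tf hunk continues outside the hunk.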
@@ -261,9 +261,9 @@ EOT . /vagrant/scripts/exit_test.sh cd /deployuser ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${local.public_ip} public_address=${local.vpn_address} bastion_address=${var.bastion_ip} vpn_address=${local.vpn_address} set_vpn=true"; exit_test - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_aws_private_key_path"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${local.private_ip} bastion_ip=${var.bastion_ip}"; exit_test - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_local_key_path"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_aws_private_key_path"; exit_test aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sleep 30 EOT } diff --git a/variables.tf b/variables.tf index d8c3696..cdb4ce3 100644 --- a/variables.tf +++ b/variables.tf @@ -24,7 +24,7 @@ variable "public_subnet_ids" { variable "cert_arn" { } -variable "key_name" { +variable "aws_key_name" { } variable "bastion_ip" { @@ -33,7 +33,7 @@ variable "bastion_ip" { variable "private_key" { } -variable "local_key_path" { +variable "aws_private_key_path" { } variable "ami" { From 15c31d174eff46cd00ae240f52d83c92f4aa9f44 Mon Sep 17 00:00:00 2001 
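Review bot: The rename of `local_key_path` to `aws_private_key_path` in the variables.tf hunk only reaches the provisioning script through the shell environment: the heredoc in the `@@ -261,9 +261,9 @@` hunk reads `$TF_VAR_aws_private_key_path` directly instead of `${var.aws_private_key_path}`, so the rename silently breaks any caller that still exports the old `TF_VAR_local_key_path`, and Terraform cannot validate the mismatch. Interpolating `${var.aws_private_key_path}` in the two `insert_ssh_key_string=…` arguments makes the dependency explicit; if the env-var form is deliberate, a comment on the heredoc such as `# TF_VAR_* names below must match the variables declared in variables.tf` at least documents the coupling. The enclosing `provision_vpn` provisioner starts outside the hunk.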
From: Andrew Graham Date: Sun, 21 Jun 2020 18:43:29 +0930 Subject: [PATCH 140/306] alter comment --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 60de681..6351255 100644 --- a/main.tf +++ b/main.tf @@ -205,7 +205,7 @@ resource "null_resource" "provision_vpn" { vpn_address = local.vpn_address } -### START this segment is termporary to deal with a cloud init bug + ### START this segment is termporary to deal with a cloud init bug provisioner "remote-exec" { connection { user = var.openvpn_admin_user From b02dd3f7d00b85356e34be6ac68ccb411108e7c6 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 21 Jun 2020 19:47:56 +0930 Subject: [PATCH 141/306] add routes on ansible control --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 6351255..a9e09e6 100644 --- a/main.tf +++ b/main.tf @@ -289,6 +289,7 @@ EOT echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v --extra-vars "variable_host=ansible_control variable_user=deployuser hostname=ansible_control ethernet_interface=eth1" # configure routes for ansible control to the gateway to test the connection sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT } From ecc68660d41abfac47791d5939166398c4f700ce Mon Sep 17 00:00:00 2001 
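Review bot: The `ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml … ethernet_interface=eth1` line added in the `@@ -289,6 +289,7 @@` hunk is the only playbook call in this heredoc without a trailing `; exit_test`, so a failure configuring routes on ansible_control is ignored and the script proceeds to `test-openvpn.sh`, which then fails for a less obvious reason. Appending `; exit_test` before the `# configure routes …` comment keeps it consistent with the surrounding lines. The same unchecked line survives as context in PATCH 142, 143, 145 and 156, and the second node-centos-routes call added in PATCH 145 does get `exit_test`, so this is the one occurrence to fix. The enclosing heredoc starts outside the hunk.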
From: Andrew Graham Date: Sun, 21 Jun 2020 20:45:45 +0930 Subject: [PATCH 142/306] assert firehawkgateway exists --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index a9e09e6..b569c4b 100644 --- a/main.tf +++ b/main.tf @@ -288,6 +288,7 @@ EOT echo "remote_subnet_cidr: ${var.remote_subnet_cidr}" echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" + set -x ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v --extra-vars "variable_host=ansible_control variable_user=deployuser hostname=ansible_control ethernet_interface=eth1" # configure routes for ansible control to the gateway to test the connection sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test From 4e465faa233869575c1c96b98432b2ed0b8dac6a Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 21 Jun 2020 23:49:42 +0930 Subject: [PATCH 143/306] test-no-vpn-public-inventory --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index b569c4b..99d07e0 100644 --- a/main.tf +++ b/main.tf 
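Review bot: The `set -x` added before the openvpn.yaml playbook in the `@@ -288,6 +288,7 @@` hunk has no matching `set +x`, so every later command in the heredoc, including each `--extra-vars` string, is echoed with expanded values into the Terraform output for the rest of the script. The values visible here are addresses and CIDRs, but anything secret that is later added to those extra-vars will be logged the same way; consider `set +x` after the command you want to trace, or gate the line on the `SHOWCOMMANDS` variable introduced earlier in this series. The commit title says "assert firehawkgateway exists" while the hunk only adds tracing, so either the title or the change looks incomplete. The enclosing heredoc starts outside the hunk.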
@@ -261,9 +261,9 @@ EOT . /vagrant/scripts/exit_test.sh cd /deployuser ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-public-host.yaml -v --extra-vars "public_ip=${local.public_ip} public_address=${local.vpn_address} bastion_address=${var.bastion_ip} vpn_address=${local.vpn_address} set_vpn=true"; exit_test - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_aws_private_key_path"; exit_test + # ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip host_ip=${local.public_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_aws_private_key_path"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/ssh-add-private-host.yaml -v --extra-vars "private_ip=${local.private_ip} bastion_ip=${var.bastion_ip}"; exit_test - ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_aws_private_key_path"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/inventory-add.yaml -v --extra-vars "host_name=openvpnip_private group_name=role_openvpn_access_server host_ip=${local.private_ip} insert_ssh_key_string=ansible_ssh_private_key_file=$TF_VAR_aws_private_key_path"; exit_test aws ec2 reboot-instances --instance-ids ${aws_instance.openvpn[count.index].id} && sleep 30 EOT } 
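Review bot: The inventory-add line that is commented out with a leading `#` in this hunk still contains `${local.public_ip}` inside a Terraform heredoc, so Terraform keeps evaluating that interpolation on every plan even though bash never runs the command; it also leaves a dead call in front of anyone reading the script. If the public inventory entry is intentionally dropped, delete the line and record the decision with a comment that has no interpolations, e.g. `# public host is deliberately not added to the inventory; only the private host is`; if it is meant to return later, a Terraform `#` comment outside the heredoc is the safer place to park it. The enclosing `provision_vpn` resource starts outside the hunk.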
@@ -289,7 +289,7 @@ EOT echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" set -x - ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "variable_host=openvpnip vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v --extra-vars "variable_host=ansible_control variable_user=deployuser hostname=ansible_control ethernet_interface=eth1" # configure routes for ansible control to the gateway to test the connection sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT From 6897dc2cc9cd7c2c836c848e94473fd18325fca9 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 6 Jul 2020 01:28:12 +0930 Subject: [PATCH 144/306] add exit tests --- main.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 99d07e0..07b3d35 100644 --- a/main.tf +++ b/main.tf @@ -153,8 +153,9 @@ resource "null_resource" "start-node" { provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 19 Jul 2020 12:23:16 +0930 Subject: [PATCH 145/306] Don't configure routes on workstation unless specified [ci skip] --- main.tf | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/main.tf b/main.tf index 07b3d35..bf809fc 100644 --- a/main.tf +++ b/main.tf @@ -293,6 +293,11 @@ EOT set -x ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v --extra-vars "variable_host=ansible_control variable_user=deployuser hostname=ansible_control ethernet_interface=eth1" # configure routes for ansible control to the gateway to test the connection + + if [[ "$TF_VAR_set_routes_on_workstation" = "true" ]]; then # Intended for a dev envoronment only where multiple parralel deployments may occur, we cant provision a router for each subnet + ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation1 variable_user=deployuser hostname=workstation1 ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_private_ssh_key ethernet_interface=$TF_VAR_workstation_ethernet_interface"; exit_test + fi + sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT } From 6e45c76d65221cc7fcd9bcbab69d4654f7a45d8e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 08:40:11 +0930 Subject: [PATCH 146/306] imp-auto-ami-vpn --- main.tf | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index bf809fc..8624ae1 100644 --- a/main.tf +++ b/main.tf 
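Review bot: The guarded workstation branch in the `@@ -293,6 +293,11 @@` hunk rewrites routes on an operator's machine using the key at `$TF_VAR_onsite_workstation_private_ssh_key`, and the only statement of its dev-only intent is a trailing comment on the `if` line where it is easy to miss; a comment above the block such as `# dev-only: rewrites routes on the operator workstation; leave TF_VAR_set_routes_on_workstation unset in CI/production` makes the blast radius explicit. With `set -x` still active from earlier in this heredoc (it is the first context line of the hunk), the full command line including that key path is echoed to the log — a path, not the key, but worth knowing. `-v -v` is just `-vv`, and the comment's spelling (`envoronment`, `parralel`) could be fixed at the same time. The enclosing heredoc starts outside the hunk.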
@@ -106,10 +106,83 @@ resource "null_resource" "bastion_dependency" { } } +data "aws_ami_ids" "centos_v7" { + owners = ["679593333241"] # the softnas account id + filter { + name = "description" + values = ["OpenVPN Access Server 2.7.5"] + } +} + +variable "allow_prebuilt_openvpn_access_server_ami" { + default = false +} + +variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami_ids queries are available, this allows us to select one. + default = "centos_v7" +} + +locals { + keys = ["centos_v7"] # Where multiple data aws_ami_ids queries are available, this is the full list of options. + empty_list = list("") + values = ["${element( concat(data.aws_ami_ids.centos_v7.ids, local.empty_list ), 0 )}"] # the list of ami id's + openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) +} + +locals { # select the found ami to use based on the map lookup + base_ami = lookup(local.openvpn_access_server_consumption_map, var.openvpn_access_server_ami_option) +} + +data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. + owners = ["self"] + filter { + name = "tag:base_ami" + values = ["${local.base_ami}"] + } + filter { + name = "name" + values = ["openvpn_access_server_prebuilt_*"] + } +} + +locals { + prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids + first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) + mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) + aquired_ami = "${element( local.mod_list , 0)}" # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. + use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? 
true : false + ami = local.use_prebuilt_openvpn_access_server_ami ? local.aquired_ami : local.base_ami +} + +output "base_ami" { + value = local.base_ami +} + +output "prebuilt_openvpn_access_server_ami_list" { + value = local.prebuilt_openvpn_access_server_ami_list +} + +output "first_element" { + value = local.first_element +} + +output "aquired_ami" { + value = local.aquired_ami +} + +output "use_prebuilt_openvpn_access_server_ami" { + value = local.use_prebuilt_openvpn_access_server_ami +} + +output "ami" { + value = local.ami +} + resource "aws_instance" "openvpn" { count = var.create_vpn ? 1 : 0 depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] - ami = var.ami + # ami = var.ami + ami = local.ami instance_type = var.instance_type key_name = var.aws_key_name subnet_id = element(concat(var.public_subnet_ids, list("")), 0) From 83f22593a931742a09d811c5310cc012276a3094 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 18:33:58 +0930 Subject: [PATCH 147/306] test wild card for vpn image --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 8624ae1..3b6fb9a 100644 --- a/main.tf +++ b/main.tf @@ -110,7 +110,7 @@ data "aws_ami_ids" "centos_v7" { owners = ["679593333241"] # the softnas account id filter { name = "description" - values = ["OpenVPN Access Server 2.7.5"] + values = ["OpenVPN Access Server 2.7.5*"] } } From bb4e4760eecfe981182869090916db1274bc70e1 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 19:27:21 +0930 Subject: [PATCH 148/306] update filter values again --- main.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index 3b6fb9a..79d26bf 100644 --- a/main.tf +++ b/main.tf 
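Review bot: The `aws_ami_ids` lookup added in the `@@ -106,10 +106,83 @@` hunk is consumed through `element(concat(data.aws_ami_ids.centos_v7.ids, local.empty_list), 0)`, and the follow-up hunk (`@@ -110,7 +110,7 @@`) widens the description filter to `"OpenVPN Access Server 2.7.5*"`; with a wildcard the first element is whichever matching image the provider lists first, so the base AMI — and with it which prebuilt image the `tag:base_ami` search finds — can change between applies with no code change. The `owners` pin is the right control and should stay; add a comment on `values` saying the resolved image is meant to be reviewed through the `base_ami` output before apply, or pin the exact name. Separately, `first_element = element(data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0)` splats a data source that has no `count`, so it yields the whole `ids` list rather than its first entry; it only feeds a debug output, but the name is misleading.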
@@ -106,11 +106,15 @@ resource "null_resource" "bastion_dependency" { } } -data "aws_ami_ids" "centos_v7" { - owners = ["679593333241"] # the softnas account id +# These filters below aquire the ami for your region. If they are not working in your region try running: +# aws ec2 describe-images --filters "Name=name,Values=OpenVPN Access Server 2.7.5-*" +# ... and update the filters appropriately +# We dont use image id's directly because they dont work in multiple regions. +data "aws_ami_ids" "openvpn_2_7_5" { + owners = ["679593333241"] # the account id filter { - name = "description" - values = ["OpenVPN Access Server 2.7.5*"] + name = "name" + values = ["OpenVPN Access Server 2.7.5-*-ami-0c56f53c16ad84dcd.4"] # the * replaces part of the serial that varies by region. } } @@ -119,13 +123,13 @@ variable "allow_prebuilt_openvpn_access_server_ami" { } variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami_ids queries are available, this allows us to select one. - default = "centos_v7" + default = "openvpn_2_7_5" } locals { - keys = ["centos_v7"] # Where multiple data aws_ami_ids queries are available, this is the full list of options. + keys = ["openvpn_2_7_5"] # Where multiple data aws_ami_ids queries are available, this is the full list of options. empty_list = list("") - values = ["${element( concat(data.aws_ami_ids.centos_v7.ids, local.empty_list ), 0 )}"] # the list of ami id's + values = ["${element( concat(data.aws_ami_ids.openvpn_2_7_5.ids, local.empty_list ), 0 )}"] # the list of ami id's openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) } From c3871776471416f56c1de4e87b6221210642aa98 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 19:42:47 +0930 Subject: [PATCH 149/306] provide pointers on filets and allow ci skip branch --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 79d26bf..ccd7439 100644 --- a/main.tf +++ b/main.tf 
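Review bot: The `owners = ["679593333241"]  # the account id` comment in the first hunk does not say whose account this is; as far as I know that ID is the shared AWS Marketplace publishing account rather than one specific to OpenVPN, so the owner pin alone does not establish that the image comes from OpenVPN — the `name` filter is the only thing doing that here. A comment such as `# shared AWS Marketplace account; vendor identity comes from the name filter, so keep that exact` would make the trust boundary explicit for the next person loosening the filter. The new comment block could also lose the `aquire`/`dont` typos while it is being touched.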
@@ -107,6 +107,8 @@ resource "null_resource" "bastion_dependency" { } # These filters below aquire the ami for your region. If they are not working in your region try running: +# aws ec2 describe-images --image-ids {image id} +# and then progress to filtering from that information instead of the image id: # aws ec2 describe-images --filters "Name=name,Values=OpenVPN Access Server 2.7.5-*" # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. From 0fcd0f006499f198d41bba9bfe945a58a1ed3b45 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 20:47:45 +0930 Subject: [PATCH 150/306] test auto aquire ami for workstation --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index ccd7439..474ba6c 100644 --- a/main.tf +++ b/main.tf @@ -113,6 +113,7 @@ resource "null_resource" "bastion_dependency" { # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. data "aws_ami_ids" "openvpn_2_7_5" { + most_recent = true owners = ["679593333241"] # the account id filter { name = "name" From 6edc6c8079d208d4c3b458e1fb3e0873596d8b8d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 21:43:45 +0930 Subject: [PATCH 151/306] aws_ami most_recent for workstation --- main.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index 474ba6c..e4ebb7e 100644 --- a/main.tf +++ b/main.tf @@ -112,7 +112,7 @@ resource "null_resource" "bastion_dependency" { # aws ec2 describe-images --filters "Name=name,Values=OpenVPN Access Server 2.7.5-*" # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. -data "aws_ami_ids" "openvpn_2_7_5" { +data "aws_ami" "openvpn_2_7_5" { most_recent = true owners = ["679593333241"] # the account id filter { 
@@ -125,14 +125,14 @@ variable "allow_prebuilt_openvpn_access_server_ami" { default = false } -variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami_ids queries are available, this allows us to select one. +variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami queries are available, this allows us to select one. default = "openvpn_2_7_5" } locals { - keys = ["openvpn_2_7_5"] # Where multiple data aws_ami_ids queries are available, this is the full list of options. + keys = ["openvpn_2_7_5"] # Where multiple data aws_ami queries are available, this is the full list of options. empty_list = list("") - values = ["${element( concat(data.aws_ami_ids.openvpn_2_7_5.ids, local.empty_list ), 0 )}"] # the list of ami id's + values = ["${element( concat(data.aws_ami.openvpn_2_7_5.ids, local.empty_list ), 0 )}"] # the list of ami id's openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) } @@ -140,7 +140,7 @@ locals { # select the found ami to use based on the map lookup base_ami = lookup(local.openvpn_access_server_consumption_map, var.openvpn_access_server_ami_option) } -data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. +data "aws_ami" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. owners = ["self"] filter { name = "tag:base_ami" 
@@ -153,8 +153,8 @@ data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a pr } locals { - prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids - first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) + prebuilt_openvpn_access_server_ami_list = data.aws_ami.prebuilt_openvpn_access_server_ami_list.ids + first_element = element( data.aws_ami.prebuilt_openvpn_access_server_ami_list.*.ids, 0) mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) aquired_ami = "${element( local.mod_list , 0)}" # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false From 0df73466980eb1bc6a2e56b3388f5656e28b5631 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 21:51:49 +0930 Subject: [PATCH 152/306] try *.id --- main.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index e4ebb7e..36e31fd 100644 --- a/main.tf +++ b/main.tf @@ -113,6 +113,7 @@ resource "null_resource" "bastion_dependency" { # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. data "aws_ami" "openvpn_2_7_5" { + count = 1 most_recent = true owners = ["679593333241"] # the account id filter { 
@@ -132,7 +133,7 @@ variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami quer locals { keys = ["openvpn_2_7_5"] # Where multiple data aws_ami queries are available, this is the full list of options. empty_list = list("") - values = ["${element( concat(data.aws_ami.openvpn_2_7_5.ids, local.empty_list ), 0 )}"] # the list of ami id's + values = ["${element( concat(data.aws_ami.openvpn_2_7_5.*.id, local.empty_list ), 0 )}"] # the list of ami id's openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) } @@ -141,6 +142,7 @@ locals { # select the found ami to use based on the map lookup } data "aws_ami" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. + count = 1 owners = ["self"] filter { name = "tag:base_ami" @@ -153,8 +155,8 @@ data "aws_ami" "prebuilt_openvpn_access_server_ami_list" { # search for a prebui } locals { - prebuilt_openvpn_access_server_ami_list = data.aws_ami.prebuilt_openvpn_access_server_ami_list.ids - first_element = element( data.aws_ami.prebuilt_openvpn_access_server_ami_list.*.ids, 0) + prebuilt_openvpn_access_server_ami_list = data.aws_ami.prebuilt_openvpn_access_server_ami_list.*.id + first_element = element( data.aws_ami.prebuilt_openvpn_access_server_ami_list.*.id, 0) mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) aquired_ami = "${element( local.mod_list , 0)}" # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false From d4c812b46235124491ba1cf1c7cf0268103adb5c Mon Sep 17 00:00:00 2001 
From: Andrew Graham Date: Mon, 20 Jul 2020 21:57:21 +0930 Subject: [PATCH 153/306] aws_ami_ids for prebuilt search --- main.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 36e31fd..7a37898 100644 --- a/main.tf +++ b/main.tf @@ -141,8 +141,7 @@ locals { # select the found ami to use based on the map lookup base_ami = lookup(local.openvpn_access_server_consumption_map, var.openvpn_access_server_ami_option) } -data "aws_ami" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. - count = 1 +data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. owners = ["self"] filter { name = "tag:base_ami" @@ -155,8 +154,8 @@ data "aws_ami" "prebuilt_openvpn_access_server_ami_list" { # search for a prebui } locals { - prebuilt_openvpn_access_server_ami_list = data.aws_ami.prebuilt_openvpn_access_server_ami_list.*.id - first_element = element( data.aws_ami.prebuilt_openvpn_access_server_ami_list.*.id, 0) + prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids + first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids, 0) mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) aquired_ami = "${element( local.mod_list , 0)}" # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false From 014849296d33ec7158c48a26720bae158ff07c25 Mon Sep 17 00:00:00 2001 
From: Andrew Graham Date: Mon, 20 Jul 2020 21:59:30 +0930 Subject: [PATCH 154/306] fix first element --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7a37898..e74f217 100644 --- a/main.tf +++ b/main.tf @@ -155,7 +155,7 @@ data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a pr locals { prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids - first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids, 0) + first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) aquired_ami = "${element( local.mod_list , 0)}" # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false From 6fbbf633b9ccdf663dbfc78c4c7e3df69bfb2469 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 20 Jul 2020 22:33:41 +0930 Subject: [PATCH 155/306] check dir for grid --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index e74f217..aa211da 100644 --- a/main.tf +++ b/main.tf @@ -112,7 +112,9 @@ resource "null_resource" "bastion_dependency" { # aws ec2 describe-images --filters "Name=name,Values=OpenVPN Access Server 2.7.5-*" # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. + data "aws_ami" "openvpn_2_7_5" { + # aws_ami function with most_recent is best when seeking a single ami, like the latest version from filters known to produce output. count = 1 most_recent = true owners = ["679593333241"] # the account id 
@@ -142,6 +144,7 @@ locals { # select the found ami to use based on the map lookup } data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. + # aws_ami_ids function produces a list matching the filters. owners = ["self"] filter { name = "tag:base_ami" From 776213eb5202b70667a5288c03b2b569966d9dec Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 12:38:37 +0930 Subject: [PATCH 156/306] Use the vpn private ip as the DNS resolver --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index aa211da..c708ba0 100644 --- a/main.tf +++ b/main.tf 
@@ -375,7 +375,7 @@ EOT echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" set -x - ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "vpn_address=${local.vpn_address} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "vpn_address=${local.vpn_address} private_ip=${local.private_ip} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v --extra-vars "variable_host=ansible_control variable_user=deployuser hostname=ansible_control ethernet_interface=eth1" # configure routes for ansible control to the gateway to test the connection if [[ "$TF_VAR_set_routes_on_workstation" = "true" ]]; then # Intended for a dev envoronment only where multiple parralel deployments may occur, we cant provision a router for each subnet From ea36cee59449d179cca5d47fe9b74f84906b0491 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 12:55:40 +0930 Subject: [PATCH 157/306] remove unneeded vars --- variables.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/variables.tf b/variables.tf index cdb4ce3..55fc79c 100644 --- a/variables.tf +++ b/variables.tf @@ -36,9 +36,6 @@ variable "private_key" { variable "aws_private_key_path" { } -variable "ami" { -} - variable "instance_type" { } From 8fecb23ff3a678cc8ed9ed738b41fd3abb40caf8 Mon Sep 17 00:00:00 2001 
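Review bot: Removing `variable "ami"` in the variables.tf hunk turns any caller that still passes `ami` into an unsupported-argument error, and the README usage example shown earlier in this series still includes `ami = "${var.ami}"` in its module block; unless the README was updated outside these patches, it now documents a call that no longer validates. Dropping that line from the README example, or noting there that the image is now resolved by the `aws_ami` lookup in main.tf, keeps the documentation in step with the interface. The `private_ip=${local.private_ip}` addition in the main.tf hunk is fine; its heredoc starts outside the hunk.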
From: Andrew Graham Date: Sat, 15 Aug 2020 13:07:56 +0930 Subject: [PATCH 158/306] update OpenVPN Access Server 2.8.5 --- main.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index c708ba0..20b9a5d 100644 --- a/main.tf +++ b/main.tf @@ -113,14 +113,15 @@ resource "null_resource" "bastion_dependency" { # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. -data "aws_ami" "openvpn_2_7_5" { +data "aws_ami" "openvpn_2_8_5" { # aws_ami function with most_recent is best when seeking a single ami, like the latest version from filters known to produce output. count = 1 most_recent = true owners = ["679593333241"] # the account id filter { name = "name" - values = ["OpenVPN Access Server 2.7.5-*-ami-0c56f53c16ad84dcd.4"] # the * replaces part of the serial that varies by region. + # values = ["OpenVPN Access Server 2.7.5-*-ami-0c56f53c16ad84dcd.4"] # the * replaces part of the serial that varies by region. + values = ["OpenVPN Access Server 2.8.5-*"] # The * replaces part of the serial that varies by region. } } @@ -129,13 +130,13 @@ variable "allow_prebuilt_openvpn_access_server_ami" { } variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami queries are available, this allows us to select one. - default = "openvpn_2_7_5" + default = "openvpn_2_8_5" } locals { - keys = ["openvpn_2_7_5"] # Where multiple data aws_ami queries are available, this is the full list of options. + keys = ["openvpn_2_8_5"] # Where multiple data aws_ami queries are available, this is the full list of options. empty_list = list("") - values = ["${element( concat(data.aws_ami.openvpn_2_7_5.*.id, local.empty_list ), 0 )}"] # the list of ami id's + values = ["${element( concat(data.aws_ami.openvpn_2_8_5.*.id, local.empty_list ), 0 )}"] # the list of ami id's openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) } 
From fcef435a9b790c6b31bc457405b2b6d32fa226ab Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 14:25:29 +0930 Subject: [PATCH 159/306] update open vpn filters --- main.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index 20b9a5d..13c6896 100644 --- a/main.tf +++ b/main.tf @@ -113,15 +113,15 @@ resource "null_resource" "bastion_dependency" { # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. -data "aws_ami" "openvpn_2_8_5" { +data "aws_ami" "openvpn_2_8" { # aws_ami function with most_recent is best when seeking a single ami, like the latest version from filters known to produce output. count = 1 most_recent = true - owners = ["679593333241"] # the account id + owners = ["679593333241"] # The account id filter { - name = "name" + name = "description" # values = ["OpenVPN Access Server 2.7.5-*-ami-0c56f53c16ad84dcd.4"] # the * replaces part of the serial that varies by region. - values = ["OpenVPN Access Server 2.8.5-*"] # The * replaces part of the serial that varies by region. + values = ["OpenVPN Access Server 2.8.* publisher image from https://www.openvpn.net/*"] # The * replaces part of the serial that varies by region. } } 
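Review bot: Switching to `name = "description"` with `"OpenVPN Access Server 2.8.* publisher image from https://www.openvpn.net/*"` in the `@@ -113,15 +113,15 @@` hunk, combined with the existing `most_recent = true`, means the base AMI now moves to every new 2.8.x publisher image automatically; beyond the unreviewed image change that implies, the prebuilt lookup keyed on `tag:base_ami` stops matching after each such bump, so `use_prebuilt_openvpn_access_server_ami` silently flips to false and the instance is reprovisioned from scratch. If tracking 2.8.x is intended, say so next to the filter, e.g. `# tracks the newest 2.8.x publisher image; prebuilt AMIs are invalidated whenever this resolves to a new base`, and check the `base_ami` output in the plan. The retained `# The * replaces part of the serial that varies by region.` comment no longer describes what these wildcards do.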
@@ -130,13 +130,13 @@ variable "allow_prebuilt_openvpn_access_server_ami" { } variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami queries are available, this allows us to select one. - default = "openvpn_2_8_5" + default = "openvpn_2_8" } locals { - keys = ["openvpn_2_8_5"] # Where multiple data aws_ami queries are available, this is the full list of options. + keys = ["openvpn_2_8"] # Where multiple data aws_ami queries are available, this is the full list of options. empty_list = list("") - values = ["${element( concat(data.aws_ami.openvpn_2_8_5.*.id, local.empty_list ), 0 )}"] # the list of ami id's + values = ["${element( concat(data.aws_ami.openvpn_2_8.*.id, local.empty_list ), 0 )}"] # the list of ami id's openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) } From b946c2bdf96e1bee963ef2d76e8417935bc0d636 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 14:56:01 +0930 Subject: [PATCH 160/306] test using product code in filters --- main.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 13c6896..3b905da 100644 --- a/main.tf +++ b/main.tf @@ -118,10 +118,15 @@ data "aws_ami" "openvpn_2_8" { count = 1 most_recent = true owners = ["679593333241"] # The account id + filter { name = "description" - # values = ["OpenVPN Access Server 2.7.5-*-ami-0c56f53c16ad84dcd.4"] # the * replaces part of the serial that varies by region. - values = ["OpenVPN Access Server 2.8.* publisher image from https://www.openvpn.net/*"] # The * replaces part of the serial that varies by region. + values = ["OpenVPN Access Server 2.8.3 publisher image from https://www.openvpn.net/."] # The * replaces part of the serial that varies by region. + } + + filter { + name = "product-code" + values = "f2ew2wrz425a1jagnifd02u5t" } } From cedbea1a3dbec3bbf807f9e2041b3b669e2a4d0f Mon Sep 17 00:00:00 2001 
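Review bot: The `description` filter is now pinned to the exact 2.8.3 string while the data source is still named `openvpn_2_8`, the earlier commit in this series targets 2.8.5, and the trailing comment `# The * replaces part of the serial that varies by region.` refers to a wildcard that no longer exists in the value. Pin the version in one place so the filters and the name cannot disagree, and replace the comment with one stating the real intent, e.g. `# Exact marketplace description of the tested AS release; the product-code filter below binds the match to the OpenVPN listing.` Adding the `product-code` filter is the right anchor for supply-chain purposes; with it in place the description could be relaxed to `OpenVPN Access Server 2.8.*` without losing vendor binding, provided `most_recent` drift is acceptable.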
From: Andrew Graham Date: Sat, 15 Aug 2020 14:58:33 +0930 Subject: [PATCH 161/306] list of strings were required --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 3b905da..bc57361 100644 --- a/main.tf +++ b/main.tf @@ -118,7 +118,7 @@ data "aws_ami" "openvpn_2_8" { count = 1 most_recent = true owners = ["679593333241"] # The account id - + filter { name = "description" values = ["OpenVPN Access Server 2.8.3 publisher image from https://www.openvpn.net/."] # The * replaces part of the serial that varies by region. @@ -126,7 +126,7 @@ data "aws_ami" "openvpn_2_8" { filter { name = "product-code" - values = "f2ew2wrz425a1jagnifd02u5t" + values = ["f2ew2wrz425a1jagnifd02u5t"] } } From 1394e7daf8dbfe15f54258e6783d4ca39786cb09 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 15:28:26 +0930 Subject: [PATCH 162/306] update security groups --- main.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/main.tf b/main.tf index bc57361..2ab7a3c 100644 --- a/main.tf +++ b/main.tf @@ -54,6 +54,13 @@ resource "aws_security_group" "openvpn" { cidr_blocks = [var.remote_vpn_ip_cidr] description = "admin ui" } + ingress { + protocol = "tcp" + from_port = 945 + to_port = 945 + cidr_blocks = [var.remote_vpn_ip_cidr] + description = "admin ui" + } ingress { protocol = "udp" from_port = 1194 From 41f9f921d0dbb1fe190eb019f426d851f195b69e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 18:43:52 +0930 Subject: [PATCH 163/306] set permissions on init bootstrapping instead --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 2ab7a3c..bd6a59d 100644 --- a/main.tf +++ b/main.tf 
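Review bot: The new TCP 945 rule carries the same `description = "admin ui"` as the rule directly above it, so the security group will show two indistinguishable entries and a reader cannot tell why a second port is being opened to `var.remote_vpn_ip_cidr`; give it a description naming its actual role, e.g. `description = "openvpn as tcp/945 (<service>)"`, once confirmed against the OpenVPN Access Server port documentation. Every extra port exposed through this variable widens the surface reachable from that CIDR, so it is worth checking that callers set it to a narrow source range rather than leaving a permissive default. The enclosing `aws_security_group.openvpn` block starts before this hunk.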
@@ -327,6 +327,7 @@ resource "null_resource" "provision_vpn" { "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; fi", + "sudo chown openvpnas:openvpnas /home/openvpnas" # This must be a bug with 2.8.5 open vpn ami. "echo '...Finished bootstrapping'", ] } From 37de6ee9116ac3584a7d9649ac894942ec1ff2ef Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 18:46:53 +0930 Subject: [PATCH 164/306] fix comma syntax error --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index bd6a59d..f2fc4a1 100644 --- a/main.tf +++ b/main.tf @@ -327,7 +327,7 @@ resource "null_resource" "provision_vpn" { "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file "test=$(which python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; fi", - "sudo chown openvpnas:openvpnas /home/openvpnas" # This must be a bug with 2.8.5 open vpn ami. + "sudo chown openvpnas:openvpnas /home/openvpnas", # This must be a bug with 2.8.5 open vpn ami. "echo '...Finished bootstrapping'", ] } From 42933a76c21065bea843fc5a6f1c788ec26703fe Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 20:12:23 +0930 Subject: [PATCH 165/306] test instance up first --- main.tf | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index f2fc4a1..4d9b27b 100644 --- a/main.tf +++ b/main.tf 
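Review bot: The added `sudo chown openvpnas:openvpnas /home/openvpnas` changes ownership of the admin user's home directory unconditionally on every provisioning run, and the only justification is the guess `# This must be a bug with 2.8.5 open vpn ami.`; a reader cannot tell whether the image deliberately ships the directory root-owned or when the workaround can be dropped. Make the comment a verifiable statement — `# Workaround: the 2.8.x marketplace AMI leaves /home/openvpnas owned by root, which breaks <what>; remove once the image ships it owned by openvpnas.` — and consider making the change conditional, `[ "$(stat -c %U /home/openvpnas)" = openvpnas ] || sudo chown openvpnas:openvpnas /home/openvpnas`, so a later image is not modified needlessly. The enclosing `null_resource.provision_vpn` starts outside this hunk.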
@@ -303,6 +303,18 @@ resource "null_resource" "provision_vpn" { # If the address changes, the vpn must be provisioned again. vpn_address = local.vpn_address } + provisioner "remote-exec" { + connection { + user = var.openvpn_admin_user + host = local.public_ip + private_key = var.private_key + type = "ssh" + timeout = "10m" + } + inline = [ + "echo 'instance up'", # test connection + ] + } ### START this segment is termporary to deal with a cloud init bug provisioner "remote-exec" { @@ -316,7 +328,6 @@ resource "null_resource" "provision_vpn" { # this resolves update issue https://unix.stackexchange.com/questions/315502/how-to-disable-apt-daily-service-on-ubuntu-cloud-vm-image inline = [ "export SHOWCOMMANDS=true; set -x", - "echo 'instance up'", "lsb_release -a", "ps aux | grep [a]pt", "sudo cat /etc/systemd/system.conf", From f4bbca146324edea2aed8636cda7c69ebeadf022 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 20:37:29 +0930 Subject: [PATCH 166/306] sleep 60 --- main.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/main.tf b/main.tf index 4d9b27b..fec6f96 100644 --- a/main.tf +++ b/main.tf @@ -303,6 +303,17 @@ resource "null_resource" "provision_vpn" { # If the address changes, the vpn must be provisioned again. vpn_address = local.vpn_address } + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + command = < Date: Sat, 15 Aug 2020 22:16:24 +0930 Subject: [PATCH 167/306] add gateway dependency --- main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index fec6f96..2c04d7c 100644 --- a/main.tf +++ b/main.tf 
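Review bot: The new `connection` block has no `host_key`, so the `remote-exec` provisioner will accept whatever SSH host key `local.public_ip` presents — on a freshly created public address that is an unauthenticated trust-on-first-use connection over the internet, made as `var.openvpn_admin_user` with `var.private_key`. Terraform's SSH connection supports `host_key = "<public host key>"`; the instance's key can be obtained out of band (for example from the EC2 console output, which cloud-init typically prints) and pinning it closes the man-in-the-middle window. This hunk only echoes `'instance up'`, so nothing sensitive is sent yet, but the same connection shape is reused by the provisioners that follow. The enclosing `null_resource.provision_vpn` starts before this hunk.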
@@ -294,9 +294,16 @@ resource "aws_route53_record" "openvpn_record" { records = [local.public_ip] } +variable "firehawk_init_dependency" {} +resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk gateway has finished being prrovisioned because the next process may interupt its network connection + triggers = { + firehawk_init_dependency = var.firehawk_init_dependency + } +} + resource "null_resource" "provision_vpn" { count = var.create_vpn ? 1 : 0 - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] triggers = { instanceid = local.id From 0dc167ee4202b160bc27576f979b94991c6ae154 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 15 Aug 2020 23:21:52 +0930 Subject: [PATCH 168/306] openvpn-restart-client.yaml --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 2c04d7c..195e59b 100644 --- a/main.tf +++ b/main.tf @@ -425,6 +425,8 @@ EOT ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation1 variable_user=deployuser hostname=workstation1 ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_private_ssh_key ethernet_interface=$TF_VAR_workstation_ethernet_interface"; exit_test fi + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn-restart-client.yaml + sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT } From 5750a838260c1597488cd62f282f5b3ec6824c83 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 16 Aug 2020 03:00:46 +0930 Subject: [PATCH 169/306] try to wait before restart --- main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 195e59b..fc98495 100644 --- a/main.tf +++ b/main.tf 
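Review bot: `variable "firehawk_init_dependency" {}` is declared inline in main.tf next to the resources, while the module's other inputs live in variables.tf (as the variables.tf hunks elsewhere in this series show), and it has no `description` telling the caller what to pass; someone reading variables.tf will not find it. Move it there with a description along the lines of `description = "Opaque value from the firehawk gateway module; a change re-triggers the dependency so VPN provisioning waits for the gateway."` — hedged wording, since the comment only says the gateway must finish first. The comment on the null_resource also has typos (`prrovisioned`, `interupt`).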
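Review bot: The new `ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn-restart-client.yaml` line does not end with `; exit_test` like every other playbook invocation in this script, so a failed client restart is ignored and the script proceeds to `test-openvpn.sh` thirty seconds later, where the failure surfaces as a confusing connectivity error instead of at its source. Append `; exit_test` to the line, assuming `exit_test` checks the previous command's exit status as its use on the surrounding lines suggests. The enclosing local-exec heredoc starts outside this hunk.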
@@ -425,9 +425,13 @@ EOT ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v -v --extra-vars "variable_host=workstation1 variable_user=deployuser hostname=workstation1 ansible_ssh_private_key_file=$TF_VAR_onsite_workstation_private_ssh_key ethernet_interface=$TF_VAR_workstation_ethernet_interface"; exit_test fi + sleep 30 + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn-restart-client.yaml - sleep 30; /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test + sleep 30 + + /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test EOT } } From 723a720fcd949cdfa04e131f3ddc93b33452ad0e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 21 Aug 2020 20:44:10 +0930 Subject: [PATCH 170/306] update to tf .13 --- versions.tf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index ac97c6a..f6734bd 100644 --- a/versions.tf +++ b/versions.tf @@ -1,4 +1,12 @@ terraform { - required_version = ">= 0.12" + required_version = ">= 0.13" + required_providers { + aws = { + source = "hashicorp/aws" + } + null = { + source = "hashicorp/null" + } + } } From 25ca567bdc2e178c598d3a4b1a2de07cf002758e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 22 Aug 2020 00:33:31 +0930 Subject: [PATCH 171/306] test python 3 for vpn --- main.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index fc98495..0dc5be3 100644 --- a/main.tf +++ b/main.tf 
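Review bot: The two bare `sleep 30` lines are timing guesses: the first waits an arbitrary period before restarting the client and the second hopes the tunnel is up before `test-openvpn.sh` runs, so the step will fail on a slow instance and waste time on a fast one. A bounded poll is more robust — loop a fixed number of times calling `/vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"` with a short sleep between attempts, `break` on success, and only then call `exit_test` on the final result; if a fixed delay is kept, add a comment explaining why 30 seconds was chosen. The restart line still lacks the `; exit_test` that the neighbouring invocations use. The heredoc starts outside this hunk.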
@@ -351,11 +351,13 @@ EOT "sudo cat /etc/systemd/system.conf", "sudo systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true", "sudo apt-get -y update", - "sudo apt-get -y install python2.7-minimal python2.7", - "which python2.7", - "ls /usr/bin/*ython*", + "sudo apt-get -y install python3", + "sudo apt-get -y install python-apt", + # "sudo apt-get -y install python2.7-minimal python2.7", + # "which python2.7", + # "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file - "test=$(which python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; fi", + # "test=$(which python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; fi", "sudo chown openvpnas:openvpnas /home/openvpnas", # This must be a bug with 2.8.5 open vpn ami. "echo '...Finished bootstrapping'", ] From 7baa3c55030586a572590d0aee8f937c9483450f Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 22 Aug 2020 00:55:01 +0930 Subject: [PATCH 172/306] try to clean cache --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 0dc5be3..a7e177f 100644 --- a/main.tf +++ b/main.tf @@ -408,6 +408,7 @@ EOT } inline = [ "echo 'instance up'", + "sudo apt-get -y clean && sudo apt-get -y autoclean", ] } provisioner "local-exec" { From 3db796c347691162272359969556ed05c6393d0b Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 22 Aug 2020 21:13:19 +0930 Subject: [PATCH 173/306] revert to tf .12 --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index f6734bd..d6a6b1e 100644 --- a/versions.tf +++ b/versions.tf @@ -1,6 +1,6 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 0.12.29" required_providers { aws = { source = "hashicorp/aws" From c868ce1ece358fa10fcf92f6bec9781f1b42da58 Mon Sep 17 00:00:00 2001 
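Review bot: `sudo apt-get -y install python-apt` installs the Python 2 APT bindings on the Ubuntu releases that still ship that package; if the intent of this commit is to move Ansible to Python 3 (the line above installs `python3`), the matching package is `python3-apt`, since the `apt` module needs bindings for whichever interpreter Ansible runs under. Consider collapsing both into one call, `sudo DEBIAN_FRONTEND=noninteractive apt-get -y install python3 python3-apt`, so the dpkg lock is taken once. The commented-out python2.7 lines are dead and can be dropped, git keeps them. The provisioner's `inline` list starts before this hunk.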
From: Andrew Graham Date: Sat, 22 Aug 2020 22:15:46 +0930 Subject: [PATCH 174/306] remove versions.tf --- versions.tf | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 versions.tf diff --git a/versions.tf b/versions.tf deleted file mode 100644 index d6a6b1e..0000000 --- a/versions.tf +++ /dev/null @@ -1,12 +0,0 @@ - -terraform { - required_version = ">= 0.12.29" - required_providers { - aws = { - source = "hashicorp/aws" - } - null = { - source = "hashicorp/null" - } - } -} From d0dc0c5efe6a0ba4968780a6061d30326aa328d7 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 23 Aug 2020 15:35:55 +0930 Subject: [PATCH 175/306] search dns --- main.tf | 2 +- variables.tf | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index a7e177f..4684984 100644 --- a/main.tf +++ b/main.tf 
@@ -421,7 +421,7 @@ EOT echo "private_subnet1: ${element(var.private_subnets, 0)}" echo "public_subnet1: ${element(var.public_subnets, 0)}" set -x - ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "vpn_address=${local.vpn_address} private_ip=${local.private_ip} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test + ansible-playbook -i "$TF_VAR_inventory" ansible/openvpn.yaml -v --extra-vars "vpn_address=${local.vpn_address} private_domain_name=${var.private_domain_name} private_ip=${local.private_ip} private_subnet1=${element(var.private_subnets, 0)} public_subnet1=${element(var.public_subnets, 0)} remote_subnet_cidr=${var.remote_subnet_cidr} client_network=${element(split("/", var.vpn_cidr), 0)} client_netmask_bits=${element(split("/", var.vpn_cidr), 1)}"; exit_test ansible-playbook -i "$TF_VAR_inventory" ansible/node-centos-routes.yaml -v --extra-vars "variable_host=ansible_control variable_user=deployuser hostname=ansible_control ethernet_interface=eth1" # configure routes for ansible control to the gateway to test the connection if [[ "$TF_VAR_set_routes_on_workstation" = "true" ]]; then # Intended for a dev envoronment only where multiple parralel deployments may occur, we cant provision a router for each subnet diff --git a/variables.tf b/variables.tf index 55fc79c..325ae0b 100644 --- a/variables.tf +++ b/variables.tf @@ -78,4 +78,6 @@ variable "public_subnets" { variable "bastion_dependency" {} variable "private_route_table_ids" {} -variable "public_route_table_ids" {} \ No newline at end of file +variable "public_route_table_ids" {} + +variable "private_domain_name" {} \ No newline at end of file From 77d6a6e5e44545342827d9d3f42cf782ca16958f Mon Sep 17 00:00:00 2001 
From: Andrew Graham Date: Mon, 7 Sep 2020 20:45:47 +0930 Subject: [PATCH 176/306] remove extra space --- main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/main.tf b/main.tf index 4684984..c24c1cf 100644 --- a/main.tf +++ b/main.tf @@ -270,8 +270,6 @@ EOT } } - - locals { private_ip = "${element(concat(aws_instance.openvpn.*.private_ip, list("")), 0)}" public_ip = "${element(concat(aws_eip.openvpnip.*.public_ip, list("")), 0)}" From df5c3ebff90cda27681649abd66aeef1e4c2f3f9 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 17 Oct 2020 05:27:42 +0000 Subject: [PATCH 177/306] upgrade to tf.13 --- main.tf | 20 ++++++++++---------- versions.tf | 11 +++++++++++ 2 files changed, 21 insertions(+), 10 deletions(-) create mode 100644 versions.tf diff --git a/main.tf b/main.tf index c24c1cf..e01b2a4 100644 --- a/main.tf +++ b/main.tf @@ -148,7 +148,7 @@ variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami quer locals { keys = ["openvpn_2_8"] # Where multiple data aws_ami queries are available, this is the full list of options. empty_list = list("") - values = ["${element( concat(data.aws_ami.openvpn_2_8.*.id, local.empty_list ), 0 )}"] # the list of ami id's + values = [element( concat(data.aws_ami.openvpn_2_8.*.id, local.empty_list ), 0 )] # the list of ami id's openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) } @@ -161,7 +161,7 @@ data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a pr owners = ["self"] filter { name = "tag:base_ami" - values = ["${local.base_ami}"] + values = [local.base_ami] } filter { name = "name" 
@@ -173,7 +173,7 @@ locals { prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) - aquired_ami = "${element( local.mod_list , 0)}" # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. + aquired_ami = element( local.mod_list , 0) # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false ami = local.use_prebuilt_openvpn_access_server_ami ? local.aquired_ami : local.base_ami } 
@@ -271,13 +271,13 @@ EOT } locals { - private_ip = "${element(concat(aws_instance.openvpn.*.private_ip, list("")), 0)}" - public_ip = "${element(concat(aws_eip.openvpnip.*.public_ip, list("")), 0)}" - id = "${element(concat(aws_instance.openvpn.*.id, list("")), 0)}" - security_group_id = "${element(concat(aws_security_group.openvpn.*.id, list("")), 0)}" - vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":"${local.public_ip}" - private_route_table_id = "${element(concat(var.private_route_table_ids, list("")), 0)}" - public_route_table_id = "${element(concat(var.public_route_table_ids, list("")), 0)}" + private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) + public_ip = element(concat(aws_eip.openvpnip.*.public_ip, list("")), 0) + id = element(concat(aws_instance.openvpn.*.id, list("")), 0) + security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) + vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":local.public_ip + private_route_table_id = element(concat(var.private_route_table_ids, list("")), 0) + public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) } variable "route_public_domain_name" { diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..7f62e23 --- /dev/null +++ b/versions.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + null = { + source = "hashicorp/null" + } + } + required_version = ">= 0.13" +} From cd4e62cadafb274de3a82a77ce00c32ec2681135 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 8 Nov 2020 20:29:08 +1030 Subject: [PATCH 178/306] Add python bootstrap again for testing --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index e01b2a4..e7763e8 100644 --- a/main.tf +++ b/main.tf 
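Review bot: The modernised locals still call `list("")` on every line (e.g. `concat(aws_instance.openvpn.*.private_ip, list(""))`); Terraform 0.13, which this commit now requires, deprecates the `list` function and later releases remove it, so the upgrade is incomplete and will warn on every plan. Replace each `list("")` with the literal `[""]`, which is equivalent here, or `tolist([""])` where a typed list is required.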
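Review bot: The new `required_providers` block gives a `source` for `hashicorp/aws` and `hashicorp/null` but no `version` constraint, so every `terraform init` is free to download the newest provider release, including future major versions with breaking changes; for a module that creates security groups and instances that is an unpinned supply-chain input. Add a `version` constraint next to each `source` (e.g. `version = "~> X.Y"` matching the provider release the module was tested with) and commit the dependency lock file once the project moves to a Terraform version that generates one.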
@@ -329,6 +329,7 @@ EOT } inline = [ "echo 'instance up'", # test connection + "set -x && sudo yum install -y python python3" # this line is only required if not included in the ami already ] } From e2135bb40674b20e5e342a81e067ec8add9c01d8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 8 Nov 2020 20:34:16 +1030 Subject: [PATCH 179/306] add python 3 install --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index e7763e8..e01b2a4 100644 --- a/main.tf +++ b/main.tf @@ -329,7 +329,6 @@ EOT } inline = [ "echo 'instance up'", # test connection - "set -x && sudo yum install -y python python3" # this line is only required if not included in the ami already ] } From dd0bc3f6c68723670b006e341493a3a5aec4e468 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 10 Jan 2021 12:02:01 +1030 Subject: [PATCH 180/306] cleanup --- main.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/main.tf b/main.tf index e01b2a4..07ef3c5 100644 --- a/main.tf +++ b/main.tf @@ -351,11 +351,7 @@ EOT "sudo apt-get -y update", "sudo apt-get -y install python3", "sudo apt-get -y install python-apt", - # "sudo apt-get -y install python2.7-minimal python2.7", - # "which python2.7", - # "ls /usr/bin/*ython*", "sudo fuser -v /var/cache/debconf/config.dat", # get info if anything else has a lock on this file - # "test=$(which python2.7); if [ \"$test\" != '/usr/bin/python2.7' ]; then echo 'failed to use /usr/bin/python2.7'; fi", "sudo chown openvpnas:openvpnas /home/openvpnas", # This must be a bug with 2.8.5 open vpn ami. "echo '...Finished bootstrapping'", ] From d727860a7c54f64b1536fb48fa5805a6030756af Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 23 Jan 2021 18:47:00 +1030 Subject: [PATCH 181/306] imp-vpn-use-preconfigured-ami-vault --- main.tf | 384 +++++++++++++++++++++++++-------------------------- variables.tf | 31 ++++- 2 files changed, 222 insertions(+), 193 deletions(-) diff --git a/main.tf b/main.tf index 07ef3c5..d53e594 100644 
--- a/main.tf +++ b/main.tf 
@@ -120,93 +120,93 @@ resource "null_resource" "bastion_dependency" { # ... and update the filters appropriately # We dont use image id's directly because they dont work in multiple regions. -data "aws_ami" "openvpn_2_8" { - # aws_ami function with most_recent is best when seeking a single ami, like the latest version from filters known to produce output. - count = 1 - most_recent = true - owners = ["679593333241"] # The account id - - filter { - name = "description" - values = ["OpenVPN Access Server 2.8.3 publisher image from https://www.openvpn.net/."] # The * replaces part of the serial that varies by region. - } - - filter { - name = "product-code" - values = ["f2ew2wrz425a1jagnifd02u5t"] - } -} - -variable "allow_prebuilt_openvpn_access_server_ami" { - default = false -} - -variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami queries are available, this allows us to select one. - default = "openvpn_2_8" -} - -locals { - keys = ["openvpn_2_8"] # Where multiple data aws_ami queries are available, this is the full list of options. - empty_list = list("") - values = [element( concat(data.aws_ami.openvpn_2_8.*.id, local.empty_list ), 0 )] # the list of ami id's - openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) -} - -locals { # select the found ami to use based on the map lookup - base_ami = lookup(local.openvpn_access_server_consumption_map, var.openvpn_access_server_ami_option) -} - -data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. - # aws_ami_ids function produces a list matching the filters. 
- owners = ["self"] - filter { - name = "tag:base_ami" - values = [local.base_ami] - } - filter { - name = "name" - values = ["openvpn_access_server_prebuilt_*"] - } -} - -locals { - prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids - first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) - mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) - aquired_ami = element( local.mod_list , 0) # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. - use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false - ami = local.use_prebuilt_openvpn_access_server_ami ? local.aquired_ami : local.base_ami -} - -output "base_ami" { - value = local.base_ami -} - -output "prebuilt_openvpn_access_server_ami_list" { - value = local.prebuilt_openvpn_access_server_ami_list -} - -output "first_element" { - value = local.first_element -} - -output "aquired_ami" { - value = local.aquired_ami -} - -output "use_prebuilt_openvpn_access_server_ami" { - value = local.use_prebuilt_openvpn_access_server_ami -} - -output "ami" { - value = local.ami -} +# data "aws_ami" "openvpn_2_8" { +# # aws_ami function with most_recent is best when seeking a single ami, like the latest version from filters known to produce output. +# count = 1 +# most_recent = true +# owners = ["679593333241"] # The account id + +# filter { +# name = "description" +# values = ["OpenVPN Access Server 2.8.3 publisher image from https://www.openvpn.net/."] # The * replaces part of the serial that varies by region. 
+# } + +# filter { +# name = "product-code" +# values = ["f2ew2wrz425a1jagnifd02u5t"] +# } +# } + +# variable "allow_prebuilt_openvpn_access_server_ami" { +# default = false +# } + +# variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami queries are available, this allows us to select one. +# default = "openvpn_2_8" +# } + +# locals { +# keys = ["openvpn_2_8"] # Where multiple data aws_ami queries are available, this is the full list of options. +# empty_list = list("") +# values = [element( concat(data.aws_ami.openvpn_2_8.*.id, local.empty_list ), 0 )] # the list of ami id's +# openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) +# } + +# locals { # select the found ami to use based on the map lookup +# base_ami = lookup(local.openvpn_access_server_consumption_map, var.openvpn_access_server_ami_option) +# } + +# data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. +# # aws_ami_ids function produces a list matching the filters. +# owners = ["self"] +# filter { +# name = "tag:base_ami" +# values = [local.base_ami] +# } +# filter { +# name = "name" +# values = ["openvpn_access_server_prebuilt_*"] +# } +# } + +# locals { +# prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids +# first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) +# mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) +# aquired_ami = element( local.mod_list , 0) # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. +# use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false +# ami = local.use_prebuilt_openvpn_access_server_ami ? 
local.aquired_ami : local.base_ami +# } + +# output "base_ami" { +# value = local.base_ami +# } + +# output "prebuilt_openvpn_access_server_ami_list" { +# value = local.prebuilt_openvpn_access_server_ami_list +# } + +# output "first_element" { +# value = local.first_element +# } + +# output "aquired_ami" { +# value = local.aquired_ami +# } + +# output "use_prebuilt_openvpn_access_server_ami" { +# value = local.use_prebuilt_openvpn_access_server_ami +# } + +# output "ami" { +# value = local.ami +# } resource "aws_instance" "openvpn" { count = var.create_vpn ? 1 : 0 depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] - # ami = var.ami - ami = local.ami + ami = var.ami + # ami = local.ami instance_type = var.instance_type key_name = var.aws_key_name subnet_id = element(concat(var.public_subnet_ids, list("")), 0) @@ -252,7 +252,7 @@ resource "null_resource" "start-node" { command = <= 8 + ) + error_message = "The openvpn_user_pw configured in vault must be at least 8 characters in length." + } } variable "openvpn_admin_user" { + description = "The admin user name used to configure OpenVPN Access Server" + default = "openvpnas" } variable "openvpn_admin_pw" { + description = "The admin password used to login to Open VPN Access Server." + type = string + validation { + condition = ( + length(var.openvpn_admin_pw) >= 8 + ) + error_message = "The openvpn_admin_pw configured in vault must be at least 8 characters in length." + } } variable "vpn_cidr" { @@ -75,7 +102,9 @@ variable "public_subnets" { default = [] } -variable "bastion_dependency" {} +variable "bastion_dependency" { + default = "None" +} variable "private_route_table_ids" {} variable "public_route_table_ids" {} From 38bbfb418bf302f9b13c77f6c919d4f555db4027 Mon Sep 17 00:00:00 2001 
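Review bot: `ami = var.ami` removes the only constraints the module placed on the VPN image (owner account and marketplace `product-code`), so the module now launches whatever AMI id the caller passes with no check that it derives from the OpenVPN Access Server base; the commit title suggests a pre-configured image from an image-build pipeline, so that contract should be documented where the variable is declared and the value validated, e.g. `validation { condition = can(regex("^ami-[0-9a-f]+$", var.ami)) error_message = "ami must be an AMI id." }`. The roughly ninety lines of the old lookup are kept as `#` comments rather than deleted, which hides the real diff and leaves two sources of truth; git history preserves them, so remove the commented block. The closing part of `aws_instance.openvpn` runs past this hunk.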
From: Andrew Graham Date: Sun, 24 Jan 2021 00:33:54 +1030 Subject: [PATCH 182/306] fix some required vars --- main.tf | 54 ++++++++++++++++++++++++++-------------------------- variables.tf | 12 ++++++------ 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/main.tf b/main.tf index d53e594..036af33 100644 --- a/main.tf +++ b/main.tf @@ -292,22 +292,22 @@ resource "aws_route53_record" "openvpn_record" { records = [local.public_ip] } -variable "firehawk_init_dependency" {} -resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk gateway has finished being prrovisioned because the next process may interupt its network connection - triggers = { - firehawk_init_dependency = var.firehawk_init_dependency - } -} +# variable "firehawk_init_dependency" {} +# resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk gateway has finished being prrovisioned because the next process may interupt its network connection +# triggers = { +# firehawk_init_dependency = var.firehawk_init_dependency +# } +# } -resource "null_resource" "provision_vpn" { - count = var.create_vpn ? 1 : 0 - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] +# resource "null_resource" "provision_vpn" { +# count = var.create_vpn ? 1 : 0 +# depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] - triggers = { - instanceid = local.id - # If the address changes, the vpn must be provisioned again. - vpn_address = local.vpn_address - } +# triggers = { +# instanceid = local.id +# # If the address changes, the vpn must be provisioned again. +# vpn_address = local.vpn_address +# } # provisioner "local-exec" { # interpreter = ["/bin/bash", "-c"] 
@@ -319,18 +319,18 @@ resource "null_resource" "provision_vpn" { # EOT # } - provisioner "remote-exec" { - connection { - user = var.openvpn_admin_user - host = local.public_ip - private_key = var.private_key - type = "ssh" - timeout = "10m" - } - inline = [ - "echo 'instance up'", # test connection - ] - } + # provisioner "remote-exec" { + # connection { + # user = var.openvpn_admin_user + # host = local.public_ip + # private_key = var.private_key + # type = "ssh" + # timeout = "10m" + # } + # inline = [ + # "echo 'instance up'", # test connection + # ] + # } # ### START this segment is termporary to deal with a cloud init bug # provisioner "remote-exec" { @@ -431,7 +431,7 @@ resource "null_resource" "provision_vpn" { # /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test # EOT # } -} +# } variable "start_vpn" { default = true diff --git a/variables.tf b/variables.tf index 1f5a102..101ab87 100644 --- a/variables.tf +++ b/variables.tf @@ -21,8 +21,8 @@ variable "public_subnet_ids" { default = [] } -variable "cert_arn" { -} +# variable "cert_arn" { +# } variable "aws_key_name" { } @@ -39,11 +39,11 @@ variable "bastion_ip" { default = "none" } -variable "private_key" { -} +# variable "private_key" { +# } -variable "aws_private_key_path" { -} +# variable "aws_private_key_path" { +# } variable "instance_type" { } From 7e911cc2dce8f25e7dd9e03a4dc6f6b0c8b5ef57 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 00:58:29 +1030 Subject: [PATCH 183/306] add ami var --- variables.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 101ab87..1920a58 100644 --- a/variables.tf +++ b/variables.tf @@ -109,4 +109,6 @@ variable "bastion_dependency" { variable "private_route_table_ids" {} variable "public_route_table_ids" {} -variable "private_domain_name" {} \ No newline at end of file +variable "private_domain_name" {} + +variable "ami" {} \ No newline at end of file 
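Review bot: The new `variable "ami" {}` at the end of variables.tf is the image that the `ami = var.ami` assignment in main.tf boots as the VPN host, but it carries no type, description or validation, so an empty or malformed value is only caught by the provider at apply time. Give it a type, a description that tells the caller to pin a trusted image, and a cheap format check so mistakes surface at plan time. The `cert_arn`, `private_key` and `aws_private_key_path` variables commented out in the earlier hunks of this series are left as dead text; if they are no longer inputs, delete them rather than leaving readers to guess whether they are still required.
```hcl
variable "ami" {
  description = "AMI ID for the OpenVPN Access Server instance. Supplied by the caller; pin it to a trusted owner/image rather than a broad lookup."
  type        = string

  validation {
    condition     = can(regex("^ami-[0-9a-f]+$", var.ami))
    error_message = "ami must be an AMI ID of the form ami-xxxxxxxx."
  }
}
```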
From 1b5fe1e0d6c2324a8c6aa3aa33f74bf66e2795de Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 01:03:26 +1030 Subject: [PATCH 184/306] add default dependency --- main.tf | 36 ++++++++++++++++++------------------ variables.tf | 4 ++++ 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/main.tf b/main.tf index 036af33..36b5a36 100644 --- a/main.tf +++ b/main.tf @@ -292,16 +292,16 @@ resource "aws_route53_record" "openvpn_record" { records = [local.public_ip] } -# variable "firehawk_init_dependency" {} -# resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk gateway has finished being prrovisioned because the next process may interupt its network connection -# triggers = { -# firehawk_init_dependency = var.firehawk_init_dependency -# } -# } +variable "firehawk_init_dependency" {} +resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk gateway has finished being prrovisioned because the next process may interupt its network connection + triggers = { + firehawk_init_dependency = var.firehawk_init_dependency + } +} -# resource "null_resource" "provision_vpn" { -# count = var.create_vpn ? 1 : 0 -# depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] +resource "null_resource" "provision_vpn" { + count = var.create_vpn ? 1 : 0 + depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] # triggers = { # instanceid = local.id @@ -309,15 +309,15 @@ resource "aws_route53_record" "openvpn_record" { # vpn_address = local.vpn_address # } -# provisioner "local-exec" { -# interpreter = ["/bin/bash", "-c"] -# command = < Date: Sun, 24 Jan 2021 01:06:21 +1030 Subject: [PATCH 185/306] close block --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 36b5a36..4014764 100644 --- a/main.tf +++ b/main.tf 
@@ -431,7 +431,7 @@ EOT # /vagrant/scripts/tests/test-openvpn.sh --ip "${local.private_ip}"; exit_test # EOT # } -# } +} variable "start_vpn" { default = true From 18f65faf5b74bfe457eeaf411fd703390dcd3e1f Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 01:08:36 +1030 Subject: [PATCH 186/306] remove duplicate --- main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/main.tf b/main.tf index 4014764..c620403 100644 --- a/main.tf +++ b/main.tf @@ -291,8 +291,6 @@ resource "aws_route53_record" "openvpn_record" { ttl = 300 records = [local.public_ip] } - -variable "firehawk_init_dependency" {} resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk gateway has finished being prrovisioned because the next process may interupt its network connection triggers = { firehawk_init_dependency = var.firehawk_init_dependency From 2c898099de2281d42a7a329718ae458654363ffe Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 11:09:17 +1030 Subject: [PATCH 187/306] fix route table ids var --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c620403..58a8fe3 100644 --- a/main.tf +++ b/main.tf @@ -276,8 +276,8 @@ locals { id = element(concat(aws_instance.openvpn.*.id, list("")), 0) security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}":local.public_ip - private_route_table_id = element(concat(var.private_route_table_ids, list("")), 0) - public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) + # private_route_table_id = element(concat(var.private_route_table_ids, list("")), 0) + # public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) } variable "route_public_domain_name" { From 083fbcff3eb5975428abc2a91a0b1649550b416b Mon Sep 17 00:00:00 2001 
From: Andrew Graham Date: Sun, 24 Jan 2021 11:18:10 +1030 Subject: [PATCH 188/306] use setunion --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 58a8fe3..f6b0306 100644 --- a/main.tf +++ b/main.tf @@ -209,7 +209,7 @@ resource "aws_instance" "openvpn" { # ami = local.ami instance_type = var.instance_type key_name = var.aws_key_name - subnet_id = element(concat(var.public_subnet_ids, list("")), 0) + subnet_id = element( setunion(var.public_subnet_ids, list("")), 0 ) source_dest_check = var.source_dest_check vpc_security_group_ids = [local.security_group_id] From 314f7e9e2ad37eee4ce21e135e7c2bd8516a7576 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 11:21:21 +1030 Subject: [PATCH 189/306] sort --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index f6b0306..15c1422 100644 --- a/main.tf +++ b/main.tf @@ -209,7 +209,7 @@ resource "aws_instance" "openvpn" { # ami = local.ami instance_type = var.instance_type key_name = var.aws_key_name - subnet_id = element( setunion(var.public_subnet_ids, list("")), 0 ) + subnet_id = sort( setunion(var.public_subnet_ids, list("")) )[0] source_dest_check = var.source_dest_check vpc_security_group_ids = [local.security_group_id] From 9db017d177d7f18c03e901b9869d4ee6566612dd Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 11:23:27 +1030 Subject: [PATCH 190/306] test sort --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 15c1422..72a6aa3 100644 --- a/main.tf +++ b/main.tf @@ -209,7 +209,7 @@ resource "aws_instance" "openvpn" { # ami = local.ami instance_type = var.instance_type key_name = var.aws_key_name - subnet_id = sort( setunion(var.public_subnet_ids, list("")) )[0] + subnet_id = concat( sort(var.public_subnet_ids, list("")) )[0] source_dest_check = var.source_dest_check vpc_security_group_ids = [local.security_group_id] 
From d509dddd3ffc7f4a3a42a3b4201bbff5f1f86851 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 11:24:36 +1030 Subject: [PATCH 191/306] fix ( --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 72a6aa3..06a8a74 100644 --- a/main.tf +++ b/main.tf @@ -209,7 +209,7 @@ resource "aws_instance" "openvpn" { # ami = local.ami instance_type = var.instance_type key_name = var.aws_key_name - subnet_id = concat( sort(var.public_subnet_ids, list("")) )[0] + subnet_id = concat( sort(var.public_subnet_ids) , list("") )[0] source_dest_check = var.source_dest_check vpc_security_group_ids = [local.security_group_id] From 330f6c35a0a46d9de0e027529b01a2299bd42cc0 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 11:33:36 +1030 Subject: [PATCH 192/306] remove provision vpn --- main.tf | 60 ++++++++++++++++++++++++++------------------------------- 1 file changed, 27 insertions(+), 33 deletions(-) diff --git a/main.tf b/main.tf index 06a8a74..73e3351 100644 --- a/main.tf +++ b/main.tf @@ -250,7 +250,7 @@ resource "null_resource" "start-node" { provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 24 Jan 2021 11:41:13 +1030 Subject: [PATCH 193/306] remove exit_test --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 73e3351..a8ee0f5 100644 --- a/main.tf +++ b/main.tf @@ -251,7 +251,7 @@ resource "null_resource" "start-node" { interpreter = ["/bin/bash", "-c"] command = < Date: Sun, 24 Jan 2021 12:02:24 +1030 Subject: [PATCH 194/306] output startup --- main.tf | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index a8ee0f5..8ec750c 100644 --- a/main.tf +++ b/main.tf 
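Review bot: `list("")` in the corrected `subnet_id` expression is the deprecated Terraform 0.12 function (removed in 0.15); the file already uses 0.12 expression syntax, so write the literal instead: `subnet_id = concat(sort(var.public_subnet_ids), [""])[0]`. Note also that when `public_subnet_ids` is empty (its default is `[]`, per the variables.tf context earlier in this series) the expression silently yields `subnet_id = ""` and the failure, if any, is an opaque provider error at apply time; unless an empty list is intended when `create_vpn` is false, a `validation` on the variable (declared outside this hunk) would report it at plan time.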
@@ -244,8 +244,15 @@ resource "aws_eip" "openvpnip" { } #wakeup a node after sleep + +locals { + startup = ( ! var.sleep && var.create_vpn ) ? 1 : 0 +} +output "startup" { + value = local.startup +} resource "null_resource" "start-node" { - count = ( ! var.sleep && var.create_vpn ) ? 1 : 0 + count = local.startup provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] @@ -257,8 +264,14 @@ EOT } } +locals { + shutdown = var.sleep && var.create_vpn ? 1 : 0 +} +output "shutdown" { + value = local.shutdown +} resource "null_resource" "shutdownvpn" { - count = var.sleep && var.create_vpn ? 1 : 0 + count = local.shutdown provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] From f9a40b2b7bda787963f32ec0d0723b01757f7247 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 24 Jan 2021 15:12:11 +1030 Subject: [PATCH 195/306] create iam_instance_profile for vpn --- main.tf | 82 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 42 insertions(+), 40 deletions(-) diff --git a/main.tf b/main.tf index 8ec750c..618f258 100644 --- a/main.tf +++ b/main.tf @@ -7,7 +7,7 @@ variable "common_tags" {} locals { extra_tags = { - role = "vpn" + role = "vpn" route = "public" } } 
@@ -203,14 +203,16 @@ resource "null_resource" "bastion_dependency" { # } resource "aws_instance" "openvpn" { - count = var.create_vpn ? 1 : 0 - depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] - ami = var.ami + count = var.create_vpn ? 1 : 0 + depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] + ami = var.ami # ami = local.ami - instance_type = var.instance_type - key_name = var.aws_key_name - subnet_id = concat( sort(var.public_subnet_ids) , list("") )[0] - source_dest_check = var.source_dest_check + # needs VPNServerRole + iam_instance_profile = "VPNServerProfile" + instance_type = var.instance_type + key_name = var.aws_key_name + subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] + source_dest_check = var.source_dest_check vpc_security_group_ids = [local.security_group_id] @@ -234,19 +236,19 @@ USERDATA #it must reside in the aws_eip resource to be able to establish a connection resource "aws_eip" "openvpnip" { - count = var.create_vpn ? 1 : 0 - vpc = true - instance = aws_instance.openvpn[count.index].id + count = var.create_vpn ? 1 : 0 + vpc = true + instance = aws_instance.openvpn[count.index].id depends_on = [aws_instance.openvpn] tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) - + } #wakeup a node after sleep locals { - startup = ( ! var.sleep && var.create_vpn ) ? 1 : 0 + startup = (! var.sleep && var.create_vpn) ? 1 : 0 } output "startup" { value = local.startup @@ -256,7 +258,7 @@ resource "null_resource" "start-node" { provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] - command = < Date: Sun, 24 Jan 2021 16:40:00 +1030 Subject: [PATCH 196/306] update sg group for cloud 9 ssh --- main.tf | 2 +- variables.tf | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 618f258..d52daa9 100644 --- a/main.tf +++ b/main.tf 
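Review bot: `iam_instance_profile = "VPNServerProfile"` hard-codes the name of a profile this module does not create, and the only documentation is `# needs VPNServerRole`; nothing records what that role may do, yet it is attached to a host that accepts SSH and VPN connections from outside the VPC, so a compromise of the VPN server yields whatever AWS permissions the role carries. Make it an input, `iam_instance_profile = var.iam_instance_profile`, with a description of the least-privilege policy expected (the later `vault login -method=aws` patches suggest it only needs to be recognisable to Vault's AWS auth backend, but confirm). At minimum replace the one-word comment with `# Instance profile attached to the internet-facing VPN host; the role must exist outside this module. Keep its policy minimal — anything it grants is reachable from this box.`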
@@ -35,7 +35,7 @@ resource "aws_security_group" "openvpn" { protocol = "tcp" from_port = 22 to_port = 22 - cidr_blocks = [var.remote_vpn_ip_cidr] + cidr_blocks = [var.remote_ssh_ip_cidr] description = "ssh" } ingress { diff --git a/variables.tf b/variables.tf index 7406711..bb3a42c 100644 --- a/variables.tf +++ b/variables.tf @@ -14,6 +14,10 @@ variable "remote_vpn_ip_cidr" { default = "0.0.0.0/0" } +variable "remote_ssh_ip_cidr" { + description = "The IP used to ssh to the access server for admin." +} + variable "remote_subnet_cidr" { } From 11d8fde5ed5a16d083b18a0d12946314eea047e5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Jan 2021 20:57:44 +1030 Subject: [PATCH 197/306] auth vpn vault --- main.tf | 22 ++++-- user-data-auth-client.sh | 143 +++++++++++++++++++++++++++++++++++++++ variables.tf | 16 +++++ 3 files changed, 177 insertions(+), 4 deletions(-) create mode 100644 user-data-auth-client.sh diff --git a/main.tf b/main.tf index d52daa9..373bb1f 100644 --- a/main.tf +++ b/main.tf 
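Review bot: The new `remote_ssh_ip_cidr` variable in variables.tf gates the admin SSH ingress but has no type and no validation, so a caller can pass `0.0.0.0/0` (the value the neighbouring `remote_vpn_ip_cidr` still defaults to) and open port 22 to the internet without any warning. Add `type = string` and a validation that rejects a non-CIDR or the any-address range, e.g. `validation { condition = can(cidrhost(var.remote_ssh_ip_cidr, 0)) && var.remote_ssh_ip_cidr != "0.0.0.0/0"  error_message = "remote_ssh_ip_cidr must be a specific CIDR; 0.0.0.0/0 would expose SSH to the internet." }`. Given the subject mentions Cloud9, the description could also say the value is expected to be that environment's egress range, not a broad block.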
@@ -225,11 +225,25 @@ resource "aws_instance" "openvpn" { # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ # Python is required for Ansible to function. - user_data = < >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# These variables are passed in via Terraform template interpolation +/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + + for i in $(seq 1 30); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after 30 attempts." + exit $exit_status +} + +# Retrieves the pkcs7 certificate from instance metadata +# The vault role name is filled by terraform +# The role itself is created when configuting the vault cluster +pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') +data=$(cat < index.html +python -m SimpleHTTPServer 8080 & 
diff --git a/variables.tf b/variables.tf index bb3a42c..2e201bc 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,19 @@ +variable "example_role_name" { + description = "The name of the vault role" + type = string + default = "example-role" +} +variable "consul_cluster_name" { + description = "What to name the Consul server cluster and all of its associated resources" + type = string + default = "consul-example" +} + +variable "consul_cluster_tag_key" { + description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string + default = "consul-servers" +} variable "name" { default = "openvpn" } From 61ebbfec55344b2f24ddb1d63cdb50844bbfe117 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Jan 2021 22:01:17 +1030 Subject: [PATCH 198/306] correct vault role --- user-data-auth-client.sh | 24 +++++++++++++----------- variables.tf | 2 +- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh index 0b029bc..3ac67a0 100644 --- a/user-data-auth-client.sh +++ b/user-data-auth-client.sh 
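Review bot: `example_role_name` and `consul_cluster_name` ship with placeholder defaults (`example-role`, `consul-example`) carried over from the example this was adapted from, so a deployment that forgets to set them silently tries to authenticate to Vault with a role that presumably does not exist, and the failure only shows up as a 30-attempt retry loop on the instance. Drop the defaults so Terraform requires them, and reword the first description to `description = "The Vault AWS-auth role this instance logs in with. Required; there is no sensible default."`. I cannot see `consul_cluster_name` consumed anywhere in this series — verify it is used by the template or remove it.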
@@ -123,21 +123,23 @@ login_output=$(retry \ # } # } -# We can then use the client token from this output -token=$(echo $login_output | jq -r .auth.client_token) +# # We can then use the client token from this output +# token=$(echo $login_output | jq -r .auth.client_token) -# And use the token to perform operations on vault such as reading a secret -response=$(retry \ - "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ - "Trying to read secret from vault") +# # And use the token to perform operations on vault such as reading a secret +# response=$(retry \ +# "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ +# "Trying to read secret from vault") # If vault cli is installed we can also perform these operations with vault cli # The necessary environment variables have to be set # export VAULT_TOKEN=$token -# export VAULT_ADDR=https://vault.service.consul:8200 +export VAULT_ADDR=https://vault.service.consul:8200 # /opt/vault/bin/vault read secret/example_gruntwork +vault login -method=aws header_value=vault.service.consul role=${example_role_name} +vault kv get /$resourcetier/files/usr/local/openvpn_as/scripts/seperate/ca.crt >> /usr/local/openvpn_as/scripts/seperate/ca_test.crt -# Serves the answer in a web server so we can test that this auth client is -# authenticating to vault and fetching data correctly -echo $response | jq -r .data.the_answer > index.html -python -m SimpleHTTPServer 8080 & +# # Serves the answer in a web server so we can test that this auth client is +# # authenticating to vault and fetching data correctly +# echo $response | jq -r .data.the_answer > index.html +# python -m SimpleHTTPServer 8080 & diff --git a/variables.tf b/variables.tf index 2e201bc..0a2cabe 100644 --- a/variables.tf +++ b/variables.tf 
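Review bot: `vault login -method=aws ...` prints the resulting token to stdout, and the `exec > >(tee /var/log/user-data.log | logger ... 2>/dev/console)` redirect at the top of this file (outside the hunk) copies stdout to the user-data log, syslog and the serial console, so the Vault token lands in three places, including console output readable by anyone with `ec2:GetConsoleOutput`. Use `vault login -no-print -method=aws header_value=vault.service.consul role=${example_role_name}`; the token helper still persists it (root-owned `~/.vault-token`) for the following command. Separately, `vault kv get` without `-field` or `-format` emits the human-readable table, and `>>` appends it on every boot, so `ca_test.crt` will not be a usable PEM; write `vault kv get -field=<key> ... > /usr/local/openvpn_as/scripts/seperate/ca_test.crt` with the key the secret actually stores (not visible here).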
@@ -1,5 +1,5 @@ variable "example_role_name" { - description = "The name of the vault role" + description = "The name of the vault role. (Note: This is not the AWS role name.)" type = string default = "example-role" } From cfe88e69b60b1bc594fea776884922b9f2f0d50b Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Jan 2021 22:06:02 +1030 Subject: [PATCH 199/306] use resourcetier --- main.tf | 1 + variables.tf | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/main.tf b/main.tf index 373bb1f..a89304b 100644 --- a/main.tf +++ b/main.tf @@ -243,6 +243,7 @@ data "template_file" "user_data_auth_client" { example_role_name = var.example_role_name openvpn_admin_user = var.openvpn_admin_user openvpn_admin_pw = var.openvpn_admin_pw + resourcetier = var.resourcetier } } diff --git a/variables.tf b/variables.tf index 0a2cabe..6c6e4da 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,13 @@ +variable "resourcetier" { + description = "The resource tier speicifies a unique name for a resource based on the environment. eg: dev, green, blue, main." + type = string +} + +variable "pipelineid" { + description = "The pipelineid variable can be used to uniquely specify and identify resource names for a given deployment. The pipeline ID could be set to a job ID in CI software for example. The default of 0 is fine if no more than one concurrent deployment run will occur." + type = string + default = "0" +} variable "example_role_name" { description = "The name of the vault role. (Note: This is not the AWS role name.)" type = string From 9ca8f40111d1485911ff9d49ce49c4af4ded04ed Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Jan 2021 22:36:43 +1030 Subject: [PATCH 200/306] test vault agent --- user-data-auth-client-delete.sh | 159 ++++++++++++++++++++++++++++++++ user-data-auth-client.sh | 125 +++++++------------------ 2 files changed, 191 insertions(+), 93 deletions(-) create mode 100644 user-data-auth-client-delete.sh 
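Review bot: The `template_file` var map in the main.tf hunk passes `openvpn_admin_pw = var.openvpn_admin_pw` straight into user_data, so the admin password is stored in plaintext in the instance's user-data attribute, readable via `aws ec2 describe-instance-attribute --attribute userData` by any principal with that permission and from the metadata endpoint by any process on the host. Now that the boot script authenticates to Vault, fetch the password from Vault after login instead of templating it, and mark the variable `sensitive = true` in variables.tf (outside this hunk; Terraform ≥ 0.14) so it is redacted from plan output. The new `resourcetier` value is interpolated into a Vault secret path; a validation such as `condition = can(regex("^[a-z0-9-]+$", var.resourcetier))` would stop a stray `/` or `..` from changing which secret is read.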
diff --git a/user-data-auth-client-delete.sh b/user-data-auth-client-delete.sh new file mode 100644 index 0000000..9bee30a --- /dev/null +++ b/user-data-auth-client-delete.sh @@ -0,0 +1,159 @@ +#!/bin/bash +# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the +# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI +# built from the Packer template in examples/vault-consul-ami/vault-consul.json. + +set -e + +admin_user="${openvpn_admin_user}" +admin_pw="${openvpn_admin_pw}" +# TODO these will be replaced with calls to vault. + +# Send the log output from this script to user-data.log, syslog, and the console +# 
From: https://alestic.com/2010/12/ec2-user-data-output/ +exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# These variables are passed in via Terraform template interpolation +/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + + for i in $(seq 1 30); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after 30 attempts." + exit $exit_status +} + +# Retrieves the pkcs7 certificate from instance metadata +# The vault role name is filled by terraform +# The role itself is created when configuting the vault cluster +# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') +# data=$(cat <> /usr/local/openvpn_as/scripts/seperate/ca_test.crt + +# # Serves the answer in a web server so we can test that this auth client is +# # authenticating to vault and fetching data correctly +# echo $response | jq -r .data.the_answer > index.html +# python -m SimpleHTTPServer 8080 & 
diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh index 3ac67a0..5e9b216 100644 --- a/user-data-auth-client.sh +++ b/user-data-auth-client.sh @@ -2,20 +2,17 @@ # This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the # run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI # built from the Packer template in examples/vault-consul-ami/vault-consul.json. +# It then uses Vault agent to automatically authenticate to the Vault server. After login, Vault agent writes the +# authentication token to a file location, which you can use for your applications. Note that by default, only the `vault` +# user has access to the file, so you may need to grant the appropriate permissions to your application. +# Finally, this script reads a secret and exposes it in a simple web server for test purposes. set -e -admin_user="${openvpn_admin_user}" -admin_pw="${openvpn_admin_pw}" -# TODO these will be replaced with calls to vault. - # Send the log output from this script to user-data.log, syslog, and the console # From: https://alestic.com/2010/12/ec2-user-data-output/ exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 -# These variables are passed in via Terraform template interpolation -/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" - # Log the given message. All logs are written to stderr with a timestamp. function log { local -r message="$1" 
@@ -50,96 +47,38 @@ function retry { exit $exit_status } -# Retrieves the pkcs7 certificate from instance metadata -# The vault role name is filled by terraform -# The role itself is created when configuting the vault cluster -pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') -data=$(cat <> /usr/local/openvpn_as/scripts/seperate/ca_test.crt -# # Serves the answer in a web server so we can test that this auth client is -# # authenticating to vault and fetching data correctly -# echo $response | jq -r .data.the_answer > index.html +response=$(retry \ + "vault kv get -format=json /$resourcetier/files/usr/local/openvpn_as/scripts/seperate/ca.crt" \ + "Trying to read secret from vault") + +# /opt/vault/bin/vault read secret/example_gruntwork +# Serves the answer in a web server so we can test that this auth client is +# authenticating to vault and fetching data correctly +echo $response | jq -r .data > /usr/local/openvpn_as/scripts/seperate/ca_test.crt # python -m SimpleHTTPServer 8080 & From 2080c17ef3515a374ba6b12710ce5014f177edcf Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Jan 2021 23:09:13 +1030 Subject: [PATCH 201/306] update auth method and policies --- user-data-auth-client-agent.sh | 86 +++++++++++++++++ user-data-auth-client-delete.sh | 159 -------------------------------- user-data-auth-client.sh | 129 ++++++++++++++++++++------ 3 files changed, 188 insertions(+), 186 deletions(-) create mode 100644 user-data-auth-client-agent.sh delete mode 100644 user-data-auth-client-delete.sh diff --git a/user-data-auth-client-agent.sh b/user-data-auth-client-agent.sh new file mode 100644 index 0000000..d739315 --- /dev/null +++ b/user-data-auth-client-agent.sh 
@@ -0,0 +1,86 @@ +#!/bin/bash +# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the +# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI +# built from the Packer template in examples/vault-consul-ami/vault-consul.json. +# It then uses Vault agent to automatically authenticate to the Vault server. After login, Vault agent writes the +# authentication token to a file location, which you can use for your applications. Note that by default, only the `vault` +# user has access to the file, so you may need to grant the appropriate permissions to your application. +# Finally, this script reads a secret and exposes it in a simple web server for test purposes. + +set -e + +# Send the log output from this script to user-data.log, syslog, and the console +# 
From: https://alestic.com/2010/12/ec2-user-data-output/ +exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + + for i in $(seq 1 30); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after 30 attempts." + exit $exit_status +} + +# These variables are passed in via Terraform template interpolation +/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" + +# Start the Vault agent +export VAULT_ADDR=https://vault.service.consul:8200 + +/opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" + +# Retry and wait for the Vault Agent to write the token out to a file. 
This could be +# because the Vault server is still booting and unsealing, or because run-consul +# running on the background didn't finish yet +retry \ + "[[ -s /opt/vault/data/vault-token ]] && echo 'vault token file created'" \ + "waiting for Vault agent to write out token to sink" + +# We can then use the client token from the login output once login was successful +token=$(cat /opt/vault/data/vault-token) + +# And use the token to perform operations on vault such as reading a secret +# These is being retried because race conditions were causing this to come up null sometimes +# response=$(retry \ +# "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ +# "Trying to read secret from vault") + +# Vault CLI alternative: +export VAULT_TOKEN=$token + + +response=$(retry \ + "vault kv get -format=json /$resourcetier/files/usr/local/openvpn_as/scripts/seperate/ca.crt" \ + "Trying to read secret from vault") + +# /opt/vault/bin/vault read secret/example_gruntwork +# Serves the answer in a web server so we can test that this auth client is +# authenticating to vault and fetching data correctly +echo $response | jq -r .data > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +# python -m SimpleHTTPServer 8080 & diff --git a/user-data-auth-client-delete.sh b/user-data-auth-client-delete.sh deleted file mode 100644 index 9bee30a..0000000 --- a/user-data-auth-client-delete.sh +++ /dev/null 
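Review bot: In `retry`, `errors=$(echo "$output") | grep '^{' | jq -r .errors` runs the assignment in a pipeline subshell, so `$errors` is never set in the caller and the `-z "$errors"` check can never reject a response carrying a Vault error object; the intended line is `errors=$(echo "$output" | grep '^{' | jq -r .errors)`. The kv path uses `$resourcetier` without braces, which is not Terraform interpolation if this file is rendered through the same `template_file` as its sibling, so the shell expands an unset variable and the script reads `//files/usr/local/...`; it should be `${resourcetier}`, as PATCH 202 later does for user-data-auth-client.sh. Finally, `jq -r .data` on `vault kv get -format=json` output yields a JSON object rather than the certificate text (on a KV v2 mount the value sits under `.data.data.<key>`), so `ca_test.crt` will not be a PEM; select the field explicitly.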
@@ -1,159 +0,0 @@ -#!/bin/bash -# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the -# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI -# built from the Packer template in examples/vault-consul-ami/vault-consul.json. - -set -e - -admin_user="${openvpn_admin_user}" -admin_pw="${openvpn_admin_pw}" -# TODO these will be replaced with calls to vault. - -# Send the log output from this script to user-data.log, syslog, and the console -# 
From: https://alestic.com/2010/12/ec2-user-data-output/ -exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - -# These variables are passed in via Terraform template interpolation -/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" - -# Log the given message. All logs are written to stderr with a timestamp. -function log { - local -r message="$1" - local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") - >&2 echo -e "$timestamp $message" -} - -# A retry function that attempts to run a command a number of times and returns the output -function retry { - local -r cmd="$1" - local -r description="$2" - - for i in $(seq 1 30); do - log "$description" - - # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the - # beginning of this script which exits the script immediatelly for error status while not losing the exit status code - output=$(eval "$cmd") && exit_status=0 || exit_status=$? - errors=$(echo "$output") | grep '^{' | jq -r .errors - - log "$output" - - if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then - echo "$output" - return - fi - log "$description failed. Will sleep for 10 seconds and try again." - sleep 10 - done; - - log "$description failed after 30 attempts." - exit $exit_status -} - -# Retrieves the pkcs7 certificate from instance metadata -# The vault role name is filled by terraform -# The role itself is created when configuting the vault cluster -# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') -# data=$(cat <> /usr/local/openvpn_as/scripts/seperate/ca_test.crt - -# # Serves the answer in a web server so we can test that this auth client is -# # authenticating to vault and fetching data correctly -# echo $response | jq -r .data.the_answer > index.html -# python -m SimpleHTTPServer 8080 & 
diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh index 5e9b216..1da4d80 100644 --- a/user-data-auth-client.sh +++ b/user-data-auth-client.sh @@ -2,17 +2,20 @@ # This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the # run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI # built from the Packer template in examples/vault-consul-ami/vault-consul.json. -# It then uses Vault agent to automatically authenticate to the Vault server. After login, Vault agent writes the -# authentication token to a file location, which you can use for your applications. Note that by default, only the `vault` -# user has access to the file, so you may need to grant the appropriate permissions to your application. -# Finally, this script reads a secret and exposes it in a simple web server for test purposes. set -e +admin_user="${openvpn_admin_user}" +admin_pw="${openvpn_admin_pw}" +# TODO these will be replaced with calls to vault. + # Send the log output from this script to user-data.log, syslog, and the console # From: https://alestic.com/2010/12/ec2-user-data-output/ exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 +# These variables are passed in via Terraform template interpolation +/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" + # Log the given message. All logs are written to stderr with a timestamp. function log { local -r message="$1" 
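Review bot: `admin_pw="${openvpn_admin_pw}"` drops the raw Terraform-interpolated password inside a double-quoted bash string, so a password containing `"`, `$`, a backtick or `\` either breaks the assignment or is expanded by the shell — and with `set -e` that aborts the boot script — while the value also sits in plaintext in user_data. Since this same script logs in to Vault further down, resolve the `# TODO these will be replaced with calls to vault.` now by reading the admin credentials with `vault kv get -field=...` after the login rather than templating them. If templating must stay, document the constraint next to the assignment: `# Inserted verbatim by template_file — the password must not contain ", $, backtick or backslash.`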
@@ -47,38 +50,110 @@ function retry { exit $exit_status } -# These variables are passed in via Terraform template interpolation -/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" +# Retrieves the pkcs7 certificate from instance metadata +# The vault role name is filled by terraform +# The role itself is created when configuting the vault cluster +# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') +# data=$(cat < /usr/local/openvpn_as/scripts/seperate/ca_test.crt -# /opt/vault/bin/vault read secret/example_gruntwork -# Serves the answer in a web server so we can test that this auth client is -# authenticating to vault and fetching data correctly -echo $response | jq -r .data > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +# # Serves the answer in a web server so we can test that this auth client is +# # authenticating to vault and fetching data correctly +# echo $response | jq -r .data.the_answer > index.html # python -m SimpleHTTPServer 8080 & From d1b09626dff7a2942dd2742b750d292038a769f6 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 25 Jan 2021 23:40:48 +1030 Subject: [PATCH 202/306] missing brackets --- user-data-auth-client.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh index 1da4d80..728be7d 100644 --- a/user-data-auth-client.sh +++ b/user-data-auth-client.sh @@ -151,7 +151,7 @@ retry \ # /opt/vault/bin/vault read secret/example_gruntwork -vault kv get /$resourcetier/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt # # Serves the answer in a web server so we can test that this auth client is # # authenticating to vault and fetching data correctly 
From 3ea7cf1097bbec263c53820787996889eeddf972 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 11:33:29 +1030 Subject: [PATCH 203/306] test secret aquisition --- user-data-auth-client.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh index 728be7d..4edd2a3 100644 --- a/user-data-auth-client.sh +++ b/user-data-auth-client.sh @@ -144,14 +144,14 @@ export VAULT_ADDR=https://vault.service.consul:8200 # running on the background didn't finish yet retry \ "vault login -method=aws header_value=vault.service.consul role=${example_role_name}" \ - "waiting for Vault login" + "Waiting for Vault login" # # We can then use the client token from the login output once login was successful # token=$(cat /opt/vault/data/vault-token) # /opt/vault/bin/vault read secret/example_gruntwork -vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +# vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt # # Serves the answer in a web server so we can test that this auth client is # # authenticating to vault and fetching data correctly From 663823a7e0ad68ec32f971f7b14e508900af15a1 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 13:30:35 +1030 Subject: [PATCH 204/306] dynamic-aws-key --- main.tf | 10 +- user-data-auth-client-aws-secret.sh | 163 ++++++++++++++++++++++++++++ 2 files changed, 172 insertions(+), 1 deletion(-) create mode 100644 user-data-auth-client-aws-secret.sh diff --git a/main.tf b/main.tf index a89304b..3636745 100644 --- a/main.tf +++ b/main.tf 
@@ -234,8 +234,14 @@ resource "aws_instance" "openvpn" { } +data "vault_aws_access_credentials" "creds" { + # dynamically generated AWS key. + backend = "aws" + role = "vpn-server-vault-iam-creds-role" +} + data "template_file" "user_data_auth_client" { - template = file("${path.module}/user-data-auth-client.sh") + template = file("${path.module}/user-data-auth-client-aws-secret.sh") vars = { consul_cluster_tag_key = var.consul_cluster_tag_key @@ -244,6 +250,8 @@ data "template_file" "user_data_auth_client" { openvpn_admin_user = var.openvpn_admin_user openvpn_admin_pw = var.openvpn_admin_pw resourcetier = var.resourcetier + aws_secret_access_key = data.vault_aws_access_credentials.creds.access_key + aws_access_key_id = data.vault_aws_access_credentials.creds.secret_key } } diff --git a/user-data-auth-client-aws-secret.sh b/user-data-auth-client-aws-secret.sh new file mode 100644 index 0000000..f525672 --- /dev/null +++ b/user-data-auth-client-aws-secret.sh @@ -0,0 +1,163 @@ +#!/bin/bash +# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the +# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI +# built from the Packer template in examples/vault-consul-ami/vault-consul.json. + +set -e + +admin_user="${openvpn_admin_user}" +admin_pw="${openvpn_admin_pw}" +# TODO these will be replaced with calls to vault. + +# Send the log output from this script to user-data.log, syslog, and the console +# 
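Review bot: The two new `vars` lines are crossed: `aws_secret_access_key` is given `creds.access_key` and `aws_access_key_id` is given `creds.secret_key`, so whatever consumes them in the template receives the key id and the secret swapped. They should read `aws_access_key_id = data.vault_aws_access_credentials.creds.access_key` and `aws_secret_access_key = data.vault_aws_access_credentials.creds.secret_key`. Independently of the swap, routing a freshly minted AWS key pair through `template_file` vars places it in the rendered user-data (readable from the instance metadata service by any local process) and in the Terraform state; the `vault login -method=aws ... role=${example_role_name}` path the script used before needs no secret in user-data at all. The enclosing `data "template_file"` block begins in the preceding hunk.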
From: https://alestic.com/2010/12/ec2-user-data-output/ +exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# These variables are passed in via Terraform template interpolation +/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + + for i in $(seq 1 30); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after 30 attempts." 
+ exit $exit_status +} + +# Retrieves the pkcs7 certificate from instance metadata +# The vault role name is filled by terraform +# The role itself is created when configuting the vault cluster +# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') +# data=$(cat < \ +# aws_secret_access_key= + +# # We can then use the client token from the login output once login was successful +# token=$(cat /opt/vault/data/vault-token) + +# /opt/vault/bin/vault read secret/example_gruntwork + +# vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + +# # Serves the answer in a web server so we can test that this auth client is +# # authenticating to vault and fetching data correctly +# echo $response | jq -r .data.the_answer > index.html +# python -m SimpleHTTPServer 8080 & From 32db4cf0996897e0a0234ee1f9d9336ca3d86ac9 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 16:25:48 +1030 Subject: [PATCH 205/306] vault-token-auth-vpn --- main.tf | 18 ++- user-data-auth-client-vault-token.sh | 163 +++++++++++++++++++++++++++ 2 files changed, 178 insertions(+), 3 deletions(-) create mode 100644 user-data-auth-client-vault-token.sh diff --git a/main.tf b/main.tf index 3636745..3745e35 100644 --- a/main.tf +++ b/main.tf @@ -240,8 +240,19 @@ data "vault_aws_access_credentials" "creds" { role = "vpn-server-vault-iam-creds-role" } +resource "vault_token" "vpn_admin" { + # dynamically generate a token with constrained permisions for the vpn role. + role_name = "vpn-server-vault-token-creds-role" + + policies = ["vpn_server"] + + renewable = true + ttl = "600s" + period = "300s" +} + data "template_file" "user_data_auth_client" { - template = file("${path.module}/user-data-auth-client-aws-secret.sh") + template = file("${path.module}/user-data-auth-client-vault-token.sh") vars = { consul_cluster_tag_key = var.consul_cluster_tag_key 
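Review bot: In the new `retry` function, `errors=$(echo "$output") | grep '^{' | jq -r .errors` is a pipeline whose first stage is a bare assignment, so `errors` is only set in a subshell and the `-z "$errors"` term of the success test is always true; the JSON error check never fires. The working form is `errors=$(echo "$output" | grep '^{' | jq -r '.errors // empty')`, where `// empty` keeps a JSON reply without an `errors` key from being treated as a failure. The same copy of `retry` appears in user-data-auth-client-vault-token.sh (PATCH 205) and request_vault_file.sh (PATCH 215), and the PATCH 210 change to the `if` line keeps the dead test in place.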
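Review bot: `resource "vault_token" "vpn_admin"` sets both `ttl = "600s"` and `period = "300s"`; as far as I recall a periodic token's TTL is its period, so the 600s value is inert, and since nothing in the user-data script renews the token it will lapse about 300s after its last renewal — possibly the intent, but then `ttl` is misleading and `explicit_max_ttl` is the setting that actually caps a periodic token. No `num_uses` is set, so the token is unbounded in uses for as long as it lives. The `client_token` of a `vault_token` resource is also stored in the Terraform state, so the state now holds a live token carrying the `vpn_server` policy; a comment on the resource should say so, e.g. `# NOTE: client_token is persisted in Terraform state; the state backend must be treated as secret storage.`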
@@ -250,8 +261,9 @@ data "template_file" "user_data_auth_client" { openvpn_admin_user = var.openvpn_admin_user openvpn_admin_pw = var.openvpn_admin_pw resourcetier = var.resourcetier - aws_secret_access_key = data.vault_aws_access_credentials.creds.access_key - aws_access_key_id = data.vault_aws_access_credentials.creds.secret_key + # aws_secret_access_key = data.vault_aws_access_credentials.creds.access_key + # aws_access_key_id = data.vault_aws_access_credentials.creds.secret_key + vault_token = vault_token.vpn_admin.client_token } } diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh new file mode 100644 index 0000000..231f036 --- /dev/null +++ b/user-data-auth-client-vault-token.sh @@ -0,0 +1,163 @@ +#!/bin/bash +# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the +# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI +# built from the Packer template in examples/vault-consul-ami/vault-consul.json. + +set -e + +admin_user="${openvpn_admin_user}" +admin_pw="${openvpn_admin_pw}" +# TODO these will be replaced with calls to vault. + +# Send the log output from this script to user-data.log, syslog, and the console +# 
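Review bot: `vault_token = vault_token.vpn_admin.client_token` passes the Vault token through template vars into the instance user-data, where any process on the instance can read it from the instance metadata service and anyone permitted to describe the instance's attributes can read it from the EC2 API, on top of the copy already in Terraform state. The commented-out AWS-key lines just above it were the same pattern with a different secret. The earlier script logged in with `vault login -method=aws ... role=${example_role_name}`, which ships no secret at all; if a token must be delivered this way, issuing it response-wrapped (the resource's `wrapping_ttl`) would at least bound what a reader of user-data obtains. The `template_file` block begins in the preceding hunk.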
From: https://alestic.com/2010/12/ec2-user-data-output/ +exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# These variables are passed in via Terraform template interpolation +/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + + for i in $(seq 1 30); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after 30 attempts." 
+ exit $exit_status +} + +# Retrieves the pkcs7 certificate from instance metadata +# The vault role name is filled by terraform +# The role itself is created when configuting the vault cluster +# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') +# data=$(cat < \ +# aws_secret_access_key= + +# # We can then use the client token from the login output once login was successful +# token=$(cat /opt/vault/data/vault-token) + +# /opt/vault/bin/vault read secret/example_gruntwork + +vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + +# # Serves the answer in a web server so we can test that this auth client is +# # authenticating to vault and fetching data correctly +# echo $response | jq -r .data.the_answer > index.html +# python -m SimpleHTTPServer 8080 & From ab42a1392dfe4a356f7aa84242f9fe9d69cf47a3 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 16:33:42 +1030 Subject: [PATCH 206/306] remove vault_aws_access_credentials --- main.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 3745e35..2aa3cf3 100644 --- a/main.tf +++ b/main.tf @@ -234,11 +234,11 @@ resource "aws_instance" "openvpn" { } -data "vault_aws_access_credentials" "creds" { - # dynamically generated AWS key. - backend = "aws" - role = "vpn-server-vault-iam-creds-role" -} +# data "vault_aws_access_credentials" "creds" { +# # dynamically generated AWS key. +# backend = "aws" +# role = "vpn-server-vault-iam-creds-role" +# } resource "vault_token" "vpn_admin" { # dynamically generate a token with constrained permisions for the vpn role. From 2cd8298c06ba15351e8f37355a38e7b3ee87e3f1 Mon Sep 17 00:00:00 2001 
From: Andrew Graham Date: Tue, 26 Jan 2021 16:43:15 +1030 Subject: [PATCH 207/306] test output token --- main.tf | 4 ++++ user-data-auth-client-vault-token.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 2aa3cf3..a74d4f2 100644 --- a/main.tf +++ b/main.tf @@ -251,6 +251,10 @@ resource "vault_token" "vpn_admin" { period = "300s" } +output "vault_token.vpn_admin.client_token" { + value = vault_token.vpn_admin.client_token +} + data "template_file" "user_data_auth_client" { template = file("${path.module}/user-data-auth-client-vault-token.sh") diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 231f036..08dade4 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -143,7 +143,7 @@ export VAULT_ADDR=https://vault.service.consul:8200 # because the Vault server is still booting and unsealing, or because run-consul # running on the background didn't finish yet retry \ - " vault login ${vault_token}" \ + "vault login ${vault_token}" \ "Waiting for Vault login" # vault login -method=aws header_value=vault.example.com role=dev-role-iam \ From d3e544ca5cc6a361c1cbc551eaf08d1bf8405a36 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 16:46:14 +1030 Subject: [PATCH 208/306] update vault token name --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a74d4f2..a4663fc 100644 --- a/main.tf +++ b/main.tf @@ -251,7 +251,7 @@ resource "vault_token" "vpn_admin" { period = "300s" } -output "vault_token.vpn_admin.client_token" { +output "vault_token" { value = vault_token.vpn_admin.client_token } From 81ecef50fb44d7c7fc711fb8ae652d5f86570abc Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 17:39:33 +1030 Subject: [PATCH 209/306] set token num uses --- user-data-auth-client-vault-token.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
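Review bot: `output "vault_token.vpn_admin.client_token"` exposes a live Vault token as a plain Terraform output, so it is printed at the end of every apply and ends up in CI logs and in any `terraform output` call, in addition to the state copy. If the output is needed for testing it should at least carry `sensitive = true`; the PATCH 208 rename of the output in this series does not change that. At this commit the script still runs `vault login ${vault_token}` without `--no-print` (added in PATCH 209), so the token is also echoed by `log "$output"` in `retry` into user-data.log, syslog and the console.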
diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 08dade4..a314643 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -143,7 +143,7 @@ export VAULT_ADDR=https://vault.service.consul:8200 # because the Vault server is still booting and unsealing, or because run-consul # running on the background didn't finish yet retry \ - "vault login ${vault_token}" \ + "vault login --no-print ${vault_token}" \ "Waiting for Vault login" # vault login -method=aws header_value=vault.example.com role=dev-role-iam \ @@ -157,6 +157,9 @@ retry \ vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +# if this script fails, we can set the instance health status but we need to capture a fault +# aws autoscaling set-instance-health --instance-id i-0b03e12682e74746e --health-status Unhealthy + # # Serves the answer in a web server so we can test that this auth client is # # authenticating to vault and fetching data correctly # echo $response | jq -r .data.the_answer > index.html From 31a97dafc43a2007fea8d56c984e29c0ccefe332 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 18:11:12 +1030 Subject: [PATCH 210/306] onlye use exit status --- main.tf | 4 ---- user-data-auth-client-vault-token.sh | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/main.tf b/main.tf index a4663fc..2aa3cf3 100644 --- a/main.tf +++ b/main.tf @@ -251,10 +251,6 @@ resource "vault_token" "vpn_admin" { period = "300s" } -output "vault_token" { - value = vault_token.vpn_admin.client_token -} - data "template_file" "user_data_auth_client" { template = file("${path.module}/user-data-auth-client-vault-token.sh") diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index a314643..0682b78 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
@@ -38,7 +38,7 @@ function retry { log "$output" - if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then + if [[ $exit_status -eq 0 && -z "$errors" ]]; then echo "$output" return fi From d2b762fb2543f0b95b7ba9babe44cb48c87ac426 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 18:40:52 +1030 Subject: [PATCH 211/306] aquire file with permissions --- user-data-auth-client-agent.sh | 1 - user-data-auth-client-vault-token.sh | 22 +++++++++++++++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/user-data-auth-client-agent.sh b/user-data-auth-client-agent.sh index d739315..70dcf2d 100644 --- a/user-data-auth-client-agent.sh +++ b/user-data-auth-client-agent.sh @@ -74,7 +74,6 @@ token=$(cat /opt/vault/data/vault-token) # Vault CLI alternative: export VAULT_TOKEN=$token - response=$(retry \ "vault kv get -format=json /$resourcetier/files/usr/local/openvpn_as/scripts/seperate/ca.crt" \ "Trying to read secret from vault") diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 0682b78..9dfa5ca 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
@@ -154,9 +154,25 @@ retry \ # token=$(cat /opt/vault/data/vault-token) # /opt/vault/bin/vault read secret/example_gruntwork - -vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt - +echo "Aquiring vault data..." +# data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) + +# vault kv get -field=file /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + +file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt +response=$(retry \ + "vault kv get -format=json /${resourcetier}/files/$file_path" \ + "Trying to read secret from vault") +echo $response | jq -r .data.file > $file_path +permissions=$(echo $response | jq -r .data.permissions) +uid=$(echo $response | jq -r .data.uid) +gid=$(echo $response | jq -r .data.gid) +echo "Setting:" +echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" +chown $uid:$gid $file_path +chmod $permissions $file_path + +echo "Done." # if this script fails, we can set the instance health status but we need to capture a fault # aws autoscaling set-instance-health --instance-id i-0b03e12682e74746e --health-status Unhealthy From 06b9fd0554cd9b744a3cdbffa46119e027057e0a Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 18:50:33 +1030 Subject: [PATCH 212/306] fix double data ref --- user-data-auth-client-vault-token.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 9dfa5ca..bd3db84 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
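Review bot: `response=$(retry "vault kv get -format=json ..." ...)` routes the secret through `retry`, and `retry` does `log "$output"` on every attempt, so the full JSON payload — the CA cert here, and `client.key` and `ta.key` once PATCH 213 adds them — is written to /var/log/user-data.log, syslog and the console through the `exec` redirect at the top of the script. Either drop the `log "$output"` line in `retry` (outside this hunk) or replace it with `log "$description: exit status $exit_status"` so the payload itself is never logged. The second issue is ordering: `echo $response | jq -r .data.file > $file_path` creates the file under the default umask and only afterwards runs `chmod $permissions`, leaving a window in which key material is readable by other local users; writing inside `( umask 077; echo "$response" | jq -r .data.file > "$file_path" )` before the `chown`/`chmod` closes it. The same sequence is carried into the `retrieve_file` functions of PATCH 213, 215, 217 and 218.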
@@ -157,16 +157,16 @@ retry \ echo "Aquiring vault data..." # data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) -# vault kv get -field=file /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt - file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt +vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + response=$(retry \ "vault kv get -format=json /${resourcetier}/files/$file_path" \ "Trying to read secret from vault") -echo $response | jq -r .data.file > $file_path -permissions=$(echo $response | jq -r .data.permissions) -uid=$(echo $response | jq -r .data.uid) -gid=$(echo $response | jq -r .data.gid) +echo $response | jq -r .data.data.file > $file_path +permissions=$(echo $response | jq -r .data.data.permissions) +uid=$(echo $response | jq -r .data.data.uid) +gid=$(echo $response | jq -r .data.data.gid) echo "Setting:" echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" chown $uid:$gid $file_path From 9b7f21d1726b2574b9a4a7e011ed2a82cffc8df1 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 26 Jan 2021 19:01:30 +1030 Subject: [PATCH 213/306] retrieve multiple files --- user-data-auth-client-vault-token.sh | 33 ++++++++++++++++++---------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index bd3db84..1c0b21c 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
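Review bot: The added `vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt` dumps the raw JSON response, including the file payload and its metadata, into a second file that receives no `chown`/`chmod`, and it bypasses `retry`, so a transient Vault failure aborts the script under `set -e` before the real read is attempted. It reads like a debugging leftover and should be removed, or at least commented out like the `data=$(...)` line above it; PATCH 213 in this series does drop it.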
@@ -157,20 +157,31 @@ retry \ echo "Aquiring vault data..." # data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) -file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt -vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +function retrieve_file { + local -r file_path="$1" + # file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt + # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt -response=$(retry \ + local -r response=$(retry \ "vault kv get -format=json /${resourcetier}/files/$file_path" \ "Trying to read secret from vault") -echo $response | jq -r .data.data.file > $file_path -permissions=$(echo $response | jq -r .data.data.permissions) -uid=$(echo $response | jq -r .data.data.uid) -gid=$(echo $response | jq -r .data.data.gid) -echo "Setting:" -echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" -chown $uid:$gid $file_path -chmod $permissions $file_path + echo $response | jq -r .data.data.file > $file_path + local -r permissions=$(echo $response | jq -r .data.data.permissions) + local -r uid=$(echo $response | jq -r .data.data.uid) + local -r gid=$(echo $response | jq -r .data.data.gid) + echo "Setting:" + echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" + chown $uid:$gid $file_path + chmod $permissions $file_path +} + +# Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. + +retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" echo "Done." 
# if this script fails, we can set the instance health status but we need to capture a fault From 4dc21ad30312aaaa205f25189910802f78cc2115 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 15 Feb 2021 20:57:04 +1030 Subject: [PATCH 214/306] internal-vaut-client --- main.tf | 6 +++--- variables.tf | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 2aa3cf3..03f2acc 100644 --- a/main.tf +++ b/main.tf @@ -18,7 +18,7 @@ resource "aws_security_group" "openvpn" { vpc_id = var.vpc_id description = "OpenVPN security group" - tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) + tags = merge(map("Name", var.name), var.common_tags, local.extra_tags) ingress { protocol = "-1" @@ -220,7 +220,7 @@ resource "aws_instance" "openvpn" { delete_on_termination = true } - tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) + tags = merge(map("Name", var.name), var.common_tags, local.extra_tags) # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ @@ -276,7 +276,7 @@ resource "aws_eip" "openvpnip" { instance = aws_instance.openvpn[count.index].id depends_on = [aws_instance.openvpn] - tags = merge(map("Name", format("%s", var.name)), var.common_tags, local.extra_tags) + tags = merge(map("Name", var.name), var.common_tags, local.extra_tags) } diff --git a/variables.tf b/variables.tf index 6c6e4da..4c1f7b0 100644 --- a/variables.tf +++ b/variables.tf @@ -26,6 +26,7 @@ variable "consul_cluster_tag_key" { } variable "name" { default = "openvpn" + type = string } variable "create_vpn" {} From b2b4d48ae175ff8e314fc123e277f62fb480f738 Mon Sep 17 00:00:00 2001 
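Review bot: `local -r response=$(retry ...)` in the new `retrieve_file` discards retry's failure: the `exit $exit_status` inside `$(...)` only leaves the subshell, and `local` returns 0 regardless of the substitution's status, so `set -e` never triggers. On a failed read the function carries on with an empty `$response`, writes an empty file to `$file_path` and runs `chown`/`chmod` with empty values. Splitting the declaration makes the status visible: `local response` followed by `response=$(retry "vault kv get -format=json /${resourcetier}/files/$file_path" "Trying to read secret from vault") || exit 1`. A guard such as `[[ -n "$response" ]] || { log "empty response for $file_path"; exit 1; }` after it would also catch the empty-output case that the PATCH 210 change to `retry` now accepts.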
From: Andrew Graham Date: Sun, 21 Feb 2021 11:00:24 +1030 Subject: [PATCH 215/306] request vault file --- request_vault_file.sh | 92 ++++++++++++++++++++++++++++ user-data-auth-client-vault-token.sh | 4 +- 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 request_vault_file.sh diff --git a/request_vault_file.sh b/request_vault_file.sh new file mode 100644 index 0000000..85ba6c1 --- /dev/null +++ b/request_vault_file.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash +# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the +# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI +# built from the Packer template in examples/vault-consul-ami/vault-consul.json. + +set -e + +resourcetier="${resourcetier}" +attempts=1 + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + + for i in $(seq 1 $attempts); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after 30 attempts." + exit $exit_status +} +# export VAULT_TOKEN=${vault_token} +export VAULT_ADDR=https://vault.service.consul:8200 + +# Retry and wait for the Vault Agent to write the token out to a file. 
This could be +# because the Vault server is still booting and unsealing, or because run-consul +# running on the background didn't finish yet +retry \ + "vault login --no-print $VAULT_TOKEN" \ + "Waiting for Vault login" + +# vault login -method=aws header_value=vault.example.com role=dev-role-iam \ +# aws_access_key_id= \ +# aws_secret_access_key= + +# # We can then use the client token from the login output once login was successful +# token=$(cat /opt/vault/data/vault-token) + +# /opt/vault/bin/vault read secret/example_gruntwork +echo "Aquiring vault data..." +# data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) + +function retrieve_file { + local -r file_path="$1" + # file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt + # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + + local -r response=$(retry \ + "vault kv get -format=json /$resourcetier/files/$file_path" \ + "Trying to read secret from vault") + mkdir -p $(dirname $file_path) # ensure the directory exists + echo $response | jq -r .data.data.file > $file_path + local -r permissions=$(echo $response | jq -r .data.data.permissions) + local -r uid=$(echo $response | jq -r .data.data.uid) + local -r gid=$(echo $response | jq -r .data.data.gid) + echo "Setting:" + echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" + chown $uid:$gid $file_path + chmod $permissions $file_path +} + +# Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. + +retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" + +echo "Done." \ No newline at end of file 
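Review bot: `retry "vault login --no-print $VAULT_TOKEN" ...` assumes `VAULT_TOKEN` is already exported but never checks it; with the variable unset, `vault login` is run with no token argument and, as far as I know, falls back to prompting on stdin, so the script hangs rather than failing. A check near the top, `[[ -n "$VAULT_TOKEN" ]] || { echo "Error: VAULT_TOKEN must be set."; exit 1; }`, gives a clear failure instead. When `VAULT_TOKEN` is set the CLI uses it directly, so the `vault login` step mainly persists a copy of the token via the CLI token helper (by default ~/.vault-token) on the machine running this script; if only a reachability check is wanted, `vault token lookup` does that without writing the token to disk. Two loose ends: `attempts=1` while the final message still says `failed after 30 attempts`, and the `local -r response=$(retry ...)` failure-masking raised on PATCH 213 applies to this copy of `retrieve_file` as well.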
diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 1c0b21c..e125c36 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -7,6 +7,7 @@ set -e admin_user="${openvpn_admin_user}" admin_pw="${openvpn_admin_pw}" +resourcetier="${resourcetier}" # TODO these will be replaced with calls to vault. # Send the log output from this script to user-data.log, syslog, and the console @@ -163,8 +164,9 @@ function retrieve_file { # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt local -r response=$(retry \ - "vault kv get -format=json /${resourcetier}/files/$file_path" \ + "vault kv get -format=json /$resourcetier/files/$file_path" \ "Trying to read secret from vault") + mkdir -p $(dirname $file_path) # ensure the directory exists echo $response | jq -r .data.data.file > $file_path local -r permissions=$(echo $response | jq -r .data.data.permissions) local -r uid=$(echo $response | jq -r .data.data.uid) From 533982aa6a36c5c456c9195fffe3b0424705e32b Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 21 Feb 2021 13:09:50 +1030 Subject: [PATCH 216/306] request vpn files to client --- request_vault_file.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/request_vault_file.sh b/request_vault_file.sh index 85ba6c1..318724e 100644 --- a/request_vault_file.sh +++ b/request_vault_file.sh @@ -5,7 +5,12 @@ set -e -resourcetier="${resourcetier}" +if [[ -z "$1" ]]; then + echo "arg dev/green/blue must be provided." + exit 1 +fi + +resourcetier="$1" attempts=1 # Log the given message. All logs are written to stderr with a timestamp. From 83a041c12acc06cca7a809d9e6fe74af3f00ca90 Mon Sep 17 00:00:00 2001 
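Review bot: The new guard only tests that `$1` is non-empty, while its message promises an allowed set (`dev/green/blue`); a mistyped tier is then spliced unvalidated into the Vault path `/$resourcetier/files/...` and fails later with a less helpful error. Checking membership is a small change: `case "$1" in dev|green|blue) ;; *) echo "Error: Arg dev/green/blue must be provided."; exit 1;; esac`. PATCH 217 adds `main` to the list in the message, so the pattern should match whichever set the project settles on.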
From: Andrew Graham Date: Sun, 21 Feb 2021 13:35:15 +1030 Subject: [PATCH 217/306] request-vpn-conf --- request_vault_file.sh | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) mode change 100644 => 100755 request_vault_file.sh diff --git a/request_vault_file.sh b/request_vault_file.sh old mode 100644 new mode 100755 index 318724e..74d5d4d --- a/request_vault_file.sh +++ b/request_vault_file.sh @@ -1,12 +1,10 @@ #!/bin/bash -# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the -# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI -# built from the Packer template in examples/vault-consul-ami/vault-consul.json. +# This script aquire needed vpn client files from vault set -e if [[ -z "$1" ]]; then - echo "arg dev/green/blue must be provided." + echo "Error: Arg dev/green/blue/main must be provided." exit 1 fi @@ -75,15 +73,15 @@ function retrieve_file { local -r response=$(retry \ "vault kv get -format=json /$resourcetier/files/$file_path" \ "Trying to read secret from vault") - mkdir -p $(dirname $file_path) # ensure the directory exists - echo $response | jq -r .data.data.file > $file_path + sudo mkdir -p $(dirname $file_path) # ensure the directory exists + echo $response | jq -r .data.data.file | sudo tee $file_path local -r permissions=$(echo $response | jq -r .data.data.permissions) local -r uid=$(echo $response | jq -r .data.data.uid) local -r gid=$(echo $response | jq -r .data.data.gid) echo "Setting:" echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" - chown $uid:$gid $file_path - chmod $permissions $file_path + sudo chown $uid:$gid $file_path + sudo chmod $permissions $file_path } # Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. From 77a826f66d357aa96af21906fc8b45c2a91c5558 Mon Sep 17 00:00:00 2001 
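Review bot: `echo $response | jq -r .data.data.file | sudo tee $file_path` echoes the retrieved file to stdout as a side effect of `tee`, and given the switch to `sudo` and the mode change to 100755 this script now looks intended for an operator's shell, so `client.key` and `ta.key` get printed to the terminal and to any transcript or CI log capturing it. `sudo tee "$file_path" > /dev/null` keeps the write, drops the echo and quotes the path, which matters now that `$file_path` ultimately derives from caller-supplied input. The same `tee` line is carried into the PATCH 218 rewrite of `retrieve_file`.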
From: Andrew Graham Date: Sun, 21 Feb 2021 14:48:25 +1030 Subject: [PATCH 218/306] store files in home dir --- request_vault_file.sh | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/request_vault_file.sh b/request_vault_file.sh index 74d5d4d..8006040 100755 --- a/request_vault_file.sh +++ b/request_vault_file.sh 
@@ -66,30 +66,35 @@ echo "Aquiring vault data..." # data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) function retrieve_file { - local -r file_path="$1" - # file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt - # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + local -r source_path="$1" + if [[ -z "$2" ]]; then + local -r target_path="$source_path" + else + local -r target_path="$2" + fi + # target_path=/usr/local/openvpn_as/scripts/seperate/ca.crt + # vault kv get -format=json /${resourcetier}/files/$target_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt local -r response=$(retry \ - "vault kv get -format=json /$resourcetier/files/$file_path" \ + "vault kv get -format=json /$resourcetier/files/$source_path" \ "Trying to read secret from vault") - sudo mkdir -p $(dirname $file_path) # ensure the directory exists - echo $response | jq -r .data.data.file | sudo tee $file_path + sudo mkdir -p $(dirname $target_path) # ensure the directory exists + echo $response | jq -r .data.data.file | sudo tee $target_path local -r permissions=$(echo $response | jq -r .data.data.permissions) local -r uid=$(echo $response | jq -r .data.data.uid) local -r gid=$(echo $response | jq -r .data.data.gid) echo "Setting:" - echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" - sudo chown $uid:$gid $file_path - sudo chmod $permissions $file_path + echo "uid:$uid gid:$gid permissions:$permissions target_path:$target_path" + sudo chown $uid:$gid $target_path + sudo chmod $permissions $target_path } # Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. 
-retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/ca.crt" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/client.crt" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/client.key" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/ta.key" +retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/client.ovpn" echo "Done." \ No newline at end of file From f1faee9b189632b7130c0de9f41622ab0fb0ee06 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 21 Feb 2021 16:42:34 +1030 Subject: [PATCH 219/306] disable permissions --- request_vault_file.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/request_vault_file.sh b/request_vault_file.sh index 8006040..964fcb3 100755 --- a/request_vault_file.sh +++ b/request_vault_file.sh 
@@ -80,13 +80,14 @@ function retrieve_file { "Trying to read secret from vault") sudo mkdir -p $(dirname $target_path) # ensure the directory exists echo $response | jq -r .data.data.file | sudo tee $target_path - local -r permissions=$(echo $response | jq -r .data.data.permissions) - local -r uid=$(echo $response | jq -r .data.data.uid) - local -r gid=$(echo $response | jq -r .data.data.gid) - echo "Setting:" - echo "uid:$uid gid:$gid permissions:$permissions target_path:$target_path" - sudo chown $uid:$gid $target_path - sudo chmod $permissions $target_path + # skipping permissions + # local -r permissions=$(echo $response | jq -r .data.data.permissions) + # local -r uid=$(echo $response | jq -r .data.data.uid) + # local -r gid=$(echo $response | jq -r .data.data.gid) + # echo "Setting:" + # echo "uid:$uid gid:$gid permissions:$permissions target_path:$target_path" + # sudo chown $uid:$gid $target_path + # sudo chmod $permissions $target_path } # Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. From 1163c6cc480c5cffc7889fc9e3e5cff8bca1648c Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 21 Feb 2021 16:43:06 +1030 Subject: [PATCH 220/306] update docs --- request_vault_file.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/request_vault_file.sh b/request_vault_file.sh index 964fcb3..7f7d70a 100755 --- a/request_vault_file.sh +++ b/request_vault_file.sh @@ -1,5 +1,5 @@ #!/bin/bash -# This script aquire needed vpn client files from vault +# This script aquires needed vpn client files from vault to an intermediary bastion set -e From b06d44f3e24a1a9886f1e27a49c6c80dbb9602a5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 21 Feb 2021 16:46:09 +1030 Subject: [PATCH 221/306] pull json blob --- request_vault_file.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/request_vault_file.sh b/request_vault_file.sh index 7f7d70a..a01cbf3 100755 
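Review bot: Commenting out the `chown`/`chmod` block leaves each file exactly as `sudo tee` created it: root-owned, with a mode derived from root's umask, under `$HOME/tmp`; for `client.key` and `ta.key` that is presumably group/world-readable unless the AMI sets a restrictive umask. If the uid/gid from Vault are not wanted on the bastion, keep an unconditional mode clamp rather than dropping permissions entirely, e.g. `sudo chmod 0600 "$target_path"` right after the tee, and chown the file to the invoking user (`$SUDO_USER`/`$USER`) so the later copy step can read it without sudo. A one-line comment such as `# mode is clamped here because Vault's uid/gid refer to the VPN host, not the bastion` would explain why the stored metadata is ignored.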
--- a/request_vault_file.sh +++ b/request_vault_file.sh @@ -79,7 +79,7 @@ function retrieve_file { "vault kv get -format=json /$resourcetier/files/$source_path" \ "Trying to read secret from vault") sudo mkdir -p $(dirname $target_path) # ensure the directory exists - echo $response | jq -r .data.data.file | sudo tee $target_path + echo $response | jq -r .data.data | sudo tee $target_path # retrieve full json blob to later pass permissions if required. # skipping permissions # local -r permissions=$(echo $response | jq -r .data.data.permissions) # local -r uid=$(echo $response | jq -r .data.data.uid) From a5e377b16187df1e50260b0c1d09972081e1e1aa Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 22 Feb 2021 19:35:36 +1030 Subject: [PATCH 222/306] copy vault file from bastion --- copy_vault_file_from_bastion.sh | 46 +++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100755 copy_vault_file_from_bastion.sh diff --git a/copy_vault_file_from_bastion.sh b/copy_vault_file_from_bastion.sh new file mode 100755 index 0000000..d6f927c --- /dev/null +++ b/copy_vault_file_from_bastion.sh 
@@ -0,0 +1,46 @@ +#!/bin/bash +# This script aquires needed vpn client files from vault to an intermediary bastion + +set -e + +if [[ -z "$1" ]]; then + echo "Error: 1st arg bastion host must be provided. eg: centos@ec2-54-253-11-29.ap-southeast-2.compute.amazonaws.com" + exit 1 +fi + +if [[ -z "$2" ]]; then + echo "Error: 2nd arg vault client must be provided. eg: centos@i-00265f3f7614cbbee.node.consul" + exit 1 +fi + +host1="$1" +host2="$2" + +# Log the given message. All logs are written to stderr with a timestamp. +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} + +function retrieve_file { + local -r source_path="$1" + local -r target_path="$(basename $source_path)" + + scp -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa -o ProxyCommand="ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa -W %h:%p $host1" $host2:$source_path ./json_blob.json +# local -r response=$(jq json_blob.json) +# echo $response | jq -r .file | tee $target_path # retrieve full json blob to later pass permissions if required. + jq -r .file json_blob.json | tee $target_path + rm ./json_blob.json + chmod 0600 $target_path +} + +# Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. + +retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/ca.crt" +retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.crt" +retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.key" +retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/ta.key" +retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.ovpn" + +echo "Done." \ No newline at end of file From ab3e6a497cbfb301bd0b55e416548e38bfa12e57 Mon Sep 17 00:00:00 2001 
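Review bot: `jq -r .file json_blob.json | tee $target_path` prints the extracted private keys to stdout and creates `$target_path` with the default umask, and `chmod 0600` only runs afterwards; the intermediate `json_blob.json` is also left in the working directory if jq fails, because `set -e` aborts before the `rm`. I would add `umask 077` after `set -e`, change the tee line to `jq -r .file json_blob.json | tee "$target_path" > /dev/null`, and register `trap 'rm -f ./json_blob.json' EXIT` so the blob never outlives the script. The header comment is copied from request_vault_file.sh and describes the wrong direction; it should read `# This script copies the vpn client files staged on the bastion to the local machine`. Unrelated to secrets, `$host1`, `$host2`, and `$source_path` are unquoted in the scp invocation and `local -r target_path="$(basename $source_path)"` writes into whatever the current directory is.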
From: Andrew Graham Date: Wed, 24 Feb 2021 20:35:42 +1030 Subject: [PATCH 223/306] add extra vars requird for user data --- main.tf | 17 +++- user-data-auth-client-vault-token.sh | 135 +++++++++++++++------------ 2 files changed, 89 insertions(+), 63 deletions(-) diff --git a/main.tf b/main.tf index 03f2acc..90eb785 100644 --- a/main.tf +++ b/main.tf @@ -247,8 +247,8 @@ resource "vault_token" "vpn_admin" { policies = ["vpn_server"] renewable = true - ttl = "600s" - period = "300s" + ttl = "600s" + period = "300s" } data "template_file" "user_data_auth_client" { @@ -260,10 +260,17 @@ data "template_file" "user_data_auth_client" { example_role_name = var.example_role_name openvpn_admin_user = var.openvpn_admin_user openvpn_admin_pw = var.openvpn_admin_pw + openvpn_user = var.openvpn_user + openvpn_user_pw = var.openvpn_user_pw resourcetier = var.resourcetier - # aws_secret_access_key = data.vault_aws_access_credentials.creds.access_key - # aws_access_key_id = data.vault_aws_access_credentials.creds.secret_key - vault_token = vault_token.vpn_admin.client_token + vault_token = vault_token.vpn_admin.client_token + + client_network = element(split("/", var.vpn_cidr), 0) + client_netmask_bits = element(split("/", var.vpn_cidr), 1) + private_subnet1 = element(var.private_subnets, 0) + public_subnet1 = element(var.public_subnets, 0) + aws_internal_domain = ".consul" + remote_subnet_cidr = var.remote_subnet_cidr } } diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index e125c36..46bc338 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -5,8 +5,11 @@ set -e -admin_user="${openvpn_admin_user}" +admin_user="${openvpn_admin_user}" admin_pw="${openvpn_admin_pw}" + +openvpn_user="${openvpn_user}" # TODO temporary use of admin for testing. Should be replaced with another user. +openvpn_user_pw="${openvpn_user_pw}" resourcetier="${resourcetier}" # TODO these will be replaced with calls to vault. 
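Review bot: The new `openvpn_user_pw = var.openvpn_user_pw` line in the `template_file` block (and the matching `openvpn_user_pw="${openvpn_user_pw}"` in the user-data hunk) places a second credential in the rendered EC2 user data, alongside the existing `vault_token`. User data is readable by any local process through the instance metadata service and by any principal allowed to describe the instance attribute, so it is effectively a plaintext store for the lifetime of the instance. Since the boot script already logs in to Vault, fetching the user password from Vault at boot rather than rendering it into the template would keep it out of user data; at minimum the TODO on that line should say `# TODO: read from Vault at boot; user data is readable from the instance metadata service`. The hardcoded `aws_internal_domain = ".consul"` would also be more consistent with the surrounding lines as a variable.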
@@ -132,64 +135,80 @@ function retry { # "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ # "Trying to read secret from vault") -# If vault cli is installed we can also perform these operations with vault cli -# The necessary environment variables have to be set -# export VAULT_TOKEN=$token -export VAULT_ADDR=https://vault.service.consul:8200 - -# Start the Vault agent -# /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" - -# Retry and wait for the Vault Agent to write the token out to a file. This could be -# because the Vault server is still booting and unsealing, or because run-consul -# running on the background didn't finish yet -retry \ - "vault login --no-print ${vault_token}" \ - "Waiting for Vault login" - -# vault login -method=aws header_value=vault.example.com role=dev-role-iam \ -# aws_access_key_id= \ -# aws_secret_access_key= - -# # We can then use the client token from the login output once login was successful -# token=$(cat /opt/vault/data/vault-token) - -# /opt/vault/bin/vault read secret/example_gruntwork -echo "Aquiring vault data..." 
-# data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) - -function retrieve_file { - local -r file_path="$1" - # file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt - # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt - - local -r response=$(retry \ - "vault kv get -format=json /$resourcetier/files/$file_path" \ - "Trying to read secret from vault") - mkdir -p $(dirname $file_path) # ensure the directory exists - echo $response | jq -r .data.data.file > $file_path - local -r permissions=$(echo $response | jq -r .data.data.permissions) - local -r uid=$(echo $response | jq -r .data.data.uid) - local -r gid=$(echo $response | jq -r .data.data.gid) - echo "Setting:" - echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" - chown $uid:$gid $file_path - chmod $permissions $file_path -} +client_network=${client_network} +client_netmask_bits=${client_netmask_bits} +private_subnet1=${private_subnet1} +public_subnet1=${public_subnet1} +aws_internal_domain=${aws_internal_domain} +remote_subnet_cidr=${remote_subnet_cidr} + +ls -la /usr/local/openvpn_as/scripts/ +/usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v $client_network ConfigPut +/usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v $client_netmask_bits ConfigPut +/usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value 'true' ConfigPut +/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.gateway_access --value 'true' ConfigPut +/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.0 --value "$private_subnet1" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.1 --value "$public_subnet1" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.2 --value "$client_network/$client_netmask_bits" ConfigPut 
+/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_access --value 'route' ConfigPut +/usr/local/openvpn_as/scripts/sacli --key 'vpn.client.routing.reroute_dns' --value 'true' ConfigPut +/usr/local/openvpn_as/scripts/sacli --key 'vpn.server.dhcp_option.domain' --value "$aws_internal_domain" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key 'vpn.server.routing.allow_private_nets_to_clients' --value 'true' ConfigPut +/usr/local/openvpn_as/scripts/sacli start +cd /usr/local/openvpn_as/scripts/ +./sacli --user $openvpn_user --key 'prop_autologin' --value 'true' UserPropPut +./sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut +./sacli --user $openvpn_user AutoGenerateOnBehalfOf +./sacli -o ./seperate --cn $openvpn_user get5 +chown $openvpn_user seperate/* +/usr/local/openvpn_as/scripts/sacli start +ls -la seperate + + +# ### Method to reqaquire existing certs from vault ### + +# # If vault cli is installed we can also perform these operations with vault cli +# # The necessary environment variables have to be set +# # export VAULT_TOKEN=$token +# export VAULT_ADDR=https://vault.service.consul:8200 + +# # Start the Vault agent +# # /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" + +# # Retry and wait for the Vault Agent to write the token out to a file. This could be +# # because the Vault server is still booting and unsealing, or because run-consul +# # running on the background didn't finish yet +# retry \ +# "vault login --no-print ${vault_token}" \ +# "Waiting for Vault login" + +# echo "Aquiring vault data..." 
+ +# function retrieve_file { +# local -r file_path="$1" +# # file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt +# # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt + +# local -r response=$(retry \ +# "vault kv get -format=json /$resourcetier/files/$file_path" \ +# "Trying to read secret from vault") +# mkdir -p $(dirname $file_path) # ensure the directory exists +# echo $response | jq -r .data.data.file > $file_path +# local -r permissions=$(echo $response | jq -r .data.data.permissions) +# local -r uid=$(echo $response | jq -r .data.data.uid) +# local -r gid=$(echo $response | jq -r .data.data.gid) +# echo "Setting:" +# echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" +# chown $uid:$gid $file_path +# chmod $permissions $file_path +# } -# Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. +# # Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. -retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" +# retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" +# retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" +# retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" +# retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" +# retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" echo "Done." 
-# if this script fails, we can set the instance health status but we need to capture a fault -# aws autoscaling set-instance-health --instance-id i-0b03e12682e74746e --health-status Unhealthy - -# # Serves the answer in a web server so we can test that this auth client is -# # authenticating to vault and fetching data correctly -# echo $response | jq -r .data.the_answer > index.html -# python -m SimpleHTTPServer 8080 & From 8cabaffea8e07e8265f9da8a320afb45e2097c3d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 26 Feb 2021 19:48:20 +1030 Subject: [PATCH 224/306] test --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 8b642d3..d95d243 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ private-variables.tf + From a1543718417deb2bc011813087dc77c35d6425c5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 26 Feb 2021 20:22:54 +1030 Subject: [PATCH 225/306] echo inputs --- user-data-auth-client-vault-token.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 46bc338..2275c46 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -134,6 +134,7 @@ function retry { # response=$(retry \ # "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ # "Trying to read secret from vault") +set -x client_network=${client_network} client_netmask_bits=${client_netmask_bits} From c070ee2e879391f76326b2e0c783721dead7ebf6 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 26 Feb 2021 21:39:42 +1030 Subject: [PATCH 226/306] no-gen-certs-build --- user-data-auth-client-vault-token.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 2275c46..80021af 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
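Review bot: `./sacli -o ./seperate --cn $openvpn_user get5` writes the generated client certificate and private key into `seperate/`, and the following `chown $openvpn_user seperate/*` changes ownership only, leaving the mode to the umask; add `chmod 0600 seperate/*` after the chown so the key and profile are readable by that user alone. Because the user is created with `prop_autologin` set to `true`, a comment above the `UserPropPut` lines such as `# prop_autologin: possession of the generated .ovpn grants VPN access without a password; treat the bundle as a secret` would make the sensitivity of those files explicit. The template variables `client_network=${client_network}` etc. are assigned unquoted, so any value with whitespace breaks the assignment; quoting them is cheap. `/usr/local/openvpn_as/scripts/sacli start` is run twice with no explanation; if the second start is needed to apply the user properties, say so in a comment.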
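Review bot: `set -x` is added unconditionally, and in a cloud-init user-data script the trace goes to the instance's cloud-init output log, where the expanded arguments of every later command are kept; anything secret-bearing that is placed below this line (a Vault token, file contents passed as an argument) would be logged in clear. Gate it on a debug variable, e.g. `[[ "${debug:-false}" == "true" ]] && set -x`, or wrap secret-handling sections in `set +x` / `set -x`, and note the reason in a comment: `# xtrace output lands in the cloud-init log; do not pass secrets as arguments while it is on`.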
@@ -136,6 +136,11 @@ function retry { # "Trying to read secret from vault") set -x +timeout 180 /bin/bash -c 'until stat /var/lib/cloud/instance/boot-finished &>/dev/null; do echo waiting...; sleep 6; done' +echo "=== System Packages ===" +echo 'Connected success. Wait for updates to finish...' # Open VPN AMI runs apt daily update which must end before we continue. +systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true; echo \"exit $?\" + client_network=${client_network} client_netmask_bits=${client_netmask_bits} private_subnet1=${private_subnet1} From a08dcb5ef743f63e5760f2aac179e6c820c35d97 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 26 Feb 2021 22:14:49 +1030 Subject: [PATCH 227/306] remove wait boot --- user-data-auth-client-vault-token.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 80021af..7e3b71a 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -136,7 +136,6 @@ function retry { # "Trying to read secret from vault") set -x -timeout 180 /bin/bash -c 'until stat /var/lib/cloud/instance/boot-finished &>/dev/null; do echo waiting...; sleep 6; done' echo "=== System Packages ===" echo 'Connected success. Wait for updates to finish...' # Open VPN AMI runs apt daily update which must end before we continue. systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true; echo \"exit $?\" From 3e68e9bab2cbc62d6d0bfdce322d6d9e8aa4e662 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 26 Feb 2021 22:23:44 +1030 Subject: [PATCH 228/306] mkdir seperate --- user-data-auth-client-vault-token.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 7e3b71a..59fcca4 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
@@ -164,6 +164,7 @@ cd /usr/local/openvpn_as/scripts/ ./sacli --user $openvpn_user --key 'prop_autologin' --value 'true' UserPropPut ./sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut ./sacli --user $openvpn_user AutoGenerateOnBehalfOf +mkdir seperate ./sacli -o ./seperate --cn $openvpn_user get5 chown $openvpn_user seperate/* /usr/local/openvpn_as/scripts/sacli start From 3382269005c71ae736595a47c66ae51e6357ca8a Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 10:06:33 +1030 Subject: [PATCH 229/306] store certs in vault --- main.tf | 2 +- user-data-auth-client-vault-token.sh | 131 ++++++++++++++++++++------- 2 files changed, 97 insertions(+), 36 deletions(-) diff --git a/main.tf b/main.tf index 90eb785..86bb84f 100644 --- a/main.tf +++ b/main.tf @@ -244,7 +244,7 @@ resource "vault_token" "vpn_admin" { # dynamically generate a token with constrained permisions for the vpn role. role_name = "vpn-server-vault-token-creds-role" - policies = ["vpn_server"] + policies = ["vpn_server","ssh_host"] renewable = true ttl = "600s" diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 59fcca4..50b210a 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
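Review bot: `mkdir seperate` creates the directory that `get5` fills with the client private key using the default umask, and without `-p` it aborts the script under `set -e` if the directory already exists. `mkdir -p -m 0700 seperate` handles both: the directory is private from the moment it exists and the line is idempotent.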
@@ -165,56 +165,117 @@ cd /usr/local/openvpn_as/scripts/ ./sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut ./sacli --user $openvpn_user AutoGenerateOnBehalfOf mkdir seperate -./sacli -o ./seperate --cn $openvpn_user get5 +./sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get5 chown $openvpn_user seperate/* /usr/local/openvpn_as/scripts/sacli start ls -la seperate -# ### Method to reqaquire existing certs from vault ### +### Method to put or aquire certs from vault ### -# # If vault cli is installed we can also perform these operations with vault cli -# # The necessary environment variables have to be set -# # export VAULT_TOKEN=$token -# export VAULT_ADDR=https://vault.service.consul:8200 +# If vault cli is installed we can also perform these operations with vault cli +# The necessary environment variables have to be set +# export VAULT_TOKEN=$token +export VAULT_ADDR=https://vault.service.consul:8200 # # Start the Vault agent # # /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" -# # Retry and wait for the Vault Agent to write the token out to a file. This could be -# # because the Vault server is still booting and unsealing, or because run-consul -# # running on the background didn't finish yet -# retry \ -# "vault login --no-print ${vault_token}" \ -# "Waiting for Vault login" +# Retry and wait for the Vault Agent to write the token out to a file. This could be +# because the Vault server is still booting and unsealing, or because run-consul +# running on the background didn't finish yet +retry \ + "vault login --no-print ${vault_token}" \ + "Waiting for Vault login" + +log "Request Vault sign's the SSH host key and becomes a known host for other machines." +# Allow access from clients signed by the CA. 
+trusted_ca="/etc/ssh/trusted-user-ca-keys.pem" +# Aquire the public CA cert to approve an authority +vault read -field=public_key ssh-client-signer/config/ca | tee $trusted_ca +if test ! -f "$trusted_ca"; then + log "Missing $trusted_ca" + exit 1 +fi +### Sign SSH host key +if test ! -f "/etc/ssh/ssh_host_rsa_key.pub"; then + log "Missing public host key /etc/ssh/ssh_host_rsa_key.pub" + exit 1 +fi +# Sign this host's public key +vault write -format=json ssh-host-signer/sign/hostrole \ + cert_type=host \ + public_key=@/etc/ssh/ssh_host_rsa_key.pub +# Aquire the cert +vault write -field=signed_key ssh-host-signer/sign/hostrole \ + cert_type=host \ + public_key=@/etc/ssh/ssh_host_rsa_key.pub | tee /etc/ssh/ssh_host_rsa_key-cert.pub +if test ! -f "/etc/ssh/ssh_host_rsa_key-cert.pub"; then + log "Failed to aquire /etc/ssh/ssh_host_rsa_key-cert.pub" + exit 1 +fi +chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub +# Private key and cert are both required for ssh to another host. Multiple entries for host key may exist. +grep -q "^HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config || echo 'HostKey /etc/ssh/ssh_host_rsa_key' | tee --append /etc/ssh/sshd_config +# Configure host cert to be recognised as a known host. +grep -q "^HostCertificate" /etc/ssh/sshd_config || echo 'HostCertificate' | tee --append /etc/ssh/sshd_config +sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g' /etc/ssh/sshd_config + +### Store Generated keys with vault + +echo "Storing keys with vault..." 
+function retrieve_file { + local -r file_path="$1" + local -r response=$(retry \ + "vault kv get -format=json /$resourcetier/files/$file_path" \ + "Trying to read secret from vault") + mkdir -p $(dirname $file_path) # ensure the directory exists + echo $response | jq -r .data.data.file > $file_path + local -r permissions=$(echo $response | jq -r .data.data.permissions) + local -r uid=$(echo $response | jq -r .data.data.uid) + local -r gid=$(echo $response | jq -r .data.data.gid) + echo "Setting:" + echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" + chown $uid:$gid $file_path + chmod $permissions $file_path +} + +function store_file { + local -r file_path="$1" + local -r target="$2" + file_dir=$(dirname $file_path) + target="$resourcetier/files/$target" + + if sudo test -f "$file_path"; then + # vault login -no-print -address="$VAULT_ADDR" -method=aws header_value=vault.service.consul role=provisioner-vault-role + vault kv put -address="$VAULT_ADDR" -format=json $target file="$(sudo cat $file_path)" + if [[ "$OSTYPE" == "darwin"* ]]; then # Acquire file permissions. 
+ octal_permissions=$(sudo stat -f %A $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev ) # clip to 4 zeroes + else + octal_permissions=$(sudo stat --format '%a' $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev) # clip to 4 zeroes + fi + octal_permissions=$( python -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes + vault kv patch -address="$VAULT_ADDR" -format=json $target permissions="$octal_permissions" + file_uid="$(sudo stat --format '%u' $file_path)" + vault kv patch -address="$VAULT_ADDR" -format=json $target owner="$(sudo id -un -- $file_uid)" + vault kv patch -address="$VAULT_ADDR" -format=json $target uid="$file_uid" + file_gid="$(sudo stat --format '%g' $file_path)" + vault kv patch -address="$VAULT_ADDR" -format=json $target gid="$file_gid" + else + print "Error: file not found: $file_path" + exit 1 + fi +} -# echo "Aquiring vault data..." -# function retrieve_file { -# local -r file_path="$1" -# # file_path=/usr/local/openvpn_as/scripts/seperate/ca.crt -# # vault kv get -format=json /${resourcetier}/files/$file_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt -# local -r response=$(retry \ -# "vault kv get -format=json /$resourcetier/files/$file_path" \ -# "Trying to read secret from vault") -# mkdir -p $(dirname $file_path) # ensure the directory exists -# echo $response | jq -r .data.data.file > $file_path -# local -r permissions=$(echo $response | jq -r .data.data.permissions) -# local -r uid=$(echo $response | jq -r .data.data.uid) -# local -r gid=$(echo $response | jq -r .data.data.gid) -# echo "Setting:" -# echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" -# chown $uid:$gid $file_path -# chmod $permissions $file_path -# } # # Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. 
-# retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" -# retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" -# retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" -# retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" -# retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" +store_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" +store_file "/usr/local/openvpn_as/scripts/seperate/client.crt" +store_file "/usr/local/openvpn_as/scripts/seperate/client.key" +store_file "/usr/local/openvpn_as/scripts/seperate/ta.key" +store_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" echo "Done." From 311f57321814328bdfc76ad8322928c82ac3d8df Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 10:59:20 +1030 Subject: [PATCH 230/306] fix apt daily timer --- user-data-auth-client-vault-token.sh | 107 +++++++++++++-------------- 1 file changed, 53 insertions(+), 54 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 50b210a..36584fc 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
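Review bot: In `store_file`, `vault kv put ... file="$(sudo cat $file_path)"` passes the whole private key as a command-line argument, and this runs after the `set -x` enabled earlier in the script, so the key contents are written verbatim into the cloud-init log (and are visible in the process list while the command runs). The Vault CLI reads a value from a file when it is prefixed with `@`, so `vault kv put -address="$VAULT_ADDR" -format=json "$target" file=@"$file_path"` keeps the content out of argv and the trace. The `else` branch calls `print "Error: file not found: $file_path"`, which is not a bash builtin; use the script's `log` function. `vault write ... ssh-host-signer/sign/hostrole` is executed twice with identical arguments, signing the host key once more than needed; the first call's JSON output is discarded and can be removed.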
@@ -54,6 +54,55 @@ function retry { exit $exit_status } +# If vault cli is installed we can also perform these operations with vault cli +# The necessary environment variables have to be set +# export VAULT_TOKEN=$token +export VAULT_ADDR=https://vault.service.consul:8200 + +# # Start the Vault agent +# # /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" + +# Retry and wait for the Vault Agent to write the token out to a file. This could be +# because the Vault server is still booting and unsealing, or because run-consul +# running on the background didn't finish yet +retry \ + "vault login --no-print ${vault_token}" \ + "Waiting for Vault login" + +log "Request Vault sign's the SSH host key and becomes a known host for other machines." +# Allow access from clients signed by the CA. +trusted_ca="/etc/ssh/trusted-user-ca-keys.pem" +# Aquire the public CA cert to approve an authority +vault read -field=public_key ssh-client-signer/config/ca | tee $trusted_ca +if test ! -f "$trusted_ca"; then + log "Missing $trusted_ca" + exit 1 +fi +### Sign SSH host key +if test ! -f "/etc/ssh/ssh_host_rsa_key.pub"; then + log "Missing public host key /etc/ssh/ssh_host_rsa_key.pub" + exit 1 +fi +# Sign this host's public key +vault write -format=json ssh-host-signer/sign/hostrole \ + cert_type=host \ + public_key=@/etc/ssh/ssh_host_rsa_key.pub +# Aquire the cert +vault write -field=signed_key ssh-host-signer/sign/hostrole \ + cert_type=host \ + public_key=@/etc/ssh/ssh_host_rsa_key.pub | tee /etc/ssh/ssh_host_rsa_key-cert.pub +if test ! -f "/etc/ssh/ssh_host_rsa_key-cert.pub"; then + log "Failed to aquire /etc/ssh/ssh_host_rsa_key-cert.pub" + exit 1 +fi +chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub +# Private key and cert are both required for ssh to another host. Multiple entries for host key may exist. 
+grep -q "^HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config || echo 'HostKey /etc/ssh/ssh_host_rsa_key' | tee --append /etc/ssh/sshd_config +# Configure host cert to be recognised as a known host. +grep -q "^HostCertificate" /etc/ssh/sshd_config || echo 'HostCertificate' | tee --append /etc/ssh/sshd_config +sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g' /etc/ssh/sshd_config + + # Retrieves the pkcs7 certificate from instance metadata # The vault role name is filled by terraform # The role itself is created when configuting the vault cluster @@ -136,9 +185,10 @@ function retry { # "Trying to read secret from vault") set -x -echo "=== System Packages ===" -echo 'Connected success. Wait for updates to finish...' # Open VPN AMI runs apt daily update which must end before we continue. -systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true; echo \"exit $?\" +# if apt prevents operations during boot, you may need to wait, but this should have been fixed in the ami with override.conf +# echo "=== System Packages ===" +# echo 'Connected success. Wait for updates to finish...' # Open VPN AMI runs apt daily update which must end before we continue. +# systemd-run --property='After=apt-daily.service apt-daily-upgrade.service' --wait /bin/true; echo \"exit $?\" client_network=${client_network} client_netmask_bits=${client_netmask_bits} 
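Review bot: In the moved block, `vault read -field=public_key ssh-client-signer/config/ca | tee $trusted_ca` followed by `if test ! -f "$trusted_ca"` cannot detect a failed Vault read: tee creates the file regardless, and without `set -o pipefail` the pipeline's status is tee's, so `set -e` does not fire either; the same applies to the `tee /etc/ssh/ssh_host_rsa_key-cert.pub` check. Add `set -o pipefail` next to `set -e` (outside this hunk) and test for a non-empty result with `if test ! -s "$trusted_ca"; then`. The comment says the CA file allows access from clients signed by the CA, but only `HostKey` and `HostCertificate` are written to sshd_config here; if `TrustedUserCAKeys` is configured elsewhere in the AMI, a comment saying so would save the next reader from looking for it, and if not, the file is written but never used. Whether sshd is reloaded after the config edit is also not visible in this hunk.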
@@ -170,57 +220,6 @@ chown $openvpn_user seperate/* /usr/local/openvpn_as/scripts/sacli start ls -la seperate - -### Method to put or aquire certs from vault ### - -# If vault cli is installed we can also perform these operations with vault cli -# The necessary environment variables have to be set -# export VAULT_TOKEN=$token -export VAULT_ADDR=https://vault.service.consul:8200 - -# # Start the Vault agent -# # /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" - -# Retry and wait for the Vault Agent to write the token out to a file. This could be -# because the Vault server is still booting and unsealing, or because run-consul -# running on the background didn't finish yet -retry \ - "vault login --no-print ${vault_token}" \ - "Waiting for Vault login" - -log "Request Vault sign's the SSH host key and becomes a known host for other machines." -# Allow access from clients signed by the CA. -trusted_ca="/etc/ssh/trusted-user-ca-keys.pem" -# Aquire the public CA cert to approve an authority -vault read -field=public_key ssh-client-signer/config/ca | tee $trusted_ca -if test ! -f "$trusted_ca"; then - log "Missing $trusted_ca" - exit 1 -fi -### Sign SSH host key -if test ! -f "/etc/ssh/ssh_host_rsa_key.pub"; then - log "Missing public host key /etc/ssh/ssh_host_rsa_key.pub" - exit 1 -fi -# Sign this host's public key -vault write -format=json ssh-host-signer/sign/hostrole \ - cert_type=host \ - public_key=@/etc/ssh/ssh_host_rsa_key.pub -# Aquire the cert -vault write -field=signed_key ssh-host-signer/sign/hostrole \ - cert_type=host \ - public_key=@/etc/ssh/ssh_host_rsa_key.pub | tee /etc/ssh/ssh_host_rsa_key-cert.pub -if test ! -f "/etc/ssh/ssh_host_rsa_key-cert.pub"; then - log "Failed to aquire /etc/ssh/ssh_host_rsa_key-cert.pub" - exit 1 -fi -chmod 0640 /etc/ssh/ssh_host_rsa_key-cert.pub -# Private key and cert are both required for ssh to another host. Multiple entries for host key may exist. 
-grep -q "^HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config || echo 'HostKey /etc/ssh/ssh_host_rsa_key' | tee --append /etc/ssh/sshd_config -# Configure host cert to be recognised as a known host. -grep -q "^HostCertificate" /etc/ssh/sshd_config || echo 'HostCertificate' | tee --append /etc/ssh/sshd_config -sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g' /etc/ssh/sshd_config - ### Store Generated keys with vault echo "Storing keys with vault..." From ff79305b620416cce5b00e547421a55de54deb5f Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 12:07:35 +1030 Subject: [PATCH 231/306] fix target logic --- user-data-auth-client-vault-token.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 36584fc..0d7910f 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -241,10 +241,12 @@ function retrieve_file { function store_file { local -r file_path="$1" - local -r target="$2" - file_dir=$(dirname $file_path) - target="$resourcetier/files/$target" - + if [[ -z "$2" ]]; then + local target="$resourcetier/files/$target" + else + local target="$2" + fi + if sudo test -f "$file_path"; then # vault login -no-print -address="$VAULT_ADDR" -method=aws header_value=vault.service.consul role=provisioner-vault-role vault kv put -address="$VAULT_ADDR" -format=json $target file="$(sudo cat $file_path)" From 6d7c25806d624076dc0a47148d7183674783d497 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 12:25:10 +1030 Subject: [PATCH 232/306] test longer ttl --- main.tf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 86bb84f..185929b 100644 --- a/main.tf +++ b/main.tf 
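Review bot: `vault kv put -address="$VAULT_ADDR" -format=json $target file="$(sudo cat $file_path)"` in the new `store_file` passes the whole file — including `client.key` and `ta.key` — as a command-line argument, so the key material is visible in `ps` and in the `set -x` trace the script enables earlier; Vault's `@file` form reads the value from disk instead, `vault kv put -address="$VAULT_ADDR" -format=json "$target" file=@"$file_path"`. The default branch also expands `$target` before it has been assigned, so with no second argument every file is written to the same `$resourcetier/files/` path. `store_file` continues past the end of this hunk.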
@@ -243,12 +243,9 @@ resource "aws_instance" "openvpn" { resource "vault_token" "vpn_admin" { # dynamically generate a token with constrained permisions for the vpn role. role_name = "vpn-server-vault-token-creds-role" - policies = ["vpn_server","ssh_host"] - - renewable = true - ttl = "600s" - period = "300s" + renewable = false + explicit_max_ttl = "600s" } data "template_file" "user_data_auth_client" { From acaab2c9868b63aef9025037bab27cdd48851f67 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 12:34:03 +1030 Subject: [PATCH 233/306] update target --- user-data-auth-client-vault-token.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 0d7910f..09fb83e 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -242,11 +242,11 @@ function retrieve_file { function store_file { local -r file_path="$1" if [[ -z "$2" ]]; then - local target="$resourcetier/files/$target" + local target="$resourcetier/files/$file_path" else local target="$2" fi - + if sudo test -f "$file_path"; then # vault login -no-print -address="$VAULT_ADDR" -method=aws header_value=vault.service.consul role=provisioner-vault-role vault kv put -address="$VAULT_ADDR" -format=json $target file="$(sudo cat $file_path)" From bc212dc87eac25dd36319c083bc7cc9b3077906c Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 13:28:24 +1030 Subject: [PATCH 234/306] make vault request and download files from remote --- copy_vault_file_from_bastion.sh | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/copy_vault_file_from_bastion.sh b/copy_vault_file_from_bastion.sh index d6f927c..45ca78d 100755 --- a/copy_vault_file_from_bastion.sh +++ b/copy_vault_file_from_bastion.sh 
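Review bot: Dropping `policies = ["vpn_server","ssh_host"]` means the token's policy set is now whatever `vpn-server-vault-token-creds-role` hands out by default — presumably every policy the role allows, or, if the role does not restrict them, the policies of the provider's own token — so the least-privilege intent is no longer visible or enforced in this file; keep the explicit `policies` list alongside `renewable = false` and `explicit_max_ttl = "600s"`. The non-renewable 600s cap is the right direction, but it also bounds how long the boot script has to finish its Vault work, so a slow unseal or boot now fails the `vault login` retry outright rather than degrading.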
@@ -4,12 +4,20 @@ set -e if [[ -z "$1" ]]; then - echo "Error: 1st arg bastion host must be provided. eg: centos@ec2-54-253-11-29.ap-southeast-2.compute.amazonaws.com" + echo "Error: 1st arg bastion host must be provided. eg:" + echo "VAULT_TOKEN=s.kjh1k4jfdsfhkNe ./copy_vault_file_from_bastion.sh centos@ec2-3-25-143-13.ap-southeast-2.compute.amazonaws.com centos@i-0df3060971160cdd6.node.consul" exit 1 fi if [[ -z "$2" ]]; then echo "Error: 2nd arg vault client must be provided. eg: centos@i-00265f3f7614cbbee.node.consul" + echo "VAULT_TOKEN=s.kjh1k4jfdsfhkNe ./copy_vault_file_from_bastion.sh centos@ec2-3-25-143-13.ap-southeast-2.compute.amazonaws.com centos@i-0df3060971160cdd6.node.consul" + exit 1 +fi + +if [[ -z "$2" ]]; then + echo "Error: env var VAULT_TOKEN must be provided. eg: VAULT_TOKEN=s.kjh1k4jfdsfhkNe" + echo "VAULT_TOKEN=s.kjh1k4jfdsfhkNe ./copy_vault_file_from_bastion.sh centos@ec2-3-25-143-13.ap-southeast-2.compute.amazonaws.com centos@i-0df3060971160cdd6.node.consul" exit 1 fi @@ -23,13 +31,14 @@ function log { >&2 echo -e "$timestamp $message" } +log "Requesting files from vault to client in private subnet" +ssh -o ProxyCommand="ssh $host1 -W %h:%p" $host2 "VAULT_TOKEN=$VAULT_TOKEN bash -s" < ./request_vault_file.sh main + function retrieve_file { local -r source_path="$1" local -r target_path="$(basename $source_path)" scp -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa -o ProxyCommand="ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa -W %h:%p $host1" $host2:$source_path ./json_blob.json -# local -r response=$(jq json_blob.json) -# echo $response | jq -r .file | tee $target_path # retrieve full json blob to later pass permissions if required. jq -r .file json_blob.json | tee $target_path rm ./json_blob.json chmod 0600 $target_path 
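Review bot: The third argument check tests `$2` again instead of `$VAULT_TOKEN`, so a missing token is never caught and the script goes on to run `VAULT_TOKEN= bash -s` on the client; change the condition to `if [[ -z "$VAULT_TOKEN" ]]; then`. It would also be better to avoid a realistic-looking `s.…` token in the usage examples, since secret scanners flag it and it invites pasting a real token into shell history.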
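Review bot: `jq -r .file json_blob.json | tee $target_path` in `retrieve_file` echoes the retrieved `client.key` and `ta.key` to the terminal and creates the file under the default umask before the later `chmod 0600`, leaving a window in which it is readable by other local users; set `umask 077` at the top of the script and write with `jq -r .file json_blob.json > "$target_path"` instead of `tee`. The new remote invocation `ssh ... $host2 "VAULT_TOKEN=$VAULT_TOKEN bash -s"` places the token on the remote command line, where it is visible in `ps` on the client for the life of the script; feeding it on stdin alongside the script, or via `SendEnv` if the client's sshd permits it, avoids that.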
@@ -43,4 +52,7 @@ retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.key retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/ta.key" retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.ovpn" +log "...Cleaning up" +ssh -o ProxyCommand="ssh $host1 -W %h:%p" $host2 "sudo rm -frv /home/centos/tmp/*" + echo "Done." \ No newline at end of file From 2d3a831938f8790d606f697f35bc6277c3281209 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 16:32:04 +1030 Subject: [PATCH 235/306] copy files from vault and track ip history --- copy_vault_file_from_bastion.sh | 2 ++ user-data-auth-client-vault-token.sh | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/copy_vault_file_from_bastion.sh b/copy_vault_file_from_bastion.sh index 45ca78d..58077eb 100755 --- a/copy_vault_file_from_bastion.sh +++ b/copy_vault_file_from_bastion.sh @@ -52,6 +52,8 @@ retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.key retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/ta.key" retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.ovpn" +cp ./client.ovpn ./openvpn.conf + log "...Cleaning up" ssh -o ProxyCommand="ssh $host1 -W %h:%p" $host2 "sudo rm -frv /home/centos/tmp/*" diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 09fb83e..988a2de 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -54,6 +54,9 @@ function retry { exit $exit_status } +echo "Public IP: $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PublicIpAddress' --output=text)" +echo "Private IP: $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PrivateIpAddress' --output=text)" + # If vault cli is installed we can also perform these operations with vault cli # The necessary environment variables have to be set # export VAULT_TOKEN=$token 
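Review bot: The cleanup `ssh ... $host2 "sudo rm -frv /home/centos/tmp/*"` only runs if every preceding `retrieve_file` succeeded; with `set -e` a single failed `scp` exits the script and leaves the decrypted VPN client key and `ta.key` sitting under `/home/centos/tmp` on the client host. Register the removal as an EXIT trap right after the files are requested, e.g. `trap 'ssh -o ProxyCommand="ssh $host1 -W %h:%p" $host2 "sudo rm -rf /home/centos/tmp/*"' EXIT`, so it also runs on failure; dropping `-v` keeps the secret file names out of the log as well.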
@@ -214,7 +217,7 @@ cd /usr/local/openvpn_as/scripts/ ./sacli --user $openvpn_user --key 'prop_autologin' --value 'true' UserPropPut ./sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut ./sacli --user $openvpn_user AutoGenerateOnBehalfOf -mkdir seperate +mkdir -p seperate ./sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get5 chown $openvpn_user seperate/* /usr/local/openvpn_as/scripts/sacli start From 18509eb16e4eedfc97e3077864592819cfe0df15 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 16:54:57 +1030 Subject: [PATCH 236/306] Provide var option for use eip --- main.tf | 20 ++++++++++---------- variables.tf | 6 ++++++ 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/main.tf b/main.tf index 185929b..5e1c4cb 100644 --- a/main.tf +++ b/main.tf @@ -275,7 +275,7 @@ data "template_file" "user_data_auth_client" { #it must reside in the aws_eip resource to be able to establish a connection resource "aws_eip" "openvpnip" { - count = var.create_vpn ? 1 : 0 + count = var.create_vpn && var.use_eip ? 1 : 0 vpc = true instance = aws_instance.openvpn[count.index].id depends_on = [aws_instance.openvpn] @@ -326,7 +326,7 @@ EOT locals { private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) - public_ip = element(concat(aws_eip.openvpnip.*.public_ip, list("")), 0) + public_ip = element(concat( if( var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip ), list("")), 0) id = element(concat(aws_instance.openvpn.*.id, list("")), 0) security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip 
@@ -353,7 +353,7 @@ resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk # resource "null_resource" "provision_vpn" { # count = var.create_vpn ? 1 : 0 -# depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] +# depends_on = [local.public_ip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] # # triggers = { # # instanceid = local.id @@ -493,7 +493,7 @@ variable "start_vpn" { resource "aws_route" "private_openvpn_remote_subnet_gateway" { count = var.create_vpn ? length(var.private_route_table_ids) : 0 - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] route_table_id = element(concat(var.private_route_table_ids, list("")), count.index) destination_cidr_block = var.remote_subnet_cidr @@ -506,7 +506,7 @@ resource "aws_route" "private_openvpn_remote_subnet_gateway" { resource "aws_route" "public_openvpn_remote_subnet_gateway" { count = var.create_vpn ? length(var.public_route_table_ids) : 0 - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] route_table_id = element(concat(var.public_route_table_ids, list("")), count.index) destination_cidr_block = var.remote_subnet_cidr @@ -520,7 +520,7 @@ resource "aws_route" "public_openvpn_remote_subnet_gateway" { ### routes may be needed for traffic going back to open vpn dhcp adresses resource "aws_route" "private_openvpn_remote_subnet_vpndhcp_gateway" { count = var.create_vpn ? length(var.private_route_table_ids) : 0 - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] route_table_id = element(concat(var.private_route_table_ids, list("")), count.index) destination_cidr_block = var.vpn_cidr 
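Review bot: `depends_on = [local.public_ip, aws_route53_record.openvpn_record]` in `aws_route.private_openvpn_remote_subnet_gateway` (and the same substitution in the other route and output hunks of this commit) is not valid Terraform — `depends_on` only accepts references to resources or modules, not locals, so `terraform validate` will reject it. `aws_eip.openvpnip` is still declared (it simply has `count = 0` when `use_eip` is false), so the original reference remains valid and the instance can be added to cover the non-EIP path: `depends_on = [aws_eip.openvpnip, aws_instance.openvpn, aws_route53_record.openvpn_record]`.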
@@ -533,7 +533,7 @@ resource "aws_route" "private_openvpn_remote_subnet_vpndhcp_gateway" { resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { count = var.create_vpn ? length(var.public_route_table_ids) : 0 - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] route_table_id = element(concat(var.public_route_table_ids, list("")), count.index) destination_cidr_block = var.vpn_cidr @@ -546,7 +546,7 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { output "id" { value = local.id - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , @@ -557,7 +557,7 @@ output "id" { output "private_ip" { value = local.private_ip - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , @@ -568,7 +568,7 @@ output "private_ip" { output "public_ip" { value = local.public_ip - depends_on = [aws_eip.openvpnip, aws_route53_record.openvpn_record] + depends_on = [local.public_ip, aws_route53_record.openvpn_record] # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , diff --git a/variables.tf b/variables.tf index 4c1f7b0..78a945e 100644 --- a/variables.tf +++ b/variables.tf 
@@ -109,6 +109,12 @@ variable "openvpn_admin_pw" { } } +variable "use_eip" { + description = "Allows the provisioning of an elsatice IP" + type = bool + default = false +} + variable "vpn_cidr" { } From 85aa482de06245aa6a1d95ead5f8c6f4eb5622fe Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 17:20:35 +1030 Subject: [PATCH 237/306] correct condition --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 5e1c4cb..ceb6d80 100644 --- a/main.tf +++ b/main.tf @@ -326,7 +326,7 @@ EOT locals { private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) - public_ip = element(concat( if( var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip ), list("")), 0) + public_ip = element(concat( var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip , list("")), 0) id = element(concat(aws_instance.openvpn.*.id, list("")), 0) security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip From 51d874f3ee53598fd676fd3e71d39754bc8d43f5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 18:59:36 +1030 Subject: [PATCH 238/306] try init --- user-data-auth-client-vault-token.sh | 88 +--------------------------- 1 file changed, 2 insertions(+), 86 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 988a2de..3232cd7 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
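Review bot: The description `Allows the provisioning of an elsatice IP` is misspelled and does not tell the caller what turning the option off costs; suggested text: `"Attach an Elastic IP to the VPN instance so its public address (and the address baked into generated client profiles) survives a stop/start. When false the instance's ephemeral public IP is used and will change on stop/start."`. The consequence is worth spelling out because the module builds `vpn_address` and the `public_ip` output from this address for DNS and client configuration.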
@@ -105,94 +105,8 @@ grep -q "^HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config || echo 'HostK grep -q "^HostCertificate" /etc/ssh/sshd_config || echo 'HostCertificate' | tee --append /etc/ssh/sshd_config sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g' /etc/ssh/sshd_config - -# Retrieves the pkcs7 certificate from instance metadata -# The vault role name is filled by terraform -# The role itself is created when configuting the vault cluster -# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') -# data=$(cat < Date: Sat, 27 Feb 2021 20:31:04 +1030 Subject: [PATCH 239/306] restore default listeners --- user-data-auth-client-vault-token.sh | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 3232cd7..e360fe6 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -115,8 +115,11 @@ aws_internal_domain=${aws_internal_domain} remote_subnet_cidr=${remote_subnet_cidr} ls -la /usr/local/openvpn_as/scripts/ -# this may need to be in the image -/usr/local/openvpn_as/scripts/sacli Init + +# see https://evanhoffman.com/2014/07/22/openvpn-cli-cheat-sheet/ + +# # this may need to be in the image +# /usr/local/openvpn_as/scripts/sacli Init /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.network -v $client_network ConfigPut /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v $client_netmask_bits ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value 'true' ConfigPut 
@@ -128,17 +131,28 @@ ls -la /usr/local/openvpn_as/scripts/ /usr/local/openvpn_as/scripts/sacli --key 'vpn.client.routing.reroute_dns' --value 'true' ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.dhcp_option.domain' --value "$aws_internal_domain" ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.routing.allow_private_nets_to_clients' --value 'true' ConfigPut + +# ensure listen on interaces at default. restore ip since the old one during ami build is now invalid. +/usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.server.ip_address" --value "all" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut + /usr/local/openvpn_as/scripts/sacli start + cd /usr/local/openvpn_as/scripts/ -./sacli --user $openvpn_user --key 'prop_autologin' --value 'true' UserPropPut -./sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut -./sacli --user $openvpn_user AutoGenerateOnBehalfOf -mkdir -p seperate -./sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get5 +/usr/local/openvpn_as/scripts/sacli --user $openvpn_user --key 'prop_autologin' --value 'true' UserPropPut +/usr/local/openvpn_as/scripts/sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut +/usr/local/openvpn_as/scripts/sacli --user $openvpn_user AutoGenerateOnBehalfOf +mkdir -p /usr/local/openvpn_as/scripts/seperate +/usr/local/openvpn_as/scripts/sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get5 chown $openvpn_user seperate/* /usr/local/openvpn_as/scripts/sacli start ls -la seperate +# show entire config +/usr/local/openvpn_as/scripts/sacli ConfigQuery + ### Store Generated keys with vault echo "Storing keys with vault..." 
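Review bot: `/usr/local/openvpn_as/scripts/sacli ConfigQuery` at the end of the hunk dumps the entire OpenVPN AS configuration database into the cloud-init log, and the script enables `set -x` earlier in the file; if any secret-bearing settings are ever configured (LDAP bind or RADIUS shared secrets, for example) they would land in that log, so remove the dump or gate it behind a debug flag with a comment such as `# Debug only: prints every config key, including any auth-backend secrets`. Resetting `vpn.daemon.0.listen.ip_address` to `all` before `sacli start` is reasonable, but the two `sacli start` calls bracketing the user setup look redundant — the first one, before the user and profile exist, can probably go.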
From 1afbb9b0bd4c47042d4734f0febb7013cf0d6ca9 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 27 Feb 2021 20:56:43 +1030 Subject: [PATCH 240/306] public_ip fix --- user-data-auth-client-vault-token.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index e360fe6..8428663 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -54,8 +54,11 @@ function retry { exit $exit_status } -echo "Public IP: $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PublicIpAddress' --output=text)" -echo "Private IP: $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PrivateIpAddress' --output=text)" +export AWS_DEFAULT_REGION=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/\(.*\)[a-z]/\1/') +public_ip=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PublicIpAddress' --output=text) +echo "Public IP: $public_ip" +private_ip=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PrivateIpAddress' --output=text) +echo "Private IP: $private_ip" # If vault cli is installed we can also perform these operations with vault cli # The necessary environment variables have to be set @@ -137,6 +140,7 @@ ls -la /usr/local/openvpn_as/scripts/ /usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut /usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut /usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key "host.name" --value "$public_ip" ConfigPut /usr/local/openvpn_as/scripts/sacli start From 84797acf33943a81bfd9a667c103caa18f53b522 Mon Sep 17 00:00:00 2001 
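Review bot: `host.name` is set from `$public_ip`, which in this commit is the output of `aws ec2 describe-instances` with no `--instance-ids` filter, so it holds the public address of every instance in the region (space-separated) rather than this host's; filter on the instance id from metadata or read `meta-data/public-ipv4` directly, and fail the script if the result is empty rather than baking an empty or multi-valued hostname into every generated client profile. If `route_public_domain_name` is set on the Terraform side, the profile should presumably carry the DNS name (`vpn_address`) rather than the raw IP, otherwise clients break on the next address change when `use_eip` is false.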
From: Andrew Graham Date: Sat, 27 Feb 2021 21:06:35 +1030 Subject: [PATCH 241/306] update ip aquisition method --- user-data-auth-client-vault-token.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 8428663..e246ec1 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -55,10 +55,8 @@ function retry { } export AWS_DEFAULT_REGION=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/\(.*\)[a-z]/\1/') -public_ip=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PublicIpAddress' --output=text) -echo "Public IP: $public_ip" -private_ip=$(aws ec2 describe-instances --query 'Reservations[*].Instances[*].PrivateIpAddress' --output=text) -echo "Private IP: $private_ip" +public_ip=$(curl http://169.254.169.254/latest/meta-data/public-ipv4); echo "Public IP: $public_ip" +private_ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4); echo "Private IP: $private_ip" # If vault cli is installed we can also perform these operations with vault cli # The necessary environment variables have to be set From 4184a7865781bfe1da920ab66e74d1ebde7b27a2 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 28 Feb 2021 08:55:34 +1030 Subject: [PATCH 242/306] relocate file requests to vagrant --- copy_vault_file_from_bastion.sh | 60 ------------------- request_vault_file.sh | 101 -------------------------------- 2 files changed, 161 deletions(-) delete mode 100755 copy_vault_file_from_bastion.sh delete mode 100755 request_vault_file.sh diff --git a/copy_vault_file_from_bastion.sh b/copy_vault_file_from_bastion.sh deleted file mode 100755 index 58077eb..0000000 --- a/copy_vault_file_from_bastion.sh +++ /dev/null 
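Review bot: The new `curl http://169.254.169.254/...` calls use unauthenticated IMDSv1 with no `-s`/`-f` and no empty-result check; on an instance launched with `http_tokens = required` they return 401, `$public_ip` ends up empty, and the script goes on to write an empty `host.name` into the OpenVPN config. Fetch an IMDSv2 session token first, fail fast if either address is blank, and apply the same token to the `AWS_DEFAULT_REGION` lookup on the line above.
```shell
# … unchanged: export AWS_DEFAULT_REGION=… (should also use the IMDSv2 token) …
imds_token=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
public_ip=$(curl -sf -H "X-aws-ec2-metadata-token: $imds_token" http://169.254.169.254/latest/meta-data/public-ipv4)
private_ip=$(curl -sf -H "X-aws-ec2-metadata-token: $imds_token" http://169.254.169.254/latest/meta-data/local-ipv4)
[[ -n "$public_ip" && -n "$private_ip" ]] || { echo "Could not read instance addresses from IMDS" >&2; exit 1; }
echo "Public IP: $public_ip"; echo "Private IP: $private_ip"
```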
@@ -1,60 +0,0 @@ -#!/bin/bash -# This script aquires needed vpn client files from vault to an intermediary bastion - -set -e - -if [[ -z "$1" ]]; then - echo "Error: 1st arg bastion host must be provided. eg:" - echo "VAULT_TOKEN=s.kjh1k4jfdsfhkNe ./copy_vault_file_from_bastion.sh centos@ec2-3-25-143-13.ap-southeast-2.compute.amazonaws.com centos@i-0df3060971160cdd6.node.consul" - exit 1 -fi - -if [[ -z "$2" ]]; then - echo "Error: 2nd arg vault client must be provided. eg: centos@i-00265f3f7614cbbee.node.consul" - echo "VAULT_TOKEN=s.kjh1k4jfdsfhkNe ./copy_vault_file_from_bastion.sh centos@ec2-3-25-143-13.ap-southeast-2.compute.amazonaws.com centos@i-0df3060971160cdd6.node.consul" - exit 1 -fi - -if [[ -z "$2" ]]; then - echo "Error: env var VAULT_TOKEN must be provided. eg: VAULT_TOKEN=s.kjh1k4jfdsfhkNe" - echo "VAULT_TOKEN=s.kjh1k4jfdsfhkNe ./copy_vault_file_from_bastion.sh centos@ec2-3-25-143-13.ap-southeast-2.compute.amazonaws.com centos@i-0df3060971160cdd6.node.consul" - exit 1 -fi - -host1="$1" -host2="$2" - -# Log the given message. All logs are written to stderr with a timestamp. -function log { - local -r message="$1" - local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") - >&2 echo -e "$timestamp $message" -} - -log "Requesting files from vault to client in private subnet" -ssh -o ProxyCommand="ssh $host1 -W %h:%p" $host2 "VAULT_TOKEN=$VAULT_TOKEN bash -s" < ./request_vault_file.sh main - -function retrieve_file { - local -r source_path="$1" - local -r target_path="$(basename $source_path)" - - scp -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa -o ProxyCommand="ssh -i ~/.ssh/id_rsa-cert.pub -i ~/.ssh/id_rsa -W %h:%p $host1" $host2:$source_path ./json_blob.json - jq -r .file json_blob.json | tee $target_path - rm ./json_blob.json - chmod 0600 $target_path -} - -# Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. 
- -retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/ca.crt" -retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.crt" -retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.key" -retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/ta.key" -retrieve_file "/home/centos/tmp/usr/local/openvpn_as/scripts/seperate/client.ovpn" - -cp ./client.ovpn ./openvpn.conf - -log "...Cleaning up" -ssh -o ProxyCommand="ssh $host1 -W %h:%p" $host2 "sudo rm -frv /home/centos/tmp/*" - -echo "Done." \ No newline at end of file diff --git a/request_vault_file.sh b/request_vault_file.sh deleted file mode 100755 index a01cbf3..0000000 --- a/request_vault_file.sh +++ /dev/null 
@@ -1,101 +0,0 @@ -#!/bin/bash -# This script aquires needed vpn client files from vault to an intermediary bastion - -set -e - -if [[ -z "$1" ]]; then - echo "Error: Arg dev/green/blue/main must be provided." - exit 1 -fi - -resourcetier="$1" -attempts=1 - -# Log the given message. All logs are written to stderr with a timestamp. -function log { - local -r message="$1" - local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") - >&2 echo -e "$timestamp $message" -} - -# A retry function that attempts to run a command a number of times and returns the output -function retry { - local -r cmd="$1" - local -r description="$2" - - for i in $(seq 1 $attempts); do - log "$description" - - # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the - # beginning of this script which exits the script immediatelly for error status while not losing the exit status code - output=$(eval "$cmd") && exit_status=0 || exit_status=$? - errors=$(echo "$output") | grep '^{' | jq -r .errors - - log "$output" - - if [[ $exit_status -eq 0 && -z "$errors" ]]; then - echo "$output" - return - fi - log "$description failed. Will sleep for 10 seconds and try again." - sleep 10 - done; - - log "$description failed after 30 attempts." - exit $exit_status -} -# export VAULT_TOKEN=${vault_token} -export VAULT_ADDR=https://vault.service.consul:8200 - -# Retry and wait for the Vault Agent to write the token out to a file. 
This could be -# because the Vault server is still booting and unsealing, or because run-consul -# running on the background didn't finish yet -retry \ - "vault login --no-print $VAULT_TOKEN" \ - "Waiting for Vault login" - -# vault login -method=aws header_value=vault.example.com role=dev-role-iam \ -# aws_access_key_id= \ -# aws_secret_access_key= - -# # We can then use the client token from the login output once login was successful -# token=$(cat /opt/vault/data/vault-token) - -# /opt/vault/bin/vault read secret/example_gruntwork -echo "Aquiring vault data..." -# data=$(vault kv get -format=json /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt) - -function retrieve_file { - local -r source_path="$1" - if [[ -z "$2" ]]; then - local -r target_path="$source_path" - else - local -r target_path="$2" - fi - # target_path=/usr/local/openvpn_as/scripts/seperate/ca.crt - # vault kv get -format=json /${resourcetier}/files/$target_path > /usr/local/openvpn_as/scripts/seperate/ca_test.crt - - local -r response=$(retry \ - "vault kv get -format=json /$resourcetier/files/$source_path" \ - "Trying to read secret from vault") - sudo mkdir -p $(dirname $target_path) # ensure the directory exists - echo $response | jq -r .data.data | sudo tee $target_path # retrieve full json blob to later pass permissions if required. - # skipping permissions - # local -r permissions=$(echo $response | jq -r .data.data.permissions) - # local -r uid=$(echo $response | jq -r .data.data.uid) - # local -r gid=$(echo $response | jq -r .data.data.gid) - # echo "Setting:" - # echo "uid:$uid gid:$gid permissions:$permissions target_path:$target_path" - # sudo chown $uid:$gid $target_path - # sudo chmod $permissions $target_path -} - -# Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. 
- -retrieve_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/ca.crt" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.crt" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/client.crt" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.key" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/client.key" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/ta.key" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/ta.key" -retrieve_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" "$HOME/tmp/usr/local/openvpn_as/scripts/seperate/client.ovpn" - -echo "Done." \ No newline at end of file From a2eecc19af9841679faa329077badb5087a13b10 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 28 Feb 2021 09:50:05 +1030 Subject: [PATCH 243/306] provide missing vars --- variables.tf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/variables.tf b/variables.tf index 78a945e..84d01a6 100644 --- a/variables.tf +++ b/variables.tf @@ -45,9 +45,6 @@ variable "remote_ssh_ip_cidr" { description = "The IP used to ssh to the access server for admin." } -variable "remote_subnet_cidr" { -} - variable "public_subnet_ids" { default = [] } @@ -116,9 +113,19 @@ variable "use_eip" { } variable "vpn_cidr" { + description = "The CIDR range that the vpn will assign using DHCP. These are virtual addresses for routing traffic." + type = string +} + +variable "remote_subnet_cidr" { + description = "The subnet CIDR Range of your onsite private subnet. This is also the subnet where your VPN client resides in. eg: 192.168.1.0/24" + type = string } variable "public_domain_name" { + description = "(Optional) The public domain if required for DNS names of hosts eg: vpn.example.com" + type = string + default = null } variable "route_zone_id" { From 52e812c11fabd9dd77005b5670ffc5775a43a76e Mon Sep 17 00:00:00 2001 
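Review bot: `remote_subnet_cidr` and `vpn_cidr` are typed as `string` but not validated, and elsewhere in this module they feed `aws_route` destinations and the all-protocol ingress rule of the OpenVPN security group, so a typo or an over-broad value such as `0.0.0.0/0` silently becomes an allow-all rule and a default route through the VPN host. If the Terraform version in use supports it (the `list("")` syntax elsewhere suggests 0.12, where `validation` needs the experiment enabled), add a validation block to each; otherwise at least document the constraint in the descriptions.
```hcl
variable "remote_subnet_cidr" {
  description = "The subnet CIDR range of your onsite private subnet. This is also the subnet where your VPN client resides in. eg: 192.168.1.0/24"
  type        = string
  validation {
    condition     = can(cidrhost(var.remote_subnet_cidr, 0)) && var.remote_subnet_cidr != "0.0.0.0/0"
    error_message = "remote_subnet_cidr must be a specific IPv4 CIDR block, not 0.0.0.0/0."
  }
}
# … same validation block for vpn_cidr …
```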
From: Andrew Graham Date: Sun, 28 Feb 2021 10:34:14 +1030 Subject: [PATCH 244/306] Test get1 vpn file --- user-data-auth-client-vault-token.sh | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index e246ec1..7072c12 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -147,7 +147,7 @@ cd /usr/local/openvpn_as/scripts/ /usr/local/openvpn_as/scripts/sacli --user $openvpn_user --key 'c2s_route.0' --value "$remote_subnet_cidr" UserPropPut /usr/local/openvpn_as/scripts/sacli --user $openvpn_user AutoGenerateOnBehalfOf mkdir -p /usr/local/openvpn_as/scripts/seperate -/usr/local/openvpn_as/scripts/sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get5 +/usr/local/openvpn_as/scripts/sacli -o ./seperate --cn "${openvpn_user}_AUTOLOGIN" get1 chown $openvpn_user seperate/* /usr/local/openvpn_as/scripts/sacli start ls -la seperate @@ -203,15 +203,10 @@ function store_file { fi } +# Store generated certs in vault - - -# # Retrieve previously generated secrets from Vault. Would be better if we can use vault as an intermediary to generate certs. - -store_file "/usr/local/openvpn_as/scripts/seperate/ca.crt" -store_file "/usr/local/openvpn_as/scripts/seperate/client.crt" -store_file "/usr/local/openvpn_as/scripts/seperate/client.key" -store_file "/usr/local/openvpn_as/scripts/seperate/ta.key" -store_file "/usr/local/openvpn_as/scripts/seperate/client.ovpn" +for filename in /usr/local/openvpn_as/scripts/seperate/*; do + store_file "$filename" +done echo "Done." From 083e729cb935d0482534a5d0d43a7917f3c36402 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 1 Mar 2021 11:50:22 +1030 Subject: [PATCH 245/306] cleanup-vars --- main.tf | 14 +++++++------- user-data-auth-client-vault-token.sh | 4 ++-- variables.tf | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/main.tf b/main.tf index ceb6d80..3765277 100644 
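Review bot: The `for filename in /usr/local/openvpn_as/scripts/seperate/*` loop silently succeeds when the directory is empty — the unexpanded glob is handed to `store_file`, whose `sudo test -f` just skips it — so a failed `get1` stores nothing in Vault and the script still prints `Done.`; add `shopt -s nullglob` before the loop and fail when nothing was stored, e.g. `stored=0; for …; do store_file "$filename"; stored=1; done; [[ $stored -eq 1 ]] || { echo "no client profile generated" >&2; exit 1; }`. The loop also uploads whatever else is left in `seperate/` from the AMI build or an earlier run, and what `get1` produces there is presumably an autologin profile, i.e. a bearer credential for the VPN, so the Vault policy granting reads on `$resourcetier/files/*` deserves the same scrutiny as the client key itself.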
--- a/main.tf +++ b/main.tf @@ -24,7 +24,7 @@ resource "aws_security_group" "openvpn" { protocol = "-1" from_port = 0 to_port = 0 - cidr_blocks = [var.vpc_cidr, var.vpn_cidr, var.remote_subnet_cidr] + cidr_blocks = [var.vpc_cidr, var.vpn_cidr, var.onsite_private_subnet_cidr] description = "all incoming traffic from vpc, vpn dhcp, and remote subnet" } @@ -267,7 +267,7 @@ data "template_file" "user_data_auth_client" { private_subnet1 = element(var.private_subnets, 0) public_subnet1 = element(var.public_subnets, 0) aws_internal_domain = ".consul" - remote_subnet_cidr = var.remote_subnet_cidr + onsite_private_subnet_cidr = var.onsite_private_subnet_cidr } } @@ -462,12 +462,12 @@ resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk # command = < Date: Tue, 2 Mar 2021 12:14:28 +1030 Subject: [PATCH 246/306] update vars, reanme and disable profiles --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 3765277..5175169 100644 --- a/main.tf +++ b/main.tf @@ -207,8 +207,8 @@ resource "aws_instance" "openvpn" { depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] ami = var.ami # ami = local.ami - # needs VPNServerRole - iam_instance_profile = "VPNServerProfile" + # needs VPNServerRole_${var.conflictkey} + # iam_instance_profile = "VPNServerProfile_${var.conflictkey}" # this profile is temporarily disabled while testing passing through a vault token that is revoked. instance_type = var.instance_type key_name = var.aws_key_name subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] From 94f7c7e5e8544b39e02f40409000a6104c238232 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 13:47:19 +1030 Subject: [PATCH 247/306] auto generate and write vault --- user-data-auth-client-vault-token.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 12fd82f..c570cd4 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -6,10 +6,9 @@ set -e admin_user="${openvpn_admin_user}" -admin_pw="${openvpn_admin_pw}" - +admin_pw="$(openssl rand -base64 12)" # auto generate instance pass and store in vault after vault login. openvpn_user="${openvpn_user}" # TODO temporary use of admin for testing. Should be replaced with another user. -openvpn_user_pw="${openvpn_user_pw}" +openvpn_user_pw="$(openssl rand -base64 12)" resourcetier="${resourcetier}" # TODO these will be replaced with calls to vault. @@ -155,9 +154,13 @@ ls -la seperate # show entire config /usr/local/openvpn_as/scripts/sacli ConfigQuery -### Store Generated keys with vault +### Store Generated keys and password with vault echo "Storing keys with vault..." + +vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value=${admin_pw} +vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value=${openvpn_user_pw} + function retrieve_file { local -r file_path="$1" local -r response=$(retry \ From 2ec70d2d2491b8f510dc7e77ba6972232c2c3d5c Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 16:41:43 +1030 Subject: [PATCH 248/306] fix vars for auto generate password --- main.tf | 4 ++-- variables.tf | 40 ++++++++++++++++++++-------------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/main.tf b/main.tf index 5175169..94877fd 100644 --- a/main.tf +++ b/main.tf 
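Review bot: Both `vault kv patch … value=${admin_pw}` lines pass the freshly generated password as a command-line argument, so it is visible in `ps` and `/proc/*/cmdline` while the command runs and, since this script is traced with `set -x` into user-data.log and syslog, it is written to the logs as well. The Vault CLI reads a value from stdin when the argument is given as `value=-`, e.g. `printf '%s' "$admin_pw" | vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value=-`, and likewise for `openvpn_user_pw`. The later rewrites of these two lines (the hunks in patches 249, 253, 254 and 255) fix quoting and tracing but keep the argument form, so the same applies there.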
@@ -256,9 +256,9 @@ data "template_file" "user_data_auth_client" { consul_cluster_tag_value = var.consul_cluster_name example_role_name = var.example_role_name openvpn_admin_user = var.openvpn_admin_user - openvpn_admin_pw = var.openvpn_admin_pw + # openvpn_admin_pw = var.openvpn_admin_pw openvpn_user = var.openvpn_user - openvpn_user_pw = var.openvpn_user_pw + # openvpn_user_pw = var.openvpn_user_pw resourcetier = var.resourcetier vault_token = vault_token.vpn_admin.client_token diff --git a/variables.tf b/variables.tf index 9cdd6c1..81a7e7e 100644 --- a/variables.tf +++ b/variables.tf 
@@ -79,32 +79,32 @@ variable "instance_type" { variable "openvpn_user" { } -variable "openvpn_user_pw" { - description = "The user password used to login to Open VPN Access Server." - type = string - validation { - condition = ( - length(var.openvpn_user_pw) >= 8 - ) - error_message = "The openvpn_user_pw configured in vault must be at least 8 characters in length." - } -} +# variable "openvpn_user_pw" { +# description = "The user password used to login to Open VPN Access Server." +# type = string +# validation { +# condition = ( +# length(var.openvpn_user_pw) >= 8 +# ) +# error_message = "The openvpn_user_pw configured in vault must be at least 8 characters in length." +# } +# } variable "openvpn_admin_user" { description = "The admin user name used to configure OpenVPN Access Server" default = "openvpnas" } -variable "openvpn_admin_pw" { - description = "The admin password used to login to Open VPN Access Server." - type = string - validation { - condition = ( - length(var.openvpn_admin_pw) >= 8 - ) - error_message = "The openvpn_admin_pw configured in vault must be at least 8 characters in length." - } -} +# variable "openvpn_admin_pw" { +# description = "The admin password used to login to Open VPN Access Server." +# type = string +# validation { +# condition = ( +# length(var.openvpn_admin_pw) >= 8 +# ) +# error_message = "The openvpn_admin_pw configured in vault must be at least 8 characters in length." +# } +# } variable "use_eip" { description = "Allows the provisioning of an elsatice IP" From d99239e2dafe64b6304e1a46ea8e9647808072ad Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 16:53:27 +1030 Subject: [PATCH 249/306] update ref to bad var --- user-data-auth-client-vault-token.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index c570cd4..d295fa9 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
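Review bot: The two password variables are left in `variables.tf` as commented-out blocks rather than removed, and the main.tf hunk in this patch does the same with the two `template_file` vars; git history already preserves them, and dead blocks with a `validation` clause tend to be mistaken for live policy. With the passwords now generated on the instance and written to Vault, the "at least 8 characters" validation those blocks carried is no longer enforced anywhere in Terraform, so a comment should record where the policy now lives, e.g. `# openvpn_admin_pw / openvpn_user_pw are generated in user-data-auth-client-vault-token.sh and stored in Vault; no Terraform input or validation applies`.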
@@ -158,8 +158,8 @@ ls -la seperate echo "Storing keys with vault..." -vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value=${admin_pw} -vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value=${openvpn_user_pw} +vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" +vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" function retrieve_file { local -r file_path="$1" From 142cf891f86a403286aa3e3d1d9cc24ea537c248 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 17:18:00 +1030 Subject: [PATCH 250/306] fix vpn ref to tag key and value - missing --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 81a7e7e..8628f71 100644 --- a/variables.tf +++ b/variables.tf @@ -16,7 +16,7 @@ variable "example_role_name" { variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" type = string - default = "consul-example" + # default = "consul-example" } variable "consul_cluster_tag_key" { From 3e8c4670606ce4c6d21158633f79847912cc8c24 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 18:11:22 +1030 Subject: [PATCH 251/306] missing server profile --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 94877fd..3fdb789 100644 --- a/main.tf +++ b/main.tf 
@@ -208,7 +208,7 @@ resource "aws_instance" "openvpn" { ami = var.ami # ami = local.ami # needs VPNServerRole_${var.conflictkey} - # iam_instance_profile = "VPNServerProfile_${var.conflictkey}" # this profile is temporarily disabled while testing passing through a vault token that is revoked. + iam_instance_profile = "VPNServerProfile_${var.conflictkey}" instance_type = var.instance_type key_name = var.aws_key_name subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] From 800fa98ad8e95d691439e5deb74c9ccdcad8c641 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 18:15:30 +1030 Subject: [PATCH 252/306] update missing conflict key var --- variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/variables.tf b/variables.tf index 8628f71..63aacaa 100644 --- a/variables.tf +++ b/variables.tf @@ -8,6 +8,11 @@ variable "pipelineid" { type = string default = "0" } + +variable "conflictkey" { + description = "The conflictkey is a unique name for each deployement usuallly consisting of the resourcetier and the pipeid." + type = string +} variable "example_role_name" { description = "The name of the vault role. (Note: This is not the AWS role name.)" type = string From c7917c2bed1d77d4cceef6d158173eae69aaba25 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 18:36:19 +1030 Subject: [PATCH 253/306] need to use put and not update for security --- user-data-auth-client-vault-token.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index d295fa9..788ae13 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
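Review bot: The `description` of the new `conflictkey` variable has several typos ("deployement", "usuallly", "pipeid") and, judging by the `pipelineid` variable in the hunk context just above it, presumably means that variable; suggested wording: `description = "The conflictkey is a unique name for each deployment, usually consisting of the resourcetier and the pipelineid."`. Leaving it without a default is appropriate, since it is used as a naming component for the instance profile in the preceding main.tf hunk.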
@@ -158,8 +158,8 @@ ls -la seperate echo "Storing keys with vault..." -vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" -vault kv patch -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" +vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" +vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" function retrieve_file { local -r file_path="$1" From 67da6411d354ca428757265fe77ec0093ffcb021 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 18:45:38 +1030 Subject: [PATCH 254/306] hide history --- user-data-auth-client-vault-token.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 788ae13..1cb5f8c 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -4,12 +4,13 @@ # built from the Packer template in examples/vault-consul-ami/vault-consul.json. set -e +set +o history -admin_user="${openvpn_admin_user}" -admin_pw="$(openssl rand -base64 12)" # auto generate instance pass and store in vault after vault login. -openvpn_user="${openvpn_user}" # TODO temporary use of admin for testing. Should be replaced with another user. -openvpn_user_pw="$(openssl rand -base64 12)" -resourcetier="${resourcetier}" + admin_user="${openvpn_admin_user}" + admin_pw="$(openssl rand -base64 12)" # auto generate instance pass and store in vault after vault login. + openvpn_user="${openvpn_user}" # TODO temporary use of admin for testing. Should be replaced with another user. + openvpn_user_pw="$(openssl rand -base64 12)" + resourcetier="${resourcetier}" # TODO these will be replaced with calls to vault. # Send the log output from this script to user-data.log, syslog, and the console 
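Review bot: Switching `vault kv patch` to `vault kv put` changes the write semantics and the reason should be recorded next to the lines, since "for security" in the commit message does not say what changed: `put` creates the path when it does not yet exist (where `patch` presumably failed on a missing secret) and replaces the whole secret, which is fine here because each path holds only `value`. It does not make the previous password unrecoverable, though — `patch` only works on KV v2 mounts, and on KV v2 a `put` adds a new version while earlier versions stay readable until they are destroyed. A comment such as `# put rather than patch: creates the path on first boot; note prior versions remain in KV v2 history` would make the intent and the limitation explicit.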
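Review bot: `set +o history` has no effect in this context: bash records command history only in interactive shells, and this script runs non-interactively from instance user data, so neither it nor the matching `set -o history` added in the third hunk of this patch hides anything. The password exposure that does exist comes from the `set -x` trace going to user-data.log and syslog and from the passwords appearing as `vault kv put` arguments, which this hunk does not change. Re-indenting the five assignments by one space is also cosmetic noise in the diff; if the lines are meant to look like a guarded region, a comment saying so would be clearer than indentation.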
@@ -158,8 +159,8 @@ ls -la seperate echo "Storing keys with vault..." -vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" -vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" + vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" + vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" function retrieve_file { local -r file_path="$1" @@ -212,4 +213,5 @@ for filename in /usr/local/openvpn_as/scripts/seperate/*; do store_file "$filename" done +set -o history echo "Done." From 91eaaa0644011ffdc4b0396c4d100dd258896e85 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 18:51:12 +1030 Subject: [PATCH 255/306] hide vault input --- user-data-auth-client-vault-token.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 1cb5f8c..c314f4b 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -158,9 +158,10 @@ ls -la seperate ### Store Generated keys and password with vault echo "Storing keys with vault..." - +set +x vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" +set -x function retrieve_file { local -r file_path="$1" From bcf14e90bbd87254d917af4eb5f6744d9401f35f Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 2 Mar 2021 18:57:17 +1030 Subject: [PATCH 256/306] update destroy --- user-data-auth-client-vault-token.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index c314f4b..7d8eb66 100644 --- a/user-data-auth-client-vault-token.sh 
+++ b/user-data-auth-client-vault-token.sh @@ -106,8 +106,6 @@ grep -q "^HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config || echo 'HostK grep -q "^HostCertificate" /etc/ssh/sshd_config || echo 'HostCertificate' | tee --append /etc/ssh/sshd_config sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g' /etc/ssh/sshd_config -set -x - client_network=${client_network} client_netmask_bits=${client_netmask_bits} private_subnet1=${private_subnet1} @@ -161,7 +159,6 @@ echo "Storing keys with vault..." set +x vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" -set -x function retrieve_file { local -r file_path="$1" From c986da22153b31507ba87c7d48986abd563b2535 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 7 Mar 2021 11:47:58 +1030 Subject: [PATCH 257/306] py3-command-change --- user-data-auth-client-vault-token.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 7d8eb66..2865c20 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -192,7 +192,7 @@ function store_file { else octal_permissions=$(sudo stat --format '%a' $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev) # clip to 4 zeroes fi - octal_permissions=$( python -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes + octal_permissions=$( python3 -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes vault kv patch -address="$VAULT_ADDR" -format=json $target permissions="$octal_permissions" file_uid="$(sudo stat --format '%u' $file_path)" vault kv patch -address="$VAULT_ADDR" -format=json $target owner="$(sudo id -un -- $file_uid)" From c9780d0261487460a2b5acba351f585e7b6c8f42 Mon Sep 17 00:00:00 2001 
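Review bot: The `python3 -c "print( \"$octal_permissions\".zfill(4) )"` call exists only to zero-pad the mode string, which adds a python3 dependency on the image and splices a shell variable into Python source; bash can do the same with `octal_permissions=$(printf '%04d' "$octal_permissions")`, since the mode string is all digits. The enclosing `store_file` function starts before this hunk. On the context line above, `sudo stat --format '%a' $file_path` leaves `$file_path` unquoted, which is inconsistent with the quoted `store_file "$filename"` call site and breaks on paths containing whitespace.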
From: Andrew Graham Date: Tue, 16 Mar 2021 21:19:24 +1030 Subject: [PATCH 258/306] vpn-role-from-backend --- main.tf | 12 +++++++++++- variables.tf | 15 ++++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 3fdb789..56a3e7f 100644 --- a/main.tf +++ b/main.tf @@ -202,13 +202,23 @@ resource "null_resource" "bastion_dependency" { # value = local.ami # } +data "terraform_remote_state" "openvpn_profile" { # read the arn with data.terraform_remote_state.packer_profile.outputs.instance_role_arn, or read the profile name with data.terraform_remote_state.packer_profile.outputs.instance_profile_name + backend = "s3" + config = { + bucket = "state.terraform.${var.bucket_extension_vault}" + key = "${var.resourcetier_vault}/${var.vpcname_vault}-terraform-aws-iam-profile-openvpn/terraform.tfstate" + region = data.aws_region.current.name + } +} + resource "aws_instance" "openvpn" { count = var.create_vpn ? 1 : 0 depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] ami = var.ami # ami = local.ami # needs VPNServerRole_${var.conflictkey} - iam_instance_profile = "VPNServerProfile_${var.conflictkey}" + # iam_instance_profile = "VPNServerProfile_${var.conflictkey}" + iam_instance_profile = data.terraform_remote_state.openvpn_profile.instance_profile_name instance_type = var.instance_type key_name = var.aws_key_name subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] diff --git a/variables.tf b/variables.tf index 63aacaa..865802c 100644 --- a/variables.tf +++ b/variables.tf 
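Review bot: `iam_instance_profile = data.terraform_remote_state.openvpn_profile.instance_profile_name` omits the `outputs` attribute — values from a `terraform_remote_state` data source are read as `data.terraform_remote_state.openvpn_profile.outputs.instance_profile_name`, which is in fact what the trailing comment on the data block describes, although that comment names a `packer_profile` data source that is not the one declared here. Reading another stack's state file also gives this configuration read access to everything in that state, not just the profile name, so the IAM permissions on the `state.terraform.${var.bucket_extension_vault}` bucket key should be scoped with that in mind; passing the profile name in as an input variable avoids the dependency entirely.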
@@ -164,4 +164,17 @@ variable "public_route_table_ids" {} variable "private_domain_name" {} -variable "ami" {} \ No newline at end of file +variable "ami" {} + +variable "bucket_extension_vault" { + description = "The bucket extension where the terraform remote state resides" + type = string +} +variable "resourcetier_vault" { + description = "The resourcetier the desired vault vpc resides in" + type = string +} +variable "vpcname_vault" { + description = "A namespace component defining the location of the terraform remote state" + type = string +} \ No newline at end of file From 817949e5373174b6780c799c4405e91838ad81a9 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 16 Mar 2021 21:53:37 +1030 Subject: [PATCH 259/306] correct role name to pass through by data --- main.tf | 12 ++---------- variables.tf | 26 +++++++++++++++----------- 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/main.tf b/main.tf index 56a3e7f..616c442 100644 --- a/main.tf +++ b/main.tf @@ -202,15 +202,6 @@ resource "null_resource" "bastion_dependency" { # value = local.ami # } -data "terraform_remote_state" "openvpn_profile" { # read the arn with data.terraform_remote_state.packer_profile.outputs.instance_role_arn, or read the profile name with data.terraform_remote_state.packer_profile.outputs.instance_profile_name - backend = "s3" - config = { - bucket = "state.terraform.${var.bucket_extension_vault}" - key = "${var.resourcetier_vault}/${var.vpcname_vault}-terraform-aws-iam-profile-openvpn/terraform.tfstate" - region = data.aws_region.current.name - } -} - resource "aws_instance" "openvpn" { count = var.create_vpn ? 1 : 0 depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] 
@@ -218,7 +209,8 @@ resource "aws_instance" "openvpn" { # ami = local.ami # needs VPNServerRole_${var.conflictkey} # iam_instance_profile = "VPNServerProfile_${var.conflictkey}" - iam_instance_profile = data.terraform_remote_state.openvpn_profile.instance_profile_name + # iam_instance_profile = data.terraform_remote_state.openvpn_profile.instance_profile_name + iam_instance_profile = var.iam_instance_profile_name instance_type = var.instance_type key_name = var.aws_key_name subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] diff --git a/variables.tf b/variables.tf index 865802c..a622c4a 100644 --- a/variables.tf +++ b/variables.tf @@ -166,15 +166,19 @@ variable "private_domain_name" {} variable "ami" {} -variable "bucket_extension_vault" { - description = "The bucket extension where the terraform remote state resides" - type = string -} -variable "resourcetier_vault" { - description = "The resourcetier the desired vault vpc resides in" - type = string +variable "iam_instance_profile_name" { + description = "The name of the instance profile to attach to the VPN" + type = string } -variable "vpcname_vault" { - description = "A namespace component defining the location of the terraform remote state" - type = string -} \ No newline at end of file +# variable "bucket_extension_vault" { +# description = "The bucket extension where the terraform remote state resides" +# type = string +# } +# variable "resourcetier_vault" { +# description = "The resourcetier the desired vault vpc resides in" +# type = string +# } +# variable "vpcname_vault" { +# description = "A namespace component defining the location of the terraform remote state" +# type = string +# } \ No newline at end of file From 091e329b494479e806ce197ba636b357669d7f6e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Wed, 17 Mar 2021 12:46:30 +1030 Subject: [PATCH 260/306] add query token capabilities --- user-data-auth-client-vault-token.sh | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 2865c20..d9930bd 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -73,6 +73,9 @@ retry \ "vault login --no-print ${vault_token}" \ "Waiting for Vault login" +log "vault token capabilities $resourcetier" +vault token capabilities $resourcetier + log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. trusted_ca="/etc/ssh/trusted-user-ca-keys.pem" From 1d92cedb66a540ebbc44ae07e821a23c8ac806b5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Wed, 17 Mar 2021 13:23:12 +1030 Subject: [PATCH 261/306] test more capabilities list --- user-data-auth-client-vault-token.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index d9930bd..38fa12e 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -75,6 +75,8 @@ retry \ log "vault token capabilities $resourcetier" vault token capabilities $resourcetier +vault token capabilities $dev/data/files +vault token capabilities $dev/files log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. From daf1b067083cac193cc31e9b944c9fcaf64105d4 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Wed, 17 Mar 2021 21:16:36 +1030 Subject: [PATCH 262/306] cleanup --- user-data-auth-client-vault-token.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 38fa12e..452cf28 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
@@ -74,9 +74,6 @@ retry \ "Waiting for Vault login" log "vault token capabilities $resourcetier" -vault token capabilities $resourcetier -vault token capabilities $dev/data/files -vault token capabilities $dev/files log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. From e43fcd7da9b400cdb35cf9d8e9c7d5893255939f Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Fri, 19 Mar 2021 21:43:40 +1030 Subject: [PATCH 263/306] gitignore-tfplan --- gitignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 gitignore diff --git a/gitignore b/gitignore new file mode 100644 index 0000000..d61e3c1 --- /dev/null +++ b/gitignore @@ -0,0 +1,2 @@ +# plan files are temporary +**/tfplan \ No newline at end of file From 97689def5d8f744870234245af0b805b7de90fd0 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 22 Mar 2021 13:19:59 +1030 Subject: [PATCH 264/306] vpn-iam-auth-method --- main.tf | 135 +++++---------------------- user-data-auth-client-vault-token.sh | 28 ++++-- 2 files changed, 44 insertions(+), 119 deletions(-) diff --git a/main.tf b/main.tf index 616c442..4561eba 100644 --- a/main.tf +++ b/main.tf 
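Review bot: The new file is created as `gitignore`, without the leading dot, so git never reads it and `**/tfplan` is not actually ignored; the rule belongs in a file named `.gitignore`. This matters because a saved Terraform plan file contains the resolved values of variables and state, including any secrets, in plaintext, so committing one leaks them into the repository history.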
@@ -112,96 +112,6 @@ resource "null_resource" "bastion_dependency" { bastion_dependency = var.bastion_dependency } } - -# These filters below aquire the ami for your region. If they are not working in your region try running: -# aws ec2 describe-images --image-ids {image id} -# and then progress to filtering from that information instead of the image id: -# aws ec2 describe-images --filters "Name=name,Values=OpenVPN Access Server 2.7.5-*" -# ... and update the filters appropriately -# We dont use image id's directly because they dont work in multiple regions. - -# data "aws_ami" "openvpn_2_8" { -# # aws_ami function with most_recent is best when seeking a single ami, like the latest version from filters known to produce output. -# count = 1 -# most_recent = true -# owners = ["679593333241"] # The account id - -# filter { -# name = "description" -# values = ["OpenVPN Access Server 2.8.3 publisher image from https://www.openvpn.net/."] # The * replaces part of the serial that varies by region. -# } - -# filter { -# name = "product-code" -# values = ["f2ew2wrz425a1jagnifd02u5t"] -# } -# } - -# variable "allow_prebuilt_openvpn_access_server_ami" { -# default = false -# } - -# variable "openvpn_access_server_ami_option" { # Where multiple data aws_ami queries are available, this allows us to select one. -# default = "openvpn_2_8" -# } - -# locals { -# keys = ["openvpn_2_8"] # Where multiple data aws_ami queries are available, this is the full list of options. 
-# empty_list = list("") -# values = [element( concat(data.aws_ami.openvpn_2_8.*.id, local.empty_list ), 0 )] # the list of ami id's -# openvpn_access_server_consumption_map = zipmap( local.keys , local.values ) -# } - -# locals { # select the found ami to use based on the map lookup -# base_ami = lookup(local.openvpn_access_server_consumption_map, var.openvpn_access_server_ami_option) -# } - -# data "aws_ami_ids" "prebuilt_openvpn_access_server_ami_list" { # search for a prebuilt tagged ami with the same base image. if there is a match, it can be used instead, allowing us to skip provisioning. -# # aws_ami_ids function produces a list matching the filters. -# owners = ["self"] -# filter { -# name = "tag:base_ami" -# values = [local.base_ami] -# } -# filter { -# name = "name" -# values = ["openvpn_access_server_prebuilt_*"] -# } -# } - -# locals { -# prebuilt_openvpn_access_server_ami_list = data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.ids -# first_element = element( data.aws_ami_ids.prebuilt_openvpn_access_server_ami_list.*.ids, 0) -# mod_list = concat( local.prebuilt_openvpn_access_server_ami_list , list("") ) -# aquired_ami = element( local.mod_list , 0) # aquired ami will use the ami in the list if found, otherwise it will default to the original ami. -# use_prebuilt_openvpn_access_server_ami = var.allow_prebuilt_openvpn_access_server_ami && length(local.mod_list) > 1 ? true : false -# ami = local.use_prebuilt_openvpn_access_server_ami ? 
local.aquired_ami : local.base_ami -# } - -# output "base_ami" { -# value = local.base_ami -# } - -# output "prebuilt_openvpn_access_server_ami_list" { -# value = local.prebuilt_openvpn_access_server_ami_list -# } - -# output "first_element" { -# value = local.first_element -# } - -# output "aquired_ami" { -# value = local.aquired_ami -# } - -# output "use_prebuilt_openvpn_access_server_ami" { -# value = local.use_prebuilt_openvpn_access_server_ami -# } - -# output "ami" { -# value = local.ami -# } - resource "aws_instance" "openvpn" { count = var.create_vpn ? 1 : 0 depends_on = [null_resource.gateway_dependency, null_resource.bastion_dependency] 
@@ -242,34 +152,33 @@ resource "aws_instance" "openvpn" { # role = "vpn-server-vault-iam-creds-role" # } -resource "vault_token" "vpn_admin" { - # dynamically generate a token with constrained permisions for the vpn role. - role_name = "vpn-server-vault-token-creds-role" - policies = ["vpn_server","ssh_host"] - renewable = false - explicit_max_ttl = "600s" -} +# resource "vault_token" "vpn_admin" { +# # dynamically generate a token with constrained permisions for the vpn role. +# role_name = "vpn-server-vault-token-creds-role" +# policies = ["vpn_server","ssh_host"] +# renewable = false +# explicit_max_ttl = "600s" +# } data "template_file" "user_data_auth_client" { template = file("${path.module}/user-data-auth-client-vault-token.sh") vars = { - consul_cluster_tag_key = var.consul_cluster_tag_key - consul_cluster_tag_value = var.consul_cluster_name - example_role_name = var.example_role_name - openvpn_admin_user = var.openvpn_admin_user + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name + openvpn_admin_user = var.openvpn_admin_user + openvpn_user = var.openvpn_user + resourcetier = var.resourcetier + client_network = element(split("/", var.vpn_cidr), 0) + client_netmask_bits = element(split("/", var.vpn_cidr), 1) + private_subnet1 = element(var.private_subnets, 0) + public_subnet1 = element(var.public_subnets, 0) + aws_internal_domain = ".consul" + onsite_private_subnet_cidr = var.onsite_private_subnet_cidr + # vault_token = vault_token.vpn_admin.client_token # openvpn_admin_pw = var.openvpn_admin_pw - openvpn_user = var.openvpn_user # openvpn_user_pw = var.openvpn_user_pw - resourcetier = var.resourcetier - vault_token = vault_token.vpn_admin.client_token - - client_network = element(split("/", var.vpn_cidr), 0) - client_netmask_bits = element(split("/", var.vpn_cidr), 1) - private_subnet1 = element(var.private_subnets, 0) - public_subnet1 = 
element(var.public_subnets, 0) - aws_internal_domain = ".consul" - onsite_private_subnet_cidr = var.onsite_private_subnet_cidr } } @@ -289,7 +198,7 @@ resource "aws_eip" "openvpnip" { #wakeup a node after sleep locals { - startup = (! var.sleep && var.create_vpn) ? 1 : 0 + startup = (!var.sleep && var.create_vpn) ? 1 : 0 } output "startup" { value = local.startup @@ -328,7 +237,7 @@ EOT locals { private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) - public_ip = element(concat( var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip , list("")), 0) + public_ip = element(concat(var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip, list("")), 0) id = element(concat(aws_instance.openvpn.*.id, list("")), 0) security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 452cf28..bd5d30a 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
@@ -63,18 +63,33 @@ private_ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4); echo "Pri # export VAULT_TOKEN=$token export VAULT_ADDR=https://vault.service.consul:8200 -# # Start the Vault agent -# # /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" - +# Vault Agent IAM Auth Method +/opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" # Retry and wait for the Vault Agent to write the token out to a file. This could be # because the Vault server is still booting and unsealing, or because run-consul # running on the background didn't finish yet retry \ - "vault login --no-print ${vault_token}" \ + "[[ -s /opt/vault/data/vault-token ]] && echo 'vault token file created'" \ + "waiting for Vault agent to write out token to sink" +# We can then use the client token from the login output once login was successful +token=$(cat /opt/vault/data/vault-token) +# And use the token to perform operations on vault such as reading a secret +# These is being retried because race conditions were causing this to come up null sometimes +# response=$(retry \ +# "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ +# "Trying to read secret from vault") +# Vault CLI alternative: +export VAULT_TOKEN=$token + +# Vault Auth Token Method - passed by terraform +# export VAULT_TOKEN=${vault_token} +# # Retry and wait for the Vault Agent to write the token out to a file. This could be +# # because the Vault server is still booting and unsealing, or because run-consul +# # running on the background didn't finish yet +retry \ + "vault login --no-print $VAULT_TOKEN" \ "Waiting for Vault login" -log "vault token capabilities $resourcetier" - log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. trusted_ca="/etc/ssh/trusted-user-ca-keys.pem" 
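Review bot: After `export VAULT_TOKEN=$token` the `vault login --no-print $VAULT_TOKEN` call is redundant for authentication and has a side effect: `vault login` stores the token in `~/.vault-token` unless `-no-store` is given, so the agent-issued token is persisted in the home directory beyond this script's lifetime. Use `vault login -no-print -no-store "$VAULT_TOKEN"` if the call is kept as a readiness check, or replace it with `vault token lookup`, and quote `$VAULT_TOKEN` in the retry string for consistency with the rest of the script. The token is also left in the agent sink file `/opt/vault/data/vault-token`; the hunk does not set or check that file's permissions, and the `retry` condition only tests that it is non-empty. The commented-out blocks kept from the token-based flow (the curl example and the `export VAULT_TOKEN=${vault_token}` lines) should be removed rather than retained, since they document a path the commit disables.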
@@ -108,6 +123,7 @@ grep -q "^HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config || echo 'HostK grep -q "^HostCertificate" /etc/ssh/sshd_config || echo 'HostCertificate' | tee --append /etc/ssh/sshd_config sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g' /etc/ssh/sshd_config +# Configure VPN Gateway client_network=${client_network} client_netmask_bits=${client_netmask_bits} private_subnet1=${private_subnet1} From 54812eae25f159a4d37264de5599a984d5ce3554 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 22 Mar 2021 13:37:45 +1030 Subject: [PATCH 265/306] pass blank string for token --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 4561eba..091bd4b 100644 --- a/main.tf +++ b/main.tf @@ -176,6 +176,7 @@ data "template_file" "user_data_auth_client" { public_subnet1 = element(var.public_subnets, 0) aws_internal_domain = ".consul" onsite_private_subnet_cidr = var.onsite_private_subnet_cidr + vault_token = "" # disabled since using IAM auth method # vault_token = vault_token.vpn_admin.client_token # openvpn_admin_pw = var.openvpn_admin_pw # openvpn_user_pw = var.openvpn_user_pw From 84ec5eafea0f2f0242c2af377c349b5920648d10 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 22 Mar 2021 14:19:49 +1030 Subject: [PATCH 266/306] update vpn iam auth method --- user-data-auth-client-vault-token.sh | 97 ++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 19 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index bd5d30a..49b6863 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
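Review bot: Passing `vault_token = ""` is only needed because the script still contains `${vault_token}` inside a shell comment, which template_file interpolates regardless of the leading `#`; escaping it as `$${vault_token}` in the script, or deleting that commented line, removes the need for this placeholder entirely. If the placeholder is kept, a comment explaining why would stop the next maintainer from removing it and hitting a template error, e.g. `# required only because the template still references vault_token in a comment`. The enclosing `data "template_file"` block starts outside the hunk.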
@@ -63,32 +63,91 @@ private_ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4); echo "Pri # export VAULT_TOKEN=$token export VAULT_ADDR=https://vault.service.consul:8200 -# Vault Agent IAM Auth Method -/opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" -# Retry and wait for the Vault Agent to write the token out to a file. This could be -# because the Vault server is still booting and unsealing, or because run-consul -# running on the background didn't finish yet + +### Vault Auth IAM Method CLI retry \ - "[[ -s /opt/vault/data/vault-token ]] && echo 'vault token file created'" \ - "waiting for Vault agent to write out token to sink" -# We can then use the client token from the login output once login was successful -token=$(cat /opt/vault/data/vault-token) -# And use the token to perform operations on vault such as reading a secret -# These is being retried because race conditions were causing this to come up null sometimes + "vault login --no-print -method=aws header_value=vault.service.consul role=${example_role_name}" \ + "Waiting for Vault login" + + +# ### Vault Signed Request with IAM Role +# # Creating a signed request to AWS Security Token Service (STS) API with header of server ID "vault.service.consul" +# # This request is to the method GetCallerIdentity of STS, which answers the question "who am I?" 
+# # This python script creates the STS request, gets the necessary AWS credentials and signs the request with them +# # Using python here instead of doing this in bash to take advantage of python's AWS SDK boto3, which facilitates this work a lot +# # You can find this script at /examples/vault-consul-ami/auth/sign-request.py +# signed_request=$(python /opt/vault/scripts/sign-request.py vault.service.consul) +# iam_request_url=$(echo $signed_request | jq -r .iam_request_url) +# iam_request_body=$(echo $signed_request | jq -r .iam_request_body) +# iam_request_headers=$(echo $signed_request | jq -r .iam_request_headers) +# # The role name necessary here is the Vault Role name, not the AWS IAM Role name +# # This variable is filled by terraform +# data=$(cat < index.html +# python -m SimpleHTTPServer 8080 & + + +# ### Vault Agent IAM Auth Method +# /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" # # Retry and wait for the Vault Agent to write the token out to a file. 
This could be # # because the Vault server is still booting and unsealing, or because run-consul # # running on the background didn't finish yet -retry \ - "vault login --no-print $VAULT_TOKEN" \ - "Waiting for Vault login" +# retry \ +# "[[ -s /opt/vault/data/vault-token ]] && echo 'vault token file created'" \ +# "waiting for Vault agent to write out token to sink" +# # We can then use the client token from the login output once login was successful +# token=$(cat /opt/vault/data/vault-token) +# # And use the token to perform operations on vault such as reading a secret +# # These is being retried because race conditions were causing this to come up null sometimes +# # response=$(retry \ +# # "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ +# # "Trying to read secret from vault") +# # Vault CLI alternative: +# export VAULT_TOKEN=$token + +# ### Vault Auth Token Method - passed by terraform ### +# # export VAULT_TOKEN=${vault_token} +# # # Retry and wait for the Vault Agent to write the token out to a file. This could be +# # # because the Vault server is still booting and unsealing, or because run-consul +# # # running on the background didn't finish yet +# # login with token +# retry \ +# "vault login --no-print $VAULT_TOKEN" \ +# "Waiting for Vault login" log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. From 1afd93aeb9274b23c5c39e3c12a6fa6a1bb3e82d Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 22 Mar 2021 14:27:56 +1030 Subject: [PATCH 267/306] revoke vault token --- user-data-auth-client-vault-token.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 49b6863..41acdd2 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh 
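Review bot: `vault login --no-print -method=aws ...` hands the resulting token to the default token helper, which persists it in the invoking user's `~/.vault-token` (root's, under cloud-init), so the plaintext token remains on disk even after a later revoke; `vault login -no-store -token-only -method=aws header_value=vault.service.consul role=${example_role_name}` captured into VAULT_TOKEN avoids writing it at all. `header_value=vault.service.consul` must match the `iam_server_id_header_value` configured on the Vault AWS auth backend or the login is rejected, which deserves a one-line comment since it otherwise reads as a magic string. The several dozen commented-out lines of alternative auth flows (signed STS request, agent sink, terraform-passed token, and a `SimpleHTTPServer` serving a fetched secret) are dead code in a boot script and should be deleted rather than carried as comments.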
@@ -290,3 +290,6 @@ done set -o history echo "Done." + +log "Revoking vault token..." +vault token revoke -self From dfe5afc5a3fa33a0f0de47c5bffc7cabbc02c378 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 22 Mar 2021 18:40:07 +1030 Subject: [PATCH 268/306] show input to vault --- user-data-auth-client-vault-token.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/user-data-auth-client-vault-token.sh b/user-data-auth-client-vault-token.sh index 41acdd2..3d423ce 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-auth-client-vault-token.sh @@ -233,9 +233,13 @@ ls -la seperate ### Store Generated keys and password with vault echo "Storing keys with vault..." -set +x - vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" - vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" +# debug only +set -x +vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" +vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" +# set +x +# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" +# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" function retrieve_file { local -r file_path="$1" From 5f784396e1aafcc9ccac86751ad555bb848da5a1 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 23 Mar 2021 14:55:16 +1030 Subject: [PATCH 269/306] build-vpn-sg-first --- main.tf | 95 ++-------------------------------------------------- variables.tf | 41 +++++++++++++---------- 2 files changed, 25 insertions(+), 111 deletions(-) diff --git a/main.tf b/main.tf index 091bd4b..f2b864e 100644 --- a/main.tf +++ b/main.tf 
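Review bot: `vault token revoke -self` only executes if every earlier step of the script succeeds, so a failure anywhere above leaves a live token on the instance until its TTL expires; registering the revocation in an exit trap right after the login, `trap 'vault token revoke -self >/dev/null 2>&1 || true' EXIT`, makes it run on both paths. Revoking the token does not remove the `~/.vault-token` file written by the token helper, so add `rm -f ~/.vault-token` alongside it (or log in with `-no-store` so the file is never written). The `set -o history` and `echo "Done."` lines are context outside the change.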
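Review bot: `set -x` immediately before `vault kv put ... value="$admin_pw"` and `value="$openvpn_user_pw"` traces both passwords into the script's output, which under cloud-init lands in `/var/log/cloud-init-output.log` and can reach the instance console log, so this is a plaintext credential leak regardless of the `# debug only` label. The original `set +x` guard existed for exactly this reason and should stay in place; verify the writes afterwards with `vault kv get` instead. If this revision was ever deployed, the two OpenVPN passwords stored during that window should be treated as exposed and rotated; a later commit in this series restores `set +x` but does not address that.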
@@ -4,98 +4,7 @@ # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet -variable "common_tags" {} -locals { - extra_tags = { - role = "vpn" - route = "public" - } -} - -resource "aws_security_group" "openvpn" { - count = var.create_vpn ? 1 : 0 - name = var.name - vpc_id = var.vpc_id - description = "OpenVPN security group" - - tags = merge(map("Name", var.name), var.common_tags, local.extra_tags) - ingress { - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = [var.vpc_cidr, var.vpn_cidr, var.onsite_private_subnet_cidr] - - description = "all incoming traffic from vpc, vpn dhcp, and remote subnet" - } - - # For OpenVPN Client Web Server & Admin Web UI - - ingress { - protocol = "tcp" - from_port = 22 - to_port = 22 - cidr_blocks = [var.remote_ssh_ip_cidr] - description = "ssh" - } - ingress { - protocol = "tcp" - from_port = 443 - to_port = 443 - cidr_blocks = [var.remote_vpn_ip_cidr] - description = "https" - } - - # see https://openvpn.net/vpn-server-resources/amazon-web-services-ec2-tiered-appliance-quick-start-guide/ - ingress { - protocol = "tcp" - from_port = 943 - to_port = 943 - cidr_blocks = [var.remote_vpn_ip_cidr] - description = "admin ui" - } - ingress { - protocol = "tcp" - from_port = 945 - to_port = 945 - cidr_blocks = [var.remote_vpn_ip_cidr] - description = "admin ui" - } - ingress { - protocol = "udp" - from_port = 1194 - to_port = 1194 - cidr_blocks = [var.remote_vpn_ip_cidr] - } - ingress { - protocol = "icmp" - from_port = 8 - to_port = 0 - cidr_blocks = [var.remote_vpn_ip_cidr] - description = "icmp" - } - egress { - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = [var.remote_vpn_ip_cidr] - description = "all outgoing traffic to vpn client remote ip" - } - egress { - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = [var.vpc_cidr] - description = "all outgoing traffic to vpc" - } - egress { - protocol = "-1" - from_port = 0 - to_port = 0 - 
cidr_blocks = ["0.0.0.0/0"] - description = "all outgoing traffic to anywhere" - } -} variable "source_dest_check" { default = true @@ -126,7 +35,7 @@ resource "aws_instance" "openvpn" { subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] source_dest_check = var.source_dest_check - vpc_security_group_ids = [local.security_group_id] + vpc_security_group_ids = var.security_group_attachments root_block_device { delete_on_termination = true @@ -240,7 +149,7 @@ locals { private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) public_ip = element(concat(var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip, list("")), 0) id = element(concat(aws_instance.openvpn.*.id, list("")), 0) - security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) + # security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip # private_route_table_id = element(concat(var.private_route_table_ids, list("")), 0) # public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) diff --git a/variables.tf b/variables.tf index a622c4a..7846bcb 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,17 +1,22 @@ variable "resourcetier" { - description = "The resource tier speicifies a unique name for a resource based on the environment. eg: dev, green, blue, main." - type = string + description = "The resource tier speicifies a unique name for a resource based on the environment. eg: dev, green, blue, main." + type = string +} + +variable "security_group_attachments" { + description = "The Security Group ID to attach to this instance" + type = string } variable "pipelineid" { - description = "The pipelineid variable can be used to uniquely specify and identify resource names for a given deployment. The pipeline ID could be set to a job ID in CI software for example. The default of 0 is fine if no more than one concurrent deployment run will occur." - type = string - default = "0" + description = "The pipelineid variable can be used to uniquely specify and identify resource names for a given deployment. The pipeline ID could be set to a job ID in CI software for example. The default of 0 is fine if no more than one concurrent deployment run will occur." + type = string + default = "0" } variable "conflictkey" { - description = "The conflictkey is a unique name for each deployement usuallly consisting of the resourcetier and the pipeid." - type = string + description = "The conflictkey is a unique name for each deployement usuallly consisting of the resourcetier and the pipeid." + type = string } variable "example_role_name" { description = "The name of the vault role. (Note: This is not the AWS role name.)" @@ -31,7 +36,7 @@ variable "consul_cluster_tag_key" { } variable "name" { default = "openvpn" - type = string + type = string } variable "create_vpn" {} 
@@ -62,14 +67,14 @@ variable "aws_key_name" { variable "use_bastion" { description = "If enabled, will open ssh ports to a bastion host for provisioning. This shouldn't be required if provisioning via private subnet." - type = bool - default = false + type = bool + default = false } variable "bastion_ip" { description = "The IP address of the bastion for access" - type = string - default = "none" + type = string + default = "none" } # variable "private_key" { @@ -97,7 +102,7 @@ variable "openvpn_user" { variable "openvpn_admin_user" { description = "The admin user name used to configure OpenVPN Access Server" - default = "openvpnas" + default = "openvpnas" } # variable "openvpn_admin_pw" { @@ -113,8 +118,8 @@ variable "openvpn_admin_user" { variable "use_eip" { description = "Allows the provisioning of an elsatice IP" - type = bool - default = false + type = bool + default = false } variable "vpn_cidr" { @@ -168,7 +173,7 @@ variable "ami" {} variable "iam_instance_profile_name" { description = "The name of the instance profile to attach to the VPN" - type = string + type = string } # variable "bucket_extension_vault" { # description = "The bucket extension where the terraform remote state resides" @@ -178,7 +183,7 @@ variable "iam_instance_profile_name" { # description = "The resourcetier the desired vault vpc resides in" # type = string # } -# variable "vpcname_vault" { +# variable "vpcname_vaultvpc" { # description = "A namespace component defining the location of the terraform remote state" # type = string -# } \ No newline at end of file +# } From f33e932db7de1569ddd3c1119207cf1cd3038817 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 23 Mar 2021 15:28:48 +1030 Subject: [PATCH 270/306] correct variable errors --- variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/variables.tf b/variables.tf index 7846bcb..e8711f9 100644 --- a/variables.tf +++ b/variables.tf 
@@ -187,3 +187,8 @@ variable "iam_instance_profile_name" { # description = "A namespace component defining the location of the terraform remote state" # type = string # } + +variable "common_tags" { + description = "Common tags for all resources in a deployment run." + type = map(string) +} \ No newline at end of file From 8b5d894de85c9ae060ac0c26d7351ef803c6e713 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 23 Mar 2021 15:44:43 +1030 Subject: [PATCH 271/306] add missing locals --- main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main.tf b/main.tf index f2b864e..55fd1e8 100644 --- a/main.tf +++ b/main.tf @@ -109,6 +109,10 @@ resource "aws_eip" "openvpnip" { locals { startup = (!var.sleep && var.create_vpn) ? 1 : 0 + extra_tags = { + role = "vpn" + route = "public" + } } output "startup" { value = local.startup From 90f05f295a51ab13cebca19274d7026d36600bc5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 23 Mar 2021 15:49:12 +1030 Subject: [PATCH 272/306] update sg attachments --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index e8711f9..3be199f 100644 --- a/variables.tf +++ b/variables.tf @@ -5,7 +5,7 @@ variable "resourcetier" { variable "security_group_attachments" { description = "The Security Group ID to attach to this instance" - type = string + type = list( string ) } variable "pipelineid" { From 8e423f97d435f9a04e4daf447587d7042277f3a8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 23 Mar 2021 22:43:06 +1030 Subject: [PATCH 273/306] remove token usage in orchestrator --- main.tf | 9 --------- 1 file changed, 9 deletions(-) diff --git a/main.tf b/main.tf index 55fd1e8..bb7f8b6 100644 --- a/main.tf +++ b/main.tf 
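Review bot: The description of `security_group_attachments` still reads "The Security Group ID to attach to this instance" (singular) although the type is now `list(string)` and main.tf passes it straight to `vpc_security_group_ids`; change it to `"The Security Group IDs to attach to the VPN instance"` so the module interface reads correctly. `terraform fmt` would also write the type as `list(string)` without the inner spaces. Since the module no longer creates its own security group, an empty list here would presumably leave the instance with only the VPC default group, so the description should state that callers must pass the VPN ingress group built by the parent.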
@@ -60,15 +60,6 @@ resource "aws_instance" "openvpn" { # backend = "aws" # role = "vpn-server-vault-iam-creds-role" # } - -# resource "vault_token" "vpn_admin" { -# # dynamically generate a token with constrained permisions for the vpn role. -# role_name = "vpn-server-vault-token-creds-role" -# policies = ["vpn_server","ssh_host"] -# renewable = false -# explicit_max_ttl = "600s" -# } - data "template_file" "user_data_auth_client" { template = file("${path.module}/user-data-auth-client-vault-token.sh") From b31839bc6e36bbcf7b29dfd98ed79e596789eef5 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 4 Apr 2021 19:08:31 +0930 Subject: [PATCH 274/306] update refs to user data --- main.tf | 2 +- ...lient-vault-token.sh => user-data-iam-auth-vpn.sh | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) rename user-data-auth-client-vault-token.sh => user-data-iam-auth-vpn.sh (96%) diff --git a/main.tf b/main.tf index bb7f8b6..27cecb5 100644 --- a/main.tf +++ b/main.tf @@ -61,7 +61,7 @@ resource "aws_instance" "openvpn" { # role = "vpn-server-vault-iam-creds-role" # } data "template_file" "user_data_auth_client" { - template = file("${path.module}/user-data-auth-client-vault-token.sh") + template = file("${path.module}/user-data-iam-auth-vpn.sh") vars = { consul_cluster_tag_key = var.consul_cluster_tag_key diff --git a/user-data-auth-client-vault-token.sh b/user-data-iam-auth-vpn.sh similarity index 96% rename from user-data-auth-client-vault-token.sh rename to user-data-iam-auth-vpn.sh index 3d423ce..3184519 100644 --- a/user-data-auth-client-vault-token.sh +++ b/user-data-iam-auth-vpn.sh 
@@ -234,12 +234,12 @@ ls -la seperate echo "Storing keys with vault..." # debug only -set -x -vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" -vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" -# set +x -# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" -# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" +# set -x +# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" +# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" +set +x + vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" + vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" function retrieve_file { local -r file_path="$1" From 21b5849a17e5b0d8b07527c9f13c90176824a535 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Tue, 6 Apr 2021 22:06:01 +0930 Subject: [PATCH 275/306] remove uneeded private domain name - using .consul --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 3be199f..b82ff63 100644 --- a/variables.tf +++ b/variables.tf @@ -167,7 +167,7 @@ variable "firehawk_init_dependency" { variable "private_route_table_ids" {} variable "public_route_table_ids" {} -variable "private_domain_name" {} +# variable "private_domain_name" {} variable "ami" {} From dab48ea5c2749f22898ec64bbec59592fa223f0e Mon Sep 17 00:00:00 2001 
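Review bot: The restored `set +x` puts the secret-masking guard back, but the debug variant is kept as three commented lines directly above it; commented-out code that disables tracing protection around password writes is an easy trap to re-enable, so delete it rather than keep it. A short comment on the guard itself, `# tracing off: the values below are the OpenVPN admin and user passwords`, would make its purpose explicit to the next reader. The `echo "Storing keys with vault..."` line is context.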
From: Andrew Graham Date: Sun, 11 Apr 2021 13:18:59 +0930 Subject: [PATCH 276/306] route-combined-vpcs-cidr --- main.tf | 31 +++++++++++++------------------ user-data-iam-auth-vpn.sh | 17 +++-------------- variables.tf | 5 +++++ 3 files changed, 21 insertions(+), 32 deletions(-) diff --git a/main.tf b/main.tf index 27cecb5..3a6af36 100644 --- a/main.tf +++ b/main.tf @@ -64,22 +64,17 @@ data "template_file" "user_data_auth_client" { template = file("${path.module}/user-data-iam-auth-vpn.sh") vars = { - consul_cluster_tag_key = var.consul_cluster_tag_key - consul_cluster_tag_value = var.consul_cluster_name - example_role_name = var.example_role_name - openvpn_admin_user = var.openvpn_admin_user - openvpn_user = var.openvpn_user - resourcetier = var.resourcetier - client_network = element(split("/", var.vpn_cidr), 0) - client_netmask_bits = element(split("/", var.vpn_cidr), 1) - private_subnet1 = element(var.private_subnets, 0) - public_subnet1 = element(var.public_subnets, 0) + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name + openvpn_admin_user = var.openvpn_admin_user + openvpn_user = var.openvpn_user + resourcetier = var.resourcetier + client_network = element(split("/", var.vpn_cidr), 0) + client_netmask_bits = element(split("/", var.vpn_cidr), 1) + combined_vpcs_cidr = var.combined_vpcs_cidr aws_internal_domain = ".consul" onsite_private_subnet_cidr = var.onsite_private_subnet_cidr - vault_token = "" # disabled since using IAM auth method - # vault_token = vault_token.vpn_admin.client_token - # openvpn_admin_pw = var.openvpn_admin_pw - # openvpn_user_pw = var.openvpn_user_pw } } 
@@ -141,11 +136,11 @@ EOT } locals { - private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) - public_ip = element(concat(var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip, list("")), 0) - id = element(concat(aws_instance.openvpn.*.id, list("")), 0) + private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) + public_ip = element(concat(var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip, list("")), 0) + id = element(concat(aws_instance.openvpn.*.id, list("")), 0) # security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) - vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip + vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip # private_route_table_id = element(concat(var.private_route_table_ids, list("")), 0) # public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) } diff --git a/user-data-iam-auth-vpn.sh b/user-data-iam-auth-vpn.sh index 3184519..a807117 100644 --- a/user-data-iam-auth-vpn.sh +++ b/user-data-iam-auth-vpn.sh @@ -139,15 +139,6 @@ retry \ # # Vault CLI alternative: # export VAULT_TOKEN=$token -# ### Vault Auth Token Method - passed by terraform ### -# # export VAULT_TOKEN=${vault_token} -# # # Retry and wait for the Vault Agent to write the token out to a file. This could be -# # # because the Vault server is still booting and unsealing, or because run-consul -# # # running on the background didn't finish yet -# # login with token -# retry \ -# "vault login --no-print $VAULT_TOKEN" \ -# "Waiting for Vault login" log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. 
@@ -185,8 +176,7 @@ sed -i 's@HostCertificate.*@HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub@g # Configure VPN Gateway client_network=${client_network} client_netmask_bits=${client_netmask_bits} -private_subnet1=${private_subnet1} -public_subnet1=${public_subnet1} +combined_vpcs_cidr=${combined_vpcs_cidr} aws_internal_domain=${aws_internal_domain} onsite_private_subnet_cidr=${onsite_private_subnet_cidr} 
@@ -200,15 +190,14 @@ ls -la /usr/local/openvpn_as/scripts/ /usr/local/openvpn_as/scripts/sacli -k vpn.daemon.0.client.netmask_bits -v $client_netmask_bits ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.tls_auth' --value 'true' ConfigPut /usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.gateway_access --value 'true' ConfigPut -/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.0 --value "$private_subnet1" ConfigPut -/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.1 --value "$public_subnet1" ConfigPut /usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.2 --value "$client_network/$client_netmask_bits" ConfigPut +/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.0 --value "$combined_vpcs_cidr" ConfigPut /usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_access --value 'route' ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.client.routing.reroute_dns' --value 'true' ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.dhcp_option.domain' --value "$aws_internal_domain" ConfigPut /usr/local/openvpn_as/scripts/sacli --key 'vpn.server.routing.allow_private_nets_to_clients' --value 'true' ConfigPut -# ensure listen on interaces at default. restore ip since the old one during ami build is now invalid. +# ensure listen on interfaces at default. restore ip since the old one during ami build is now invalid. /usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.server.ip_address" --value "all" ConfigPut /usr/local/openvpn_as/scripts/sacli --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut /usr/local/openvpn_as/scripts/sacli --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut diff --git a/variables.tf b/variables.tf index b82ff63..785e51b 100644 --- a/variables.tf +++ b/variables.tf 
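Review bot: Setting `vpn.server.routing.private_network.0` to `$combined_vpcs_cidr` pushes a route for the entire multi-VPC range to every VPN client (variables.tf describes this CIDR as covering every resourcetier: dev, green, blue and main), which widens what a connected client can reach well beyond this deployment's own VPC; if isolation between tiers matters, route only this tier's VPC CIDR here and reserve the combined range for deployments that intentionally need cross-tier access. The old `private_network.1` key is no longer set but is also never cleared, so a value left by the AMI build or an earlier boot would still be advertised; add `/usr/local/openvpn_as/scripts/sacli --key vpn.server.routing.private_network.1 ConfigDel` before the new ConfigPut. The remaining `.2` entry for the client network now skips index 1, which is harmless if OpenVPN AS tolerates gaps but is worth a comment.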
@@ -191,4 +191,9 @@ variable "iam_instance_profile_name" { variable "common_tags" { description = "Common tags for all resources in a deployment run." type = map(string) +} + +variable "combined_vpcs_cidr" { + description = "Terraform will automatically configure multiple VPCs and subnets within this CIDR range for any resourcetier ( dev / green / blue / main )." + type = string } \ No newline at end of file From d75c80402fbd7339a060e3c721e7a0bc920e1590 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 11 Apr 2021 17:06:10 +0930 Subject: [PATCH 277/306] update-default-path-vpn-certs --- user-data-auth-client-agent.sh | 2 +- user-data-auth-client-aws-secret.sh | 2 +- user-data-auth-client.sh | 2 +- user-data-iam-auth-vpn.sh | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/user-data-auth-client-agent.sh b/user-data-auth-client-agent.sh index 70dcf2d..4a5b01e 100644 --- a/user-data-auth-client-agent.sh +++ b/user-data-auth-client-agent.sh @@ -75,7 +75,7 @@ token=$(cat /opt/vault/data/vault-token) export VAULT_TOKEN=$token response=$(retry \ - "vault kv get -format=json /$resourcetier/files/usr/local/openvpn_as/scripts/seperate/ca.crt" \ + "vault kv get -format=json /$resourcetier/vpn/client_cert_files/usr/local/openvpn_as/scripts/seperate/ca.crt" \ "Trying to read secret from vault") # /opt/vault/bin/vault read secret/example_gruntwork diff --git a/user-data-auth-client-aws-secret.sh b/user-data-auth-client-aws-secret.sh index f525672..789ae13 100644 --- a/user-data-auth-client-aws-secret.sh +++ b/user-data-auth-client-aws-secret.sh 
@@ -155,7 +155,7 @@ retry \ # /opt/vault/bin/vault read secret/example_gruntwork -# vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +# vault kv get /${resourcetier}/vpn/client_cert_files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt # # Serves the answer in a web server so we can test that this auth client is # # authenticating to vault and fetching data correctly diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh index 4edd2a3..e078da3 100644 --- a/user-data-auth-client.sh +++ b/user-data-auth-client.sh @@ -151,7 +151,7 @@ retry \ # /opt/vault/bin/vault read secret/example_gruntwork -# vault kv get /${resourcetier}/files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt +# vault kv get /${resourcetier}/vpn/client_cert_files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt # # Serves the answer in a web server so we can test that this auth client is # # authenticating to vault and fetching data correctly diff --git a/user-data-iam-auth-vpn.sh b/user-data-iam-auth-vpn.sh index a807117..783fb5b 100644 --- a/user-data-iam-auth-vpn.sh +++ b/user-data-iam-auth-vpn.sh @@ -233,7 +233,7 @@ set +x function retrieve_file { local -r file_path="$1" local -r response=$(retry \ - "vault kv get -format=json /$resourcetier/files/$file_path" \ + "vault kv get -format=json /$resourcetier/vpn/client_cert_files/$file_path" \ "Trying to read secret from vault") mkdir -p $(dirname $file_path) # ensure the directory exists echo $response | jq -r .data.data.file > $file_path @@ -249,7 +249,7 @@ function retrieve_file { function store_file { local -r file_path="$1" if [[ -z "$2" ]]; then - local target="$resourcetier/files/$file_path" + local target="$resourcetier/vpn/client_cert_files/$file_path" else local target="$2" fi 
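Review bot: `retrieve_file` now pulls client certificate material from `/$resourcetier/vpn/client_cert_files/...`, but it still writes it with `echo $response | jq -r .data.data.file > $file_path` under the default umask, so the private key exists with default permissions until the later chown/chmod (outside this hunk) runs; a `umask 077` at the top of the function, or writing via `install -m 0600 /dev/stdin "$file_path"`, closes that window. `$response` and `$file_path` should also be double-quoted so the JSON body is not subject to word splitting and globbing. The rest of `retrieve_file` and the body of `store_file` continue past the hunk.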
From d48da2d2f4806d1849744cc165ef8bc01ee56677 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 11 Apr 2021 19:03:38 +0930 Subject: [PATCH 278/306] update retrieval paths and register vpn service --- main.tf | 179 ++++----------------------- user-data-iam-auth-vpn.sh | 106 ++++++++-------- user-data-register-consul-service.sh | 14 +++ user-data-vault-store-file.sh | 94 ++++++++++++++ variables.tf | 18 +-- 5 files changed, 189 insertions(+), 222 deletions(-) create mode 100644 user-data-register-consul-service.sh create mode 100644 user-data-vault-store-file.sh diff --git a/main.tf b/main.tf index 3a6af36..dacfee0 100644 --- a/main.tf +++ b/main.tf 
@@ -55,26 +55,35 @@ resource "aws_instance" "openvpn" { } -# data "vault_aws_access_credentials" "creds" { -# # dynamically generated AWS key. -# backend = "aws" -# role = "vpn-server-vault-iam-creds-role" -# } +locals { + client_cert_file_path = "/usr/local/openvpn_as/scripts/seperate/client.ovpn" + client_cert_vault_path = "${local.resourcetier}/vpn/client_cert_files${local.client_cert_file_path}" +} data "template_file" "user_data_auth_client" { - template = file("${path.module}/user-data-iam-auth-vpn.sh") + template = format( + "%s%s%s", + file("${path.module}/user-data-iam-auth-vpn.sh"), + file("${path.module}/user-data-vault-store-file.sh"), + file("${path.module}/user-data-register-consul-service.sh") + ) vars = { - consul_cluster_tag_key = var.consul_cluster_tag_key - consul_cluster_tag_value = var.consul_cluster_name - example_role_name = var.example_role_name - openvpn_admin_user = var.openvpn_admin_user - openvpn_user = var.openvpn_user - resourcetier = var.resourcetier - client_network = element(split("/", var.vpn_cidr), 0) - client_netmask_bits = element(split("/", var.vpn_cidr), 1) + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name + openvpn_admin_user = var.openvpn_admin_user + openvpn_user = var.openvpn_user + resourcetier = var.resourcetier + client_network = element(split("/", var.vpn_cidr), 0) + client_netmask_bits = element(split("/", var.vpn_cidr), 1) combined_vpcs_cidr = var.combined_vpcs_cidr aws_internal_domain = ".consul" onsite_private_subnet_cidr = var.onsite_private_subnet_cidr + + consul_service = "vpn" + + client_cert_file_path = local.client_cert_file_path + client_cert_vault_path = local.client_cert_vault_path } } 
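Review bot: `client_cert_vault_path` interpolates `local.resourcetier`, but the only resourcetier visible in this module is `var.resourcetier` (used a few lines later in `vars`), so unless a local of that name is defined outside the hunk this fails at plan time; `"${var.resourcetier}/vpn/client_cert_files${local.client_cert_file_path}"` is the consistent form. Concatenating three files with `format("%s%s%s", file(...), file(...), file(...))` means template_file interpolates `${...}` in all of them and any shebang or `set -e` line in the appended files lands mid-script; a comment stating that the two appended files must be headerless fragments with `$${}`-escaped shell variables would prevent a confusing template error. The `data "template_file"` block continues past the hunk.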
@@ -145,9 +154,6 @@ locals { # public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) } -variable "route_public_domain_name" { -} - resource "aws_route53_record" "openvpn_record" { count = var.route_public_domain_name && var.create_vpn ? 1 : 0 zone_id = element(concat(list(var.route_zone_id), list("")), 0) 
@@ -162,146 +168,7 @@ resource "null_resource" "firehawk_init_dependency" { # ensure that the firehawk } } -# resource "null_resource" "provision_vpn" { -# count = var.create_vpn ? 1 : 0 -# depends_on = [local.public_ip, aws_route53_record.openvpn_record, null_resource.firehawk_init_dependency] - -# # triggers = { -# # instanceid = local.id -# # # If the address changes, the vpn must be provisioned again. -# # vpn_address = local.vpn_address -# # } - -# provisioner "local-exec" { -# interpreter = ["/bin/bash", "-c"] -# command = < $file_path - local -r permissions=$(echo $response | jq -r .data.data.permissions) - local -r uid=$(echo $response | jq -r .data.data.uid) - local -r gid=$(echo $response | jq -r .data.data.gid) - echo "Setting:" - echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" - chown $uid:$gid $file_path - chmod $permissions $file_path -} +log "Revoking vault token..." +vault token revoke -self -function store_file { - local -r file_path="$1" - if [[ -z "$2" ]]; then - local target="$resourcetier/vpn/client_cert_files/$file_path" - else - local target="$2" - fi - - if sudo test -f "$file_path"; then - # vault login -no-print -address="$VAULT_ADDR" -method=aws header_value=vault.service.consul role=provisioner-vault-role - vault kv put -address="$VAULT_ADDR" -format=json $target file="$(sudo cat $file_path)" - if [[ "$OSTYPE" == "darwin"* ]]; then # Acquire file permissions. 
- octal_permissions=$(sudo stat -f %A $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev ) # clip to 4 zeroes - else - octal_permissions=$(sudo stat --format '%a' $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev) # clip to 4 zeroes - fi - octal_permissions=$( python3 -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes - vault kv patch -address="$VAULT_ADDR" -format=json $target permissions="$octal_permissions" - file_uid="$(sudo stat --format '%u' $file_path)" - vault kv patch -address="$VAULT_ADDR" -format=json $target owner="$(sudo id -un -- $file_uid)" - vault kv patch -address="$VAULT_ADDR" -format=json $target uid="$file_uid" - file_gid="$(sudo stat --format '%g' $file_path)" - vault kv patch -address="$VAULT_ADDR" -format=json $target gid="$file_gid" - else - print "Error: file not found: $file_path" - exit 1 - fi -} +set -o history +echo "Done." + +# function retrieve_file { +# local -r file_path="$1" +# local -r response=$(retry \ +# "vault kv get -format=json /$resourcetier/vpn/client_cert_files/$file_path" \ +# "Trying to read secret from vault") +# mkdir -p $(dirname $file_path) # ensure the directory exists +# echo $response | jq -r .data.data.file > $file_path +# local -r permissions=$(echo $response | jq -r .data.data.permissions) +# local -r uid=$(echo $response | jq -r .data.data.uid) +# local -r gid=$(echo $response | jq -r .data.data.gid) +# echo "Setting:" +# echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" +# chown $uid:$gid $file_path +# chmod $permissions $file_path +# } + +# function store_file { +# local -r file_path="$1" +# if [[ -z "$2" ]]; then +# local target="$resourcetier/vpn/client_cert_files/$file_path" +# else +# local target="$2" +# fi + +# if sudo test -f "$file_path"; then +# # vault login -no-print -address="$VAULT_ADDR" -method=aws header_value=vault.service.consul role=provisioner-vault-role +# vault kv put -address="$VAULT_ADDR" -format=json 
$target file="$(sudo cat $file_path)" +# if [[ "$OSTYPE" == "darwin"* ]]; then # Acquire file permissions. +# octal_permissions=$(sudo stat -f %A $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev ) # clip to 4 zeroes +# else +# octal_permissions=$(sudo stat --format '%a' $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev) # clip to 4 zeroes +# fi +# octal_permissions=$( python3 -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes +# vault kv patch -address="$VAULT_ADDR" -format=json $target permissions="$octal_permissions" +# file_uid="$(sudo stat --format '%u' $file_path)" +# vault kv patch -address="$VAULT_ADDR" -format=json $target owner="$(sudo id -un -- $file_uid)" +# vault kv patch -address="$VAULT_ADDR" -format=json $target uid="$file_uid" +# file_gid="$(sudo stat --format '%g' $file_path)" +# vault kv patch -address="$VAULT_ADDR" -format=json $target gid="$file_gid" +# else +# print "Error: file not found: $file_path" +# exit 1 +# fi +# } + +# # Store generated certs in vault + +# for filename in /usr/local/openvpn_as/scripts/seperate/*; do +# store_file "$filename" +# done -# Store generated certs in vault -for filename in /usr/local/openvpn_as/scripts/seperate/*; do - store_file "$filename" -done -set -o history -echo "Done." -log "Revoking vault token..." -vault token revoke -self diff --git a/user-data-register-consul-service.sh b/user-data-register-consul-service.sh new file mode 100644 index 0000000..1baf1e5 --- /dev/null +++ b/user-data-register-consul-service.sh 
@@ -0,0 +1,14 @@ +#!/bin/bash + +set -e +exec > >(tee -a /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# Register the service with consul. not that it may not be necesary to set the hostname in the beggining of this user data script, especially if we create a cluster in the future. +echo "...Registering service with consul" +service_name="${consul_service}" +consul services register -name=$service_name +sleep 5 +consul catalog services +dig $service_name.service.consul +result=$(dig +short $service_name.service.consul) && exit_status=0 || exit_status=$? +if [[ ! $exit_status -eq 0 ]]; then echo "No DNS entry found for $service_name.service.consul"; exit 1; fi diff --git a/user-data-vault-store-file.sh b/user-data-vault-store-file.sh new file mode 100644 index 0000000..9c9f69c --- /dev/null +++ b/user-data-vault-store-file.sh 
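Review bot: `dig +short` exits 0 even when it returns no answer, so `exit_status` on the last two lines is essentially always 0 and the `No DNS entry found` branch is unreachable; test the captured output instead, `if [[ -z "$result" ]]; then echo "No DNS entry found for $service_name.service.consul"; exit 1; fi`. `consul services register -name=$service_name` registers the service with no health check, so the catalog advertises this node as the VPN endpoint even when OpenVPN is not up; if that is intended, a comment saying so would help, otherwise registering from a service definition file that carries a check is the fix. `$service_name` is unquoted in every command on the new side; quoting it is cheap.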
@@ -0,0 +1,94 @@ +#!/bin/bash + +set -e +exec > >(tee -a /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# User Vars: Set by terraform template +resourcetier="${resourcetier}" +example_role_name="${example_role_name}" + +# Script vars (implicit) +export VAULT_ADDR="https://vault.service.consul:8200" +client_cert_file_path="${client_cert_file_path}" +client_cert_vault_path="${client_cert_vault_path}" + +# Functions +function log { + local -r message="$1" + local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") + >&2 echo -e "$timestamp $message" +} +function has_yum { + [[ -n "$(command -v yum)" ]] +} +function has_apt_get { + [[ -n "$(command -v apt-get)" ]] +} +# A retry function that attempts to run a command a number of times and returns the output +function retry { + local -r cmd="$1" + local -r description="$2" + attempts=5 + + for i in $(seq 1 $attempts); do + log "$description" + + # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the + # beginning of this script which exits the script immediatelly for error status while not losing the exit status code + output=$(eval "$cmd") && exit_status=0 || exit_status=$? + errors=$(echo "$output") | grep '^{' | jq -r .errors + + log "$output" + + if [[ $exit_status -eq 0 && -z "$errors" ]]; then + echo "$output" + return + fi + log "$description failed. Will sleep for 10 seconds and try again." + sleep 10 + done; + + log "$description failed after $attempts attempts." + exit $exit_status +} +function store_file { + local -r file_path="$1" + if [[ -z "$2" ]]; then + local target="$resourcetier/vpn/client_cert_files/$file_path" + else + local target="$2" + fi + if sudo test -f "$file_path"; then + vault kv put -address="$VAULT_ADDR" "$target/file" value="$(sudo cat $file_path | base64 -w 0)" + if [[ "$OSTYPE" == "darwin"* ]]; then # Acquire file permissions. 
+ octal_permissions=$(sudo stat -f %A $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev ) # clip to 4 zeroes + else + octal_permissions=$(sudo stat --format '%a' $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev) # clip to 4 zeroes + fi + octal_permissions=$( python3 -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes + file_uid="$(sudo stat --format '%u' $file_path)" + file_gid="$(sudo stat --format '%g' $file_path)" + blob="{ \ + \"permissions\":\"$octal_permissions\", \ + \"owner\":\"$(sudo id -un -- $file_uid)\", \ + \"uid\":\"$file_uid\", \ + \"gid\":\"$file_gid\", \ + \"format\":\"base64\" \ + }" + jq_parse=$( echo "$blob" | jq -c -r '.' ) + vault kv put -address="$VAULT_ADDR" -format=json "$target/permissions" value="$jq_parse" + else + print "Error: file not found: $file_path" + exit 1 + fi +} + +### Vault Auth IAM Method CLI +retry \ + "vault login --no-print -method=aws header_value=vault.service.consul role=${example_role_name}" \ + "Waiting for Vault login" +# Store generated certs in vault +echo "...Store certificate." +store_file "$client_cert_file_path" "$client_cert_vault_path" +echo "Revoking vault token..." +vault token revoke -self diff --git a/variables.tf b/variables.tf index 785e51b..8d03b80 100644 --- a/variables.tf +++ b/variables.tf 
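Review bot: `print "Error: file not found: $file_path"` in `store_file` is not a bash builtin, so the missing-file branch fails on the `print` command itself rather than with the intended message; `log "Error: file not found: $file_path"` uses the `log` function defined above. In `retry`, `errors=$(echo "$output") | grep '^{' | jq -r .errors` runs the assignment in a pipeline subshell, so `errors` is always empty in the caller and the JSON-error check never fires; it should read `errors=$(echo "$output" | grep '^{' | jq -r .errors)`. The `vault kv put … value="$(sudo cat $file_path | base64 -w 0)"` line places the base64 client certificate on the command line, where it is briefly readable by every process on the host through `ps`; feeding it through stdin with `sudo base64 -w 0 "$file_path" | vault kv put -address="$VAULT_ADDR" "$target/file" value=-` keeps it out of the process list.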
@@ -166,27 +166,12 @@ variable "firehawk_init_dependency" { variable "private_route_table_ids" {} variable "public_route_table_ids" {} - -# variable "private_domain_name" {} - variable "ami" {} variable "iam_instance_profile_name" { description = "The name of the instance profile to attach to the VPN" type = string } -# variable "bucket_extension_vault" { -# description = "The bucket extension where the terraform remote state resides" -# type = string -# } -# variable "resourcetier_vault" { -# description = "The resourcetier the desired vault vpc resides in" -# type = string -# } -# variable "vpcname_vaultvpc" { -# description = "A namespace component defining the location of the terraform remote state" -# type = string -# } variable "common_tags" { description = "Common tags for all resources in a deployment run." @@ -196,4 +181,7 @@ variable "common_tags" { variable "combined_vpcs_cidr" { description = "Terraform will automatically configure multiple VPCs and subnets within this CIDR range for any resourcetier ( dev / green / blue / main )." type = string +} + +variable "route_public_domain_name" { } \ No newline at end of file From 86e0556484253701237fe187893cf99e3bf56a63 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 11 Apr 2021 19:17:30 +0930 Subject: [PATCH 279/306] fix broken ref --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index dacfee0..ac35f98 100644 --- a/main.tf +++ b/main.tf @@ -56,6 +56,7 @@ resource "aws_instance" "openvpn" { } locals { + resourcetier = var.resourcetier client_cert_file_path = "/usr/local/openvpn_as/scripts/seperate/client.ovpn" client_cert_vault_path = "${local.resourcetier}/vpn/client_cert_files${local.client_cert_file_path}" } 
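Review bot: The relocated `variable "route_public_domain_name" { }` in the second variables.tf hunk on this line carries no `type` or `description`, yet it is evaluated as a boolean in `var.route_public_domain_name && var.create_vpn ? 1 : 0` on the Route53 record; declaring `type = bool` with `description = "Create a public vpn.<public_domain_name> Route53 record for the server."` gives a clear plan-time error for non-boolean input instead of a conversion failure deep in main.tf. The first variables.tf hunk is removal of commented-out declarations and the main.tf hunk is the one-line local fix, neither needing comment.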
@@ -73,7 +74,7 @@ data "template_file" "user_data_auth_client" { example_role_name = var.example_role_name openvpn_admin_user = var.openvpn_admin_user openvpn_user = var.openvpn_user - resourcetier = var.resourcetier + resourcetier = local.resourcetier client_network = element(split("/", var.vpn_cidr), 0) client_netmask_bits = element(split("/", var.vpn_cidr), 1) combined_vpcs_cidr = var.combined_vpcs_cidr From a1b1512483c4f003058c739fea3c4e7c03f44bbe Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 11 Apr 2021 19:22:22 +0930 Subject: [PATCH 280/306] cleanup --- user-data-iam-auth-vpn.sh | 136 +------------------------------------- 1 file changed, 1 insertion(+), 135 deletions(-) diff --git a/user-data-iam-auth-vpn.sh b/user-data-iam-auth-vpn.sh index 301a792..b3721fa 100644 --- a/user-data-iam-auth-vpn.sh +++ b/user-data-iam-auth-vpn.sh 
@@ -58,88 +58,14 @@ export AWS_DEFAULT_REGION=$(curl -s http://169.254.169.254/latest/meta-data/plac public_ip=$(curl http://169.254.169.254/latest/meta-data/public-ipv4); echo "Public IP: $public_ip" private_ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4); echo "Private IP: $private_ip" -# If vault cli is installed we can also perform these operations with vault cli -# The necessary environment variables have to be set -# export VAULT_TOKEN=$token export VAULT_ADDR=https://vault.service.consul:8200 - ### Vault Auth IAM Method CLI retry \ "vault login --no-print -method=aws header_value=vault.service.consul role=${example_role_name}" \ "Waiting for Vault login" -# ### Vault Signed Request with IAM Role -# # Creating a signed request to AWS Security Token Service (STS) API with header of server ID "vault.service.consul" -# # This request is to the method GetCallerIdentity of STS, which answers the question "who am I?" -# # This python script creates the STS request, gets the necessary AWS credentials and signs the request with them -# # Using python here instead of doing this in bash to take advantage of python's AWS SDK boto3, which facilitates this work a lot -# # You can find this script at /examples/vault-consul-ami/auth/sign-request.py -# signed_request=$(python /opt/vault/scripts/sign-request.py vault.service.consul) -# iam_request_url=$(echo $signed_request | jq -r .iam_request_url) -# iam_request_body=$(echo $signed_request | jq -r .iam_request_body) -# iam_request_headers=$(echo $signed_request | jq -r .iam_request_headers) -# # The role name necessary here is the Vault Role name, not the AWS IAM Role name -# # This variable is filled by terraform -# data=$(cat < index.html -# python -m SimpleHTTPServer 8080 & - - -# ### Vault Agent IAM Auth Method -# /opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" -# # Retry and wait for the Vault Agent to write the token out to a file. 
This could be -# # because the Vault server is still booting and unsealing, or because run-consul -# # running on the background didn't finish yet -# retry \ -# "[[ -s /opt/vault/data/vault-token ]] && echo 'vault token file created'" \ -# "waiting for Vault agent to write out token to sink" -# # We can then use the client token from the login output once login was successful -# token=$(cat /opt/vault/data/vault-token) -# # And use the token to perform operations on vault such as reading a secret -# # These is being retried because race conditions were causing this to come up null sometimes -# # response=$(retry \ -# # "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ -# # "Trying to read secret from vault") -# # Vault CLI alternative: -# export VAULT_TOKEN=$token - - log "Request Vault sign's the SSH host key and becomes a known host for other machines." # Allow access from clients signed by the CA. trusted_ca="/etc/ssh/trusted-user-ca-keys.pem" @@ -220,12 +146,7 @@ ls -la seperate /usr/local/openvpn_as/scripts/sacli ConfigQuery ### Store Generated keys and password with vault - echo "Storing keys with vault..." -# debug only -# set -x -# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" -# vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" set +x vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw value="$admin_pw" vault kv put -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_user_pw value="$openvpn_user_pw" 
@@ -234,59 +155,4 @@ log "Revoking vault token..." vault token revoke -self set -o history -echo "Done." - -# function retrieve_file { -# local -r file_path="$1" -# local -r response=$(retry \ -# "vault kv get -format=json /$resourcetier/vpn/client_cert_files/$file_path" \ -# "Trying to read secret from vault") -# mkdir -p $(dirname $file_path) # ensure the directory exists -# echo $response | jq -r .data.data.file > $file_path -# local -r permissions=$(echo $response | jq -r .data.data.permissions) -# local -r uid=$(echo $response | jq -r .data.data.uid) -# local -r gid=$(echo $response | jq -r .data.data.gid) -# echo "Setting:" -# echo "uid:$uid gid:$gid permissions:$permissions file_path:$file_path" -# chown $uid:$gid $file_path -# chmod $permissions $file_path -# } - -# function store_file { -# local -r file_path="$1" -# if [[ -z "$2" ]]; then -# local target="$resourcetier/vpn/client_cert_files/$file_path" -# else -# local target="$2" -# fi - -# if sudo test -f "$file_path"; then -# # vault login -no-print -address="$VAULT_ADDR" -method=aws header_value=vault.service.consul role=provisioner-vault-role -# vault kv put -address="$VAULT_ADDR" -format=json $target file="$(sudo cat $file_path)" -# if [[ "$OSTYPE" == "darwin"* ]]; then # Acquire file permissions. 
-# octal_permissions=$(sudo stat -f %A $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev ) # clip to 4 zeroes -# else -# octal_permissions=$(sudo stat --format '%a' $file_path | rev | sed -E 's/^([[:digit:]]{4})([^[:space:]]+)/\1/' | rev) # clip to 4 zeroes -# fi -# octal_permissions=$( python3 -c "print( \"$octal_permissions\".zfill(4) )" ) # pad to 4 zeroes -# vault kv patch -address="$VAULT_ADDR" -format=json $target permissions="$octal_permissions" -# file_uid="$(sudo stat --format '%u' $file_path)" -# vault kv patch -address="$VAULT_ADDR" -format=json $target owner="$(sudo id -un -- $file_uid)" -# vault kv patch -address="$VAULT_ADDR" -format=json $target uid="$file_uid" -# file_gid="$(sudo stat --format '%g' $file_path)" -# vault kv patch -address="$VAULT_ADDR" -format=json $target gid="$file_gid" -# else -# print "Error: file not found: $file_path" -# exit 1 -# fi -# } - -# # Store generated certs in vault - -# for filename in /usr/local/openvpn_as/scripts/seperate/*; do -# store_file "$filename" -# done - - - - +echo "Done." \ No newline at end of file From a48850451c9646f47affc4951a82a9017f169114 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 11 Apr 2021 20:03:01 +0930 Subject: [PATCH 281/306] end with newline --- user-data-iam-auth-vpn.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user-data-iam-auth-vpn.sh b/user-data-iam-auth-vpn.sh index b3721fa..ff82a81 100644 --- a/user-data-iam-auth-vpn.sh +++ b/user-data-iam-auth-vpn.sh @@ -155,4 +155,4 @@ log "Revoking vault token..." vault token revoke -self set -o history -echo "Done." \ No newline at end of file +echo "Done." From 985777c9d86315edbe1ed9e482a6754cfff2280a Mon Sep 17 00:00:00 2001 
From: Andrew Graham Date: Sun, 13 Jun 2021 13:07:12 +0930 Subject: [PATCH 282/306] sqs-vpn --- main.tf | 44 ++++++++++++------------------------------- outputs.tf | 14 ++++++++++++++ scripts/sqs_notify.sh | 28 +++++++++++++++++++++++++++ variables.tf | 18 ++++++++++++++++++ 4 files changed, 72 insertions(+), 32 deletions(-) create mode 100644 outputs.tf create mode 100755 scripts/sqs_notify.sh diff --git a/main.tf b/main.tf index ac35f98..4a4f1c0 100644 --- a/main.tf +++ b/main.tf @@ -149,10 +149,7 @@ locals { private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) public_ip = element(concat(var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip, list("")), 0) id = element(concat(aws_instance.openvpn.*.id, list("")), 0) - # security_group_id = element(concat(aws_security_group.openvpn.*.id, list("")), 0) vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip - # private_route_table_id = element(concat(var.private_route_table_ids, list("")), 0) - # public_route_table_id = element(concat(var.public_route_table_ids, list("")), 0) } resource "aws_route53_record" "openvpn_record" { 
@@ -223,35 +220,18 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { } } -output "id" { - value = local.id +resource "null_resource" "sqs_notify" { + count = ( var.create_vpn && (var.sqs_remote_in_vpn != null) ) ? 1 : 0 depends_on = [local.public_ip, aws_route53_record.openvpn_record] - # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured - # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, - # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , - # aws_route.public_openvpn_remote_subnet_gateway, - # aws_route.private_openvpn_remote_subnet_gateway - # ] -} -output "private_ip" { - value = local.private_ip - depends_on = [local.public_ip, aws_route53_record.openvpn_record] - # depends_on = [ # don't allow other nodes to attempt to use this information until the routes are configured - # aws_route.public_openvpn_remote_subnet_vpndhcp_gateway, - # aws_route.private_openvpn_remote_subnet_vpndhcp_gateway , - # aws_route.public_openvpn_remote_subnet_gateway, - # aws_route.private_openvpn_remote_subnet_gateway - # ] -} + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + command = < Date: Sun, 13 Jun 2021 14:15:56 +0930 Subject: [PATCH 283/306] correct typo --- variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/variables.tf b/variables.tf index 97c65ab..81e70ff 100644 --- a/variables.tf +++ b/variables.tf 
@@ -193,13 +193,13 @@ variable "sqs_remote_in_vpn" { } variable "host1" { - decription = "The user@publichost string to connect to the bastion host to aquire vpn credentials from Vault." + description = "The user@publichost string to connect to the bastion host to aquire vpn credentials from Vault." type = string default = null } variable "host2" { - decription = "The user@privatehost string to connect to the vault client to aquire vpn credentials from Vault." + description = "The user@privatehost string to connect to the vault client to aquire vpn credentials from Vault." type = string default = null } \ No newline at end of file From 6cf80121c1efeca061b72d11f525214b8bae8e4a Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 13 Jun 2021 15:27:08 +0930 Subject: [PATCH 284/306] update compatibility with tf .13 --- main.tf | 24 ++++++++++++------------ variables.tf | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/main.tf b/main.tf index 4a4f1c0..dd47067 100644 --- a/main.tf +++ b/main.tf @@ -32,7 +32,7 @@ resource "aws_instance" "openvpn" { iam_instance_profile = var.iam_instance_profile_name instance_type = var.instance_type key_name = var.aws_key_name - subnet_id = concat(sort(var.public_subnet_ids), list(""))[0] + subnet_id = var.public_subnet_id source_dest_check = var.source_dest_check vpc_security_group_ids = var.security_group_attachments @@ -41,7 +41,7 @@ resource "aws_instance" "openvpn" { delete_on_termination = true } - tags = merge(map("Name", var.name), var.common_tags, local.extra_tags) + tags = merge(tomap( {"Name" : var.name} ), var.common_tags, local.extra_tags) # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ 
@@ -97,7 +97,7 @@ resource "aws_eip" "openvpnip" { instance = aws_instance.openvpn[count.index].id depends_on = [aws_instance.openvpn] - tags = merge(map("Name", var.name), var.common_tags, local.extra_tags) + tags = merge(tomap( {"Name" : var.name} ), var.common_tags, local.extra_tags) } @@ -146,16 +146,16 @@ EOT } locals { - private_ip = element(concat(aws_instance.openvpn.*.private_ip, list("")), 0) - public_ip = element(concat(var.use_eip ? aws_eip.openvpnip.*.public_ip : aws_instance.openvpn.*.public_ip, list("")), 0) - id = element(concat(aws_instance.openvpn.*.id, list("")), 0) + private_ip = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].private_ip : null + public_ip = var.use_eip ? length( aws_eip.openvpnip ) > 0 ? aws_eip.openvpnip[0].public_ip : null : length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].public_ip : null + id = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].id : null vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip } resource "aws_route53_record" "openvpn_record" { count = var.route_public_domain_name && var.create_vpn ? 1 : 0 - zone_id = element(concat(list(var.route_zone_id), list("")), 0) - name = element(concat(list("vpn.${var.public_domain_name}"), list("")), 0) + zone_id = try(var.route_zone_id, null) + name = try("vpn.${var.public_domain_name}", null) type = "A" ttl = 300 records = [local.public_ip] @@ -171,7 +171,7 @@ resource "aws_route" "private_openvpn_remote_subnet_gateway" { count = var.create_vpn ? length(var.private_route_table_ids) : 0 depends_on = [local.public_ip, aws_route53_record.openvpn_record] - route_table_id = element(concat(var.private_route_table_ids, list("")), count.index) + route_table_id = element(var.private_route_table_ids, count.index) destination_cidr_block = var.onsite_private_subnet_cidr instance_id = local.id 
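Review bot: `zone_id = try(var.route_zone_id, null)` and `name = try("vpn.${var.public_domain_name}", null)` in the `openvpn_record` hunk are no-ops: a plain variable reference never raises the error `try()` guards against, so the lines read as if they had a fallback when they do not; `zone_id = var.route_zone_id` and `name = "vpn.${var.public_domain_name}"` say what actually happens. The new `public_ip` local nests two conditionals without parentheses, which parses but is hard to audit; `var.use_eip ? (length(aws_eip.openvpnip) > 0 ? aws_eip.openvpnip[0].public_ip : null) : (length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].public_ip : null)` makes the precedence explicit. With `create_vpn = false` these locals become `null`, and `records = [local.public_ip]` only avoids a `[null]` record because the resource's `count` is also zero in that case; a comment on the `locals` block noting that dependency would help the next reader.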
@@ -184,7 +184,7 @@ resource "aws_route" "public_openvpn_remote_subnet_gateway" { count = var.create_vpn ? length(var.public_route_table_ids) : 0 depends_on = [local.public_ip, aws_route53_record.openvpn_record] - route_table_id = element(concat(var.public_route_table_ids, list("")), count.index) + route_table_id = element(var.public_route_table_ids, count.index) destination_cidr_block = var.onsite_private_subnet_cidr instance_id = local.id @@ -198,7 +198,7 @@ resource "aws_route" "private_openvpn_remote_subnet_vpndhcp_gateway" { count = var.create_vpn ? length(var.private_route_table_ids) : 0 depends_on = [local.public_ip, aws_route53_record.openvpn_record] - route_table_id = element(concat(var.private_route_table_ids, list("")), count.index) + route_table_id = element(var.private_route_table_ids, count.index) destination_cidr_block = var.vpn_cidr instance_id = local.id @@ -211,7 +211,7 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { count = var.create_vpn ? length(var.public_route_table_ids) : 0 depends_on = [local.public_ip, aws_route53_record.openvpn_record] - route_table_id = element(concat(var.public_route_table_ids, list("")), count.index) + route_table_id = element(var.public_route_table_ids, count.index) destination_cidr_block = var.vpn_cidr instance_id = local.id diff --git a/variables.tf b/variables.tf index 81e70ff..d4e6ac0 100644 --- a/variables.tf +++ b/variables.tf @@ -55,8 +55,8 @@ variable "remote_ssh_ip_cidr" { description = "The IP used to ssh to the access server for admin." } -variable "public_subnet_ids" { - default = [] +variable "public_subnet_id" { + default = null } # variable "cert_arn" { From 049589ec7737815768cc1f3590edc19a01672329 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 13 Jun 2021 18:37:56 +0930 Subject: [PATCH 285/306] enforce sqs --- main.tf | 5 ++++- variables.tf | 3 --- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index dd47067..9ed0bba 100644 
--- a/main.tf +++ b/main.tf @@ -221,7 +221,10 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { } resource "null_resource" "sqs_notify" { - count = ( var.create_vpn && (var.sqs_remote_in_vpn != null) ) ? 1 : 0 + count = var.create_vpn ? 1 : 0 + triggers = { + instance_id = aws_instance.openvpn[count.index].id + } depends_on = [local.public_ip, aws_route53_record.openvpn_record] provisioner "local-exec" { diff --git a/variables.tf b/variables.tf index d4e6ac0..9eec007 100644 --- a/variables.tf +++ b/variables.tf @@ -189,17 +189,14 @@ variable "route_public_domain_name" { variable "sqs_remote_in_vpn" { description = "The SQS queue URL for a remote client to observe messages to establish connection with the VPN Server." type = string - default = null } variable "host1" { description = "The user@publichost string to connect to the bastion host to aquire vpn credentials from Vault." type = string - default = null } variable "host2" { description = "The user@privatehost string to connect to the vault client to aquire vpn credentials from Vault." type = string - default = null } \ No newline at end of file From da1dbb3b459bf24f61a76ff574e2f0643efbd808 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sun, 13 Jun 2021 18:41:52 +0930 Subject: [PATCH 286/306] use path to module for script --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9ed0bba..9703c2b 100644 --- a/main.tf +++ b/main.tf @@ -234,7 +234,7 @@ resource "null_resource" "sqs_notify" { until consul catalog services | grep -m 1 "vpn"; do sleep 10 ; done # This might need to run after ssh auth generation instead. - scripts/sqs_notify.sh "${local.resourcetier}" "${var.sqs_remote_in_vpn}" "${var.host1}" "${var.host2}" + ${path.module}/scripts/sqs_notify.sh "${local.resourcetier}" "${var.sqs_remote_in_vpn}" "${var.host1}" "${var.host2}" EOT } } \ No newline at end of file From 18f1a1a2b372afa17aa5fd3400274b94fcb2e322 Mon Sep 17 00:00:00 2001 
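Review bot: Dropping `default = null` on `sqs_remote_in_vpn`, `host1` and `host2` in the variables.tf hunk makes them required but still unconstrained, and each is interpolated straight into the `local-exec` bash line as `"${var.host1}"` (main.tf hunk of the following commit on this line), so a value containing a double quote or `$(` alters the command instead of failing the plan. Since this series targets Terraform 0.13, a `validation` block on `host1`/`host2` restricting them to the documented `user@host` shape, and one on `sqs_remote_in_vpn` requiring an SQS URL, rejects a mistyped or hostile value before it reaches the shell. The `triggers` added to `sqs_notify` reference `aws_instance.openvpn[count.index].id`, which works at `count = 1` but would read more clearly as `aws_instance.openvpn[0].id`, matching the `locals` elsewhere in the file.
```terraform
variable "host1" {
  description = "The user@publichost string to connect to the bastion host to aquire vpn credentials from Vault."
  type        = string
  validation {
    condition     = can(regex("^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$", var.host1))
    error_message = "The host1 value must be of the form user@host with no shell metacharacters."
  }
}
# … unchanged: host2 (same validation), sqs_remote_in_vpn …
```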
From: Andrew Graham Date: Sun, 13 Jun 2021 18:47:24 +0930 Subject: [PATCH 287/306] test subsheel --- scripts/sqs_notify.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index 901d896..760228c 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -11,10 +11,11 @@ readonly sqs_queue_url="$2" readonly host1="$3" readonly host2="$4" -readonly VAULT_ADDR="https://vault.service.consul:8200" +# readonly VAULT_ADDR="https://vault.service.consul:8200" +readonly VAULT_ADDR=https://vault.service.consul:8200 openvpn_admin_pw="$(vault kv get -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" -token="$(vault token create -address=\"$VAULT_ADDR\" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=5m -ttl=5m -use-limit=4 -field=token)" +token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=5m -ttl=5m -use-limit=4 -field=token)" file_content="<< EOF { From 43576412d4df80ef8739640ccffd6974088760a8 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 14 Jun 2021 14:13:38 +0930 Subject: [PATCH 288/306] update sqs notify heredoc --- scripts/sqs_notify.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index 760228c..edbcd83 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh 
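Review bot: The token minted on the `vault token create` line carries two policies, `vpn_read_config` and `deadline_client`, and, as the script name and the `sqs_queue_url` argument suggest, is then handed to a remote client through an SQS message that anyone with `sqs:ReceiveMessage` on that queue can read until it is consumed or purged; the 5m TTL and `-use-limit=4` bound the exposure, but if the remote client only needs the VPN configuration, dropping `-policy=deadline_client` keeps a leaked message from granting more. The commented-out `# readonly VAULT_ADDR=…` line above the live one is dead text. Quoting `$resourcetier` in the `vault kv get` path is cheap and consistent with the rest of that line.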
@@ -11,19 +11,18 @@ readonly sqs_queue_url="$2" readonly host1="$3" readonly host2="$4" -# readonly VAULT_ADDR="https://vault.service.consul:8200" readonly VAULT_ADDR=https://vault.service.consul:8200 -openvpn_admin_pw="$(vault kv get -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" +openvpn_admin_pw="$(vault kv get -field=value -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=5m -ttl=5m -use-limit=4 -field=token)" -file_content="<< EOF +file_content=< Date: Mon, 14 Jun 2021 14:39:53 +0930 Subject: [PATCH 289/306] update sqs message --- scripts/sqs_notify.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index edbcd83..a1a60d8 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -16,13 +16,14 @@ readonly VAULT_ADDR=https://vault.service.consul:8200 openvpn_admin_pw="$(vault kv get -field=value -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=5m -ttl=5m -use-limit=4 -field=token)" -file_content=< Date: Mon, 14 Jun 2021 14:46:21 +0930 Subject: [PATCH 290/306] update pass result --- scripts/sqs_notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index a1a60d8..0f9b161 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -18,7 +18,7 @@ token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -poli file_content="$(cat < Date: Thu, 17 Jun 2021 19:36:19 +0930 Subject: [PATCH 291/306] test purge queue --- main.tf | 3 --- scripts/sqs_notify.sh | 9 ++++++++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 9703c2b..37cc26d 100644 
--- a/main.tf +++ b/main.tf @@ -230,9 +230,6 @@ resource "null_resource" "sqs_notify" { provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] command = < Date: Thu, 17 Jun 2021 19:52:33 +0930 Subject: [PATCH 292/306] purge first --- scripts/sqs_notify.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index 2ea3c08..73086ed 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -2,6 +2,10 @@ set -e +aws sqs purge-queue --queue-url $sqs_queue_url +echo "...Waiting 60 seconds to purge queue of old data." +sleep 60 + printf "\n...Waiting for consul vpn service before attempting SQS notify.\n\n" until consul catalog services | grep -m 1 "vpn"; do sleep 10 ; done @@ -30,7 +34,4 @@ file_content="$(cat < Date: Thu, 17 Jun 2021 19:59:28 +0930 Subject: [PATCH 293/306] purge if non zero --- scripts/sqs_notify.sh | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index 73086ed..4d1f31d 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -2,9 +2,20 @@ set -e -aws sqs purge-queue --queue-url $sqs_queue_url -echo "...Waiting 60 seconds to purge queue of old data." -sleep 60 +readonly resourcetier="$1" +readonly sqs_queue_url="$2" +readonly host1="$3" +readonly host2="$4" +readonly ttl_mins="15m" +readonly VAULT_ADDR=https://vault.service.consul:8200 + +queue_msgs="$(aws sqs get-queue-attributes --queue-url $sqs_queue_url --attribute-names ApproximateNumberOfMessages | jq -r '.Attributes.ApproximateNumberOfMessages')" + +if [[ ! "$queue_msgs" -eq 0 ]]; + aws sqs purge-queue --queue-url $sqs_queue_url + echo "...Waiting 60 seconds to purge queue of old data. ApproximateNumberOfMessages: $queue_msgs" + sleep 60 +fi printf "\n...Waiting for consul vpn service before attempting SQS notify.\n\n" until consul catalog services | grep -m 1 "vpn"; do sleep 10 ; done 
@@ -13,13 +24,7 @@ echo "" echo "...Using SQS queue to notify remote clients of VPN credential endpoint. SSH certs must be configured to use the endpoint." echo "" -readonly resourcetier="$1" -readonly sqs_queue_url="$2" -readonly host1="$3" -readonly host2="$4" -readonly ttl_mins="15m" -readonly VAULT_ADDR=https://vault.service.consul:8200 openvpn_admin_pw="$(vault kv get -field=value -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=$ttl_mins -ttl=$ttl_mins -use-limit=4 -field=token)" From b5246252fcc15c054a1fa4bcd21c62e96e1874d9 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Thu, 17 Jun 2021 20:01:53 +0930 Subject: [PATCH 294/306] syntax error fix --- scripts/sqs_notify.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index 4d1f31d..184dd61 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -11,10 +11,10 @@ readonly VAULT_ADDR=https://vault.service.consul:8200 queue_msgs="$(aws sqs get-queue-attributes --queue-url $sqs_queue_url --attribute-names ApproximateNumberOfMessages | jq -r '.Attributes.ApproximateNumberOfMessages')" -if [[ ! "$queue_msgs" -eq 0 ]]; - aws sqs purge-queue --queue-url $sqs_queue_url - echo "...Waiting 60 seconds to purge queue of old data. ApproximateNumberOfMessages: $queue_msgs" - sleep 60 +if [[ ! "$queue_msgs" -eq 0 ]]; then + aws sqs purge-queue --queue-url $sqs_queue_url + echo "...Waiting 60 seconds to purge queue of old data. ApproximateNumberOfMessages: $queue_msgs" + sleep 60 fi printf "\n...Waiting for consul vpn service before attempting SQS notify.\n\n" 
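Review bot: The purge guard `if [[ ! "$queue_msgs" -eq 0 ]]; then` treats a failed lookup as zero: `aws ... | jq -r` reports only jq's exit status, so under plain `set -e` an AWS error leaves `queue_msgs` as `null` or empty, bash's arithmetic `-eq` evaluates an unset name to 0, and the purge is silently skipped with stale messages left in the queue. Test for an actual number instead, `if [[ "$queue_msgs" =~ ^[0-9]+$ && "$queue_msgs" -gt 0 ]]; then`, and quote `--queue-url "$sqs_queue_url"` on both aws calls. The `set -e` at the top of the script is outside this hunk; `set -euo pipefail` there would make the pipeline failure fatal rather than silent.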
@@ -31,10 +31,10 @@ token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -poli file_content="$(cat < Date: Thu, 17 Jun 2021 20:19:33 +0930 Subject: [PATCH 295/306] echo host args --- scripts/sqs_notify.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index 184dd61..cea03fa 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh @@ -22,10 +22,10 @@ until consul catalog services | grep -m 1 "vpn"; do sleep 10 ; done echo "" echo "...Using SQS queue to notify remote clients of VPN credential endpoint. SSH certs must be configured to use the endpoint." +echo "host1: $host1" +echo "host2: $host2" echo "" - - openvpn_admin_pw="$(vault kv get -field=value -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=$ttl_mins -ttl=$ttl_mins -use-limit=4 -field=token)" From 2bd07f7a62170ab5b6b29b8131fc647f051f1813 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 19 Jun 2021 10:07:36 +0930 Subject: [PATCH 296/306] rename message --- scripts/sqs_notify.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/sqs_notify.sh b/scripts/sqs_notify.sh index cea03fa..e099a0c 100755 --- a/scripts/sqs_notify.sh +++ b/scripts/sqs_notify.sh 
@@ -29,7 +29,7 @@ echo "" openvpn_admin_pw="$(vault kv get -field=value -address="$VAULT_ADDR" -format=json $resourcetier/network/openvpn_admin_pw)" token="$(vault token create -address="$VAULT_ADDR" -policy=vpn_read_config -policy=deadline_client -explicit-max-ttl=$ttl_mins -ttl=$ttl_mins -use-limit=4 -field=token)" -file_content="$(cat < Date: Sat, 19 Jun 2021 10:17:52 +0930 Subject: [PATCH 297/306] cleanup --- user-data-auth-client-agent.sh | 85 --------------- user-data-auth-client-aws-secret.sh | 163 ---------------------------- user-data-auth-client.sh | 159 --------------------------- 3 files changed, 407 deletions(-) delete mode 100644 user-data-auth-client-agent.sh delete mode 100644 user-data-auth-client-aws-secret.sh delete mode 100644 user-data-auth-client.sh diff --git a/user-data-auth-client-agent.sh b/user-data-auth-client-agent.sh deleted file mode 100644 index 4a5b01e..0000000 --- a/user-data-auth-client-agent.sh +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/bash -# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the -# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI -# built from the Packer template in examples/vault-consul-ami/vault-consul.json. -# It then uses Vault agent to automatically authenticate to the Vault server. After login, Vault agent writes the -# authentication token to a file location, which you can use for your applications. Note that by default, only the `vault` -# user has access to the file, so you may need to grant the appropriate permissions to your application. -# Finally, this script reads a secret and exposes it in a simple web server for test purposes. - -set -e - -# Send the log output from this script to user-data.log, syslog, and the console -# 
From: https://alestic.com/2010/12/ec2-user-data-output/ -exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - -# Log the given message. All logs are written to stderr with a timestamp. -function log { - local -r message="$1" - local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") - >&2 echo -e "$timestamp $message" -} - -# A retry function that attempts to run a command a number of times and returns the output -function retry { - local -r cmd="$1" - local -r description="$2" - - for i in $(seq 1 30); do - log "$description" - - # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the - # beginning of this script which exits the script immediatelly for error status while not losing the exit status code - output=$(eval "$cmd") && exit_status=0 || exit_status=$? - errors=$(echo "$output") | grep '^{' | jq -r .errors - - log "$output" - - if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then - echo "$output" - return - fi - log "$description failed. Will sleep for 10 seconds and try again." - sleep 10 - done; - - log "$description failed after 30 attempts." - exit $exit_status -} - -# These variables are passed in via Terraform template interpolation -/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" - -# Start the Vault agent -export VAULT_ADDR=https://vault.service.consul:8200 - -/opt/vault/bin/run-vault --agent --agent-auth-type iam --agent-auth-role "${example_role_name}" - -# Retry and wait for the Vault Agent to write the token out to a file. 
This could be -# because the Vault server is still booting and unsealing, or because run-consul -# running on the background didn't finish yet -retry \ - "[[ -s /opt/vault/data/vault-token ]] && echo 'vault token file created'" \ - "waiting for Vault agent to write out token to sink" - -# We can then use the client token from the login output once login was successful -token=$(cat /opt/vault/data/vault-token) - -# And use the token to perform operations on vault such as reading a secret -# These is being retried because race conditions were causing this to come up null sometimes -# response=$(retry \ -# "curl --fail -H 'X-Vault-Token: $token' -X GET https://vault.service.consul:8200/v1/secret/example_gruntwork" \ -# "Trying to read secret from vault") - -# Vault CLI alternative: -export VAULT_TOKEN=$token - -response=$(retry \ - "vault kv get -format=json /$resourcetier/vpn/client_cert_files/usr/local/openvpn_as/scripts/seperate/ca.crt" \ - "Trying to read secret from vault") - -# /opt/vault/bin/vault read secret/example_gruntwork -# Serves the answer in a web server so we can test that this auth client is -# authenticating to vault and fetching data correctly -echo $response | jq -r .data > /usr/local/openvpn_as/scripts/seperate/ca_test.crt -# python -m SimpleHTTPServer 8080 & diff --git a/user-data-auth-client-aws-secret.sh b/user-data-auth-client-aws-secret.sh deleted file mode 100644 index 789ae13..0000000 --- a/user-data-auth-client-aws-secret.sh +++ /dev/null 
@@ -1,163 +0,0 @@ -#!/bin/bash -# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the -# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI -# built from the Packer template in examples/vault-consul-ami/vault-consul.json. - -set -e - -admin_user="${openvpn_admin_user}" -admin_pw="${openvpn_admin_pw}" -# TODO these will be replaced with calls to vault. - -# Send the log output from this script to user-data.log, syslog, and the console -# 
From: https://alestic.com/2010/12/ec2-user-data-output/ -exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - -# These variables are passed in via Terraform template interpolation -/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" - -# Log the given message. All logs are written to stderr with a timestamp. -function log { - local -r message="$1" - local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") - >&2 echo -e "$timestamp $message" -} - -# A retry function that attempts to run a command a number of times and returns the output -function retry { - local -r cmd="$1" - local -r description="$2" - - for i in $(seq 1 30); do - log "$description" - - # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the - # beginning of this script which exits the script immediatelly for error status while not losing the exit status code - output=$(eval "$cmd") && exit_status=0 || exit_status=$? - errors=$(echo "$output") | grep '^{' | jq -r .errors - - log "$output" - - if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then - echo "$output" - return - fi - log "$description failed. Will sleep for 10 seconds and try again." - sleep 10 - done; - - log "$description failed after 30 attempts." 
- exit $exit_status -} - -# Retrieves the pkcs7 certificate from instance metadata -# The vault role name is filled by terraform -# The role itself is created when configuting the vault cluster -# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') -# data=$(cat < \ -# aws_secret_access_key= - -# # We can then use the client token from the login output once login was successful -# token=$(cat /opt/vault/data/vault-token) - -# /opt/vault/bin/vault read secret/example_gruntwork - -# vault kv get /${resourcetier}/vpn/client_cert_files/usr/local/openvpn_as/scripts/seperate/ca.crt > /usr/local/openvpn_as/scripts/seperate/ca_test.crt - -# # Serves the answer in a web server so we can test that this auth client is -# # authenticating to vault and fetching data correctly -# echo $response | jq -r .data.the_answer > index.html -# python -m SimpleHTTPServer 8080 & diff --git a/user-data-auth-client.sh b/user-data-auth-client.sh deleted file mode 100644 index e078da3..0000000 --- a/user-data-auth-client.sh +++ /dev/null @@ -1,159 +0,0 @@ -#!/bin/bash -# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the -# run-consul script to configure and start Consul in client mode. Note that this script assumes it's running in an AMI -# built from the Packer template in examples/vault-consul-ami/vault-consul.json. - -set -e - -admin_user="${openvpn_admin_user}" -admin_pw="${openvpn_admin_pw}" -# TODO these will be replaced with calls to vault. - -# Send the log output from this script to user-data.log, syslog, and the console -# 
From: https://alestic.com/2010/12/ec2-user-data-output/ -exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - -# These variables are passed in via Terraform template interpolation -/opt/consul/bin/run-consul --client --cluster-tag-key "${consul_cluster_tag_key}" --cluster-tag-value "${consul_cluster_tag_value}" - -# Log the given message. All logs are written to stderr with a timestamp. -function log { - local -r message="$1" - local -r timestamp=$(date +"%Y-%m-%d %H:%M:%S") - >&2 echo -e "$timestamp $message" -} - -# A retry function that attempts to run a command a number of times and returns the output -function retry { - local -r cmd="$1" - local -r description="$2" - - for i in $(seq 1 30); do - log "$description" - - # The boolean operations with the exit status are there to temporarily circumvent the "set -e" at the - # beginning of this script which exits the script immediatelly for error status while not losing the exit status code - output=$(eval "$cmd") && exit_status=0 || exit_status=$? - errors=$(echo "$output") | grep '^{' | jq -r .errors - - log "$output" - - if [[ $exit_status -eq 0 && -n "$output" && -z "$errors" ]]; then - echo "$output" - return - fi - log "$description failed. Will sleep for 10 seconds and try again." - sleep 10 - done; - - log "$description failed after 30 attempts." - exit $exit_status -} - -# Retrieves the pkcs7 certificate from instance metadata -# The vault role name is filled by terraform -# The role itself is created when configuting the vault cluster -# pkcs7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n') -# data=$(cat < /usr/local/openvpn_as/scripts/seperate/ca_test.crt - -# # Serves the answer in a web server so we can test that this auth client is -# # authenticating to vault and fetching data correctly -# echo $response | jq -r .data.the_answer > index.html -# python -m SimpleHTTPServer 8080 & 
From 77abbba58dcf3a5970af074ed19b645f64e7fbbc Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Sat, 19 Jun 2021 19:34:41 +0930 Subject: [PATCH 298/306] resolve ip for vpn correctly --- main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 37cc26d..78ab176 100644 --- a/main.tf +++ b/main.tf @@ -147,7 +147,9 @@ EOT locals { private_ip = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].private_ip : null - public_ip = var.use_eip ? length( aws_eip.openvpnip ) > 0 ? aws_eip.openvpnip[0].public_ip : null : length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].public_ip : null + _eip_public_ip = length( aws_eip.openvpnip ) > 0 ? aws_eip.openvpnip[0].public_ip : null + _instance_public_ip = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].public_ip : null + public_ip = var.use_eip ? local._eip_public_ip : local._instance_public_ip id = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].id : null vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip } From 9654b910b56ecaa016edee113505dbf965f11d37 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Wed, 19 Jan 2022 20:58:19 +1030 Subject: [PATCH 299/306] remove-deployer-ip --- variables.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/variables.tf b/variables.tf index 9eec007..0d074b1 100644 --- a/variables.tf +++ b/variables.tf @@ -51,10 +51,6 @@ variable "remote_vpn_ip_cidr" { default = "0.0.0.0/0" } -variable "remote_ssh_ip_cidr" { - description = "The IP used to ssh to the access server for admin." -} - variable "public_subnet_id" { default = null } From f8790a7dab973e9620aad0ff65204c35c0a3fd52 Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 21 Feb 2022 18:27:43 +1030 Subject: [PATCH 300/306] use-network-interface-id --- main.tf | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/main.tf b/main.tf index 78ab176..cef6bea 100644 
--- a/main.tf +++ b/main.tf @@ -41,7 +41,7 @@ resource "aws_instance" "openvpn" { delete_on_termination = true } - tags = merge(tomap( {"Name" : var.name} ), var.common_tags, local.extra_tags) + tags = merge(tomap({ "Name" : var.name }), var.common_tags, local.extra_tags) # `admin_user` and `admin_pw` need to be passed in to the appliance through `user_data`, see docs --> # https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ @@ -56,8 +56,8 @@ resource "aws_instance" "openvpn" { } locals { - resourcetier = var.resourcetier - client_cert_file_path = "/usr/local/openvpn_as/scripts/seperate/client.ovpn" + resourcetier = var.resourcetier + client_cert_file_path = "/usr/local/openvpn_as/scripts/seperate/client.ovpn" client_cert_vault_path = "${local.resourcetier}/vpn/client_cert_files${local.client_cert_file_path}" } data "template_file" "user_data_auth_client" { @@ -97,7 +97,7 @@ resource "aws_eip" "openvpnip" { instance = aws_instance.openvpn[count.index].id depends_on = [aws_instance.openvpn] - tags = merge(tomap( {"Name" : var.name} ), var.common_tags, local.extra_tags) + tags = merge(tomap({ "Name" : var.name }), var.common_tags, local.extra_tags) } 
@@ -146,12 +146,13 @@ EOT } locals { - private_ip = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].private_ip : null - _eip_public_ip = length( aws_eip.openvpnip ) > 0 ? aws_eip.openvpnip[0].public_ip : null - _instance_public_ip = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].public_ip : null - public_ip = var.use_eip ? local._eip_public_ip : local._instance_public_ip - id = length( aws_instance.openvpn ) > 0 ? aws_instance.openvpn[0].id : null - vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip + private_ip = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].private_ip : null + _eip_public_ip = length(aws_eip.openvpnip) > 0 ? aws_eip.openvpnip[0].public_ip : null + _instance_public_ip = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].public_ip : null + public_ip = var.use_eip ? local._eip_public_ip : local._instance_public_ip + id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].id : null + network_interface_id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn.network_interface_id : null + vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip } resource "aws_route53_record" "openvpn_record" { @@ -175,7 +176,7 @@ resource "aws_route" "private_openvpn_remote_subnet_gateway" { route_table_id = element(var.private_route_table_ids, count.index) destination_cidr_block = var.onsite_private_subnet_cidr - instance_id = local.id + network_interface_id = local.network_interface_id timeouts { create = "5m" @@ -188,7 +189,7 @@ resource "aws_route" "public_openvpn_remote_subnet_gateway" { route_table_id = element(var.public_route_table_ids, count.index) destination_cidr_block = var.onsite_private_subnet_cidr - instance_id = local.id + network_interface_id = local.network_interface_id timeouts { create = "5m" 
@@ -202,7 +203,7 @@ resource "aws_route" "private_openvpn_remote_subnet_vpndhcp_gateway" { route_table_id = element(var.private_route_table_ids, count.index) destination_cidr_block = var.vpn_cidr - instance_id = local.id + network_interface_id = local.network_interface_id timeouts { create = "5m" @@ -215,7 +216,7 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { route_table_id = element(var.public_route_table_ids, count.index) destination_cidr_block = var.vpn_cidr - instance_id = local.id + network_interface_id = local.network_interface_id timeouts { create = "5m" @@ -223,7 +224,7 @@ resource "aws_route" "public_openvpn_remote_subnet_vpndhcp_gateway" { } resource "null_resource" "sqs_notify" { - count = var.create_vpn ? 1 : 0 + count = var.create_vpn ? 1 : 0 triggers = { instance_id = aws_instance.openvpn[count.index].id } @@ -236,4 +237,4 @@ resource "null_resource" "sqs_notify" { ${path.module}/scripts/sqs_notify.sh "${local.resourcetier}" "${var.sqs_remote_in_vpn}" "${var.host1}" "${var.host2}" EOT } -} \ No newline at end of file +} From f7977307fc17c974a5a563cbdb118b56daccbd5b Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 21 Feb 2022 18:44:14 +1030 Subject: [PATCH 301/306] define provider version --- main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index cef6bea..aa6a8ae 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,11 @@ # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet - +provider "aws" { + # if you haven't installed and configured the aws cli, you will need to provide your aws access key and secret key. + # in a dev environment these version locks below can be disabled. in production, they should be locked based on the suggested versions from terraform init. + version = "~> 4.1.0" +} variable "source_dest_check" { default = true From 720dc1fd3f8847d7b908d9b6c1a24d022f9700b6 Mon Sep 17 00:00:00 2001 
From: Andrew Graham 
Date: Mon, 21 Feb 2022 19:42:57 +1030
Subject: [PATCH 302/306] fix missing count attribute

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index aa6a8ae..ddc65f8 100644
--- a/main.tf
+++ b/main.tf
@@ -155,7 +155,7 @@ locals {
 _instance_public_ip = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].public_ip : null
 public_ip = var.use_eip ? local._eip_public_ip : local._instance_public_ip
 id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].id : null
- network_interface_id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn.network_interface_id : null
+ network_interface_id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].network_interface_id : null
 vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip
 }

From 4e1bf9128469ce79308e1b535903defb5af91080 Mon Sep 17 00:00:00 2001
From: Andrew Graham 
Date: Mon, 21 Feb 2022 20:21:17 +1030
Subject: [PATCH 303/306] try primary_network_interface_id

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index ddc65f8..b455e31 100644
--- a/main.tf
+++ b/main.tf
@@ -155,7 +155,7 @@ locals {
 _instance_public_ip = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].public_ip : null
 public_ip = var.use_eip ? local._eip_public_ip : local._instance_public_ip
 id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].id : null
- network_interface_id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].network_interface_id : null
+ network_interface_id = length(aws_instance.openvpn) > 0 ? aws_instance.openvpn[0].primary_network_interface_id : null
 vpn_address = var.route_public_domain_name ? "vpn.${var.public_domain_name}" : local.public_ip
 }

From 27c23e8edb2ad99bb70b51fb36d55309fa04cdf2 Mon Sep 17 00:00:00 2001
From: Andrew Graham Date: Tue, 1 Mar 2022 18:22:50 +1030 Subject: [PATCH 304/306] Update AWS to 4.30 --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b455e31..9a36264 100644 --- a/main.tf +++ b/main.tf @@ -7,7 +7,7 @@ provider "aws" { # if you haven't installed and configured the aws cli, you will need to provide your aws access key and secret key. # in a dev environment these version locks below can be disabled. in production, they should be locked based on the suggested versions from terraform init. - version = "~> 4.1.0" + version = "~> 4.3.0" } variable "source_dest_check" { From 3fee588b5f9b89cd9a672b28a8b356f9db0ef39e Mon Sep 17 00:00:00 2001 From: Andrew Graham Date: Mon, 21 Mar 2022 00:39:13 +1030 Subject: [PATCH 305/306] update-versions --- .gitignore | 3 ++- main.tf | 6 ------ versions.tf | 5 +++-- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index d95d243..cb86cbc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ private-variables.tf - +.terraform +.terraform.lock.hcl diff --git a/main.tf b/main.tf index 9a36264..fba0eaa 100644 --- a/main.tf +++ b/main.tf @@ -4,12 +4,6 @@ # You should define this variable as your remote static ip adress to limit vpn exposure to the public internet -provider "aws" { - # if you haven't installed and configured the aws cli, you will need to provide your aws access key and secret key. - # in a dev environment these version locks below can be disabled. in production, they should be locked based on the suggested versions from terraform init. - version = "~> 4.3.0" -} - variable "source_dest_check" { default = true } diff --git a/versions.tf b/versions.tf index 7f62e23..edcead5 100644 --- a/versions.tf +++ b/versions.tf 
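Review bot: `.terraform.lock.hcl` should not be added to `.gitignore`: it is Terraform's dependency lock file and records the checksums of the `hashicorp/aws` and `hashicorp/null` provider releases that `terraform init` selected, so every later init verifies the downloaded provider binaries against them. With the file ignored, each fresh checkout re-resolves inside the `~>` ranges in `versions.tf` and accepts whatever the registry serves, leaving no hash pinning in the repository. Keep the `.terraform` entry (the local plugin directory) and drop the `.terraform.lock.hcl` line, committing that file instead.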
@@ -2,10 +2,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
+ version = "~> 4.3.0"
 }
 null = {
- source = "hashicorp/null"
+ version = "~> 3.0"
 }
 }
 required_version = ">= 0.13"
-}
+}
\ No newline at end of file

From 8172b31052d1c5f2b88f833257bc2284a9f2135f Mon Sep 17 00:00:00 2001
From: Andrew Graham 
Date: Sun, 27 Mar 2022 17:18:00 +1030
Subject: [PATCH 306/306] Update versions

---
 versions.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/versions.tf b/versions.tf
index edcead5..bd97f68 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,11 +2,12 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.3.0"
+ version = "~> 4.6.0"
 }
 null = {
+ source = "hashicorp/null"
 version = "~> 3.0"
 }
 }
 required_version = ">= 0.13"
-}
\ No newline at end of file
+}