terrafying-components 1.12.3 → 1.12.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ddbde82c2d58b321194378e086691805dfe735cd7fa50e971ea8ff4ac936857a
-  data.tar.gz: b9f54244f14ba08017775d12040f8aca706d1f07218c694cf5950d3223a7189a
+  metadata.gz: b6da8b7007cb656c796f3c191b3e5987eb1370674c947c49a108ab0d4ac39cf3
+  data.tar.gz: 1ff85bce88c2cc69d00f05591a316e54b4d5db38d92b780f74c15c88c90de72b
 SHA512:
-  metadata.gz: a03b6859dbd50737c5adefddca1c7a06d6574b6be02d900b5a3d827827c4c8dc0f91541a614d7f9bf03a05b765409202a5126148abe5b5c2b870a9cd356bd726
-  data.tar.gz: 83c4448f92f85ab5568d90e455666a9136188e2fd646739c10ecda051d9a0617bc641f25d2a2c50615f60936440e02fe230514553a3320a2095a9893e99d66f2
+  metadata.gz: 5ac9cc17797ade6fbab7ee58869061b71ad18244d6b28dcc81ca8cff4ccc72f0fad45492e3bc0705d6fdcb57fee4225aecdf7031d88201e42ad44e81ac146dba
+  data.tar.gz: f65261b1d1786a2ddfebba957698d4c6293599253d5ff5bf52fe33f323e70b4ad041f131c3d380ebabe1934efecb86f30621e85ff42e3b4d553f5124b70279f0

data/lib/terrafying/components.rb

@@ -9,4 +9,5 @@ require 'terrafying/components/service'
 require 'terrafying/components/subnet'
 require 'terrafying/components/vpc'
 require 'terrafying/components/vpn'
+require 'terrafying/components/vpn_oidc'
 require 'terrafying/components/zone'

data/lib/terrafying/components/dynamicset.rb

@@ -32,6 +32,7 @@ module Terrafying
       def create_in(vpc, name, options = {})
         options = {
           public: false,
+          eip: false,
           ami: aws.ami('base-image-24b8d5fb', owners = ['136393635417']),
           instance_type: 't3a.micro',
           instances: { min: 1, max: 1, desired: 1, tags: {} },

data/lib/terrafying/components/ignition.rb

@@ -14,6 +14,7 @@ module Terrafying
           volumes: [],
           environment_variables: [],
           arguments: [],
+          ports: [],
           require_units: [],
           host_networking: false,
           privileged: false
@@ -29,17 +30,9 @@ module Terrafying
 
         docker_options = []
 
-        if options[:environment_variables].count > 0
-          docker_options += options[:environment_variables].map do |var|
-            "-e #{var}"
-          end
-        end
-
-        if options[:volumes].count > 0
-          docker_options += options[:volumes].map do |volume|
-            "-v #{volume}"
-          end
-        end
+        docker_options += options[:environment_variables].map { |var| "-e #{var}" }
+        docker_options += options[:volumes].map { |volume| "-v #{volume}" }
+        docker_options += options[:ports].map { |port| "-p #{port}:#{port}" }
 
         docker_options << '--net=host' if options[:host_networking]
 

data/lib/terrafying/components/instance.rb

@@ -2,6 +2,7 @@
 
 require 'xxhash'
 
+require 'terrafying/components/ports'
 require 'terrafying/components/usable'
 
 module Terrafying
@@ -30,6 +31,7 @@ module Terrafying
       def create_in(vpc, name, options = {})
         options = {
           public: false,
+          eip: false,
           instance_type: 't3a.micro',
           instance_profile: nil,
           ports: [],
@@ -78,12 +80,14 @@ module Terrafying
           @subnet = subnets[subnet_index]
         end
 
+        associate_public_ip_address = options[:eip] || options[:public]
+
         @id = resource :aws_instance, ident, {
           ami: options[:ami],
           instance_type: options[:instance_type],
           iam_instance_profile: profile_from(options[:instance_profile]),
           subnet_id: @subnet.id,
-          associate_public_ip_address: options[:public],
+          associate_public_ip_address: associate_public_ip_address,
           root_block_device: {
             volume_type: 'gp2',
             volume_size: 32
@@ -101,7 +105,15 @@ module Terrafying
           depends_on: options[:depends_on]
         }.merge(options[:ip_address] ? { private_ip: options[:ip_address] } : {}).merge(lifecycle)
 
-        @ip_address = output_of(:aws_instance, ident, options[:public] ? :public_ip : :private_ip)
+        @ip_address = @id[options[:public] ? :public_ip : :private_ip]
+
+        if options[:eip]
+          @eip = resource :aws_eip, ident, {
+            instance: @id,
+            vpc: true
+          }
+          @ip_address = @eip[:public_ip]
+        end
 
         self
       end

data/lib/terrafying/components/prometheus.rb

@@ -22,7 +22,7 @@ module Terrafying
         thanos_name: 'thanos',
         thanos_version: 'v0.4.0',
         prom_name: 'prometheus',
-        prom_version: 'v2.9.2',
+        prom_version: 'v2.10.0',
         instances: 2,
         instance_type: 't3a.small'
       )

data/lib/terrafying/components/staticset.rb

@@ -37,6 +37,7 @@ module Terrafying
       def create_in(vpc, name, options = {})
         options = {
           public: false,
+          eip: false,
           ami: aws.ami('base-image-24b8d5fb', owners = ['136393635417']),
           instance_type: 't3a.micro',
           subnets: vpc.subnets.fetch(:private, []),

data/lib/terrafying/components/version.rb

@@ -2,6 +2,6 @@
 
 module Terrafying
   module Components
-    VERSION = '1.12.3'
+    VERSION = '1.12.4'
   end
 end

data/lib/terrafying/components/vpn_oidc.rb

@@ -0,0 +1,285 @@
+
+# frozen_string_literal: true
+
+require 'digest'
+require 'netaddr'
+
+require 'terrafying/components/ignition'
+require 'terrafying/components/service'
+require 'terrafying/generator'
+
+IN4MASK = 0xffffffff
+
+def cidr_to_split_address(raw_cidr)
+  cidr = NetAddr::CIDR.create(raw_cidr)
+
+  masklen = 32 - cidr.bits
+  maskaddr = ((IN4MASK >> masklen) << masklen)
+
+  maskip = (0..3).map do |i|
+    (maskaddr >> (24 - 8 * i)) & 0xff
+  end.join('.')
+
+  "#{cidr.first} #{maskip}"
+end
+
+module Terrafying
+  module Components
+    class OIDCVPN < Terrafying::Context
+      attr_reader :name, :cidr, :service, :ip_address
+
+      def self.create_in(options)
+        new(**options).tap(&:create_in)
+      end
+
+      def initialize(
+        vpc:,
+        name:,
+        client_id:,
+        issuer_url:,
+        ca: nil,
+        groups: [],
+        cidr: '10.8.0.0/24',
+        public: true,
+        subnets: vpc.subnets.fetch(:public, []),
+        static: false,
+        route_all_traffic: false,
+        route_dns_entries: [],
+        units: [],
+        tags: {},
+        service_options: {}
+      )
+        super()
+        @vpc = vpc
+        @name = name
+        @client_id = client_id
+        @issuer_url = issuer_url
+        @ca = ca
+        @groups = groups
+        @cidr = cidr
+        @fqdn = vpc.zone.qualify(name)
+        @public = public
+        @subnets = subnets
+        @static = static
+        @route_all_traffic = route_all_traffic
+        @route_dns_entries = route_dns_entries
+        @units = units
+        @tags = tags
+        @service_options = service_options
+      end
+
+      def create_in
+        units = [
+          openvpn_service,
+          openvpn_authz_service(@ca, @fqdn, @route_all_traffic, @route_dns_entries, @groups, @client_id, @issuer_url),
+        ]
+        files = [
+          openvpn_conf,
+          openvpn_env,
+          openvpn_ip_delay,
+        ]
+        keypairs = []
+        keypairs.push(@ca.create_keypair_in(self, @fqdn)) if @ca
+
+        instances = [{}]
+        if @static
+          subnet = @subnets.first
+          instances = [{ subnet: subnet, ip_address: subnet.ip_addresses.first }]
+        end
+
+        @service = add! Service.create_in(
+          @vpc, @name,
+          {
+            eip: @public,
+            public: @public,
+            ports: [22, 443, { number: 1194, type: 'udp' }],
+            tags:@tags,
+            units: units + @units,
+            files: files,
+            keypairs: keypairs,
+            subnets: @subnets,
+            instances: instances,
+            iam_policy_statements: [
+              {
+                Effect: 'Allow',
+                Action: [
+                  'ec2:DescribeRouteTables'
+                ],
+                Resource: [
+                  '*'
+                ]
+              }
+            ]
+          }.merge(@service_options)
+        )
+
+        @ip_address = @service.instance_set.instances.first.ip_address
+      end
+
+      def allow_security_group_in(vpc, name: '')
+        name = "allow-#{@vpc.name}-vpn".downcase if name.empty?
+
+        ingress_rules = [
+          {
+            from_port: 0,
+            to_port: 0,
+            protocol: -1,
+            security_groups: [@service.egress_security_group]
+          }
+        ]
+
+        if @public
+          ingress_rules << {
+            from_port: 0,
+            to_port: 0,
+            protocol: -1,
+            cidr_blocks: ["#{@ip_address}/32"]
+          }
+        end
+
+        resource :aws_security_group, tf_safe("#{name}-#{vpc.name}"),
+                 name: name,
+                 vpc_id: vpc.id,
+                 ingress: ingress_rules
+      end
+
+      def openvpn_service
+        Ignition.container_unit(
+          'openvpn', 'kylemanna/openvpn',
+          host_networking: true,
+          privileged: true,
+          volumes: [
+            '/etc/ssl/openvpn:/etc/ssl/openvpn:ro',
+            '/etc/openvpn:/etc/openvpn'
+          ],
+          required_units: ['docker.service', 'network-online.target', 'openvpn-authz.service']
+        )
+      end
+
+      def openvpn_authz_service(ca, fqdn, route_all_traffic, route_dns_entry, groups, client_id, issuer_url)
+        optional_arguments = []
+        optional_volumes = []
+
+        optional_arguments << '--route-all' if route_all_traffic
+        optional_arguments += groups.map { |group| "--oidc-allowed-groups \"#{group}\"" }
+        optional_arguments += route_dns_entry.map { |entry| "--route-dns-entries #{entry}" }
+        optional_arguments << "--tls-cert-file /etc/ssl/#{ca.name}/#{fqdn}/cert" if ca
+        optional_arguments << "--tls-key-file /etc/ssl/#{ca.name}/#{fqdn}/key" if ca
+        optional_volumes << "/etc/ssl/#{ca.name}:/etc/ssl/#{ca.name}" if ca
+
+        Ignition.container_unit(
+          'openvpn-authz', 'quay.io/uswitch/openvpn-authz:2.1',
+          volumes: optional_volumes + [
+            '/etc/ssl/openvpn:/etc/ssl/openvpn',
+            '/var/openvpn-authz:/var/openvpn-authz'
+          ],
+          environment_variables: [
+            "AWS_REGION=#{aws.region}"
+          ],
+          ports: ['443'],
+          arguments: optional_arguments + [
+            "--http-address https://0.0.0.0:443",
+            "--fqdn #{fqdn}",
+            '--cache /var/openvpn-authz',
+            "--oidc-client-id \"#{client_id}\"",
+            "--oidc-issuer-url \"#{issuer_url}\"",
+            '/etc/ssl/openvpn'
+          ]
+        )
+      end
+
+      def openvpn_conf
+        {
+          path: '/etc/openvpn/openvpn.conf',
+          mode: '0644',
+          contents: <<~EOF
+            server #{cidr_to_split_address(@cidr)}
+            verb 3
+
+            iproute /etc/openvpn/ovpn_ip.sh
+
+            key /etc/ssl/openvpn/server/key
+            ca /etc/ssl/openvpn/ca/cert
+            cert /etc/ssl/openvpn/server/cert
+            dh /etc/ssl/openvpn/dh.pem
+            tls-auth /etc/ssl/openvpn/ta.key
+
+            cipher AES-256-CBC
+            auth SHA512
+            tls-version-min 1.2
+
+            key-direction 0
+            keepalive 10 60
+            persist-key
+            persist-tun
+
+            proto udp
+            # Rely on Docker to do port mapping, internally always 1194
+            port 1194
+            dev tun0
+            status /tmp/openvpn-status.log
+
+            user nobody
+            group nogroup
+          EOF
+        }
+      end
+
+      def openvpn_env
+        {
+          path: '/etc/openvpn/ovpn_env.sh',
+          mode: '0644',
+          contents: <<~EOF
+            declare -x OVPN_SERVER=#{@cidr}
+          EOF
+        }
+      end
+
+      # OpenVPN doesn't wait long enough for the tun0 device to init
+      # https://github.com/kylemanna/docker-openvpn/issues/370
+      def openvpn_ip_delay
+        {
+          path: '/etc/openvpn/ovpn_ip.sh',
+          mode: '0755',
+          contents: <<~IP_SCRIPT
+            #!/usr/bin/env bash
+            sleep 0.1
+            /sbin/ip $*
+          IP_SCRIPT
+        }
+      end
+
+      def with_endpoint_service(*args)
+        @service.with_endpoint_service(*args)
+      end
+
+      def security_group
+        @service.security_group
+      end
+
+      def ingress_security_group
+        @service.ingress_security_group
+      end
+
+      def egress_security_group
+        @service.egress_security_group
+      end
+
+      def pingable_by(*services)
+        @service.pingable_by(*services)
+      end
+
+      def used_by(*services)
+        @service.used_by(*services)
+      end
+
+      def pingable_by_cidr(*cidrs)
+        @service.pingable_by_cidr(*cidrs)
+      end
+
+      def used_by_cidr(*cidrs)
+        @service.used_by_cidr(*cidrs)
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terrafying-components
 version: !ruby/object:Gem::Version
-  version: 1.12.3
+  version: 1.12.4
 platform: ruby
 authors:
 - uSwitch Limited
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-24 00:00:00.000000000 Z
+date: 2019-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -132,6 +132,7 @@ files:
 - lib/terrafying/components/version.rb
 - lib/terrafying/components/vpc.rb
 - lib/terrafying/components/vpn.rb
+- lib/terrafying/components/vpn_oidc.rb
 - lib/terrafying/components/zone.rb
 homepage: https://github.com/uswitch/terrafying-components
 licenses: