Merged
4 changes: 4 additions & 0 deletions docs/aws-ec2-pritunl-diagram.svg
9 changes: 5 additions & 4 deletions terraform/layer1-aws/aws-ec2-pritunl.tf
Expand Up @@ -2,10 +2,11 @@
module "pritunl" {
count = var.pritunl_vpn_server_enable ? 1 : 0

source = "../modules/aws-ec2-pritunl"
environment = local.env
vpc_id = module.vpc.vpc_id
public_subnets = module.vpc.public_subnets
source = "../modules/aws-ec2-pritunl"
environment = local.env
vpc_id = module.vpc.vpc_id
public_subnets = module.vpc.public_subnets
private_subnets = module.vpc.private_subnets
ingress_with_cidr_blocks = [
{
protocol = "6"
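Review bot: `private_subnets` becomes a required input of the module in this PR (variables.tf gives it no default), so any other call site of `../modules/aws-ec2-pritunl` has to be updated in the same change or its plan fails; call that out in the description. These subnets host the EFS mount targets for the MongoDB data, so confirm the module's `efs_sg` admits NFS (TCP 2049) only from `ec2_sg` rather than from the whole private subnet range. Minor: the realignment of `source`, `environment`, `vpc_id` and `public_subnets` is whitespace-only and would be easier to review as a separate `terraform fmt` commit.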
75 changes: 75 additions & 0 deletions terraform/modules/aws-ec2-pritunl/README.md
@@ -0,0 +1,75 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

No requirements.

## Providers

| Name | Version |
| ------------------------------------------------- | ------- |
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |

## Modules

| Name | Source | Version |
| ----------------------------------------------------------------------- | --------------------------------------------------------- | ------- |
| <a name="module_backup_role"></a> [backup\_role](#module\_backup\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 4.14.0 |
| <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 |
| <a name="module_efs_sg"></a> [efs\_sg](#module\_efs\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 |
| <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 4.14.0 |
| <a name="module_this_role"></a> [this\_role](#module\_this\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 4.14.0 |

## Resources

| Name | Type |
| -------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
| [aws_backup_selection.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_efs_file_system.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
| [aws_efs_mount_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_iam_instance_profile.this_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
| [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

| Name | Description | Type | Default | Required |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | :------: |
| <a name="input_encrypted"></a> [encrypted](#input\_encrypted) | Encrypt or not EFS | `bool` | `true` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | Environment name | `string` | `"infra"` | no |
| <a name="input_ingress_with_cidr_blocks"></a> [ingress\_with\_cidr\_blocks](#input\_ingress\_with\_cidr\_blocks) | A list of Pritunl server security group rules where source is CIDR | <pre>list(object({<br> protocol = string<br> from_port = string<br> to_port = string<br> cidr_blocks = string<br> }))</pre> | `[]` | no |
| <a name="input_ingress_with_source_security_group_id"></a> [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | A list of Pritunl server security group rules where source is another security group | <pre>list(object({<br> protocol = string<br> from_port = string<br> to_port = string<br> security_groups = string<br> }))</pre> | `[]` | no |
| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | Pritunl server instance type | `string` | `"t3.small"` | no |
| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | KMS key ID in case of using CMK | `any` | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | Name used for all resources in this module | `string` | `"pritunl"` | no |
| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | A list of private subnets where EFS will be created | `list(any)` | n/a | yes |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | A list of public subnets where Pritunl server will be run | `list(any)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where to create security groups | `string` | n/a | yes |

## Outputs

| Name | Description |
| ---------------------------------------------------------------------------------------------------------- | ----------- |
| <a name="output_pritunl_endpoint"></a> [pritunl\_endpoint](#output\_pritunl\_endpoint) | n/a |
| <a name="output_pritunl_security_group"></a> [pritunl\_security\_group](#output\_pritunl\_security\_group) | n/a |
<!-- END_TF_DOCS -->

## Architecture diagram

![pritunl-server-architecture-diagram](../../../docs/aws-ec2-pritunl-diagram.svg)

## Description
* AWS ASG is used to automatically run "broken" instance again
* The entire logic is located in user-data script:
* Install MongoDB
* Install Pritunl-server
* Configure sysctl
* Attache Elastic IP
* Disable source-destination check, because this instance will forward traffic
* Mount EFS filesystem into directory with MongoDB data. We don't want to care about AZ and EBS disks
* AWS Backup is configured to backup EFS storage
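Review bot: the Description list has a typo, "Attache Elastic IP" should read "Attach Elastic IP", and the `encrypted` input description "Encrypt or not EFS" reads better as "Whether to encrypt the EFS file system". The generated Inputs table also shows `kms_key_id` typed `any` and the subnet lists as `list(any)`; tightening those to `string` and `list(string)` in variables.tf would regenerate here with precise types. Since the EFS volume holds the MongoDB data that is Pritunl's state and AWS Backup copies it, one sentence noting that `encrypted = true` without `kms_key_id` uses the AWS-managed EFS key, and that the backup vault therefore deserves the same access restrictions as the server itself, would help operators.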
6 changes: 3 additions & 3 deletions terraform/modules/aws-ec2-pritunl/backup.tf
Expand Up @@ -3,9 +3,9 @@ resource "aws_backup_vault" "this" {
}

resource "aws_backup_plan" "this" {
name = "${var.name}_backup_plan"
name = var.name
rule {
rule_name = "${var.name}_backup_plan_efs"
rule_name = var.name
target_vault_name = aws_backup_vault.this.name
schedule = "cron(0 1 * * ? *)"
lifecycle {
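Review bot: changing `name` on `aws_backup_plan.this` from `"${var.name}_backup_plan"` to `var.name` is a rename the provider treats as a replacement, and because `aws_backup_selection.efs` references `plan_id`, the selection is replaced with it; the vault and its recovery points are untouched, but check the plan output and state the replace in the PR description so nothing else cascades. With `rule_name` also set to the bare `var.name`, the plan, its rule and the selection below all derive from one word, which makes them harder to tell apart in the console.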
Expand All @@ -16,7 +16,7 @@ resource "aws_backup_plan" "this" {

resource "aws_backup_selection" "efs" {
iam_role_arn = module.backup_role.iam_role_arn
name = "${var.name}_backup_selection_efs"
name = "${var.name}-efs"
plan_id = aws_backup_plan.this.id

resources = [
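Review bot: `"${var.name}-efs"` uses a hyphen while the plan and rule above use the bare `var.name`; pick one separator convention for the module and apply it to all three names. Renaming a backup selection also forces a new resource, so this lands as a destroy/create in the same apply as the plan rename; harmless for existing recovery points, but worth stating in the commit message.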
41 changes: 32 additions & 9 deletions terraform/modules/aws-ec2-pritunl/variables.tf
@@ -1,23 +1,43 @@
variable "vpc_id" {}
variable "public_subnets" {}
variable "vpc_id" {
type = string
description = "ID of the VPC where to create security groups"
}

variable "public_subnets" {
type = list(any)
description = "A list of public subnets where Pritunl server will be run"
}

variable "private_subnets" {
type = list(any)
description = "A list of private subnets where EFS will be created"
}

variable "name" {
default = "pritunl"
default = "pritunl"
description = "Name used for all resources in this module"
}

variable "environment" {
default = "infra"
default = "infra"
description = "Environment name"
}

variable "instance_type" {
default = "t3.small"
default = "t3.small"
description = "Pritunl server instance type"
}

variable "encrypted" {
default = true
default = true
description = "Encrypt or not EFS"
}

variable "kms_key_id" {
default = null
default = null
description = "KMS key ID in case of using CMK"
}

variable "ingress_with_source_security_group_id" {
type = list(object({
protocol = string
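Review bot: `vpc_id`, `public_subnets` and `private_subnets` now get explicit types, but `name`, `environment`, `instance_type`, `encrypted` and `kms_key_id` still rely on inference from their defaults (the generated README renders `kms_key_id` as `any`). Add `type = string` / `type = bool` to those, and prefer `list(string)` over `list(any)` for the subnet IDs so a mis-shaped input is rejected at plan time rather than at the EFS mount target. `encrypted = true` is the right default; describing it as "Whether to encrypt the EFS file system" is clearer than "Encrypt or not EFS".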
Expand All @@ -26,8 +46,10 @@ variable "ingress_with_source_security_group_id" {
security_groups = string
}))

default = []
default = []
description = "A list of Pritunl server security group rules where source is another security group"
}

variable "ingress_with_cidr_blocks" {
type = list(object({
protocol = string
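Review bot: the object field `security_groups` is typed `string` although its name is plural, and the new description does not say whether a single ID or a comma-separated list is expected. If this is forwarded to the terraform-aws-modules security-group module's `ingress_with_source_security_group_id` rule set, that module keys the source on `source_security_group_id`; either rename the field to match or type it `list(string)`, and state the choice in the description so callers do not pass a list and hit the object type constraint.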
Expand All @@ -36,5 +58,6 @@ variable "ingress_with_cidr_blocks" {
cidr_blocks = string
}))

default = []
default = []
description = "A list of Pritunl server security group rules where source is CIDR"
}
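Review bot: `cidr_blocks = string` has the same single-value-versus-list ambiguity as `security_groups` above; document whether one CIDR or a comma-separated string is expected. Because these rules open a server that runs in public subnets, consider a `validation` block that rejects `0.0.0.0/0` for anything but the VPN listener port so the management interface cannot be exposed world-wide by accident. The `[]` default means a fresh deployment has no ingress at all, which is safe, but the description should say so.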
37 changes: 37 additions & 0 deletions terraform/modules/aws-iam-eks-trusted/README.md
@@ -0,0 +1,37 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_name"></a> [name](#input\_name) | Name, required to form unique resource names | `any` | n/a | yes |
| <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the OIDC Provider | `any` | n/a | yes |
| <a name="input_policy"></a> [policy](#input\_policy) | The policy that will be attached to role | `any` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | Target region for all infrastructure resources | `any` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | This role ARN |
<!-- END_TF_DOCS -->
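Review bot: all four inputs render as type `any`, which for `oidc_provider_arn`, `name` and `region` hides that a string is required; adding `type = string` in variables.tf makes this table self-explanatory. The `region` input deserves a description of what it is used for, since the two resources listed (`aws_iam_role`, `aws_iam_role_policy`) are global. "No requirements" means no minimum aws provider version is pinned; a `required_providers` block would make the generated docs and the OIDC trust behaviour reproducible.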
4 changes: 1 addition & 3 deletions terraform/modules/aws-iam-eks-trusted/variables.tf
@@ -1,15 +1,13 @@
variable "oidc_provider_arn" {
description = "The ARN of the OIDC Provider"
default = ""
}

variable "name" {
description = "Name, required to form unique resource names"
default = ""
}

variable "region" {
description = "Target region for all infrastructure resources"
default = ""
}

variable "policy" {
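Review bot: removing `default = ""` from `oidc_provider_arn`, `name` and `region` is the right fix; an empty ARN interpolated into the role's federated trust policy would otherwise not be caught until apply, or worse yield a role nobody intended can assume. While here, add `type = string` (the README currently shows `any`) and consider `validation { condition = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:oidc-provider/", var.oidc_provider_arn)) }` with an error message, so a wrong ARN fails at plan time.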
37 changes: 37 additions & 0 deletions terraform/modules/aws-iam-user-with-policy/README.md
@@ -0,0 +1,37 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_iam_access_key.this_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_user.this_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_name"></a> [name](#input\_name) | Project name, required to form unique resource names | `any` | n/a | yes |
| <a name="input_policy"></a> [policy](#input\_policy) | IAM policy that will be attached to user | `any` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_access_key_id"></a> [access\_key\_id](#output\_access\_key\_id) | AWS ACCESS\_KEY\_ID |
| <a name="output_access_secret_key"></a> [access\_secret\_key](#output\_access\_secret\_key) | AWS ACCESS\_SECRET\_KEY |
<!-- END_TF_DOCS -->
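Review bot: `access_secret_key` is emitted as a module output, so the long-lived IAM secret shows up in `terraform plan`/`terraform output` of every root module that uses it; mark the output `sensitive = true` (it is in state either way), or better, pass a `pgp_key` to `aws_iam_access_key.this_user` and expose `encrypted_secret` instead. The output name also inverts the AWS term (`AWS_SECRET_ACCESS_KEY`), so `secret_access_key` would avoid confusion when mapping it into CI variables. Since this module creates a user with an inline policy and a static key, the README should say when that is preferable to the role-based sibling `aws-iam-eks-trusted`, static keys being the higher-risk option.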
1 change: 0 additions & 1 deletion terraform/modules/aws-iam-user-with-policy/variables.tf
@@ -1,6 +1,5 @@
variable "name" {
description = "Project name, required to form unique resource names"
default = ""
}

variable "policy" {
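Review bot: dropping the empty default on `name` is correct, since an empty value defeats its stated purpose of forming unique resource names; add `type = string` to both `name` and `policy` (the README renders them as `any`), and because `policy` is a JSON document consumed by `aws_iam_user_policy`, a `validation { condition = can(jsondecode(var.policy)) }` catches a malformed policy before apply.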