Initial Commit

Author: poush

.gitignore

@@ -0,0 +1,4 @@
+*.tfstate
+*.tfstate.backup
+
+.terraform/

.pre-commit-config.yaml

@@ -0,0 +1,15 @@
+- repo: git://github.com/pre-commit/pre-commit-hooks
+  sha: v1.2.3
+  hooks:
+    - id: trailing-whitespace
+
+- repo: git://github.com/Lucas-C/pre-commit-hooks
+  sha: v1.1.5
+  hooks:
+    - id: forbid-tabs
+
+- repo: git://github.com/kintoandar/pre-commit.git
+  sha: v2.1.0
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_validate

LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2017 Piyush Agrawal<poush12@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

README.md

@@ -0,0 +1,39 @@
+# Input variables
+
+- **aws_key_name:** SSH Key pair for VPN instance
+- **vpc_id:** The VPC id
+- **public_subnet_id:** One of the public subnets to create the instance
+- **instance_type:** Instance type of the VPN box (t2.small is mostly enough)
+- **whitelist:** List of office IP addresses that you can SSH and non-VPN connected users can reach temporary profile download pages
+- **whitelist_http:** List of IP addresses that you can allow HTTP connections.
+- **internal_cidrs:** List of CIDRs that will be whitelisted to access the VPN server internally.
+- **resource_name_prefix:** All the resources will be prefixed with the value of this variable
+
+# Outputs
+
+- **pritunl_private_ip:** Private IP address of the instance
+- **pritunl_public_ip:** EIP of the VPN box
+
+# Usage
+
+```
+provider "aws" {
+  region  = "eu-west-2"
+}
+
+module "pritunl" {
+  source = "github.com/poush/terraform-aws-pritunl?ref=1.0.0"
+
+  aws_key_name         = "aws_key_name"
+  vpc_id               = "${module.vpc.vpc_id}"
+  public_subnet_id     = "${module.vpc.public_subnets[1]}"
+  instance_type        = "t2.micro"
+  resource_name_prefix = "my-pritunl"
+
+  whitelist = [
+    "<Your IP>/32",
+  ]
+}
+```
+
+**Please Note that it can take few minutes (ideally 3-5 minutes) for provisioner to complete after terraform completes its process. Once completed, you should see Pritunl app on the public IP of instance**

main.tf

@@ -0,0 +1,161 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_security_group" "pritunl" {
+  name        = "${var.resource_name_prefix}-vpn"
+  description = "${var.resource_name_prefix}-vpn"
+  vpc_id      = "${var.vpc_id}"
+
+  # SSH access
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.internal_cidrs
+  }
+
+  # HTTP access for Let's Encrypt validation
+  ingress {
+    from_port = 80
+    to_port   = 80
+    protocol  = "tcp"
+
+    cidr_blocks = var.whitelist_http
+  }
+
+  # HTTPS access
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = var.internal_cidrs
+  }
+
+  # VPN WAN access
+  ingress {
+    from_port   = 10000
+    to_port     = 19999
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # ICMP
+  ingress {
+    from_port   = -1
+    to_port     = -1
+    protocol    = "icmp"
+    cidr_blocks = var.internal_cidrs
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${
+    merge(
+      map("Name", format("%s-%s", var.resource_name_prefix, "vpn")),
+      var.tags,
+    )
+  }"
+}
+
+resource "aws_security_group" "allow_from_office" {
+  name        = "${var.resource_name_prefix}-whitelist"
+  description = "Allows SSH connections and HTTP(s) connections from office"
+  vpc_id      = "${var.vpc_id}"
+
+  # SSH access
+  ingress {
+    description = "Allow SSH access from select CIDRs"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.whitelist
+  }
+
+  # HTTPS access
+  ingress {
+    description = "Allow HTTPS access from select CIDRs"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = var.whitelist
+  }
+
+  # ICMP
+  ingress {
+    description = "Allow ICMPv4 from select CIDRs"
+    from_port   = -1
+    to_port     = -1
+    protocol    = "icmp"
+    cidr_blocks = var.whitelist
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${
+    merge(
+      map("Name", format("%s-%s", var.resource_name_prefix, "whitelist")),
+      var.tags,
+    )
+  }"
+}
+
+data "aws_ami" "oracle" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["OL7.6-x86_64-HVM-2019-01-29"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["131827586825"] # Canonical
+}
+
+resource "aws_instance" "pritunl" {
+  ami           = "${data.aws_ami.oracle.id}"
+  instance_type = "${var.instance_type}"
+  key_name      = "${var.aws_key_name}"
+  user_data     = "${file("${path.module}/provision.sh")}"
+
+  vpc_security_group_ids = [
+    "${aws_security_group.pritunl.id}",
+    "${aws_security_group.allow_from_office.id}",
+  ]
+
+  subnet_id = "${var.public_subnet_id}"
+
+  tags = "${
+    merge(
+      map("Name", format("%s-%s", var.resource_name_prefix, "vpn")),
+      var.tags,
+    )
+  }"
+
+}
+
+# resource "aws_route53_record" "pritunl-www" {
+#   zone_id = "${var.route53_zoneid}"
+#   name    = "${var.domain_name}"
+#   type    = "A"
+#   ttl     = "300"
+#   records = ["${aws_instance.pritunl.public_ip}"]
+# }
+
+

outputs.tf

@@ -0,0 +1,7 @@
+output "pritunl_private_ip" {
+  value = "${aws_instance.pritunl.private_ip}"
+}
+
+output "pritunl_public_ip" {
+  value = "${aws_instance.pritunl.public_ip}"
+}

provision.sh

@@ -0,0 +1,49 @@
+#!/bin/bash -xe
+# exec > >(tee /var/log/pritunl-install-data.log|logger -t user-data -s 2>/dev/console) 2>&1yes
+
+export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/root/bin
+echo "Pritunl Installing"
+yum update -y
+
+echo "* hard nofile 64000" >> /etc/security/limits.conf
+echo "* soft nofile 64000" >> /etc/security/limits.conf
+echo "root hard nofile 64000" >> /etc/security/limits.conf
+echo "root soft nofile 64000" >> /etc/security/limits.conf
+
+sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo << EOF
+[mongodb-org-4.0]
+name=MongoDB Repository
+baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
+gpgcheck=1
+enabled=1
+gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
+EOF
+
+sudo tee /etc/yum.repos.d/pritunl.repo << EOF
+[pritunl]
+name=Pritunl Repository
+baseurl=https://repo.pritunl.com/stable/yum/centos/7/
+gpgcheck=1
+enabled=1
+EOF
+
+sudo yum -y install oracle-epel-release-el7
+sudo yum-config-manager --enable ol7_developer_epel
+gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
+gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
+sudo yum -y remove iptables-services
+sudo yum -y install pritunl mongodb-org
+sudo systemctl start mongod pritunl
+sudo systemctl enable mongod pritunl
+
+cat <<EOF > /etc/logrotate.d/pritunl
+/var/log/mongodb/*.log {
+  daily
+  missingok
+  rotate 60
+  compress
+  delaycompress
+  copytruncate
+  notifempty
+}
+EOF

variables.tf

@@ -0,0 +1,44 @@
+variable "aws_key_name" {
+  description = "SSH keypair name for the VPN instance"
+}
+
+variable "vpc_id" {
+  description = "Which VPC VPN server will be created in"
+}
+
+variable "public_subnet_id" {
+  description = "One of the public subnet id for the VPN instance"
+}
+
+variable "instance_type" {
+  description = "Instance type for VPN Box"
+  type        = "string"
+  default     = "t2.micro"
+}
+
+variable "whitelist" {
+  description = "[List] Office IP CIDRs for SSH and HTTPS"
+  type        = "list"
+}
+
+variable "whitelist_http" {
+  description = "[List] Whitelist for HTTP port"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  default     = {}
+}
+
+variable "resource_name_prefix" {
+  description = "All the resources will be prefixed with the value of this variable"
+  default     = "pritunl"
+}
+
+variable "internal_cidrs" {
+  description = "[List] IP CIDRs to whitelist in the pritunl's security group"
+  type        = "list"
+  default     = ["10.0.0.0/16"]
+}