Merge pull request #3 from unifio/yl-generate-certs

Initial release of generate-certs module
unifio · Jun 9, 2016 · 19e094b · 19e094b
2 parents 3f581b0 + b53c5c0
commit 19e094b
Show file tree

Hide file tree

Showing 6 changed files with 297 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@
 ### ???
 
 - Feature: Automatically push instance's subnet route into `server.conf`
+- export `zone_id`, `dns_name` from aws_elb
+- Fix the 4 subnet fixed mapping
+- Fill in some examples
+
+### 0.0.5
+- Initial release of `generate-certs` module
 
 ### 0.0.4
 - Standardization with other Unif.io OSS terraform modules

diff --git a/examples/.gitkeep b/examples/.gitkeep
diff --git a/generate-certs/main.tf b/generate-certs/main.tf
@@ -0,0 +1,143 @@
+# OpenVPN Generate Certs
+
+## Creates IAM Role & Instance Profile
+# TODO: figure out how to de-dup
+resource "aws_iam_role" "gen_certs_role" {
+  name = "${var.stack_item_label}-${var.region}-gen-certs"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+         "Service": "ec2.amazonaws.com"
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "s3_gen_certs" {
+  name = "s3_gen_certs"
+  role = "${aws_iam_role.gen_certs_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:Get*",
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${replace(var.s3_root_path,"/(\/)+$/","")}",
+        "arn:aws:s3:::${replace(var.s3_root_path,"/(\/)+$/","")}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:List*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${element(split("/", var.s3_root_path), 0)}"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "gen_certs_tags" {
+  name = "gen-certs-tags"
+  role = "${aws_iam_role.gen_certs_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+          "ec2:CreateTags",
+          "ec2:AssociateAddress",
+          "ec2:DescribeAddresses",
+          "ec2:DescribeInstances"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+## Creates IAM instance profile
+resource "aws_iam_instance_profile" "gen_certs_profile" {
+  name  = "${var.stack_item_label}-${var.region}-gen-certs"
+  roles = ["${aws_iam_role.gen_certs_role.name}"]
+}
+
+## Creates security group rules
+resource "aws_security_group" "generate_certs_sg" {
+  name        = "${var.stack_item_label}-${var.region}-gen-certs-sg"
+  description = "${stack_item_fullname} security group"
+}
+
+resource "aws_security_group_rule" "allow_ssh_in_tcp" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  security_group_id = "${aws_security_group.generate_certs_sg.id}"
+}
+
+## Creates user instance data
+resource "template_file" "user_data" {
+  template = "${file("${path.module}/templates/user_data.tpl")}"
+
+  vars {
+    s3_region         = "${var.region}"
+    s3_cert_root_path = "s3://${var.s3_root_path}"
+    key_size          = "${var.cert_key_size}"
+    s3_dir_override   = "${var.s3_dir_override}"
+    key_city          = "${var.key_city}"
+    key_org           = "${var.key_org}"
+    key_email         = "${var.key_email}"
+    key_ou            = "${var.key_ou}"
+    cert_key_name     = "${var.cert_key_name}"
+    key_country       = "${var.key_country}"
+    key_province      = "${var.key_province}"
+    active_clients    = "${var.active_clients}"
+    revoked_clients   = "${var.revoked_clients}"
+    openvpn_host      = "${var.openvpn_host}"
+    force_cert_regen  = "${var.force_cert_regen}"
+    s3_push_dryrun    = "${var.s3_push_dryrun}"
+  }
+}
+
+## Creates instance
+resource "aws_instance" "generate_certs" {
+  count                       = 1
+  ami                         = "${coalesce(lookup(var.ami_region_lookup, var.ami_region), var.ami_custom)}"
+  instance_type               = "${var.instance_type}"
+  key_name                    = "${var.key_name}"
+  security_groups             = ["${aws_security_group.generate_certs_sg.name}"]
+  associate_public_ip_address = true
+  iam_instance_profile        = "${aws_iam_instance_profile.gen_certs_profile.id}"
+
+  tags {
+    Name        = "${var.stack_item_label}-generate-certs"
+    application = "${var.stack_item_label}-generate-certs"
+    managed_by  = "terraform"
+  }
+
+  user_data = "${template_file.user_data.rendered}"
+}
diff --git a/generate-certs/outputs.tf b/generate-certs/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/generate-certs/templates/user_data.tpl b/generate-certs/templates/user_data.tpl
@@ -0,0 +1,24 @@
+#cloud-config
+manage_etc_hosts: True
+
+runcmd:
+  - echo "S3_REGION=\"ap-northeast-1\"" > /etc/default/openvpn-cert-generator
+  - echo "S3_CERT_ROOT_PATH=\"${s3_cert_root_path}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_SIZE=${key_size}" >> /etc/default/openvpn-cert-generator
+  - echo "S3_DIR_OVERRIDE=${s3_dir_override}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_CITY=${key_city}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_ORG=${key_org}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_EMAIL=${key_email}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_OU=${key_ou}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_NAME=${cert_key_name}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_COUNTRY=${key_country}" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_PROVINCE=${key_province}" >> /etc/default/openvpn-cert-generator
+  - echo "ACTIVE_CLIENTS=${active_clients}" >> /etc/default/openvpn-cert-generator
+  - echo "REVOKED_CLIENTS=${revoked_clients}" >> /etc/default/openvpn-cert-generator
+  - echo "OPENVPN_HOST=${openvpn_host}" >> /etc/default/openvpn-cert-generator
+  - echo "FORCE_CERT_REGEN=${force_cert_regen}" >> /etc/default/openvpn-cert-generator
+  - echo "S3_PUSH_DRYRUN=${s3_push_dryrun}" >> /etc/default/openvpn-cert-generator
+
+  - systemctl start openvpn-cert-generator.service
+
+output : { all : '| tee -a /var/log/cloud-init-output.log' }
diff --git a/generate-certs/variables.tf b/generate-certs/variables.tf
@@ -0,0 +1,123 @@
+# openvpn-generate-certs - Variables
+
+variable "ami_region" {
+  type = "string"
+}
+
+variable "ami_region_lookup" {
+  # Not meant to be overwritten
+  type = "map"
+
+  default = {
+    us-east-1      = "ami-6934c804"
+    ap-northeast-1 = "ami-b036d9d1"
+    custom         = ""
+  }
+}
+
+variable "ami_custom" {
+  type        = "string"
+  description = "Artifact AMI"
+  default     = ""
+}
+
+variable "stack_item_fullname" {
+  type = "string"
+}
+
+variable "stack_item_label" {}
+
+variable "instance_type" {
+  type    = "string"
+  default = "m3.medium"
+}
+
+variable "region" {}
+
+variable "key_name" {}
+
+# Do not include the s3:// prefix
+# Format should be something like <bucket name>/<folder path>
+variable "s3_root_path" {
+  type = "string"
+}
+
+# From AWS limits, max rules for an SG is ~50
+variable "cidr_whitelist" {
+  default = "0.0.0.0/0"
+}
+
+variable "cert_key_size" {
+  default = 4096
+}
+
+variable "s3_dir_override" {
+  type    = "string"
+  default = ""
+}
+
+variable "key_city" {
+  type    = "string"
+  default = "San Francisco"
+}
+
+variable "key_org" {
+  type    = "string"
+  default = "Fort-Funston"
+}
+
+# This should probably stick around to help with notifications
+variable "key_email" {
+  type    = "string"
+  default = "cert-admin@example.com"
+}
+
+variable "key_ou" {
+  type    = "string"
+  default = "MyOrgUnit"
+}
+
+variable "cert_key_name" {
+  type    = "string"
+  default = "EasyRSA"
+}
+
+variable "key_country" {
+  type    = "string"
+  default = "US"
+}
+
+variable "key_province" {
+  type    = "string"
+  default = "CA"
+}
+
+# Comma delimited list
+variable "active_clients" {
+  type    = "string"
+  default = "client"
+}
+
+# Comma delimited list
+variable "revoked_clients" {
+  type    = "string"
+  default = ""
+}
+
+variable "openvpn_host" {
+  description = "Publicly accessible hostname to openvpn server(s)"
+  type        = "string"
+  default     = "localhost"
+}
+
+variable "force_cert_regen" {
+  description = "Force all certificates to be regenerated"
+  type        = "string"
+  default     = "false"
+}
+
+variable "s3_push_dryrun" {
+  description = "Dry-run push of certificates into s3 location"
+  type        = "string"
+  default     = "false"
+}