From e2b9c8398beb2ea31c0e21c2de850ae67e96b8b1 Mon Sep 17 00:00:00 2001
From: Wilson Carey <carey@unif.io>
Date: Sun, 26 Jun 2016 18:47:24 -0400
Subject: [PATCH 1/4] Updated server security groups and instance user data

---
 certs/main.tf      | 142 +++++++++++++++++++++++++++------------------
 certs/outputs.tf   |   4 +-
 certs/variables.tf |  21 +++----
 3 files changed, 97 insertions(+), 70 deletions(-)

diff --git a/certs/main.tf b/certs/main.tf
index 9afee38..1949ef1 100644
--- a/certs/main.tf
+++ b/certs/main.tf
@@ -1,7 +1,7 @@
 # OpenVPN Server
 
 ## Creates IAM role & policies
-resource "aws_iam_role" "vpn_role" {
+resource "aws_iam_role" "role" {
   name = "${var.stack_item_label}-${var.region}"
   path = "/"
 
@@ -21,9 +21,9 @@ resource "aws_iam_role" "vpn_role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "s3_vpn_ro" {
-  name = "s3_vpn_ro"
-  role = "${aws_iam_role.vpn_role.id}"
+resource "aws_iam_role_policy" "s3_certs_ro" {
+  name = "s3_certs_ro"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -54,8 +54,8 @@ EOF
 }
 
 resource "aws_iam_role_policy" "tags" {
-  name = "vpn-tags"
-  role = "${aws_iam_role.vpn_role.id}"
+  name = "tags"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -77,45 +77,109 @@ EOF
 }
 
 ## Creates IAM instance profile
-resource "aws_iam_instance_profile" "vpn_profile" {
+resource "aws_iam_instance_profile" "profile" {
   name  = "${var.stack_item_label}-${var.region}"
-  roles = ["${aws_iam_role.vpn_role.name}"]
+  roles = ["${aws_iam_role.role.name}"]
 }
 
-## Creates security group rules
-resource "aws_security_group_rule" "allow_all_out" {
+## Create elastic load balancer security group and rules
+resource "aws_security_group" "sg_elb" {
+  name_prefix = "${var.stack_item_label}-elb-"
+  description = "${var.stack_item_fullname} load balancer security group"
+  vpc_id      = "${var.vpc_id}"
+
+  tags {
+    Name        = "${var.stack_item_label}-elb"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+}
+
+resource "aws_security_group_rule" "elb_allow_all_out" {
   type              = "egress"
   from_port         = 0
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = "${module.cluster.sg_id}"
+  security_group_id = "${aws_security_group.sg_elb.id}"
 }
 
-resource "aws_security_group_rule" "allow_ssh_in_tcp" {
+resource "aws_security_group_rule" "elb_allow_openvpn_tcp_in" {
   type              = "ingress"
-  from_port         = 22
-  to_port           = 22
+  from_port         = 1194
+  to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  cidr_blocks       = ["${split(",",var.vpn_whitelist)}"]
+  security_group_id = "${aws_security_group.sg_elb.id}"
+}
+
+## Creates an elastic load balancer
+resource "aws_elb" "elb" {
+  name            = "${var.stack_item_label}"
+  subnets         = ["${split(",",var.subnets)}"]
+  internal        = false
+  security_groups = ["${aws_security_group.sg_elb.id}"]
+
+  listener {
+    instance_port     = 1194
+    instance_protocol = "tcp"
+    lb_port           = 1194
+    lb_protocol       = "tcp"
+  }
+
+  health_check {
+    healthy_threshold   = 4
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "TCP:1194"
+    interval            = 30
+  }
+
+  tags {
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+## Creates security group rules
+resource "aws_security_group_rule" "cluster_allow_all_out" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_openvpn_in_tcp" {
+resource "aws_security_group_rule" "cluster_allow_openvpn_tcp_in" {
+  type                     = "ingress"
+  from_port                = 1194
+  to_port                  = 1194
+  protocol                 = "tcp"
+  source_security_group_id = "${aws_security_group.sg_elb.id}"
+  security_group_id        = "${module.cluster.sg_id}"
+}
+
+resource "aws_security_group_rule" "cluster_allow_ssh_in" {
   type              = "ingress"
-  from_port         = 1194
-  to_port           = 1194
+  from_port         = 22
+  to_port           = 22
   protocol          = "tcp"
-  cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
-resource "aws_security_group_rule" "allow_ping_in_icmp" {
+resource "aws_security_group_rule" "cluster_allow_icmp_in" {
   type              = "ingress"
   from_port         = 0
   to_port           = 0
   protocol          = "icmp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["${split(",",var.ssh_whitelist)}"]
   security_group_id = "${module.cluster.sg_id}"
 }
 
@@ -124,6 +188,7 @@ resource "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
+    hostname         = "${var.stack_item_label}"
     s3_bucket        = "${var.s3_bucket}"
     s3_bucket_prefix = "${var.s3_bucket_prefix}"
     route_cidrs      = "${var.route_cidrs}"
@@ -150,7 +215,7 @@ module "cluster" {
   # LC parameters
   ami              = "${var.ami}"
   instance_type    = "${var.instance_type}"
-  instance_profile = "${aws_iam_instance_profile.vpn_profile.id}"
+  instance_profile = "${aws_iam_instance_profile.profile.id}"
   user_data        = "${template_file.user_data.rendered}"
   key_name         = "${var.key_name}"
   ebs_optimized    = false
@@ -162,36 +227,3 @@ module "cluster" {
   min_elb_capacity = 1
   load_balancers   = "${aws_elb.elb.id}"
 }
-
-## Creates a load balancer
-resource "aws_elb" "elb" {
-  name            = "${var.stack_item_label}"
-  subnets         = ["${split(",",var.subnets)}"]
-  internal        = false
-  security_groups = ["${module.cluster.sg_id}"]
-
-  listener {
-    instance_port     = 1194
-    instance_protocol = "tcp"
-    lb_port           = 1194
-    lb_protocol       = "tcp"
-  }
-
-  health_check {
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 3
-    target              = "TCP:1194"
-    interval            = 30
-  }
-
-  tags {
-    Name        = "${var.stack_item_label}"
-    application = "${var.stack_item_fullname}"
-    managed_by  = "terraform"
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
diff --git a/certs/outputs.tf b/certs/outputs.tf
index 953f0f8..c7a2d39 100644
--- a/certs/outputs.tf
+++ b/certs/outputs.tf
@@ -4,6 +4,6 @@ output "vpn_server_sg_id" {
   value = "${module.cluster.sg_id}"
 }
 
-output "cidr_whitelist" {
-  value = "${var.cidr_whitelist}"
+output "vpn_whitelist" {
+  value = "${var.vpn_whitelist}"
 }
diff --git a/certs/variables.tf b/certs/variables.tf
index 5452d56..ccb136c 100644
--- a/certs/variables.tf
+++ b/certs/variables.tf
@@ -12,17 +12,6 @@ variable "stack_item_fullname" {
 }
 
 ## VPC parameters
-
-###
-### 0 - if instance is a standalone instance outside a VPC
-### 1 - if instance is in a vpc
-###
-variable "in_vpc" {
-  type        = "string"
-  description = "Flag for associating the cluster with a VPC."
-  default     = 1
-}
-
 variable "vpc_id" {
   type        = "string"
   description = "ID of the target VPC."
@@ -74,8 +63,14 @@ variable "s3_bucket_prefix" {
   default     = ""
 }
 
-variable "cidr_whitelist" {
+variable "vpn_whitelist" {
+  type        = "string"
+  description = "Limit VPN access to the designated list of CIDRs"
+  default     = "0.0.0.0/0"
+}
+
+variable "ssh_whitelist" {
   type        = "string"
-  description = "Limit access to the designated list of CIDRs"
+  description = "Limit SSH access to the designated list of CIDRs"
   default     = "0.0.0.0/0"
 }

From 667f6fda9e6d027b5cab40112a94b85b5a21ed39 Mon Sep 17 00:00:00 2001
From: Wilson Carey <carey@unif.io>
Date: Mon, 27 Jun 2016 10:26:10 -0400
Subject: [PATCH 2/4] Updated certificate generation module for standardization

---
 CHANGELOG.md                           |  32 ++++--
 generate-certs/main.tf                 | 104 ++++++++++-------
 generate-certs/outputs.tf              |   1 -
 generate-certs/templates/user_data.tpl |  28 ++---
 generate-certs/variables.tf            | 152 +++++++++++++++----------
 5 files changed, 191 insertions(+), 126 deletions(-)
 delete mode 100644 generate-certs/outputs.tf

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5dd6387..505e85b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,16 +1,30 @@
-# CHANGELOG
+## Unreleased
 
-### ???
+## ???
 
 - Feature: Automatically push instance's subnet route into `server.conf`
 - export `zone_id`, `dns_name` from aws_elb
 - Fix the 4 subnet fixed mapping
 - Fill in some examples
 
-### 0.0.5
+## 0.0.6
+
+#### BREAKING CHANGES:
+- Updates in resource naming will cause churn for existing resources.
+
+#### IMPROVEMENTS:
+- Standardization with other Unif.io OSS terraform modules
+- Documentation improvements
+- Updated security group scheme for OpenVPN server
+
+## 0.0.5
+
+#### FEATURES:
 - Initial release of `generate-certs` module
 
-### 0.0.4
+## 0.0.4
+
+#### IMPROVEMENTS:
 - Standardization with other Unif.io OSS terraform modules
 - CI Builder
 - Small tweaks:
@@ -20,15 +34,17 @@
   - lifecycle `create_before_destroy` fixes to deal with dependency issues on build.
   - somewhat breaking change: in_vpc now is `1`(true) instead of `0`(false)
 
-### 0.0.3
+## 0.0.3
 
+#### IMPROVEMENTS:
 - Fix: tag.application for elb reverted to using short name instead of full application name due to naming restrictions
 
-### 0.0.2
+## 0.0.2
 
+#### IMPROVEMENTS:
 - Fix: use updated `awscli` client from pip instead of apt
 
-### 0.0.1
+## 0.0.1
 
+#### FEATURES:
 - Basic functioning openvpn server working off us-east-1
-
diff --git a/generate-certs/main.tf b/generate-certs/main.tf
index 7f2c32b..2fd2145 100644
--- a/generate-certs/main.tf
+++ b/generate-certs/main.tf
@@ -1,9 +1,8 @@
-# OpenVPN Generate Certs
+# OpenVPN Certificate Generator
 
-## Creates IAM Role & Instance Profile
-# TODO: figure out how to de-dup
-resource "aws_iam_role" "gen_certs_role" {
-  name = "${var.stack_item_label}-${var.region}-gen-certs"
+## Creates IAM role & policies
+resource "aws_iam_role" "role" {
+  name = "${var.stack_item_label}-${var.region}"
   path = "/"
 
   assume_role_policy = <<EOF
@@ -22,9 +21,9 @@ resource "aws_iam_role" "gen_certs_role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "s3_gen_certs" {
-  name = "s3_gen_certs"
-  role = "${aws_iam_role.gen_certs_role.id}"
+resource "aws_iam_role_policy" "s3_certs_rw" {
+  name = "s3_certs_rw"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -37,8 +36,8 @@ resource "aws_iam_role_policy" "s3_gen_certs" {
         "s3:PutObject"
       ],
       "Resource": [
-        "arn:aws:s3:::${replace(var.s3_root_path,"/(\/)+$/","")}",
-        "arn:aws:s3:::${replace(var.s3_root_path,"/(\/)+$/","")}/*"
+        "arn:aws:s3:::${var.s3_bucket}",
+        "arn:aws:s3:::${var.s3_bucket}/*"
       ]
     },
     {
@@ -47,7 +46,7 @@ resource "aws_iam_role_policy" "s3_gen_certs" {
         "s3:List*"
       ],
       "Resource": [
-        "arn:aws:s3:::${element(split("/", var.s3_root_path), 0)}"
+        "arn:aws:s3:::${var.s3_bucket}"
       ]
     }
   ]
@@ -55,9 +54,9 @@ resource "aws_iam_role_policy" "s3_gen_certs" {
 EOF
 }
 
-resource "aws_iam_role_policy" "gen_certs_tags" {
-  name = "gen-certs-tags"
-  role = "${aws_iam_role.gen_certs_role.id}"
+resource "aws_iam_role_policy" "tags" {
+  name = "tags"
+  role = "${aws_iam_role.role.id}"
 
   policy = <<EOF
 {
@@ -79,24 +78,40 @@ EOF
 }
 
 ## Creates IAM instance profile
-resource "aws_iam_instance_profile" "gen_certs_profile" {
-  name  = "${var.stack_item_label}-${var.region}-gen-certs"
-  roles = ["${aws_iam_role.gen_certs_role.name}"]
+resource "aws_iam_instance_profile" "profile" {
+  name  = "${var.stack_item_label}-${var.region}"
+  roles = ["${aws_iam_role.role.name}"]
 }
 
 ## Creates security group rules
-resource "aws_security_group" "generate_certs_sg" {
-  name        = "${var.stack_item_label}-${var.region}-gen-certs-sg"
-  description = "${stack_item_fullname} security group"
+resource "aws_security_group" "sg_cert_gen" {
+  name_prefix = "${var.stack_item_label}-${var.region}-"
+  description = "${var.stack_item_fullname} security group"
+  vpc_id      = "${var.vpc_id}"
+
+  tags {
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
+    managed_by  = "terraform"
+  }
+}
+
+resource "aws_security_group_rule" "allow_all_out" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.sg_cert_gen.id}"
 }
 
-resource "aws_security_group_rule" "allow_ssh_in_tcp" {
+resource "aws_security_group_rule" "allow_ssh_in" {
   type              = "ingress"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
   cidr_blocks       = ["${split(",",var.cidr_whitelist)}"]
-  security_group_id = "${aws_security_group.generate_certs_sg.id}"
+  security_group_id = "${aws_security_group.sg_cert_gen.id}"
 }
 
 ## Creates user instance data
@@ -104,38 +119,39 @@ resource "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.tpl")}"
 
   vars {
-    s3_region         = "${var.region}"
-    s3_cert_root_path = "s3://${var.s3_root_path}"
-    key_size          = "${var.cert_key_size}"
-    s3_dir_override   = "${var.s3_dir_override}"
-    key_city          = "${var.key_city}"
-    key_org           = "${var.key_org}"
-    key_email         = "${var.key_email}"
-    key_ou            = "${var.key_ou}"
-    cert_key_name     = "${var.cert_key_name}"
-    key_country       = "${var.key_country}"
-    key_province      = "${var.key_province}"
-    active_clients    = "${var.active_clients}"
-    revoked_clients   = "${var.revoked_clients}"
-    openvpn_host      = "${var.openvpn_host}"
-    force_cert_regen  = "${var.force_cert_regen}"
-    s3_push_dryrun    = "${var.s3_push_dryrun}"
+    active_clients   = "${var.active_clients}"
+    cert_key_name    = "${var.cert_key_name}"
+    cert_key_size    = "${var.cert_key_size}"
+    force_cert_regen = "${var.force_cert_regen}"
+    hostname         = "${var.stack_item_label}"
+    key_city         = "${var.key_city}"
+    key_country      = "${var.key_country}"
+    key_email        = "${var.key_email}"
+    key_org          = "${var.key_org}"
+    key_ou           = "${var.key_ou}"
+    key_province     = "${var.key_province}"
+    openvpn_host     = "${var.openvpn_host}"
+    region           = "${var.region}"
+    revoked_clients  = "${var.revoked_clients}"
+    s3_bucket        = "${var.s3_bucket}"
+    s3_dir_override  = "${var.s3_bucket_prefix}"
+    s3_push_dryrun   = "${var.s3_push_dryrun}"
   }
 }
 
 ## Creates instance
 resource "aws_instance" "generate_certs" {
-  count                       = 1
-  ami                         = "${coalesce(lookup(var.ami_region_lookup, var.ami_region), var.ami_custom)}"
+  ami                         = "${coalesce(lookup(var.ami_region_lookup, var.region), var.ami_custom)}"
   instance_type               = "${var.instance_type}"
   key_name                    = "${var.key_name}"
-  security_groups             = ["${aws_security_group.generate_certs_sg.name}"]
+  vpc_security_group_ids      = ["${aws_security_group.sg_cert_gen.id}"]
+  subnet_id                   = "${var.subnet}"
   associate_public_ip_address = true
-  iam_instance_profile        = "${aws_iam_instance_profile.gen_certs_profile.id}"
+  iam_instance_profile        = "${aws_iam_instance_profile.profile.id}"
 
   tags {
-    Name        = "${var.stack_item_label}-generate-certs"
-    application = "${var.stack_item_label}-generate-certs"
+    Name        = "${var.stack_item_label}"
+    application = "${var.stack_item_fullname}"
     managed_by  = "terraform"
   }
 
diff --git a/generate-certs/outputs.tf b/generate-certs/outputs.tf
deleted file mode 100644
index 8b13789..0000000
--- a/generate-certs/outputs.tf
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/generate-certs/templates/user_data.tpl b/generate-certs/templates/user_data.tpl
index bd22a6d..4e4ce3a 100644
--- a/generate-certs/templates/user_data.tpl
+++ b/generate-certs/templates/user_data.tpl
@@ -2,20 +2,20 @@
 manage_etc_hosts: True
 
 runcmd:
-  - echo "S3_REGION=\"ap-northeast-1\"" > /etc/default/openvpn-cert-generator
-  - echo "S3_CERT_ROOT_PATH=\"${s3_cert_root_path}\"" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_SIZE=${key_size}" >> /etc/default/openvpn-cert-generator
-  - echo "S3_DIR_OVERRIDE=${s3_dir_override}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_CITY=${key_city}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_ORG=${key_org}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_EMAIL=${key_email}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_OU=${key_ou}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_NAME=${cert_key_name}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_COUNTRY=${key_country}" >> /etc/default/openvpn-cert-generator
-  - echo "KEY_PROVINCE=${key_province}" >> /etc/default/openvpn-cert-generator
-  - echo "ACTIVE_CLIENTS=${active_clients}" >> /etc/default/openvpn-cert-generator
-  - echo "REVOKED_CLIENTS=${revoked_clients}" >> /etc/default/openvpn-cert-generator
-  - echo "OPENVPN_HOST=${openvpn_host}" >> /etc/default/openvpn-cert-generator
+  - echo "S3_REGION=\"${region}\"" > /etc/default/openvpn-cert-generator
+  - echo "S3_CERT_ROOT_PATH=\"s3://${s3_bucket}/\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_SIZE=${cert_key_size}" >> /etc/default/openvpn-cert-generator
+  - echo "S3_DIR_OVERRIDE=\"${s3_dir_override}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_CITY=\"${key_city}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_ORG=\"${key_org}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_EMAIL=\"${key_email}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_OU=\"${key_ou}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_NAME=\"${cert_key_name}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_COUNTRY=\"${key_country}\"" >> /etc/default/openvpn-cert-generator
+  - echo "KEY_PROVINCE=\"${key_province}\"" >> /etc/default/openvpn-cert-generator
+  - echo "ACTIVE_CLIENTS=\"${active_clients}\"" >> /etc/default/openvpn-cert-generator
+  - echo "REVOKED_CLIENTS=\"${revoked_clients}\"" >> /etc/default/openvpn-cert-generator
+  - echo "OPENVPN_HOST=\"${openvpn_host}\"" >> /etc/default/openvpn-cert-generator
   - echo "FORCE_CERT_REGEN=${force_cert_regen}" >> /etc/default/openvpn-cert-generator
   - echo "S3_PUSH_DRYRUN=${s3_push_dryrun}" >> /etc/default/openvpn-cert-generator
 
diff --git a/generate-certs/variables.tf b/generate-certs/variables.tf
index 42d519f..3c64486 100644
--- a/generate-certs/variables.tf
+++ b/generate-certs/variables.tf
@@ -1,7 +1,21 @@
-# openvpn-generate-certs - Variables
+# Input Variables
 
-variable "ami_region" {
-  type = "string"
+## Resource tags
+variable "stack_item_label" {
+  type        = "string"
+  description = "Short form identifier for this stack. This value is used to create the 'Name' resource tag for resources created by this stack item, and also serves as a unique key for re-use."
+}
+
+variable "stack_item_fullname" {
+  type        = "string"
+  description = "Long form descriptive name for this stack item. This value is used to create the 'application' resource tag for resources created by this stack item."
+}
+
+## Instance parameters
+variable "ami_custom" {
+  type        = "string"
+  description = "Custom AMI to utilize"
+  default     = ""
 }
 
 variable "ami_region_lookup" {
@@ -15,109 +29,129 @@ variable "ami_region_lookup" {
   }
 }
 
-variable "ami_custom" {
+variable "cidr_whitelist" {
+  default = "0.0.0.0/0"
+}
+
+variable "instance_type" {
   type        = "string"
-  description = "Artifact AMI"
-  default     = ""
+  description = "EC2 instance type to associate with the launch configuration."
+  default     = "m3.medium"
 }
 
-variable "stack_item_fullname" {
-  type = "string"
+variable "key_name" {
+  type        = "string"
+  description = "SSH key pair to associate with the launch configuration."
 }
 
-variable "stack_item_label" {}
+variable "region" {
+  type        = "string"
+  description = "AWS region to be utilized."
+}
 
-variable "instance_type" {
-  type    = "string"
-  default = "m3.medium"
+variable "subnet" {
+  tpye        = "string"
+  description = "VPC subnet to associate with the instance"
 }
 
-variable "region" {}
+variable "vpc_id" {
+  type        = "string"
+  description = "ID of the target VPC."
+}
 
-variable "key_name" {}
+## Generator parameters
 
-# Do not include the s3:// prefix
-# Format should be something like <bucket name>/<folder path>
-variable "s3_root_path" {
-  type = "string"
+### Order matters. Do not remove clients here, use the 'revoked_clients' list instead.
+variable "active_clients" {
+  type        = "string"
+  description = "Comma delimited list of active clients"
+  default     = "client"
 }
 
-# From AWS limits, max rules for an SG is ~50
-variable "cidr_whitelist" {
-  default = "0.0.0.0/0"
+variable "cert_key_name" {
+  type    = "string"
+  default = "EasyRSA"
 }
 
 variable "cert_key_size" {
+  type    = "string"
   default = 4096
 }
 
-variable "s3_dir_override" {
-  type    = "string"
-  default = ""
+variable "force_cert_regen" {
+  type        = "string"
+  description = "Force all certificates to be regenerated."
+  default     = false
 }
 
 variable "key_city" {
-  type    = "string"
-  default = "San Francisco"
+  type        = "string"
+  description = "City to be associated with the certificate."
+  default     = "San Francisco"
 }
 
-variable "key_org" {
-  type    = "string"
-  default = "Fort-Funston"
+variable "key_country" {
+  type        = "string"
+  description = "Country to be associated with the certificate."
+  default     = "US"
 }
 
-# This should probably stick around to help with notifications
 variable "key_email" {
-  type    = "string"
-  default = "cert-admin@example.com"
-}
-
-variable "key_ou" {
-  type    = "string"
-  default = "MyOrgUnit"
+  type        = "string"
+  description = "Email address to be associated with the certificate."
+  default     = "cert-admin@example.com"
 }
 
-variable "cert_key_name" {
-  type    = "string"
-  default = "EasyRSA"
+variable "key_org" {
+  type        = "string"
+  description = "Organization to be associated with the certificate."
+  default     = "Fort-Funston"
 }
 
-variable "key_country" {
-  type    = "string"
-  default = "US"
+variable "key_ou" {
+  type        = "string"
+  description = "Organizational unit to be associated with the certificate."
+  default     = "MyOrgUnit"
 }
 
 variable "key_province" {
-  type    = "string"
-  default = "CA"
+  type        = "string"
+  description = "Province to be associated with the certificate."
+  default     = "CA"
 }
 
-# Comma delimited list
-variable "active_clients" {
-  type    = "string"
-  default = "client"
+variable "openvpn_host" {
+  type        = "string"
+  description = "Publicly accessible hostname of the OpenVPN server(s)."
+  default     = "localhost"
 }
 
 # Comma delimited list
 variable "revoked_clients" {
-  type    = "string"
-  default = ""
+  type        = "string"
+  description = "Comma delimited list of existing clients who are to have their privileges revoked."
+  default     = ""
 }
 
-variable "openvpn_host" {
-  description = "Publicly accessible hostname to openvpn server(s)"
+variable "s3_bucket" {
   type        = "string"
-  default     = "localhost"
+  description = "The S3 bucket where certificate and configuration are stored."
 }
 
-variable "force_cert_regen" {
-  description = "Force all certificates to be regenerated"
+### Do not include the trailing slash
+variable "s3_bucket_prefix" {
   type        = "string"
-  default     = "false"
+  description = "The S3 bucket prefix. Certificates and configuration will be sourced from the root if not configured."
+  default     = ""
+}
+
+variable "s3_dir_override" {
+  type    = "string"
+  default = ""
 }
 
 variable "s3_push_dryrun" {
-  description = "Dry-run push of certificates into s3 location"
   type        = "string"
-  default     = "false"
+  description = "Dry-run push of certificates into s3 location"
+  default     = false
 }

From ec1844014e1691a5576dab1e5e7740a2bb8da317 Mon Sep 17 00:00:00 2001
From: Wilson Carey <carey@unif.io>
Date: Mon, 27 Jun 2016 21:06:35 -0400
Subject: [PATCH 3/4] Updated certificate server module for standardization

---
 CHANGELOG.md                  |  2 ++
 Rakefile                      |  4 +---
 certs/main.tf                 |  2 +-
 certs/outputs.tf              |  8 ++++++++
 certs/variables.tf            | 16 ++++++++++++++--
 examples/openvpn/main.tf      |  2 --
 examples/openvpn/variables.tf |  8 --------
 7 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 505e85b..94ec558 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,11 +11,13 @@
 
 #### BREAKING CHANGES:
 - Updates in resource naming will cause churn for existing resources.
+- Updated certificate generator to require VPC deployment
 
 #### IMPROVEMENTS:
 - Standardization with other Unif.io OSS terraform modules
 - Documentation improvements
 - Updated security group scheme for OpenVPN server
+- Added pre-built AMI lookup to the server module
 
 ## 0.0.5
 
diff --git a/Rakefile b/Rakefile
index 5571362..ab0798d 100644
--- a/Rakefile
+++ b/Rakefile
@@ -4,15 +4,13 @@ inputs = {
   'stack_item_label'    => 'expl-tst',
   'stack_item_fullname' => 'Example Stack',
   'vpc_id'              => 'vpc-xxxxxx',
-  'region'              => 'us-west-2',
+  'region'              => 'us-east-1',
   'subnets'             => 'subnet-111111,subnet-222222',
-  'ami'                 => 'ami-xxxxxx',
   'instance_type'       => 't2.small',
   'key_name'            => 'example',
   'route_cidrs'         => '10.10.0.0/25,10.10.0.128/25,10.10.4.0/25,10.10.4.128/25',
   's3_bucket'           => 'openvpn-certs',
   's3_bucket_prefix'    => '20160603',
-  'cidr_whitelist'      => '0.0.0.0/0'
 }
 
 task :default => :verify
diff --git a/certs/main.tf b/certs/main.tf
index 1949ef1..17781e0 100644
--- a/certs/main.tf
+++ b/certs/main.tf
@@ -213,7 +213,7 @@ module "cluster" {
   region  = "${var.region}"
 
   # LC parameters
-  ami              = "${var.ami}"
+  ami              = "${coalesce(lookup(var.ami_region_lookup, var.region), var.ami_custom)}"
   instance_type    = "${var.instance_type}"
   instance_profile = "${aws_iam_instance_profile.profile.id}"
   user_data        = "${template_file.user_data.rendered}"
diff --git a/certs/outputs.tf b/certs/outputs.tf
index c7a2d39..f4a2a7f 100644
--- a/certs/outputs.tf
+++ b/certs/outputs.tf
@@ -7,3 +7,11 @@ output "vpn_server_sg_id" {
 output "vpn_whitelist" {
   value = "${var.vpn_whitelist}"
 }
+
+output "vpn_elb_dns_name" {
+  value = "${aws_elb.elb.dns_name}"
+}
+
+output "vpn_elb_zone_id" {
+  value = "${aws_elb.elb.zone_id}"
+}
diff --git a/certs/variables.tf b/certs/variables.tf
index ccb136c..bf7206e 100644
--- a/certs/variables.tf
+++ b/certs/variables.tf
@@ -28,9 +28,21 @@ variable "subnets" {
 }
 
 ## OpenVPN parameters
-variable "ami" {
+variable "ami_custom" {
   type        = "string"
-  description = "Amazon Machine Image (AMI) to associate with the launch configuration."
+  description = "Custom AMI to utilize"
+  default     = ""
+}
+
+variable "ami_region_lookup" {
+  # Not meant to be overwritten
+  type = "map"
+
+  default = {
+    us-east-1      = "ami-d66995bb"
+    ap-northeast-1 = "ami-4803ec29"
+    custom         = ""
+  }
 }
 
 variable "instance_type" {
diff --git a/examples/openvpn/main.tf b/examples/openvpn/main.tf
index fcaeada..ac5bc19 100644
--- a/examples/openvpn/main.tf
+++ b/examples/openvpn/main.tf
@@ -19,11 +19,9 @@ module "openvpn_server" {
   subnets = "${var.subnets}"
 
   ## OpenVPN parameters
-  ami              = "${var.ami}"
   instance_type    = "${var.instance_type}"
   key_name         = "${var.key_name}"
   route_cidrs      = "${var.route_cidrs}"
   s3_bucket        = "${var.s3_bucket}"
   s3_bucket_prefix = "${var.s3_bucket_prefix}"
-  cidr_whitelist   = "${var.cidr_whitelist}"
 }
diff --git a/examples/openvpn/variables.tf b/examples/openvpn/variables.tf
index 49daad8..cc3297f 100644
--- a/examples/openvpn/variables.tf
+++ b/examples/openvpn/variables.tf
@@ -23,10 +23,6 @@ variable "subnets" {
 }
 
 ## OpenVPN parameters
-variable "ami" {
-  type = "string"
-}
-
 variable "instance_type" {
   type = "string"
 }
@@ -46,7 +42,3 @@ variable "s3_bucket" {
 variable "s3_bucket_prefix" {
   type = "string"
 }
-
-variable "cidr_whitelist" {
-  type = "string"
-}

From f401d2e7fd1f4aca7eb3d3d68da4866798b5d1f8 Mon Sep 17 00:00:00 2001
From: Wilson Carey <carey@unif.io>
Date: Tue, 28 Jun 2016 21:24:59 -0400
Subject: [PATCH 4/4] Added regex filters to s3_bucket and prefix inputs

---
 certs/main.tf                          | 6 +++---
 certs/templates/user_data.tpl          | 2 +-
 generate-certs/main.tf                 | 6 +++---
 generate-certs/templates/user_data.tpl | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/certs/main.tf b/certs/main.tf
index 17781e0..f2997c3 100644
--- a/certs/main.tf
+++ b/certs/main.tf
@@ -35,8 +35,8 @@ resource "aws_iam_role_policy" "s3_certs_ro" {
         "s3:Get*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}",
-        "arn:aws:s3:::${var.s3_bucket}/${var.s3_bucket_prefix}/*"
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}/${replace(var.s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}",
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}/${replace(var.s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}/*"
       ]
     },
     {
@@ -45,7 +45,7 @@ resource "aws_iam_role_policy" "s3_certs_ro" {
         "s3:List*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_bucket}"
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}"
       ]
     }
   ]
diff --git a/certs/templates/user_data.tpl b/certs/templates/user_data.tpl
index 122d597..dfc21d9 100644
--- a/certs/templates/user_data.tpl
+++ b/certs/templates/user_data.tpl
@@ -1,6 +1,6 @@
 #cloud-config
 runcmd:
-  - echo "OPENVPN_CERT_SOURCE=s3://${s3_bucket}/${s3_bucket_prefix}" > /etc/openvpn/get-openvpn-certs.env
+  - echo "OPENVPN_CERT_SOURCE=s3://${replace(s3_bucket,"/(\/)+$/","")}/${replace(s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}" > /etc/openvpn/get-openvpn-certs.env
   - echo "push \"route $(ip route get 8.8.8.8| grep src| sed 's/.*src \(.*\)$/\1/g') 255.255.255.255 net_gateway\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),1), 0)}  ${cidrnetmask(element(split(",",route_cidrs),1))}\"" >> /etc/openvpn/server.conf
   - echo "push \"route ${cidrhost(element(split(",",route_cidrs),2), 0)}  ${cidrnetmask(element(split(",",route_cidrs),2))}\"" >> /etc/openvpn/server.conf
diff --git a/generate-certs/main.tf b/generate-certs/main.tf
index 2fd2145..86fdeeb 100644
--- a/generate-certs/main.tf
+++ b/generate-certs/main.tf
@@ -36,8 +36,8 @@ resource "aws_iam_role_policy" "s3_certs_rw" {
         "s3:PutObject"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_bucket}",
-        "arn:aws:s3:::${var.s3_bucket}/*"
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}",
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}/*"
       ]
     },
     {
@@ -46,7 +46,7 @@ resource "aws_iam_role_policy" "s3_certs_rw" {
         "s3:List*"
       ],
       "Resource": [
-        "arn:aws:s3:::${var.s3_bucket}"
+        "arn:aws:s3:::${replace(var.s3_bucket,"/(\/)+$/","")}"
       ]
     }
   ]
diff --git a/generate-certs/templates/user_data.tpl b/generate-certs/templates/user_data.tpl
index 4e4ce3a..fd1033f 100644
--- a/generate-certs/templates/user_data.tpl
+++ b/generate-certs/templates/user_data.tpl
@@ -3,9 +3,9 @@ manage_etc_hosts: True
 
 runcmd:
   - echo "S3_REGION=\"${region}\"" > /etc/default/openvpn-cert-generator
-  - echo "S3_CERT_ROOT_PATH=\"s3://${s3_bucket}/\"" >> /etc/default/openvpn-cert-generator
+  - echo "S3_CERT_ROOT_PATH=\"s3://${replace(s3_bucket,"/(\/)+$/","")}/\"" >> /etc/default/openvpn-cert-generator
   - echo "KEY_SIZE=${cert_key_size}" >> /etc/default/openvpn-cert-generator
-  - echo "S3_DIR_OVERRIDE=\"${s3_dir_override}\"" >> /etc/default/openvpn-cert-generator
+  - echo "S3_DIR_OVERRIDE=\"${replace(s3_bucket_prefix,"/^(\/)+|(\/)+$/","")}\"" >> /etc/default/openvpn-cert-generator
   - echo "KEY_CITY=\"${key_city}\"" >> /etc/default/openvpn-cert-generator
   - echo "KEY_ORG=\"${key_org}\"" >> /etc/default/openvpn-cert-generator
   - echo "KEY_EMAIL=\"${key_email}\"" >> /etc/default/openvpn-cert-generator