Get private key in user data #31
wants to merge 4 commits into
base: master
1 change: 1 addition & 0 deletions .gitignore
@@ -1,5 +1,6 @@
# terraform
.terraform
.terraform.lock*
terraform.tfstate
terraform.tfstate.backup
terraform.tfstate.*.backup
16 changes: 8 additions & 8 deletions main.tf
Expand Up @@ -2,13 +2,13 @@ data "template_file" "user_data" {
template = file("${path.module}/templates/user-data.txt")

vars = {
wg_server_private_key = data.aws_ssm_parameter.wg_server_private_key.value
wg_server_net = var.wg_server_net
wg_server_port = var.wg_server_port
peers = join("\n", data.template_file.wg_client_data_json.*.rendered)
use_eip = var.use_eip ? "enabled" : "disabled"
eip_id = var.eip_id
wg_server_interface = var.wg_server_interface
wg_server_private_key_param = var.wg_server_private_key_param
wg_server_net = var.wg_server_net
wg_server_port = var.wg_server_port
peers = join("\n", data.template_file.wg_client_data_json.*.rendered)
use_eip = var.use_eip ? "enabled" : "disabled"
eip_id = var.eip_id
wg_server_interface = var.wg_server_interface
}
}

Expand All @@ -28,7 +28,7 @@ data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-16.04-amd64-server-*"]
values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
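Review bot: `var.wg_server_private_key_param` is referenced on the new `wg_server_private_key_param = var.wg_server_private_key_param` line, but no `variables.tf` change is part of this PR; if the variable was not already declared for the old `data.aws_ssm_parameter` lookup (its definition was in the deleted wireguard-ssm.tf, which is not shown), `terraform validate` will fail. Declare it with `variable "wg_server_private_key_param" { type = string; description = "Name of the SSM SecureString parameter holding the WireGuard server private key" }`. The `data "aws_ami" "ubuntu"` block in the second hunk continues past it, so whether it pins `owners` is not visible here; with `most_recent = true` and a wildcard `name` filter, an `owners` constraint on Canonical's account is what keeps a look-alike AMI published by another account out of the result.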
13 changes: 10 additions & 3 deletions templates/user-data.txt
Expand Up @@ -3,10 +3,18 @@ apt-get update -y
DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -o Dpkg::Options::="--force-confnew"
apt-get install -y wireguard-dkms wireguard-tools awscli

export AWS_REGION=$(curl -fsq http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/[a-z]$//')

PRIVATE_KEY=$(
aws ssm get-parameter --name ${wg_server_private_key_param} \
--region $${AWS_REGION} --query='Parameter.Value' \
--output=text --with-decryption
)

cat > /etc/wireguard/wg0.conf <<- EOF
[Interface]
Address = ${wg_server_net}
PrivateKey = ${wg_server_private_key}
PrivateKey = $${PRIVATE_KEY}
ListenPort = ${wg_server_port}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${wg_server_interface} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${wg_server_interface} -j MASQUERADE
Expand All @@ -17,8 +25,7 @@ EOF
# we go with the eip if it is provided
if [ "${use_eip}" != "disabled" ]; then
export INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
export REGION=$(curl -fsq http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/[a-z]$//')
aws --region $${REGION} ec2 associate-address --allocation-id ${eip_id} --instance-id $${INSTANCE_ID}
aws --region $${AWS_REGION} ec2 associate-address --allocation-id ${eip_id} --instance-id $${INSTANCE_ID}
fi

chown -R root:root /etc/wireguard/
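Review bot: The `PRIVATE_KEY=$( aws ssm get-parameter ... )` substitution has no failure check, and no `set -e` is visible in this hunk, so if the call fails (instance profile not yet effective at boot, missing parameter, wrong region) the script continues and writes `PrivateKey =` with an empty value into wg0.conf, leaving the interface unusable with no clear error. Add a guard right after the substitution: `[ -n "$${PRIVATE_KEY}" ] || { echo "failed to read ${wg_server_private_key_param} from SSM" >&2; exit 1; }`. The parameter name is also interpolated unquoted into the command; `--name "${wg_server_private_key_param}"` avoids word-splitting on an unusual name. The new `AWS_REGION` lookup is an IMDSv1-style GET like the pre-existing instance-id one; if the instance is launched with `http_tokens = "required"` both will fail, which presumably already affected the EIP path.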
21 changes: 18 additions & 3 deletions wireguard-iam.tf
@@ -1,3 +1,7 @@
data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

data "aws_iam_policy_document" "ec2_assume_role" {
statement {
actions = [
Expand All @@ -16,21 +20,32 @@ data "aws_iam_policy_document" "wireguard_policy_doc" {
actions = [
"ec2:AssociateAddress",
]

resources = ["*"]
}
statement {
actions = [
"ssm:GetParameter"
]
resources = [
format("arn:aws:ssm:%s:%s:parameter%s",
data.aws_region.current.name,
data.aws_caller_identity.current.account_id,
var.wg_server_private_key_param
)
]
}
}

resource "aws_iam_policy" "wireguard_policy" {
name = "tf-wireguard-${var.env}"
description = "Terraform Managed. Allows Wireguard instance to attach EIP."
description = "Terraform Managed. Allows Wireguard instance to get private key from SSM and attach EIP."
policy = data.aws_iam_policy_document.wireguard_policy_doc.json
count = (var.use_eip ? 1 : 0) # only used for EIP mode
}

resource "aws_iam_role" "wireguard_role" {
name = "tf-wireguard-${var.env}"
description = "Terraform Managed. Role to allow Wireguard instance to attach EIP."
description = "Terraform Managed. Allows Wireguard instance to get private key from SSM and attach EIP."
path = "/"
assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
count = (var.use_eip ? 1 : 0) # only used for EIP mode
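Review bot: The policy and role are still created with `count = (var.use_eip ? 1 : 0) # only used for EIP mode`, but the new `ssm:GetParameter` statement (and the `aws ssm get-parameter` call in user-data) now depend on that role unconditionally, so a deployment with `use_eip = false` boots an instance with no instance profile and the key fetch fails; drop the `count` on both resources, fix the stale comment, and do the same for the instance profile and its attachment, which are outside this hunk. The SSM ARN is built with `parameter%s`, which only yields a valid ARN when the variable begins with `/`; `format("arn:aws:ssm:%s:%s:parameter/%s", data.aws_region.current.name, data.aws_caller_identity.current.account_id, trimprefix(var.wg_server_private_key_param, "/"))` handles both forms. If the SecureString is encrypted with a customer-managed KMS key rather than the default `aws/ssm` key, `--with-decryption` also requires `kms:Decrypt` on that key in this policy.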
3 changes: 0 additions & 3 deletions wireguard-ssm.tf

This file was deleted.