Module: VPN (#30)

.github/workflows/ci.yml

@@ -17,6 +17,7 @@ jobs:
           - rds
           - secrets
           - vpc
+          # - vpn # TODO: Figure out private module access
       fail-fast: false
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, '[skip ci]')"

README.md

@@ -16,6 +16,7 @@ We create modules here for re-use between projects.
 - [rds](rds/README.md) - Used for creating and configuring databases and their networking.
 - [secrets](secrets/README.md) - Used for creating a new secret.
 - [vpc](vpc/README.md) - Creates a VPC in AWS account. Also generates a group fo public and private submodules.
+- [vpn](vpn/README.md) - Launches an isolated Outline VPN inside a new VPC.
 
 
 

vpn/README.md

@@ -0,0 +1,33 @@
+# Terraform Module: VPN
+
+Launches an isolated Outline VPN instance with it's own VPC.
+
+
+
+## Usage
+
+```terraform
+module "vpc" {
+  source = "github.com/dbl-works/terraform//vpc?ref=v2021.07.05"
+
+  account_id    = 12345678
+  eip           = "0.0.0.0"
+  ami_id        = "ami-07e4ed4c95c385519"
+  project       = "dbl"
+  environment   = "production"
+  cidr_block    = "10.0.0.0/16"
+  key_name      = "outline-server-ssh"
+
+  # optional
+  region        = "eu-central-1"
+  instance_type = "t3.micro"
+}
+```
+
+
+
+## Custom Domain
+
+By default the VPN will launch with just the public IP address (EIP). If you want to access this via a friendly name (e.g. proxy.dbl.works) then you should add a DNS entry (A record) with the EIP as the value for the subdomain you want.
+
+`A proxy.dbl.works. 127.0.0.1`

vpn/eip.tf

@@ -0,0 +1,8 @@
+data "aws_eip" "main" {
+  public_ip = var.eip
+}
+
+resource "aws_eip_association" "main" {
+  instance_id   = aws_instance.main.id
+  allocation_id = data.aws_eip.main.id
+}

vpn/instance.tf

@@ -0,0 +1,19 @@
+# ec2 instance
+resource "aws_instance" "main" {
+  ami                         = var.ami_id
+  instance_type               = var.instance_type
+  associate_public_ip_address = true # Needs to be true, even if allocating an EIP
+  availability_zone           = "${var.region}a"
+  key_name                    = var.key_name
+  subnet_id                   = module.vpc.subnet_public_ids[0]
+  vpc_security_group_ids = [
+    aws_security_group.main.id,
+  ]
+  monitoring = true
+
+  tags = {
+    Name        = "${var.project}-${var.environment}"
+    Project     = var.project
+    Environment = var.environment
+  }
+}

vpn/security-groups.tf

@@ -0,0 +1,37 @@
+resource "aws_security_group" "main" {
+  name   = "${var.project}-${var.environment}-vpn"
+  vpc_id = module.vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "ssh" {
+  type      = "ingress"
+  from_port = 22
+  to_port   = 22
+  protocol  = "tcp"
+  cidr_blocks = [
+    "0.0.0.0/0", # TODO: Lock this down post-launch?
+  ]
+  security_group_id = aws_security_group.main.id
+}
+
+resource "aws_security_group_rule" "outline" {
+  type      = "ingress"
+  from_port = 1024
+  to_port   = 65535
+  protocol  = "tcp"
+  cidr_blocks = [
+    "0.0.0.0/0",
+  ]
+  security_group_id = aws_security_group.main.id
+}

vpn/varaibles.tf

@@ -0,0 +1,10 @@
+variable "account_id" {}
+variable "project" {}
+variable "environment" {}
+variable "eip" {}
+variable "ami_id" {}
+variable "cidr_block" {}
+variable "key_name" {}
+
+variable "region" { default = "eu-central-1" }
+variable "instance_type" { default = "t3.micro" }

vpn/vpc.tf

@@ -0,0 +1,10 @@
+module "vpc" {
+  source = "github.com/dbl-works/terraform//vpc?ref=v2021.07.30"
+
+  account_id         = var.account_id
+  availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
+  environment        = var.environment
+  project            = var.project
+  region             = var.region
+  cidr_block         = var.cidr_block
+}