From 001cf0ee4ad7af7f72246cd7639dfde3ffb32f92 Mon Sep 17 00:00:00 2001
From: Marc Qualie
Date: Tue, 24 Aug 2021 16:23:38 +0100
Subject: [PATCH] Module: VPN (#30)
---
 .github/workflows/ci.yml | 1 +
 README.md | 1 +
 vpn/README.md | 33 +++++++++++++++++++++++++++++++++
 vpn/eip.tf | 8 ++++++++
 vpn/instance.tf | 19 +++++++++++++++++++
 vpn/security-groups.tf | 37 +++++++++++++++++++++++++++++++++++++
 vpn/varaibles.tf | 10 ++++++++++
 vpn/vpc.tf | 10 ++++++++++
 8 files changed, 119 insertions(+)
 create mode 100644 vpn/README.md
 create mode 100644 vpn/eip.tf
 create mode 100644 vpn/instance.tf
 create mode 100644 vpn/security-groups.tf
 create mode 100644 vpn/varaibles.tf
 create mode 100644 vpn/vpc.tf
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aa4d2320..9f334ad5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,7 @@ jobs:
 - rds
 - secrets
 - vpc
+ # - vpn # TODO: Figure out private module access
 fail-fast: false
 runs-on: ubuntu-latest
 if: "!contains(github.event.head_commit.message, '[skip ci]')"
diff --git a/README.md b/README.md
index 502a6a2d..4fd7866e 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ We create modules here for re-use between projects.
 - [rds](rds/README.md) - Used for creating and configuring databases and their networking.
 - [secrets](secrets/README.md) - Used for creating a new secret.
 - [vpc](vpc/README.md) - Creates a VPC in AWS account. Also generates a group fo public and private submodules.
+- [vpn](vpn/README.md) - Launches an isolated Outline VPN inside a new VPC.
diff --git a/vpn/README.md b/vpn/README.md
new file mode 100644
index 00000000..8229d7f5
--- /dev/null
+++ b/vpn/README.md
@@ -0,0 +1,33 @@
+# Terraform Module: VPN
+
+Launches an isolated Outline VPN instance with it's own VPC.
+
+
+
+## Usage
+
+```terraform
+module "vpc" {
+ source = "github.com/dbl-works/terraform//vpc?ref=v2021.07.05"
+
+ account_id = 12345678
+ eip = "0.0.0.0"
+ ami_id = "ami-07e4ed4c95c385519"
+ project = "dbl"
+ environment = "production"
+ cidr_block = "10.0.0.0/16"
+ key_name = "outline-server-ssh"
+
+ # optional
+ region = "eu-central-1"
+ instance_type = "t3.micro"
+}
+```
+
+
+
+## Custom Domain
+
+By default the VPN will launch with just the public IP address (EIP). If you want to access this via a friendly name (e.g. proxy.dbl.works) then you should add a DNS entry (A record) with the EIP as the value for the subdomain you want.
+
+`A proxy.dbl.works. 127.0.0.1`
diff --git a/vpn/eip.tf b/vpn/eip.tf
new file mode 100644
index 00000000..9ee4fcbf
--- /dev/null
+++ b/vpn/eip.tf
@@ -0,0 +1,8 @@
+data "aws_eip" "main" {
+ public_ip = var.eip
+}
+
+resource "aws_eip_association" "main" {
+ instance_id = aws_instance.main.id
+ allocation_id = data.aws_eip.main.id
+}
diff --git a/vpn/instance.tf b/vpn/instance.tf
new file mode 100644
index 00000000..6bc641ea
--- /dev/null
+++ b/vpn/instance.tf
@@ -0,0 +1,19 @@
+# ec2 instance
+resource "aws_instance" "main" {
+ ami = var.ami_id
+ instance_type = var.instance_type
+ associate_public_ip_address = true # Needs to be true, even if allocating an EIP
+ availability_zone = "${var.region}a"
+ key_name = var.key_name
+ subnet_id = module.vpc.subnet_public_ids[0]
+ vpc_security_group_ids = [
+ aws_security_group.main.id,
+ ]
+ monitoring = true
+
+ tags = {
+ Name = "${var.project}-${var.environment}"
+ Project = var.project
+ Environment = var.environment
+ }
+}
diff --git a/vpn/security-groups.tf b/vpn/security-groups.tf
new file mode 100644
index 00000000..0bf6b432
--- /dev/null
+++ b/vpn/security-groups.tf
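Review bot: `aws_instance.main` in vpn/instance.tf sets no `metadata_options`, so the instance metadata service runs at the provider default (`http_tokens = "optional"` at this provider generation, i.e. IMDSv1 still answers) on a host that the security group in the same commit exposes to 0.0.0.0/0 on SSH and on TCP 1024–65535; add a `metadata_options` block with `http_tokens = "required"` so that a compromised Outline container or an SSRF in the management API cannot read the instance role credentials unauthenticated. The root volume is also left at its default, which means unencrypted unless the account has default EBS encryption turned on — since the instance is brand new, a `root_block_device { encrypted = true }` block costs nothing now and is painful to retrofit. A smaller point: `availability_zone = "${var.region}a"` is asserted independently of `subnet_id = module.vpc.subnet_public_ids[0]`; that only applies cleanly if the vpc module's first public subnet is in zone `a`, which the `availability_zones` list in vpc.tf makes likely but the code shown does not guarantee, so dropping the `availability_zone` line and letting the subnet fix the zone is safer. The rewritten resource body is sketched below.
```terraform
resource "aws_instance" "main" {
  # … unchanged: ami, instance_type, associate_public_ip_address, key_name, subnet_id, vpc_security_group_ids, monitoring …

  # Require IMDSv2: a process on the box (or an SSRF through the Outline
  # management API) must present a session token before it can read
  # instance-role credentials from 169.254.169.254.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at creation; retrofitting encryption later
  # requires a snapshot/copy/replace cycle.
  root_block_device {
    encrypted = true
  }

  # … unchanged: tags …
}
```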
@@ -0,0 +1,37 @@
+resource "aws_security_group" "main" {
+ name = "${var.project}-${var.environment}-vpn"
+ vpc_id = module.vpc.id
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_security_group_rule" "ssh" {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [
+ "0.0.0.0/0", # TODO: Lock this down post-launch?
+ ]
+ security_group_id = aws_security_group.main.id
+}
+
+resource "aws_security_group_rule" "outline" {
+ type = "ingress"
+ from_port = 1024
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = [
+ "0.0.0.0/0",
+ ]
+ security_group_id = aws_security_group.main.id
+}
diff --git a/vpn/varaibles.tf b/vpn/varaibles.tf
new file mode 100644
index 00000000..e7e69113
--- /dev/null
+++ b/vpn/varaibles.tf
@@ -0,0 +1,10 @@
+variable "account_id" {}
+variable "project" {}
+variable "environment" {}
+variable "eip" {}
+variable "ami_id" {}
+variable "cidr_block" {}
+variable "key_name" {}
+
+variable "region" { default = "eu-central-1" }
+variable "instance_type" { default = "t3.micro" }
diff --git a/vpn/vpc.tf b/vpn/vpc.tf
new file mode 100644
index 00000000..1d8ef907
--- /dev/null
+++ b/vpn/vpc.tf
@@ -0,0 +1,10 @@
+module "vpc" {
+ source = "github.com/dbl-works/terraform//vpc?ref=v2021.07.30"
+
+ account_id = var.account_id
+ availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
+ environment = var.environment
+ project = var.project
+ region = var.region
+ cidr_block = var.cidr_block
+}
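Review bot: The `outline` rule opens TCP 1024–65535 from `0.0.0.0/0` and the `ssh` rule opens port 22 to the world with only a `TODO: Lock this down post-launch?` comment, so every unprivileged TCP listener that ever starts on this host — not just the Outline container — is Internet-reachable, and SSH is brute-forceable from anywhere from the first apply. Outline's installer reports the two ports it actually binds (the management API port and the access-key port), so the module should take those as variables and open them explicitly instead of a 64k-port range; I believe the access-key port is also used over UDP, which this TCP-only rule would not cover, but that cannot be confirmed from the diff, so check the protocol list against the installer output. For SSH, a caller-supplied `ssh_cidr_blocks` list that defaults to empty (rule created only when non-empty) closes the TODO at creation time rather than "post-launch". Separately, `aws_security_group.main` declares an inline `egress` block while ingress is managed through standalone `aws_security_group_rule` resources; the AWS provider documents that mixing the two styles on one group leads to rule conflicts and perpetual diffs, so egress should become its own `aws_security_group_rule` too. The rewritten rules are below; the three new variables (`ssh_cidr_blocks`, `outline_management_port`, `outline_access_port`) belong next to the existing declarations in varaibles.tf.
```terraform
# … unchanged: aws_security_group.main, minus its inline egress block …

resource "aws_security_group_rule" "egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.main.id
}

# SSH is only exposed to the operator networks the caller names; with the
# default (empty) list no port-22 rule exists at all.
resource "aws_security_group_rule" "ssh" {
  count             = length(var.ssh_cidr_blocks) > 0 ? 1 : 0
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.ssh_cidr_blocks
  security_group_id = aws_security_group.main.id
}

# Outline management API (Outline Manager connects here; the path secret and
# certificate fingerprint in the installer output are the access control).
resource "aws_security_group_rule" "outline_management" {
  type              = "ingress"
  from_port         = var.outline_management_port
  to_port           = var.outline_management_port
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.main.id
}

# Outline access-key port for VPN clients. UDP is included on the assumption
# that Shadowsocks traffic uses it; drop "udp" if the installer says otherwise.
resource "aws_security_group_rule" "outline_access" {
  for_each          = toset(["tcp", "udp"])
  type              = "ingress"
  from_port         = var.outline_access_port
  to_port           = var.outline_access_port
  protocol          = each.value
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.main.id
}
```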
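Review bot: Every variable in vpn/varaibles.tf is declared as an empty block, so none has a `type` or `description`, and a mis-typed `eip`, `cidr_block` or `key_name` surfaces only when the dependent resource fails at apply time rather than at plan; declaring at least `variable "eip" { type = string }` and the like for each input gives plan-time validation and lets `terraform-docs` describe the module. `account_id` in particular should be `type = string`: the README in this commit passes it as a bare number (`account_id = 12345678`), and AWS account IDs may begin with a zero, which a numeric literal silently drops. The file name itself is also misspelt (`varaibles.tf`); Terraform does not care, but the convention every other module in this repo presumably follows is `variables.tf`, and tooling that looks for that name will miss this one.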
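Review bot: `module "vpc"` in vpn/vpc.tf fetches the sibling `vpc` module over the network from `github.com/dbl-works/terraform//vpc?ref=v2021.07.30`, even though that module lives in this same repository; this is exactly what the `TODO: Figure out private module access` comment in ci.yml is working around, and a relative `source = "../vpc"` would remove the private-repo fetch from CI and make the VPN module's network layout follow the same commit as the rest of the repo. If the remote source is intentional so that the vpn module can lag the vpc module, note that `ref=v2021.07.30` is a git tag and therefore mutable — anyone with push rights to that repository can re-point it and silently change the VPC this VPN instance is placed in — so pin a full commit SHA (`?ref=<40-hex commit>`) or protect the tag. The README example added in this commit uses yet another ref (`v2021.07.05`) and points at `//vpc` rather than `//vpn`, so whichever approach is chosen, the documented invocation should be brought in line with this file.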