## Temporary VPN for DEF CON
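# Inputs supplied by the caller. None has a default, so `terraform apply`
# prompts for any value not given via -var / a tfvars file.
variable "dns_zone" {
  description = "DNS zone name the VPN A record is created under; the record is named dcvpn.<dns_zone>."
}

variable "dns_zone_id" {
  description = "Route 53 hosted zone ID that dns_zone belongs to."
}

variable "ssh_key_id" {
  description = "Name of the EC2 key pair set as key_name on the OpenVPN instance."
}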
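# Read-only access to the build-artifacts bucket the OpenVPN instance syncs its
# configuration from (`aws s3 sync s3://fakebucket-build-artifacts/openvpn ...`
# in the instance user_data).
#
# Split into two statements because S3 actions have different resource scopes:
# bucket-level actions (ListBucket) match the bucket ARN, object-level actions
# (GetObject*) match the object ARN (bucket/*). The previous single statement
# also listed s3:ListAllMyBuckets, which IAM only evaluates against "*"; with
# bucket-scoped resources it was never actually granted, and `s3 sync` of a
# known bucket does not need it, so it is dropped rather than widened to "*".
# Effective permissions are unchanged by this restructuring.
data "aws_iam_policy_document" "access-defcon-artifacts-policy-doc" {
  statement {
    sid = "ListArtifactsBucket"

    actions = [
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::fakebucket-build-artifacts",
    ]
  }

  statement {
    sid = "ReadArtifactObjects"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectTagging",
      "s3:GetObjectTorrent",
      "s3:GetObjectVersion",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging",
      "s3:GetObjectVersionTorrent",
    ]

    resources = [
      "arn:aws:s3:::fakebucket-build-artifacts/*",
    ]
  }
}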
# Trust policy for the role: only the EC2 service may assume it, which is
# what lets the instance profile hand the role's credentials to the instance.
data "aws_iam_policy_document" "ec2-assume-role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
# Customer-managed IAM policy rendered from the artifacts policy document.
resource "aws_iam_policy" "access-defcon-artifacts-policy" {
  name        = "tf-access-defcon-artifacts"
  description = "Terraform Managed. Policy to allow access to defcon build artifacts S3 bucket"

  # JSON is generated by the data source so the document stays in HCL.
  policy = "${data.aws_iam_policy_document.access-defcon-artifacts-policy-doc.json}"
}
# Role assumed by the OpenVPN instance (via the instance profile below).
# Permissions come from the attached artifacts policy, not from this block.
resource "aws_iam_role" "access-defcon-artifacts-role" {
  name        = "tf-access-defcon-artifacts"
  path        = "/"
  description = "Terraform Managed. Role to allow access to defcon build artifacts S3 bucket"

  # Who may assume the role: EC2 only (see the ec2-assume-role document).
  assume_role_policy = "${data.aws_iam_policy_document.ec2-assume-role.json}"
}
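# Attach the artifacts policy to the role.
#
# aws_iam_role_policy_attachment manages only this one role<->policy pairing.
# The previous aws_iam_policy_attachment resource is exclusive: on every apply
# it removes any other attachment of the same policy (to any user, group or
# role), which silently breaks anything else that comes to share the policy.
resource "aws_iam_role_policy_attachment" "attach-build-artifacts-policy" {
  role       = "${aws_iam_role.access-defcon-artifacts-role.name}"
  policy_arn = "${aws_iam_policy.access-defcon-artifacts-policy.arn}"
}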
# Instance profile wrapping the role; referenced by iam_instance_profile on
# the OpenVPN instance so the boot script can call S3 without stored keys.
resource "aws_iam_instance_profile" "access-defcon-artifacts-profile" {
  role = "${aws_iam_role.access-defcon-artifacts-role.name}"
  name = "tf-access-defcon-artifacts"
}
# Security group for the OpenVPN endpoint.
#
# Inbound: only TCP/443 (the VPN listener; the boot script's `ufw allow https`
# matches it on the host) from any source, since VPN clients come from
# arbitrary networks. No 22/tcp rule is present here, so SSH is not reachable
# through this group even though the host firewall allows it.
# Outbound: everything, so the instance can reach apt mirrors and S3 at boot
# and forward VPN client traffic afterwards.
resource "aws_security_group" "openvpn-sg-defcon" {
  name        = "openvpn-sg-defcon"
  description = "Terraform Managed. Allow DC VPN traffic"

  # aws_vpc.vpc_defcon is declared outside this file.
  vpc_id = "${aws_vpc.vpc_defcon.id}"

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name       = "openvpn-sg-defcon"
    Project    = "defcon"
    tf-managed = "True"
  }
}
# The OpenVPN server itself. Configuration is not baked into the AMI: the
# user_data script installs openvpn, pulls the prepared server config from
# the artifacts bucket using the instance role, generates DH parameters,
# turns on IP forwarding and the ufw forward policy, and starts the service.
#
# NOTE(review): "ami-da05a4a0" is a region-specific image id; which region
# and base image it refers to is not stated here (apt/ufw imply a Debian
# or Ubuntu derivative) — confirm before reusing elsewhere.
# NOTE(review): user_data runs at first boot, before the EIP below is
# associated, so apt-get and the S3 sync depend on the subnet assigning a
# public address or providing another egress path — verify against the
# subnet definition (outside this file). The script has no `set -e`, so a
# failed download still leads to `systemctl start openvpn@server`.
resource "aws_instance" "openvpn-defcon-instance" {
  instance_type = "t2.micro"
  ami           = "ami-da05a4a0"

  # Network placement: public subnet declared outside this file, plus the
  # VPN security group from this file.
  subnet_id              = "${aws_subnet.defcon_subnet_public_east_1a.id}"
  vpc_security_group_ids = ["${aws_security_group.openvpn-sg-defcon.id}"]

  # Access: SSH key pair from the caller, S3 read rights via the instance role.
  key_name             = "${var.ssh_key_id}"
  iam_instance_profile = "${aws_iam_instance_profile.access-defcon-artifacts-profile.name}"

  # Heredoc content is the literal boot script; it must stay unindented so
  # the bytes handed to the instance are unchanged.
  user_data = <<EOF
#!/bin/bash
sudo apt-get update -y
sudo apt-get install -y openvpn easy-rsa awscli
sudo aws configure set s3.signature_version s3v4
sudo aws s3 sync s3://fakebucket-build-artifacts/openvpn /etc/openvpn
sudo /usr/bin/openssl dhparam -out /etc/openvpn/dh2048.pem 2048
sudo mv /etc/openvpn/before.rules /etc/ufw/before.rules
sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p
sudo ufw allow ssh
sudo ufw allow https
sudo ufw --force enable
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
EOF

  tags {
    Name = "defcon-openvpn"
  }
}
# Stable public address for the VPN so the DNS record below stays valid
# across instance stop/start.
resource "aws_eip" "vpn_eip" {
  vpc      = true
  instance = "${aws_instance.openvpn-defcon-instance.id}"
}
# dcvpn.<dns_zone> -> the EIP, so clients can be given a hostname instead of
# an address. Short TTL keeps a redeploy with a new EIP from lingering in caches.
resource "aws_route53_record" "vpn_r53_a_record" {
  type    = "A"
  ttl     = "300"
  zone_id = "${var.dns_zone_id}"
  name    = "dcvpn.${var.dns_zone}"
  records = ["${aws_eip.vpn_eip.public_ip}"]
}