## Temporary VPN for DEF CON: a throw-away OpenVPN endpoint on a single EC2 instance, fronted by an Elastic IP and a Route53 A record. Terraform 0.11-style ("${...}") interpolation throughout.
# Inputs. All three are required (no defaults), so they must be supplied via
# terraform.tfvars or -var; they are the only knobs this file exposes.

# DNS suffix the VPN record is built under ("dcvpn.<dns_zone>").
variable "dns_zone" {
}

# Hosted zone id that dns_zone lives in; the A record is written into it.
variable "dns_zone_id" {
}

# Name of an existing EC2 key pair to install on the instance (key_name).
variable "ssh_key_id" {
}
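# Least-privilege read access to the build-artifacts bucket for the VPN host.
# The instance's user_data runs a single
#   aws s3 sync s3://fakebucket-build-artifacts/openvpn /etc/openvpn
# which needs s3:ListBucket on the bucket and s3:GetObject on the keys it
# copies — nothing more.
#
# Removed relative to the original statement:
#   * s3:ListAllMyBuckets — only valid on resource "*", so with the bucket ARN
#     as resource it was silently ineffective (and over-broad had it worked).
#   * the *Acl / *Tagging / *Torrent / *Version action variants — never
#     exercised by `aws s3 sync`.
# Object reads are narrowed to the openvpn/ prefix, mirroring the sync path in
# user_data; keep the two in step if the prefix ever changes.
data "aws_iam_policy_document" "access-defcon-artifacts-policy-doc" {
  # Listing is a bucket-level action: only the bucket ARN is a valid resource.
  # (A `condition` on s3:prefix = "openvpn/*" would tighten this further.)
  statement {
    sid       = "ListArtifactsBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::fakebucket-build-artifacts"]
  }

  # Object reads are object-level: only the key ARN pattern is a valid resource.
  statement {
    sid       = "ReadOpenVPNArtifacts"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::fakebucket-build-artifacts/openvpn/*"]
  }
}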
# Trust policy for the instance role: the EC2 service principal — and nothing
# else — may call sts:AssumeRole on it.
data "aws_iam_policy_document" "ec2-assume-role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
# Customer-managed policy wrapping the document above; attached to the
# instance role further down.
resource "aws_iam_policy" "access-defcon-artifacts-policy" {
  name        = "tf-access-defcon-artifacts"
  policy      = "${data.aws_iam_policy_document.access-defcon-artifacts-policy-doc.json}"
  description = "Terraform Managed. Policy to allow access to defcon build artifacts S3 bucket"
}
# Role the VPN instance runs as. Who may assume it comes from the
# ec2-assume-role document; what it may do comes from the policy attachment.
resource "aws_iam_role" "access-defcon-artifacts-role" {
  name               = "tf-access-defcon-artifacts"
  path               = "/"
  assume_role_policy = "${data.aws_iam_policy_document.ec2-assume-role.json}"
  description        = "Terraform Managed. Role to allow access to defcon build artifacts S3 bucket"
}
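# Attach the read policy to the role.
#
# aws_iam_role_policy_attachment replaces the original aws_iam_policy_attachment:
# that resource is *exclusive* — on every apply it detaches the policy from any
# user, group or role not listed in it, so a second consumer of the same policy
# (or a manual attachment) is silently undone. The role-scoped attachment only
# manages this one role/policy pair.
resource "aws_iam_role_policy_attachment" "attach-build-artifacts-policy" {
  role       = "${aws_iam_role.access-defcon-artifacts-role.name}"
  policy_arn = "${aws_iam_policy.access-defcon-artifacts-policy.arn}"
}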
# EC2-side handle for the role; this is what the instance's
# iam_instance_profile points at.
resource "aws_iam_instance_profile" "access-defcon-artifacts-profile" {
  role = "${aws_iam_role.access-defcon-artifacts-role.name}"
  name = "tf-access-defcon-artifacts"
}
# Network edge for the VPN host.
#   Inbound : 443/tcp from anywhere — presumably the port the OpenVPN server
#             config pulled from S3 listens on (confirm against server.conf).
#             No SSH rule exists here, so port 22 is unreachable from the
#             internet whatever the host-level ufw says.
#   Outbound: unrestricted; needed to bootstrap (apt, S3) and to forward
#             VPN client traffic.
resource "aws_security_group" "openvpn-sg-defcon" {
  vpc_id      = "${aws_vpc.vpc_defcon.id}"
  name        = "openvpn-sg-defcon"
  description = "Terraform Managed. Allow DC VPN traffic"

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Project    = "defcon"
    tf-managed = "True"
    Name       = "openvpn-sg-defcon"
  }
}
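# The OpenVPN host. Bootstraps itself entirely from user_data: installs
# packages, pulls its config/certs from the artifacts bucket (via the instance
# role), turns on forwarding, and starts openvpn@server.
#
# NOTE(review): the AMI id is region-specific and hard-coded — confirm it is
# still the intended image, or switch to an aws_ami data source filtered on
# owner/name. The apt/ufw commands assume an Ubuntu/Debian image.
# NOTE(review): with an IAM role attached, enforcing IMDSv2
# (metadata_options { http_tokens = "required" }) is worth adding once the
# provider is newer than this 0.11-era syntax implies.
resource "aws_instance" "openvpn-defcon-instance" {
  ami                    = "ami-da05a4a0"
  instance_type          = "t2.micro"
  key_name               = "${var.ssh_key_id}"
  subnet_id              = "${aws_subnet.defcon_subnet_public_east_1a.id}"
  vpc_security_group_ids = ["${aws_security_group.openvpn-sg-defcon.id}"]
  iam_instance_profile   = "${aws_iam_instance_profile.access-defcon-artifacts-profile.name}"

  # cloud-init runs this as root, so the original `sudo` prefixes were
  # redundant and are dropped. The substantive fix is `set -euo pipefail`:
  # previously a failed `aws s3 sync` (missing bucket, IAM mistake, no
  # network) did not stop the script, which went on to enable forwarding,
  # bring up ufw and start openvpn@server with no server config in place.
  user_data = <<EOF
#!/bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y openvpn easy-rsa awscli
aws configure set s3.signature_version s3v4
# Server config, certs and the ufw before.rules snippet come from the
# artifacts bucket; the instance role must allow ListBucket/GetObject on it.
aws s3 sync s3://fakebucket-build-artifacts/openvpn /etc/openvpn
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
mv /etc/openvpn/before.rules /etc/ufw/before.rules
# Let the host route VPN client traffic out.
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sysctl -p
# Host firewall. The security group admits only 443/tcp, so the ssh rule is
# reachable only from inside the VPC (or if the SG is later widened).
ufw allow ssh
ufw allow https
ufw --force enable
systemctl enable openvpn@server
systemctl start openvpn@server
EOF

  # Tags aligned with the security group so the project can be found as a unit.
  tags {
    Name       = "defcon-openvpn"
    Project    = "defcon"
    tf-managed = "True"
  }
}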
# Stable public address for the instance, so the DNS record below does not
# have to change when the instance is stopped and started.
resource "aws_eip" "vpn_eip" {
  vpc      = true
  instance = "${aws_instance.openvpn-defcon-instance.id}"
}
# dcvpn.<dns_zone> -> the Elastic IP. The 5-minute TTL keeps a re-deploy
# quick to propagate, which suits a temporary endpoint.
resource "aws_route53_record" "vpn_r53_a_record" {
  type    = "A"
  ttl     = "300"
  zone_id = "${var.dns_zone_id}"
  name    = "dcvpn.${var.dns_zone}"
  records = ["${aws_eip.vpn_eip.public_ip}"]
}