First commit

ayltai · Jul 6, 2023 · 4ee3e5f · 4ee3e5f
commit 4ee3e5f
Show file tree

Hide file tree

Showing 7 changed files with 359 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: terraform
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -0,0 +1,27 @@
+name: CD
+on:
+  release:
+    types:
+      - created
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - run: terraform init -lock-timeout=5m
+        env:
+          TF_IN_AUTOMATION: true
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          TF_VAR_tailscale_api_key: ${{ secrets.TAILSCALE_API_KEY }}
+          TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+      - run: terraform apply -auto-approve -input=false -lock-timeout=5m
+        env:
+          TF_IN_AUTOMATION: true
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          TF_VAR_tailscale_api_key: ${{ secrets.TAILSCALE_API_KEY }}
+          TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,33 @@
+name: CI
+on:
+  - push
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - run: terraform fmt -check
+      - run: terraform init -lock-timeout=5m
+        env:
+          TF_IN_AUTOMATION: true
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          TF_VAR_tailscale_api_key: ${{ secrets.TAILSCALE_API_KEY }}
+          TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+      - run: terraform validate -no-color
+        env:
+          TF_IN_AUTOMATION: true
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          TF_VAR_tailscale_api_key: ${{ secrets.TAILSCALE_API_KEY }}
+          TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+      - run: terraform plan -no-color -input=false -lock-timeout=5m
+        env:
+          TF_IN_AUTOMATION: true
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          TF_VAR_tailscale_api_key: ${{ secrets.TAILSCALE_API_KEY }}
+          TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,12 @@
+# macOS
+.DS_Store
+
+# JetBrains
+.idea/
+*.iml
+
+# Terraform
+.terraform/
+*.tfstate
+*.tfstate*
+secret.tfvars
diff --git a/data.tf b/data.tf
@@ -0,0 +1,23 @@
+data "aws_ami" "this" {
+  filter {
+    name = "name"
+
+    values = [
+      var.ami_filter,
+    ]
+  }
+
+  filter {
+    name = "virtualization-type"
+
+    values = [
+      "hvm",
+    ]
+  }
+
+  owners = [
+    var.ami_owner,
+  ]
+
+  most_recent = true
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,177 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  backend "remote" {
+    hostname     = "app.terraform.io"
+    organization = "tailscale"
+
+    workspaces {
+      name = "main"
+    }
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.6"
+    }
+
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2"
+    }
+
+    tailscale = {
+      source  = "tailscale/tailscale"
+      version = "~> 0.13"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+provider "tailscale" {
+  api_key = var.tailscale_api_key
+  tailnet = var.tailscale_tailnet
+}
+
+resource "aws_vpc" "this" {
+  cidr_block = var.vpc_cidr_block
+}
+
+resource "aws_subnet" "this" {
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = var.subnet_cidr_block
+  availability_zone = "${var.aws_region}a"
+}
+
+resource "aws_internet_gateway" "this" {
+  vpc_id = aws_vpc.this.id
+}
+
+resource "aws_eip" "this" {
+  instance = aws_instance.this.id
+  domain   = "vpc"
+
+  depends_on = [
+    aws_internet_gateway.this,
+  ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route_table" "this" {
+  vpc_id = aws_vpc.this.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.this.id
+  }
+}
+
+resource "aws_route_table_association" "this" {
+  route_table_id = aws_route_table.this.id
+  subnet_id      = aws_subnet.this.id
+}
+
+resource "aws_security_group" "this" {
+  name   = "${var.server_hostname}-${var.aws_region}"
+  vpc_id = aws_vpc.this.id
+
+  ingress {
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+
+  egress {
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+}
+
+resource "tls_private_key" "this" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "this" {
+  key_name   = "${var.server_hostname}-${var.aws_region}"
+  public_key = tls_private_key.this.public_key_openssh
+}
+
+resource "aws_ssm_parameter" "this" {
+  name  = "/tailscale/${var.server_hostname}-${var.aws_region}"
+  type  = "SecureString"
+  value = tls_private_key.this.private_key_pem
+}
+
+resource "aws_instance" "this" {
+  ami           = data.aws_ami.this.id
+  instance_type = var.server_instance_type
+  subnet_id     = aws_subnet.this.id
+  key_name      = aws_key_pair.this.key_name
+
+  vpc_security_group_ids = [
+    aws_security_group.this.id,
+  ]
+
+  root_block_device {
+    volume_size = var.server_storage_size
+  }
+}
+
+resource "tailscale_tailnet_key" "this" {
+  reusable      = true
+  preauthorized = true
+  expiry        = var.tailscale_tailnet_key_expiry
+}
+
+resource "null_resource" "this" {
+  triggers = {
+    always_run = timestamp()
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo apt update",
+      "sudo apt -qq install software-properties-common apt-transport-https ca-certificates lsb-release curl -y",
+      "curl -fsSL ${var.tailscale_package_url}.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null",
+      "curl -fsSL ${var.tailscale_package_url}.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list",
+      "sudo apt update",
+      "sudo apt -qq install tailscale -y",
+      "sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf",
+      "sudo sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf",
+      "sudo sysctl -p",
+      "sudo tailscale up --advertise-exit-node --hostname=${var.server_hostname}-${var.aws_region} --authkey=${tailscale_tailnet_key.this.key}",
+      "sudo systemctl enable --now tailscaled",
+    ]
+
+    connection {
+      agent       = false
+      timeout     = var.timeout
+      host        = aws_eip.this.public_ip
+      private_key = tls_private_key.this.private_key_pem
+      user        = var.server_username
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,81 @@
+variable "aws_region" {
+  description = "AWS region"
+  type        = string
+  default     = "ap-east-1"
+}
+
+variable "vpc_cidr_block" {
+  description = "VPC CIDR block"
+  type        = string
+  default     = "10.0.0.0/24"
+}
+
+variable "subnet_cidr_block" {
+  description = "Subnet CIDR block"
+  type        = string
+  default     = "10.0.0.0/28"
+}
+
+variable "ami_filter" {
+  description = "AMI filter"
+  type        = string
+  default     = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-*"
+}
+
+variable "ami_owner" {
+  description = "AMI owner is Canonical"
+  default     = "099720109477"
+}
+
+variable "server_instance_type" {
+  description = "Server instance type"
+  type        = string
+  default     = "t4g.nano"
+}
+
+variable "server_storage_size" {
+  description = "Server storage size"
+  type        = number
+  default     = 8
+}
+
+variable "server_username" {
+  description = "AMI user"
+  default     = "ubuntu"
+}
+
+variable "server_hostname" {
+  description = "Server hostname"
+  type        = string
+  default     = "vpn"
+}
+
+variable "tailscale_api_key" {
+  description = "Tailscale API access token"
+  type        = string
+  sensitive   = true
+}
+
+variable "tailscale_tailnet" {
+  description = "Tailscale tailnet name"
+  type        = string
+  sensitive   = true
+}
+
+variable "tailscale_tailnet_key_expiry" {
+  description = "Tailscale tailnet key expiry"
+  type        = number
+  default     = 2419200
+}
+
+variable "tailscale_package_url" {
+  description = "Tailscale package download URL"
+  type        = string
+  default     = "https://pkgs.tailscale.com/stable/ubuntu/jammy"
+}
+
+variable "timeout" {
+  description = "Provision timeout"
+  type        = string
+  default     = "30m"
+}