chore: move AWS firezone-gateway module to dedicated repo (#5816)

Why:

Managing the module from the Terraform Registry is simpler if our published
module lives in its own repo.

See https://github.com/firezone/terraform-firezone-aws
Jamil
2024-07-09 14:05:14 -07:00
committed by GitHub
parent 117d736c4e
commit ae87abacff
6 changed files with 1 additions and 324 deletions


@@ -103,9 +103,6 @@ product documentation, organized as follows:
- [kotlin/](../kotlin/android): Android / ChromeOS clients.
- [website/](../website): Marketing website and product documentation.
- [terraform/](../terraform): Terraform files for various example deployments.
- [terraform/examples/aws/nat-gateway](../terraform/examples/aws/nat-gateway):
Example Terraform configuration for deploying a cluster of Firezone Gateways
behind a NAT gateway on AWS with a single egress IP.
- [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway):
Example Terraform configuration for deploying a cluster of Firezone Gateways
behind a NAT gateway on GCP with a single egress IP.
@@ -115,9 +112,6 @@ product documentation, organized as follows:
- [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group):
Production-ready Terraform module for deploying regional Firezone Gateways
to Google Cloud Compute using Regional Instance Groups.
- [terraform/modules/aws/firezone-gateway](../terraform/modules/aws/firezone-gateway):
Production-ready Terraform module for deploying Firezone Gateways to AWS
using Auto Scaling Groups.
- [terraform/modules/azure/firezone-gateway](../terraform/modules/azure/firezone-gateway):
Production-ready Terraform module for deploying Firezone Gateways to Azure
using Azure Orchestrated Virtual Machine Scale Sets.


@@ -1,4 +0,0 @@
# Deploy Firezone on AWS with Terraform
See [our docs for a detailed guide](/kb/automate/terraform/aws) on deploying
Firezone on AWS with Terraform using this example.


@@ -1,174 +0,0 @@
# Change these to match your environment
locals {
region = "us-east-1"
firezone_token = "YOUR_FIREZONE_TOKEN"
}
module "aws_firezone_gateway" {
source = "github.com/firezone/firezone/terraform/modules/aws/firezone-gateway"
###################
# Required inputs #
###################
# Generate a token from the admin portal in Sites -> <site> -> Deploy Gateway.
# Only one token is needed for the cluster.
firezone_token = local.firezone_token
# Pick an AMI to use. We recommend Ubuntu LTS or Amazon Linux 2.
base_ami = data.aws_ami_ids.ubuntu.ids[0]
# Attach the Gateways to your VPC and subnets.
vpc = aws_vpc.main.id
public_subnet = aws_subnet.public.id
private_subnet = aws_subnet.private.id
instance_security_groups = [
aws_security_group.instance.id
]
###################
# Optional inputs #
###################
# Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
# firezone_version = "latest"
# Override the default API URL. This should almost never be needed.
# firezone_api_url = "wss://api.firezone.dev"
# Gateways are very lightweight.
# See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
# instance_type = "t3.nano"
# We recommend a minimum of 3 instances for high availability.
# min_size = 3
# max_size = 5
# desired_capacity = 3
}
data "aws_ami_ids" "ubuntu" {
owners = ["099720109477"] # Canonical
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"]
}
}
provider "aws" {
# Change this to your desired region
region = local.region
}
resource "aws_vpc" "main" {
cidr_block = "172.16.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = "172.16.0.0/24"
map_public_ip_on_launch = true
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.main.id
cidr_block = "172.16.1.0/24"
}
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.main.id
}
resource "aws_eip" "nat" {
domain = "vpc"
}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.id
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private.id
}
resource "aws_security_group" "instance" {
vpc_id = aws_vpc.main.id
// allow SSH from other machines on the subnet
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
aws_subnet.private.cidr_block,
aws_subnet.public.cidr_block
]
}
egress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "instance_connect" {
name = "allow egress to all vpc subnets"
description = "Security group to allow SSH to vpc subnets. Created for use with EC2 Instance Connect Endpoint."
vpc_id = aws_vpc.main.id
egress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
aws_subnet.private.cidr_block,
aws_subnet.public.cidr_block
]
}
}
resource "aws_ec2_instance_connect_endpoint" "instance_connect_endpoint" {
subnet_id = aws_subnet.public.id
preserve_client_ip = false
security_group_ids = [
aws_security_group.instance_connect.id
]
tags = {
Name = "firezone-gateway-instance-connect-endpoint"
}
}
output "nat_public_ip" {
description = "The public IP of the NAT gateway"
value = aws_eip.nat.public_ip
}


@@ -1,54 +0,0 @@
resource "aws_launch_configuration" "lc" {
name = "firezone-gateway-lc"
image_id = var.base_ami
instance_type = var.instance_type
security_groups = var.instance_security_groups
associate_public_ip_address = false
lifecycle {
create_before_destroy = true
}
user_data = <<-EOF
#!/bin/bash
set -e
sudo apt-get update
sudo apt-get install -y curl uuid-runtime
FIREZONE_TOKEN="${var.firezone_token}" \
FIREZONE_VERSION="${var.firezone_version}" \
FIREZONE_NAME="${var.firezone_name}" \
FIREZONE_ID="$(uuidgen)" \
FIREZONE_API_URL="${var.firezone_api_url}" \
bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
EOF
}
resource "aws_autoscaling_group" "asg" {
desired_capacity = var.desired_capacity
max_size = var.max_size
min_size = var.min_size
vpc_zone_identifier = [var.private_subnet]
launch_configuration = aws_launch_configuration.lc.id
tag {
key = "Name"
value = "firezone-gateway-instance"
propagate_at_launch = true
}
dynamic "tag" {
for_each = var.extra_tags
content {
key = tag.value.key
propagate_at_launch = tag.value.propagate_at_launch
value = tag.value.value
}
}
lifecycle {
create_before_destroy = true
}
}


@@ -1,85 +0,0 @@
variable "base_ami" {
description = "The base AMI for the instances"
type = string
}
variable "instance_type" {
description = "The instance type"
type = string
default = "t3.nano"
}
variable "desired_capacity" {
description = "The desired number of instances"
type = number
default = 3
}
variable "min_size" {
description = "The minimum number of instances"
type = number
default = 3
}
variable "max_size" {
description = "The maximum number of instances"
type = number
default = 5
}
variable "firezone_token" {
description = "The Firezone token"
type = string
nullable = false
sensitive = true
}
variable "firezone_version" {
description = "The Gateway version to deploy"
type = string
default = "latest"
}
variable "firezone_name" {
description = "Name for the Gateways used in the admin portal"
type = string
default = "$(hostname)"
}
variable "firezone_api_url" {
description = "The Firezone API URL"
type = string
default = "wss://api.firezone.dev"
}
variable "vpc" {
description = "The VPC id to use"
type = string
}
variable "private_subnet" {
description = "The private subnet id"
type = string
}
variable "public_subnet" {
description = "The public subnet id"
type = string
}
variable "instance_security_groups" {
description = "The security group ids to attach to the instances"
type = list(string)
}
variable "extra_tags" {
description = "Extra tags for the Auto Scaling group"
type = map(object({
key = string
value = string
propagate_at_launch = bool
}))
default = {}
}


@@ -63,7 +63,7 @@ for some general guidelines depending on your expected traffic.
## Deployment
1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/aws/nat-gateway/main.tf)
1. [Download](https://raw.githubusercontent.com/firezone/terraform-firezone-aws/main/examples/nat-gateway/main.tf)
the `main.tf` from the example module.
1. Customize it as desired. At a minimum, you will need to set the
`firezone_token` and change `base_ami` and `region` to match your