diff --git a/docs/README.md b/docs/README.md
index 291470267..2f0c64719 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -103,9 +103,6 @@ product documentation, organized as follows:
 - [kotlin/](../kotlin/android): Android / ChromeOS clients.
 - [website/](../website): Marketing website and product documentation.
 - [terraform/](../terraform): Terraform files for various example deployments.
- - [terraform/examples/aws/nat-gateway](../terraform/examples/aws/nat-gateway):
- Example Terraform configuration for deploying a cluster of Firezone Gateways
- behind a NAT gateway on AWS with a single egress IP.
 - [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway): Example Terraform configuration for deploying a cluster of Firezone Gateways behind a NAT gateway on GCP with a single egress IP.
@@ -115,9 +112,6 @@ product documentation, organized as follows:
 - [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group): Production-ready Terraform module for deploying regional Firezone Gateways to Google Cloud Compute using Regional Instance Groups.
- - [terraform/modules/aws/firezone-gateway](../terraform/modules/aws/firezone-gateway):
- Production-ready Terraform module for deploying Firezone Gateways to AWS
- using Auto Scaling Groups.
 - [terraform/modules/azure/firezone-gateway](../terraform/modules/azure/firezone-gateway): Production-ready Terraform module for deploying Firezone Gateways to Azure using Azure Orchestrated Virtual Machine Scale Sets.
diff --git a/terraform/examples/aws/nat-gateway/README.md b/terraform/examples/aws/nat-gateway/README.md
deleted file mode 100644
index 3d99a80f0..000000000
--- a/terraform/examples/aws/nat-gateway/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# Deploy Firezone on AWS with Terraform
-
-See [our docs for a detailed guide](/kb/automate/terraform/aws) on deploying
-Firezone on AWS with Terraform using this example.
diff --git a/terraform/examples/aws/nat-gateway/main.tf b/terraform/examples/aws/nat-gateway/main.tf
deleted file mode 100644
index 208015ce9..000000000
--- a/terraform/examples/aws/nat-gateway/main.tf
+++ /dev/null
@@ -1,174 +0,0 @@
-# Change these to match your environment
-locals {
- region = "us-east-1"
- firezone_token = "YOUR_FIREZONE_TOKEN"
-}
-
-module "aws_firezone_gateway" {
- source = "github.com/firezone/firezone/terraform/modules/aws/firezone-gateway"
-
- ###################
- # Required inputs #
- ###################
-
- # Generate a token from the admin portal in Sites -> -> Deploy Gateway.
- # Only one token is needed for the cluster.
- firezone_token = local.firezone_token
-
- # Pick an AMI to use. We recommend Ubuntu LTS or Amazon Linux 2.
- base_ami = data.aws_ami_ids.ubuntu.ids[0]
-
- # Attach the Gateways to your VPC and subnets.
- vpc = aws_vpc.main.id
- public_subnet = aws_subnet.public.id
- private_subnet = aws_subnet.private.id
- instance_security_groups = [
- aws_security_group.instance.id
- ]
-
- ###################
- # Optional inputs #
- ###################
-
- # Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
- # firezone_version = "latest"
-
- # Override the default API URL. This should almost never be needed.
- # firezone_api_url = "wss://api.firezone.dev"
-
- # Gateways are very lightweight.
- # See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
- # instance_type = "t3.nano"
-
- # We recommend a minimum of 3 instances for high availability.
- # min_size = 3
- # max_size = 5
- # desired_capacity = 3
-}
-
-data "aws_ami_ids" "ubuntu" {
- owners = ["099720109477"] # Canonical
-
- filter {
- name = "name"
- values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"]
- }
-}
-
-provider "aws" {
- # Change this to your desired region
- region = local.region
-}
-
-resource "aws_vpc" "main" {
- cidr_block = "172.16.0.0/16"
- enable_dns_support = true
- enable_dns_hostnames = true
-}
-
-resource "aws_subnet" "public" {
- vpc_id = aws_vpc.main.id
- cidr_block = "172.16.0.0/24"
- map_public_ip_on_launch = true
-}
-
-resource "aws_subnet" "private" {
- vpc_id = aws_vpc.main.id
- cidr_block = "172.16.1.0/24"
-}
-
-resource "aws_internet_gateway" "gw" {
- vpc_id = aws_vpc.main.id
-}
-
-resource "aws_eip" "nat" {
- domain = "vpc"
-}
-
-resource "aws_nat_gateway" "nat" {
- allocation_id = aws_eip.nat.id
- subnet_id = aws_subnet.public.id
-}
-
-resource "aws_route_table" "public" {
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gw.id
- }
-}
-
-resource "aws_route_table" "private" {
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- nat_gateway_id = aws_nat_gateway.nat.id
- }
-}
-
-resource "aws_route_table_association" "public" {
- subnet_id = aws_subnet.public.id
- route_table_id = aws_route_table.public.id
-}
-
-resource "aws_route_table_association" "private" {
- subnet_id = aws_subnet.private.id
- route_table_id = aws_route_table.private.id
-}
-
-resource "aws_security_group" "instance" {
- vpc_id = aws_vpc.main.id
-
- // allow SSH from other machines on the subnet
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = [
- aws_subnet.private.cidr_block,
- aws_subnet.public.cidr_block
- ]
- }
-
- egress {
- from_port = 0
- to_port = 65535
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_security_group" "instance_connect" {
- name = "allow egress to all vpc subnets"
- description = "Security 
group to allow SSH to vpc subnets. Created for use with EC2 Instance Connect Endpoint."
- vpc_id = aws_vpc.main.id
-
- egress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = [
- aws_subnet.private.cidr_block,
- aws_subnet.public.cidr_block
- ]
- }
-}
-
-resource "aws_ec2_instance_connect_endpoint" "instance_connect_endpoint" {
- subnet_id = aws_subnet.public.id
- preserve_client_ip = false
- security_group_ids = [
- aws_security_group.instance_connect.id
- ]
-
- tags = {
- Name = "firezone-gateway-instance-connect-endpoint"
- }
-}
-
-output "nat_public_ip" {
- description = "The public IP of the NAT gateway"
- value = aws_eip.nat.public_ip
-}
diff --git a/terraform/modules/aws/firezone-gateway/main.tf b/terraform/modules/aws/firezone-gateway/main.tf
deleted file mode 100644
index 837c0cea0..000000000
--- a/terraform/modules/aws/firezone-gateway/main.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-resource "aws_launch_configuration" "lc" {
- name = "firezone-gateway-lc"
- image_id = var.base_ami
- instance_type = var.instance_type
- security_groups = var.instance_security_groups
- associate_public_ip_address = false
-
- lifecycle {
- create_before_destroy = true
- }
-
- user_data = <<-EOF
- #!/bin/bash
- set -e
-
- sudo apt-get update
- sudo apt-get install -y curl uuid-runtime
-
- FIREZONE_TOKEN="${var.firezone_token}" \
- FIREZONE_VERSION="${var.firezone_version}" \
- FIREZONE_NAME="${var.firezone_name}" \
- FIREZONE_ID="$(uuidgen)" \
- FIREZONE_API_URL="${var.firezone_api_url}" \
- bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
-
- EOF
-}
-
-resource "aws_autoscaling_group" "asg" {
- desired_capacity = var.desired_capacity
- max_size = var.max_size
- min_size = var.min_size
- vpc_zone_identifier = [var.private_subnet]
- launch_configuration = aws_launch_configuration.lc.id
-
- tag {
- key = "Name"
- value = "firezone-gateway-instance"
- propagate_at_launch = true
- }
-
- dynamic "tag" {
- for_each = var.extra_tags
- content {
- key = tag.value.key
- propagate_at_launch = tag.value.propagate_at_launch
- value = tag.value.value
- }
- }
-
- lifecycle {
- create_before_destroy = true
- }
-}
diff --git a/terraform/modules/aws/firezone-gateway/variables.tf b/terraform/modules/aws/firezone-gateway/variables.tf
deleted file mode 100644
index a0c5a7eea..000000000
--- a/terraform/modules/aws/firezone-gateway/variables.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-variable "base_ami" {
- description = "The base AMI for the instances"
- type = string
-}
-
-variable "instance_type" {
- description = "The instance type"
- type = string
- default = "t3.nano"
-}
-
-variable "desired_capacity" {
- description = "The desired number of instances"
- type = number
- default = 3
-}
-
-variable "min_size" {
- description = "The minimum number of instances"
- type = number
- default = 3
-}
-
-variable "max_size" {
- description = "The maximum number of instances"
- type = number
- default = 5
-}
-
-variable "firezone_token" {
- description = "The Firezone token"
- type = string
- nullable = false
- sensitive = true
-}
-
-variable "firezone_version" {
- description = "The Gateway version to deploy"
- type = string
- default = "latest"
-}
-
-variable "firezone_name" {
- description = "Name for the Gateways used in the admin portal"
- type = string
- default = "$(hostname)"
-}
-
-variable "firezone_api_url" {
- description = "The Firezone API URL"
- type = string
- default = "wss://api.firezone.dev"
-}
-
-variable "vpc" {
- description = "The VPC id to use"
- type = string
-}
-
-variable "private_subnet" {
- description = "The private subnet id"
- type = string
-}
-
-variable "public_subnet" {
- description = "The public subnet id"
- type = string
-}
-
-variable "instance_security_groups" {
- description = "The security group ids to attach to the instances"
- type = list(string)
-}
-
-variable "extra_tags" {
- description = "Extra tags for the Auto Scaling group"
-
- type = map(object({
- key = string
- value = string
- propagate_at_launch = bool
- }))
-
- default = {}
-}
diff --git a/website/src/app/kb/automate/terraform/aws/readme.mdx b/website/src/app/kb/automate/terraform/aws/readme.mdx
index 66d363689..3c505a8ec 100644
--- a/website/src/app/kb/automate/terraform/aws/readme.mdx
+++ b/website/src/app/kb/automate/terraform/aws/readme.mdx
@@ -63,7 +63,7 @@ for some general guidelines depending on your expected traffic.
 ## Deployment
-1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/aws/nat-gateway/main.tf)
+1. [Download](https://raw.githubusercontent.com/firezone/terraform-firezone-aws/main/examples/nat-gateway/main.tf)
 the `main.tf` from the example module.
 1. Customize it as desired. At a minimum, you will need to set the `firezone_token` and change `base_ami` and `region` to match your