[WIFI-11553] Chg: vpn

Signed-off-by: Dmitry Dunaev <dmitry@opsfleet.com>

terraform/root-162540680133/sops_key/main.tf

@@ -1,6 +1,6 @@
 provider "aws" {
   version = ">= 2.63.0"
-  region = var.aws_region
+  region  = var.aws_region
 }
 
 terraform {

terraform/wifi-289708231103/tip-wifi-vpn/.sops.yaml

@@ -0,0 +1,2 @@
+creation_rules:
+- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets'

terraform/wifi-289708231103/tip-wifi-vpn/.terraform.lock.hcl

@@ -1,21 +1,40 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
-provider "registry.terraform.io/hashicorp/aws" {
-  version     = "3.71.0"
-  constraints = ">= 3.15.0"
+provider "registry.terraform.io/carlpett/sops" {
+  version     = "0.7.1"
+  constraints = "~> 0.5"
   hashes = [
-    "h1:wnTd0krep3mqRz650U7TSv/tCkA0LoXKe0QFlnsg/7Q=",
-    "zh:173134d8861a33ed60a48942ad2b96b9d06e85c506d7f927bead47a28f4ebdd2",
-    "zh:2996c8e96930f526f1761e99d14c0b18d83e287b1362aa2fa1444cf848ece613",
-    "zh:43903da1e0a809a1fb5832e957dbe2321b86630d6bfdd8b47728647a72fd912d",
-    "zh:43e71fd8924e7f7b56a0b2a82e29edf07c53c2b41ee7bb442a2f1c27e03e86ae",
-    "zh:4f4c73711f64a3ff85f88bf6b2594e5431d996b7a59041ff6cbc352f069fc122",
-    "zh:5045241b8695ffbd0730bdcd91393b10ffd0cfbeaad6254036e42ead6687d8fd",
-    "zh:6a8811a0fb1035c09aebf1f9b15295523a9a7a2627fd783f50c6168a82e192dd",
-    "zh:8d273c04d7a8c36d4366329adf041c480a0f1be10a7269269c88413300aebdb8",
-    "zh:b90505897ae4943a74de2b88b6a9e7d97bf6dc325a0222235996580edff28656",
-    "zh:ea5e422942ac6fc958229d27d4381c89d21d70c5c2c67a6c06ff357bcded76f6",
-    "zh:f1536d7ff2d3bfd668e3ac33d8956b4f988f87fdfdcc371c7d94b98d5dba53e2",
+    "h1:/LNLI9qKgRjlHhyl1M/6BA+HVUMQ9RQApZgyfV4RAJ4=",
+    "zh:203d5ab6af38efb9fc84fdbb303218aa5012dc8d28e700642be41bbc4b1c2fa1",
+    "zh:5684a2dc65da50824fb4275c10ac452e6512dd0d60a9abd5f505e67e7b9d759a",
+    "zh:b4311d7cae0b29f2dcf5a18a8297ed0787f59b140102547da9f8b61af27e15b6",
+    "zh:bbf9e6956191a95dfbb8336b1cc8a059ceba4d3f1f22a83e4f08662cd1cabe9b",
+    "zh:cd8f244d26f9733b9b238db22b520e69cdc68262093db3389ec466b1df2cadd8",
+    "zh:d855e4dc2ad41d8a877dd5dcd51061233fc5976c5c9afceb5a973e6a9f76b1d9",
+    "zh:ed584cf42015e1f10359cc2d85b12e348c5c1581ae781be29e0e3dfb7f43590b",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.40.0"
+  constraints = ">= 4.4.0"
+  hashes = [
+    "h1:ZNYcP0N4WfRiuCmkXJkPrTS/4BG7PfkbXBUhbA77WTg=",
+    "zh:04ca7287b7f5a2a310b60308cc08df11e97714d32d1a10c34a94454d330af66e",
+    "zh:13c28ba9b324c526580783a3807007a296ce58c607c7bdc94ae2bb72b35b6495",
+    "zh:2c84dbc0701b9724802f7343f916f50b6914a044dfbfc6654f264c9347f02dac",
+    "zh:33255a22e1d1ecec2ad8ccfec1e4a54dc33a8d71f3edad098c25d822958a138b",
+    "zh:4583b5e92b8de3662c8d8ff8a6527572ec23ad8c64dd686ff9dd528bc6934a4f",
+    "zh:4a9f502c0b8abe45abda846e0601f8d8ef582e62e0b92cb747b4200a711ba739",
+    "zh:558959e19935ec5e7f0647e900fc8561f4961a377be0178496a6495805136721",
+    "zh:6b3dc4b034d34885db620d73c75d3bb9abeee539e61ca9d0670fb995353e165d",
+    "zh:72f0dac5dbba355bce88599ded2baabc7d109ee786b89c6648ae720cb00a4bbf",
+    "zh:77981b87e2bcbb278402e8ff863d5e50aafbdc03629d7a57273c06989884a22f",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:c5b4dd61558a4887a23847d23cd3b41a97ad03a9f3624d0687cb5461fee514b0",
+    "zh:c8949bc6600ec10ea5c0abdd4c1ffee8f82519c0cda8cc7a651e6258960e6249",
+    "zh:d1c88ab98f126d65cd0c7b6c9e1d06d59e766217ae374d5a908052817e3692a3",
+    "zh:ff2e921440bcbfd440ef84f5127ba881c930b2b70773e725de35c0fa3baddc4b",
   ]
 }

terraform/wifi-289708231103/tip-wifi-vpn/alerts.tf

@@ -128,7 +128,7 @@ resource "aws_cloudformation_stack" "atlassian_cloud_backup_email_notification"
   template_body = <<EOT
 AWSTemplateFormatVersion: 2010-09-09
 Resources:
-%{~for subscription in var.sns_alarm_subscriptions}
+%{~for subscription in jsondecode(data.sops_file.secrets.raw).sns_alarm_subscriptions}
   Subscription${md5(subscription["endpoint"])}:
     Type: AWS::SNS::Subscription
     Properties:

terraform/wifi-289708231103/tip-wifi-vpn/main.tf

@@ -12,6 +12,13 @@ terraform {
     dynamodb_table = "terraform-state-lock"
     encrypt        = true
   }
+
+  required_providers {
+    sops = {
+      source  = "carlpett/sops"
+      version = "~> 0.5"
+    }
+  }
 }
 
 data "terraform_remote_state" "wlan_main" {
@@ -26,6 +33,10 @@ data "terraform_remote_state" "wlan_main" {
   }
 }
 
+data "sops_file" "secrets" {
+  source_file = "secrets.enc.json"
+}
+
 locals {
   common_tags = {
     "ManagedBy" = "terraform"

terraform/wifi-289708231103/tip-wifi-vpn/perfecto-vpn.tf

@@ -1,6 +1,6 @@
 resource "aws_customer_gateway" "tunnel_perfecto" {
   bgp_asn    = 65000
-  ip_address = "23.21.201.213"
+  ip_address = data.sops_file.secrets.data["perfecto_ip"]
   type       = "ipsec.1"
   tags       = merge({ Name = "tunnel-perfecto" }, local.common_tags)
 }
@@ -12,9 +12,3 @@ resource "aws_vpn_connection" "tunnel-perfecto" {
   static_routes_only  = true
   tags                = merge({ Name = "tunnel-perfecto" }, local.common_tags)
 }
-
-# resource "aws_ec2_transit_gateway_route" "tunnel-perfecto" {
-#   destination_cidr_block         = "198.160.7.240/32"
-#   transit_gateway_attachment_id  = aws_vpn_connection.tunnel-perfecto.transit_gateway_attachment_id
-#   transit_gateway_route_table_id = module.tgw_main.ec2_transit_gateway_association_default_route_table_id
-# }

terraform/wifi-289708231103/tip-wifi-vpn/secrets.enc.json

@@ -0,0 +1,35 @@
+{
+	"perfecto_ip": "ENC[AES256_GCM,data:/IY0aCN2eHcL0RucVw==,iv:R7ZeKlKpKHMQsUjGHsZbiVEFsGmwUciqReGd9l+5Ttw=,tag:5fAf9wnxVkKK05EATbskzw==,type:str]",
+	"vpn_endpoint_ip": "ENC[AES256_GCM,data:3nuiwTivzdxWCoz3LpY=,iv:fVXXVTd0uEMGCSsQoz5G2TBMyN8j2kdIjkWVxFbS1ZE=,tag:xpKDqJGPvLc3VSLsMSyYxw==,type:str]",
+	"nrg_vpn_endpoint_ip": "ENC[AES256_GCM,data:DLdU2Zty4catmeZWcZq2,iv:zJNSGSrNyHUthGYy6SnJx24qHx8DSr+9AelstchTAGs=,tag:vHDgU3d53SjEOyt4mIVuNg==,type:str]",
+	"vpn_endpoint_cidr": "ENC[AES256_GCM,data:zFuYNiOQ8CuSnKsnMXc=,iv:NjT8TBjU7t+TFDabF1qQ4fOzJpJBbnDAN3ZVNQOi8ig=,tag:RNnfvoXxaRgEPjpvL/PGGA==,type:str]",
+	"sns_alarm_subscriptions": [
+		{
+			"protocol": "ENC[AES256_GCM,data:YOJqHTg=,iv:H/fdlPeKnotz5F3iRCRomaXzurl9w2JZj+zWuCyhDSc=,tag:EaFi41DuHiE7zYJCO+g8hA==,type:str]",
+			"endpoint": "ENC[AES256_GCM,data:82w01TQr6f/r58QwPaXOvmdJtvbHVyU=,iv:PDAW0llXFGnjXFr+vefRXFDogLkN93dxRd2k+wk3Pg4=,tag:vCwpaHFHhTgQnufqMt6Zhg==,type:str]"
+		},
+		{
+			"protocol": "ENC[AES256_GCM,data:nytYN7Y=,iv:G0TvH0k77GTsxpO5oe1Lbzlw0PpxOytRHy0AsBW+BsA=,tag:W3amDCbgp0p3kBVlCYoq9g==,type:str]",
+			"endpoint": "ENC[AES256_GCM,data:V5plQfypyyS1E5HWeyMOuFhjpZhHmA==,iv:YvZTkaSJoWBpSLCMHdbSDz2ZI45WEKfSHHIC3l8Krpk=,tag:FPOdvy1POHgFSwxsCZaeXQ==,type:str]"
+		}
+	],
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:us-east-2:289708231103:alias/helm-secrets",
+				"created_at": "2022-11-21T14:47:10Z",
+				"enc": "AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AG3CR4Uexo9ZJ5nJPwdaLBkAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6OsLcrzyAYuuYnDmAgEQgDs3YMMRGuRKMIw5Pa5t6V5PugAdomPvN2oLwVpPA9d34I8wyrD2QcOlNNMr3bgNIRSGWzgtS/fk9/c7+A==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-11-21T14:53:55Z",
+		"mac": "ENC[AES256_GCM,data:LNvZI/pz05pOyhLO3uWHLv/0EyAKfQ3JHNf/CLT9ezcJm2UPNPPxjEmknjm6J222ox1pWFFStWS0t8GMLdfgF7vackG2n+VqLHT4OTmHXLekVxrCJBLKPQmHeIIoAHQNyenzNatwkiAxHZa/PyprzFrv8sb7yb8yE7/YJpl6fOQ=,iv:5b9rE+qKrU3x21b0XQcOOJQrN1hx00EiXoU4HJOeZ4I=,tag:wG3zunaVaUAo0RD9Tyqgeg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

terraform/wifi-289708231103/tip-wifi-vpn/terraform.tfvars

@@ -1,18 +1 @@
 aws_region = "us-east-2"
-
-vpn_endpoint_ip = "209.249.227.25"
-
-nrg_vpn_endpoint_ip = "163.114.132.128"
-
-vpn_endpoint_cidr = "100.97.55.0/24"
-
-sns_alarm_subscriptions = [
-  {
-    protocol = "email",
-    endpoint = "tip-alerts@opsfleet.com"
-  },
-  {
-    protocol = "email",
-    endpoint = "tipdevops@launchcg.com"
-  },
-]

terraform/wifi-289708231103/tip-wifi-vpn/transit_gateway.tf

@@ -26,7 +26,7 @@ resource "aws_route" "private" {
 }
 
 resource "aws_ec2_transit_gateway_route" "vpn" {
-  destination_cidr_block         = var.vpn_endpoint_cidr
+  destination_cidr_block         = data.sops_file.secrets.data["vpn_endpoint_cidr"]
   transit_gateway_attachment_id  = aws_vpn_connection.tunnel_tip_wifi_nrg.transit_gateway_attachment_id
   transit_gateway_route_table_id = module.tgw_main.ec2_transit_gateway_association_default_route_table_id
 }

terraform/wifi-289708231103/tip-wifi-vpn/vars.tf

@@ -1,22 +1 @@
 variable "aws_region" {}
-
-variable "vpn_endpoint_ip" {
-  description = "IP address of the VPN endpoint connecting to AWS"
-  type        = string
-}
-
-variable "vpn_endpoint_cidr" {
-  description = "Subnet behind the VPN endpoint $vpn_endpoint_ip"
-  type        = string
-}
-
-variable "nrg_vpn_endpoint_ip" {
-  description = "IP address of the VPN endpoint connecting to AWS"
-  type        = string
-}
-
-variable "sns_alarm_subscriptions" {
-  description = "SNS VPN alarm subscriptions"
-  type        = set(map(string))
-  default     = []
-}

terraform/wifi-289708231103/tip-wifi-vpn/vpn.tf

@@ -1,6 +1,6 @@
 resource "aws_customer_gateway" "tunnel_tip_wifi_nrg" {
   bgp_asn    = 65000
-  ip_address = var.nrg_vpn_endpoint_ip
+  ip_address = data.sops_file.secrets.data["nrg_vpn_endpoint_ip"]
   type       = "ipsec.1"
   tags       = merge({ Name = "tip-wifi-fre" }, local.common_tags)
 }