Add "Secure Mode" to the complete example #112

Merged
merged 26 commits into from
Apr 4, 2023
26 commits
29da7fa
wip
RothAndrew Mar 23, 2023
c2496cf
wip
RothAndrew Mar 24, 2023
c48d612
Delete complete-self-managed-nodegroup example since secure mode cove…
RothAndrew Mar 24, 2023
5be5d46
wip
RothAndrew Mar 24, 2023
33f4f82
wip
RothAndrew Mar 27, 2023
6902720
Change keycloak_enabled back to true
RothAndrew Mar 27, 2023
898169d
undo the managed stuff and change keycloak_enabled back to false
RothAndrew Mar 27, 2023
29af182
wip
RothAndrew Mar 27, 2023
28b5a4e
Update providers to use eks module output instead of data object
RothAndrew Mar 27, 2023
b2d0b5e
Change keycloak_enabled back to true
RothAndrew Mar 27, 2023
9aad202
wip
RothAndrew Mar 27, 2023
bce548a
Merge branch 'main' into feature/secure-mode-to-complete-example
RothAndrew Mar 28, 2023
ef3bbf3
Merge branch 'main' into feature/secure-mode-to-complete-example
zack-is-cool Mar 29, 2023
7cc6609
Increase the sleep to 3 minutes
RothAndrew Mar 29, 2023
5818e84
wip
RothAndrew Mar 29, 2023
49ba458
wip
RothAndrew Mar 29, 2023
06cb1e0
wip
RothAndrew Mar 29, 2023
d288fc5
wip
RothAndrew Mar 29, 2023
5939e8e
Merge branch 'main' into feature/secure-mode-to-complete-example
ntwkninja Mar 30, 2023
2445893
wip
RothAndrew Mar 30, 2023
add42b5
wip
RothAndrew Mar 31, 2023
9a4a7ec
Merge branch 'main' into feature/secure-mode-to-complete-example
RothAndrew Apr 3, 2023
1a7082f
wip
RothAndrew Apr 3, 2023
20d1430
wip
RothAndrew Apr 3, 2023
2c9a5a4
Merge branch 'main' into feature/secure-mode-to-complete-example
RothAndrew Apr 3, 2023
a8172e9
wip
RothAndrew Apr 3, 2023
wip
RothAndrew committed Mar 24, 2023

commit c2496cf265fc2f3006cdbd69288b061eb2a86f4e
1 change: 0 additions & 1 deletion Makefile
@@ -37,7 +37,6 @@ _test-all:
-v "${PWD}/.cache/tmp:/tmp" \
-v "${PWD}/.cache/go:/root/go" \
-v "${PWD}/.cache/go-build:/root/.cache/go-build" \
-v "${PWD}/test/.ssh:/root/.ssh" \
--workdir "/app/test/e2e" \
-e GOPATH=/root/go \
-e GOCACHE=/root/.cache/go-build \
1 change: 1 addition & 0 deletions examples/complete/README.md
@@ -143,6 +143,7 @@ Coming soon
|------|-------------|
| <a name="output_bastion_instance_id"></a> [bastion\_instance\_id](#output\_bastion\_instance\_id) | The ID of the bastion host |
| <a name="output_bastion_private_key"></a> [bastion\_private\_key](#output\_bastion\_private\_key) | The private key for the bastion host |
| <a name="output_bastion_region"></a> [bastion\_region](#output\_bastion\_region) | The region that the bastion host was deployed to |
| <a name="output_dynamodb_name"></a> [dynamodb\_name](#output\_dynamodb\_name) | Name of DynmoDB table |
| <a name="output_keycloak_db_instance_endpoint"></a> [keycloak\_db\_instance\_endpoint](#output\_keycloak\_db\_instance\_endpoint) | The connection endpoint |
| <a name="output_keycloak_db_instance_name"></a> [keycloak\_db\_instance\_name](#output\_keycloak\_db\_instance\_name) | The database name |
6 changes: 6 additions & 0 deletions examples/complete/outputs.tf
@@ -29,11 +29,17 @@ output "bastion_instance_id" {
value = module.bastion.instance_id
}

output "bastion_region" {
description = "The region that the bastion host was deployed to"
value = module.bastion.region
}

output "bastion_private_key" {
description = "The private key for the bastion host"
value = module.bastion.private_key
sensitive = true
}

output "dynamodb_name" {
description = "Name of DynmoDB table"
value = module.loki_s3_bucket.dynamodb_name
1 change: 1 addition & 0 deletions modules/bastion/README.md
@@ -166,6 +166,7 @@ No modules.
| <a name="output_private_ip"></a> [private\_ip](#output\_private\_ip) | Private IP |
| <a name="output_private_key"></a> [private\_key](#output\_private\_key) | n/a |
| <a name="output_public_ip"></a> [public\_ip](#output\_public\_ip) | Public IP |
| <a name="output_region"></a> [region](#output\_region) | Region the bastion was deployed to |
| <a name="output_security_group_ids"></a> [security\_group\_ids](#output\_security\_group\_ids) | Security Group Ids |
| <a name="output_session_logs_bucket_arn"></a> [session\_logs\_bucket\_arn](#output\_session\_logs\_bucket\_arn) | Session Logs Bucket ARN |
| <a name="output_session_logs_bucket_name"></a> [session\_logs\_bucket\_name](#output\_session\_logs\_bucket\_name) | Session Logs Bucket Name |
5 changes: 5 additions & 0 deletions modules/bastion/output.tf
@@ -56,3 +56,8 @@ output "bastion_role_arn" {
value = aws_iam_role.bastion_ssm_role.arn
description = "Bastion Role ARN"
}

output "region" {
value = data.aws_region.current.name
description = "Region the bastion was deployed to"
}
3 changes: 0 additions & 3 deletions test/.ssh/config

This file was deleted.

18 changes: 10 additions & 8 deletions test/e2e/examples_complete_secure_test.go
@@ -58,7 +58,8 @@ func setupTestExamplesCompleteSecure(t *testing.T, terraformOptionsNoTargets *te
// TODO: Figure out how to parse the input variables to get the bastion password rather than having to hardcode it
bastionPassword := "my-password"
vpcCidr := terraform.Output(t, terraformOptionsWithVPCAndBastionTargets, "vpc_cidr")
err := applyWithSshuttle(t, bastionInstanceID, bastionPassword, vpcCidr, terraformOptionsNoTargets)
bastionRegion := terraform.Output(t, terraformOptionsWithVPCAndBastionTargets, "bastion_region")
err := applyWithSshuttle(t, bastionInstanceID, bastionRegion, bastionPassword, vpcCidr, terraformOptionsNoTargets)
require.NoError(t, err)
})
}
@@ -71,15 +72,16 @@ func teardownTestExamplesCompleteSecure(t *testing.T, terraformOptionsNoTargets
// TODO: Figure out how to parse the input variables to get the bastion password rather than having to hardcode it
bastionPassword := "my-password"
vpcCidr := terraform.Output(t, terraformOptionsWithEKSTarget, "vpc_cidr")
err := destroyWithSshuttle(t, bastionInstanceID, bastionPassword, vpcCidr, terraformOptionsWithEKSTarget)
bastionRegion := terraform.Output(t, terraformOptionsWithEKSTarget, "bastion_region")
err := destroyWithSshuttle(t, bastionInstanceID, bastionRegion, bastionPassword, vpcCidr, terraformOptionsWithEKSTarget)
assert.NoError(t, err)
terraform.Destroy(t, terraformOptionsNoTargets)
})
}

func applyWithSshuttle(t *testing.T, bastionInstanceID string, bastionPassword string, vpcCidr string, terraformOptions *terraform.Options) error {
func applyWithSshuttle(t *testing.T, bastionInstanceID string, bastionRegion string, bastionPassword string, vpcCidr string, terraformOptions *terraform.Options) error {
t.Helper()
cmd, err := runSshuttleInBackground(t, bastionInstanceID, bastionPassword, vpcCidr)
cmd, err := runSshuttleInBackground(t, bastionInstanceID, bastionRegion, bastionPassword, vpcCidr)
if err != nil {
return err
}
@@ -92,9 +94,9 @@ func applyWithSshuttle(t *testing.T, bastionInstanceID string, bastionPassword s
return nil
}

func destroyWithSshuttle(t *testing.T, bastionInstanceID string, bastionPassword string, vpcCidr string, terraformOptions *terraform.Options) error {
func destroyWithSshuttle(t *testing.T, bastionInstanceID string, bastionRegion string, bastionPassword string, vpcCidr string, terraformOptions *terraform.Options) error {
t.Helper()
cmd, err := runSshuttleInBackground(t, bastionInstanceID, bastionPassword, vpcCidr)
cmd, err := runSshuttleInBackground(t, bastionInstanceID, bastionRegion, bastionPassword, vpcCidr)
if err != nil {
return err
}
@@ -107,9 +109,9 @@ func destroyWithSshuttle(t *testing.T, bastionInstanceID string, bastionPassword
return nil
}

func runSshuttleInBackground(t *testing.T, bastionInstanceID string, bastionPassword string, vpcCidr string) (*exec.Cmd, error) {
func runSshuttleInBackground(t *testing.T, bastionInstanceID string, bastionRegion string, bastionPassword string, vpcCidr string) (*exec.Cmd, error) {
t.Helper()
cmd := exec.Command("sshuttle", "-e", fmt.Sprintf(`sshpass -p "%s" ssh -q -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, bastionPassword), "--dns", "--disable-ipv6", "-vr", fmt.Sprintf("ec2-user@%s", bastionInstanceID), vpcCidr) //nolint:gosec
cmd := exec.Command("sshuttle", "-e", fmt.Sprintf(`sshpass -p "%s" ssh -q -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="aws ssm --region '%s' start-session --target %%h --document-name AWS-StartSSHSession --parameters 'portNumber=%%p'"`, bastionPassword, bastionRegion), "--dns", "--disable-ipv6", "-vr", fmt.Sprintf("ec2-user@%s", bastionInstanceID), vpcCidr) //nolint:gosec
if err := cmd.Start(); err != nil {
return nil, fmt.Errorf("failed to start sshuttle: %w", err)
}