From fedecc79db200593ede980a2b054c5782abd985c Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Tue, 25 May 2021 13:50:58 -0700
Subject: [PATCH 1/3] Use empty string for template file variables for interpolation fix vainkop/terraform-aws-wireguard#4
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index fec5461..62e4e40 100644
--- a/main.tf
+++ b/main.tf
@@ -57,7 +57,7 @@ resource "aws_launch_configuration" "wireguard_launch_config" {
 iam_instance_profile = (var.use_eip ? aws_iam_instance_profile.wireguard_profile[0].name : null)
 user_data = templatefile("${path.module}/templates/user-data.txt", {
 wg_server_private_key = var.use_ssm ? "AWS_SSM_PARAMETER" : var.wg_server_private_key,
- wg_server_private_key_aws_ssm_name = var.use_ssm ? aws_ssm_parameter.wireguard_server_private_key[0].name : null,
+ wg_server_private_key_aws_ssm_name = var.use_ssm ? aws_ssm_parameter.wireguard_server_private_key[0].name : "",
 wg_server_net = var.wg_server_net,
 wg_server_port = var.wg_server_port,
 peers = join("\n", data.template_file.wg_client_data_json.*.rendered),
From e893c14cebb9cedc1caf59b0caf15e5ab0198dc7 Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Tue, 25 May 2021 12:24:11 -0700
Subject: [PATCH 2/3] Don't create eip if var.use_eip = false
Also make sure that var.use_eip is true when creating DNS record
---
 main.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 62e4e40..c53508d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,6 @@
 resource "aws_eip" "wireguard" {
+ count = var.use_eip ? 1 : 0
+
 vpc = true
 tags = {
 Name = "wireguard"
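Review bot: With `use_ssm = false`, the context line `wg_server_private_key = var.use_ssm ? "AWS_SSM_PARAMETER" : var.wg_server_private_key,` still renders the WireGuard server private key verbatim into `user_data`; this hunk only changes the SSM-name fallback from `null` to `""` and leaves that path as it was. Launch-configuration user data is not a secret store: it is returned by the EC2 API to any principal that can describe launch configurations, served by the instance metadata endpoint to every process on the host, and kept in Terraform state. I would add `# NOTE: with use_ssm = false the private key is embedded in user_data (readable via the EC2 API, IMDS and state); prefer use_ssm = true` above the `templatefile` call and document `use_ssm = true` as the recommended setting. The `aws_launch_configuration` block starts before this hunk and its body continues after it.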
@@ -6,14 +8,14 @@ resource "aws_eip" "wireguard" {
 }
 resource "aws_route53_record" "wireguard" {
- count = var.use_route53 ? 1 : 0
+ count = var.use_route53 && var.use_eip ? 1 : 0
 allow_overwrite = true
 set_identifier = "wireguard-${var.region}"
 zone_id = var.route53_hosted_zone_id
 name = var.route53_record_name
 type = "A"
 ttl = "60"
- records = [aws_eip.wireguard.public_ip]
+ records = [aws_eip.wireguard[0].public_ip]
 dynamic "geolocation_routing_policy" {
 for_each = try(length(var.route53_geo.policy) > 0 ? var.route53_geo.policy : tomap(false), {})
@@ -62,7 +64,7 @@ resource "aws_launch_configuration" "wireguard_launch_config" {
 wg_server_port = var.wg_server_port,
 peers = join("\n", data.template_file.wg_client_data_json.*.rendered),
 use_eip = var.use_eip ? "enabled" : "disabled",
- eip_id = aws_eip.wireguard.id,
+ eip_id = var.use_eip ? aws_eip.wireguard[0].id : "",
 use_ssm = var.use_ssm ? "true" : "false",
 wg_server_interface = var.wg_server_interface
 })
From 0c5b3195b97867168167c7330e400e03ddf24fa5 Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Tue, 25 May 2021 14:07:27 -0700
Subject: [PATCH 3/3] When use_eip is false skip creating the elastic IP resource
Also add the EIP id to module outputs in case `use_route53` is `false` and user needs access to elastic IP details.
---
 README.md | 17 ++++++++---------
 outputs.tf | 4 ++++
 variables.tf | 2 +-
 3 files changed, 13 insertions(+), 10 deletions(-)
 create mode 100644 outputs.tf
diff --git a/README.md b/README.md
index b45cb76..c78ebe3 100644
--- a/README.md
+++ b/README.md
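Review bot: `count = var.use_route53 && var.use_eip ? 1 : 0` turns a `use_route53 = true` / `use_eip = false` configuration into a silent no-op: the record is simply not created and nothing tells the user why. Since the commit treats that combination as invalid, rejecting it at plan time is preferable — if the module can require Terraform >= 1.2, keep `count = var.use_route53 ? 1 : 0` and add a `lifecycle { precondition { ... } }` on this resource with `condition = var.use_eip` and an error message like "use_route53 requires use_eip = true"; otherwise at least leave a comment such as `# Route53 record needs the static EIP; silently skipped when use_eip is false`. Writing the condition as `count = (var.use_route53 && var.use_eip) ? 1 : 0` would also make the intended precedence explicit. The `aws_route53_record` block continues past the end of this hunk.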
@@ -1,8 +1,8 @@
 # terraform-aws-wireguard
-A Terraform module to deploy a WireGuard VPN server on AWS. It can also be used to run one or more servers behind a loadbalancer, for redundancy.
+A Terraform module to deploy a WireGuard VPN server on AWS. It can also be used to run one or more servers behind a loadbalancer, for redundancy.
-The module is "Terragrunt ready" & supports multi region deployment & values in yaml format. Please see example here: [example/](example/)
+The module is "Terragrunt ready" & supports multi region deployment & values in yaml format. Please see example here: [example/](example/)
 ## Prerequisites
 Before using this module, you'll need to generate a key pair for your server and client, which cloud-init will source and add to WireGuard's configuration.
@@ -21,9 +21,8 @@ Before using this module, you'll need to generate a key pair for your server and
 |`ssh_key_id`|`string`|Yes|A SSH public key ID to add to the VPN instance.|
 |`vpc_id`|`string`|Yes|The VPC ID in which Terraform will launch the resources.|
 |`env`|`string`|Optional - defaults to `prod`|The name of environment for WireGuard. Used to differentiate multiple deployments.|
-|`use_eip`|`bool`|Optional|Whether to attach an [Elastic IP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) address to the VPN server. Useful for avoiding changing IPs.|
-|`eip_id`|`string`|Optional|When `use_eip` is enabled, specify the ID of the Elastic IP to which the VPN server will attach.|
-|`use_ssm`|`bool`|Optional|Use SSM Parameter Store for the VPN server Private Key.|
+|`use_eip`|`bool`|Optional - defaults to `false`|Whether to create and attach an [Elastic IP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) address to the VPN server. Useful for avoiding changing IPs.|
+|`use_ssm`|`bool`|Optional - defaults to `false`|Use SSM Parameter Store for the VPN server Private Key.|
 |`wg_server_private_key`|`string`|Yes - defaults to static value in `/etc/wireguard/wg0.conf`| Static value or The Parameter Store key to use for the VPN server Private Key.|
 |`target_group_arns`|`string`|Optional|The Loadbalancer Target Group to which the vpn server ASG will attach.|
 |`additional_security_group_ids`|`list`|Optional|Used to allow added access to reach the WG servers or allow loadbalancer health checks.|
@@ -37,10 +36,10 @@ Before using this module, you'll need to generate a key pair for your server and
 |`wg_persistent_keepalive`|`integer`|Optional - defaults to `25`|Regularity of Keepalives, useful for NAT stability.|
 |`ami_id`|`string`|Optional - defaults to the newest Ubuntu 20.04 AMI|AMI to use for the VPN server.|
 |`wg_server_interface`|`string`|Optional - defaults to eth0|Server interface to route traffic to for installations forwarding traffic to private networks.|
-|`use_route53`|`bool`|Optional|Create Route53 record for Wireguard server.|
-|`route53_hosted_zone_id`|`string`|Optional - if use_route53 is not used.|Route53 Hosted zone ID for Wireguard server Route53 record.|
-|`route53_record_name`|`string`|Optional - if use_route53 is not used.|Route53 Record Name for Wireguard server.|
-
+|`use_route53`|`bool`|Optional - default to `false`|Create Route53 record for Wireguard server (requires `use_eip` to be `true`).|
+|`route53_hosted_zone_id`|`string`|Optional - if `use_route53` is not used.|Route53 Hosted zone ID for Wireguard server Route53 record.|
+|`route53_record_name`|`string`|Optional - if `use_route53` is not used.|Route53 Record Name for Wireguard server.|
+
 If the `wg_server_private_key` contains certain characters like slashes & etc then it needs additional pre-processing before entering it into `values.yaml`. Example:
 ```
 export ESCAPED_WG_SERVER_PRIVATE_KEY=$(printf '%s\n' "$WG_SERVER_PRIVATE_KEY" | sed -e 's/[\/&]/\\&/g')
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..a4a67fa
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,4 @@
+output "eip_id" {
+ value = var.use_eip ? aws_eip.wireguard[0].id : null
+ description = "The elastic IP id (if `use_eip` is enabled)"
+}
diff --git a/variables.tf b/variables.tf
index 3d5f4ab..1dd0202 100644
--- a/variables.tf
+++ b/variables.tf
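Review bot: The new `output "eip_id"` in outputs.tf exposes only the allocation id, while the commit message says it is for users who need "elastic IP details" when `use_route53` is false — what a WireGuard client config actually needs is the address, so add `output "eip_public_ip" { value = var.use_eip ? aws_eip.wireguard[0].public_ip : null }` next to it. The description should also state what the `null` branch means, e.g. `description = "Allocation id of the server's Elastic IP, or null when use_eip is false"`. Neither value is secret, so no `sensitive` flag is needed.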
@@ -58,7 +58,7 @@ variable "wg_persistent_keepalive" {
 variable "use_eip" {
 type = bool
 default = false
- description = "Whether to enable Elastic IP switching code in user-data on wg server startup. If true, eip_id must also be set to the ID of the Elastic IP."
+ description = "Create and use an Elastic IP in user-data on wg server startup."
 }
 variable "use_ssm" {
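Review bot: The new `description = "Create and use an Elastic IP in user-data on wg server startup."` under-describes what the flag gates: in main.tf it also selects the IAM instance profile (`iam_instance_profile = (var.use_eip ? aws_iam_instance_profile.wireguard_profile[0].name : null)`) and patch 2 makes it a prerequisite for `use_route53`. Something like `description = "Create an Elastic IP plus the IAM instance profile the server uses to associate it at boot. Required when use_route53 is true."` tells the user what they are actually enabling. The old text referred to an `eip_id` input that the README hunk drops; if a `variable "eip_id"` is still declared elsewhere in this file (not visible in this hunk) it appears unreferenced by the main.tf lines shown and should be removed too. The `variable "use_ssm"` block that begins on the last line of the hunk continues outside it.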