Merge pull request #8 from barracuda-cloudgen-access/update-proxy

Update proxy
barracuda-cloudgen-access · Jun 7, 2021 · 225e41f · 225e41f
2 parents f44f0bf + c72a40b
commit 225e41f
Show file tree

Hide file tree

Showing 14 changed files with 428 additions and 263 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Folder specific
+* @SRE
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# https://dependabot.com/docs/config-file-beta/validator/
+---
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,6 +8,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 defaults:
   run:
     shell: sh
@@ -39,23 +41,29 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
-    container: wata727/tflint
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-      - name: Lint
+      - name: Setup
+        uses: terraform-linters/setup-tflint@v1.1.0
+      - name: Show version
+        run: tflint --version
+      - name: Run
         run: >
           find ./modules/ -maxdepth 1 -mindepth 1
           -exec tflint {} --loglevel=info \;
 
   security:
     name: Security
     runs-on: ubuntu-latest
-    container:
-      image: liamg/tfsec
-      options: --user root
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-      - name: Security
-        run: /usr/bin/tfsec ./modules --verbose
+      - name: tfsec
+        uses: tfsec/tfsec-sarif-action@master
+        with:
+          sarif_file: tfsec.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: tfsec.sarif
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
-.terraform
+.terraform*
 terraform.tfstate
 *.tfstate*
 terraform.tfvars
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,15 +1,33 @@
 # Change Log
 
+## v1.2.0
+
+All changes are compatible with the previous versions,
+however upgrading an existing deploy will cause downtime.
+This is the recommended upgrade process:
+
+  1. Deploy new module using the same enrollment token from the existing one
+  2. After checking the target groups are all healthy, update the CloudGen Access Proxy Host on the console
+  3. Wait 15-30m to ensure all the clients updated the configuration
+  4. Destroy the previous module
+
+- [aws-asg] Update aws_elasticache_replication_group with new multi_az_enabled parameter
+- [aws-asg] Use Amazon Linux 2 AMI as default AMI
+- [aws-asg] Update naming
+- [aws-asg] Allow multiple deploys on the same region
+- [aws-asg] Allow specifying custom tags
+- [aws-asg] Require terraform 0.14 to allow sensitive variables
+
 ## v1.1.0
 
-- Require terraform 0.13 to allow validations
-- Update README and misc logic
-- Allow using custom AMI
-- Add CloudWatch logs configuration
-- Add Fyde Access Proxy log level configuration
-- Prevent lingering token after module removal
-- Create redis elasticache when instance count is more than 1
-- Recycle instances on launch configuration change
+- [aws-asg] Require terraform 0.13 to allow validations
+- [aws-asg] Update README and misc logic
+- [aws-asg] Allow using custom AMI
+- [aws-asg] Add CloudWatch logs configuration
+- [aws-asg] Add CloudGen Access Proxy log level configuration
+- [aws-asg] Prevent lingering token after module removal
+- [aws-asg] Create redis elasticache when instance count is more than 1
+- [aws-asg] Recycle instances on launch configuration change
 
 ## v1.0.0
 

diff --git a/README.md b/README.md
@@ -8,53 +8,14 @@ Visit the [Website](https://www.barracuda.com/products/cloudgen-access)
 
 Check the [Product Documentation](https://campus.barracuda.com/product/cloudgenaccess/doc/93201218/overview/)
 
-## Access Proxy
+## Modules
 
-### AWS - Auto Scaling Group
-
-Usage example:
-
-```yaml
-module "fyde-access-proxy" {
-  source = "git::git@github.com/barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.1.0"
-
-  # Fyde Access Proxy
-  fyde_access_proxy_public_port = 443
-  fyde_access_proxy_token       = "replace_with_token"
-
-  # AWS
-  aws_region = "us-east-1"
-
-  # Network Load Balancing
-  nlb_subnets = ["subnet-public-1", "subnet-public-2", "subnet-public-3"]
-
-  # Auto Scaling Group
-  asg_desired_capacity    = 3
-  asg_min_size            = 3
-  asg_max_size            = 3
-  asg_subnets             = ["subnet-private-1", "subnet-private-2", "subnet-private-3"]
-
-  # Launch Configuration
-  launch_cfg_instance_type = "t2.small"
-  launch_cfg_key_pair_name = "key_pair_name"
-}
-
-output "Network_Load_Balancer_DNS_Name" {
-  value       = module.fyde-access-proxy.Network_Load_Balancer_DNS_Name
-}
-
-output "Security_Group_for_Resources" {
-  value       = module.fyde-access-proxy.Security_Group_for_Resources
-}
-```
-
-Check all the available variables [here](modules/aws-asg/README.md)
+- [CloudGen Access Proxy ASG](./modules/aws-asg/)
 
 ## Misc
 
 - This repository has [pre-commit](https://github.com/antonbabenko/pre-commit-terraform) configured
   - Test all the pre-commit hooks with `pre-commit run -a`
-- Test branch with `git::git@github.com:fyde/terraform-modules.git//modules/aws-asg?ref=<branch-name>`
 - Test github actions with [nektos/act](https://github.com/nektos/act)
 
 ## Links

diff --git a/modules/aws-asg/README.md b/modules/aws-asg/README.md
@@ -2,16 +2,19 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 2 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 0.14 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.26 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3 |
 | <a name="requirement_template"></a> [template](#requirement\_template) | ~> 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 2 |
-| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.26 |
+| <a name="provider_null"></a> [null](#provider\_null) | ~> 3 |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3 |
 
 ## Modules
 
@@ -23,13 +26,13 @@ No modules.
 |------|------|
 | [aws_autoscaling_group.asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
 | [aws_autoscaling_notification.notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_notification) | resource |
-| [aws_cloudwatch_log_group.fyde_access_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.cloudgen_access_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_elasticache_replication_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource |
 | [aws_elasticache_subnet_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
 | [aws_iam_instance_profile.profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.cloudgen_access_proxy_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.fyde_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_launch_configuration.launch_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource |
 | [aws_lb.nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
@@ -41,38 +44,39 @@ No modules.
 | [aws_security_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [null_resource.redis_multiaz_enable](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.tags_as_list_of_maps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [aws_ami.fyde_access_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [random_string.prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_ami.ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_subnet.vpc_from_first_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_asg_ami"></a> [asg\_ami](#input\_asg\_ami) | Defaults to 'fyde' to use the AMI maintained and secured by Fyde.<br>  Suported types are CentOS or AWS Linux based" | `string` | `"fyde"` | no |
+| <a name="input_asg_ami"></a> [asg\_ami](#input\_asg\_ami) | Uses linux AMI maintained by AWS by default.<br>  Suported types are CentOS, Ubuntu or AWS Linux based. | `string` | `"amazonlinux2"` | no |
 | <a name="input_asg_desired_capacity"></a> [asg\_desired\_capacity](#input\_asg\_desired\_capacity) | The number of Amazon EC2 instances that should be running in the auto scaling group | `number` | `3` | no |
 | <a name="input_asg_max_size"></a> [asg\_max\_size](#input\_asg\_max\_size) | The minimum size of the auto scaling group | `number` | `3` | no |
 | <a name="input_asg_min_size"></a> [asg\_min\_size](#input\_asg\_min\_size) | The maximum size of the auto scaling group | `number` | `3` | no |
 | <a name="input_asg_notification_arn_topic"></a> [asg\_notification\_arn\_topic](#input\_asg\_notification\_arn\_topic) | Optional ARN topic to get Auto Scaling Group events | `string` | `""` | no |
-| <a name="input_asg_subnets"></a> [asg\_subnets](#input\_asg\_subnets) | A list of subnet IDs to launch resources in.<br>  Use Private Subnets with NAT Gateway configured or Public Subnets | `list` | n/a | yes |
+| <a name="input_asg_subnets"></a> [asg\_subnets](#input\_asg\_subnets) | A list of subnet IDs to launch resources in.<br>  Use Private Subnets with NAT Gateway configured or Public Subnets | `list(any)` | n/a | yes |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes |
 | <a name="input_cloudWatch_logs_retention_in_days"></a> [cloudWatch\_logs\_retention\_in\_days](#input\_cloudWatch\_logs\_retention\_in\_days) | Days to keep CloudWatch logs (Possible values are:<br>    1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0.<br>    0 = never delete.) | `number` | `7` | no |
+| <a name="input_cloudgen_access_proxy_level"></a> [cloudgen\_access\_proxy\_level](#input\_cloudgen\_access\_proxy\_level) | Set the CloudGen Access Proxy orchestrator log level | `string` | `"info"` | no |
+| <a name="input_cloudgen_access_proxy_public_port"></a> [cloudgen\_access\_proxy\_public\_port](#input\_cloudgen\_access\_proxy\_public\_port) | Public port for this proxy (must match the value configured in the console for this proxy) | `number` | `443` | no |
+| <a name="input_cloudgen_access_proxy_token"></a> [cloudgen\_access\_proxy\_token](#input\_cloudgen\_access\_proxy\_token) | CloudGen Access Proxy Token for this proxy (obtained from the console after proxy creation) | `string` | n/a | yes |
 | <a name="input_cloudwatch_logs_enabled"></a> [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Set to true to send '/var/log/message' logs to CloudWatch | `bool` | `true` | no |
-| <a name="input_fyde_access_proxy_public_port"></a> [fyde\_access\_proxy\_public\_port](#input\_fyde\_access\_proxy\_public\_port) | Public port for this proxy (must match the value configured in the console for this proxy) | `number` | `443` | no |
-| <a name="input_fyde_access_proxy_token"></a> [fyde\_access\_proxy\_token](#input\_fyde\_access\_proxy\_token) | Fyde Access Proxy Token for this proxy (obtained from the console after proxy creation) | `any` | n/a | yes |
-| <a name="input_fyde_proxy_level"></a> [fyde\_proxy\_level](#input\_fyde\_proxy\_level) | Set the Fyde Proxy orchestrator log level | `string` | `"info"` | no |
 | <a name="input_launch_cfg_associate_public_ip_address"></a> [launch\_cfg\_associate\_public\_ip\_address](#input\_launch\_cfg\_associate\_public\_ip\_address) | Associate a public ip address with an instance in a VPC | `bool` | `false` | no |
-| <a name="input_launch_cfg_instance_type"></a> [launch\_cfg\_instance\_type](#input\_launch\_cfg\_instance\_type) | The type of instance to use (t2.micro, t2.small, t2.medium, etc) | `string` | `"t2.small"` | no |
+| <a name="input_launch_cfg_instance_type"></a> [launch\_cfg\_instance\_type](#input\_launch\_cfg\_instance\_type) | The type of instance to use (e.g. t2.micro, t2.small, t2.medium, etc) | `string` | `"t2.small"` | no |
 | <a name="input_launch_cfg_key_pair_name"></a> [launch\_cfg\_key\_pair\_name](#input\_launch\_cfg\_key\_pair\_name) | The name of the key pair to use | `string` | n/a | yes |
-| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v1.1.0"` | no |
+| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v1.2.0"` | no |
 | <a name="input_nlb_enable_cross_zone_load_balancing"></a> [nlb\_enable\_cross\_zone\_load\_balancing](#input\_nlb\_enable\_cross\_zone\_load\_balancing) | Configure cross zone load balancing for the NLB | `bool` | `false` | no |
 | <a name="input_nlb_subnets"></a> [nlb\_subnets](#input\_nlb\_subnets) | A list of public subnet IDs to attach to the LB. Use Public Subnets only | `list(string)` | n/a | yes |
-| <a name="input_redis_subnets"></a> [redis\_subnets](#input\_redis\_subnets) | A list of subnet IDs to to use for the redis instances.<br>  At least two subnets on different Availability Zones must be provided | `list` | `[]` | no |
+| <a name="input_redis_subnets"></a> [redis\_subnets](#input\_redis\_subnets) | A list of subnet IDs to to use for the redis instances.<br>  At least two subnets on different Availability Zones must be provided | `list(any)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_Network_Load_Balancer_DNS_Name"></a> [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | Update the Fyde Access Proxy in the Console with this DNS name |
+| <a name="output_Network_Load_Balancer_DNS_Name"></a> [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | Update the CloudGen Access Proxy in the Console with this DNS name |