Merge pull request #24 from barracuda-cloudgen-access/update

Updates
barracuda-cloudgen-access · Jun 15, 2022 · b7a3366 · b7a3366
2 parents 0a1f685 + 06e8b5f
commit b7a3366
Showing 8 changed files with 133 additions and 83 deletions.
diff --git a/.github/workflows/label-checks.yaml b/.github/workflows/label-checks.yaml
@@ -12,8 +12,8 @@ jobs:
     steps:
       - name: Check for label
         run: |
-          echo "Pull request is labeled as 'do not merge'"
-          echo "This workflow fails so that the pull request cannot be merged"
+          echo "Pull request is labeled as 'do not merge'!"
+          echo "This workflow fails so that the pull request cannot be merged!"
           exit 1
   require-semver:
     if: |
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Check for label
         run: |
-          echo "Pull request is missing semver label!"
+          echo "Pull request is missing semver label! (patch/minor/major/skip-semver)!"
           echo "This workflow fails so that the pull request cannot be merged!"
           exit 1
   require-category:
@@ -41,6 +41,6 @@ jobs:
     steps:
       - name: Check for label
         run: |
-          echo "Pull request is missing category label (feature/fix/chore)!"
+          echo "Pull request is missing category label (feature/fix/chore/docs/dependencies)!"
           echo "This workflow fails so that the pull request cannot be merged!"
           exit 1
diff --git a/.github/workflows/terraform-checks.yml b/.github/workflows/terraform-checks.yml
@@ -7,6 +7,7 @@ on:
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
+  HCLEDIT_VERSION: 0.2.3
 
 jobs:
   collectInputs:
@@ -20,7 +21,7 @@ jobs:
 
       - name: Get root directories
         id: dirs
-        uses: clowdhaus/terraform-composite-actions/directories@v1.4.1
+        uses: clowdhaus/terraform-composite-actions/directories@v1.5.0
 
   preCommitMinVersions:
     name: Min TF pre-commit
@@ -33,27 +34,30 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
+      - name: tfsec
+        uses: tfsec/tfsec-sarif-action@master
+
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.0.7
+        uses: clowdhaus/terraform-min-max@v1.0.8
         with:
           directory: ${{ matrix.directory }}
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.4.1
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.5.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
-          args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
+          args: "terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*"
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.4.1
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.5.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
-          args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
+          args: "terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)"
 
   preCommitMaxVersion:
     name: Max TF pre-commit
@@ -68,10 +72,15 @@ jobs:
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.0.7
+        uses: clowdhaus/terraform-min-max@v1.0.8
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.4.1
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.5.0
         with:
           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
           terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
+          install-hcledit: true
+          hcledit-version: ${{ env.HCLEDIT_VERSION }}
+
+      - name: check
+        run: hcledit --help
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,14 +1,13 @@
----
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.63.0
+    rev: v1.71.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
       - id: terraform_docs
       - id: terraform_tflint
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+    rev: v4.2.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
diff --git a/modules/aws-asg/README.md b/modules/aws-asg/README.md
@@ -1,19 +1,20 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.38 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.54.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.1.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.18.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.1.1 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.3.1 |
 
 ## Modules
 
@@ -33,7 +34,7 @@ No modules.
 | [aws_iam_role_policy.cloudgen_access_proxy_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_launch_configuration.launch_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource |
+| [aws_launch_template.launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [aws_lb.nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
 | [aws_lb_listener.nlb_listener](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
 | [aws_lb_target_group.nlb_target_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
@@ -54,6 +55,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_asg_ami"></a> [asg\_ami](#input\_asg\_ami) | Uses linux AMI maintained by AWS by default.<br>  Suported types are CentOS, Ubuntu or AWS Linux based. | `string` | `"amazonlinux2"` | no |
 | <a name="input_asg_desired_capacity"></a> [asg\_desired\_capacity](#input\_asg\_desired\_capacity) | The number of Amazon EC2 instances that should be running in the auto scaling group | `number` | `3` | no |
+| <a name="input_asg_health_check_grace_period"></a> [asg\_health\_check\_grace\_period](#input\_asg\_health\_check\_grace\_period) | The amount of time, in seconds, that Amazon EC2 Auto Scaling waits<br>  before checking the health status of new instances. | `number` | `300` | no |
 | <a name="input_asg_max_size"></a> [asg\_max\_size](#input\_asg\_max\_size) | The minimum size of the auto scaling group | `number` | `3` | no |
 | <a name="input_asg_min_size"></a> [asg\_min\_size](#input\_asg\_min\_size) | The maximum size of the auto scaling group | `number` | `3` | no |
 | <a name="input_asg_notification_arn_topic"></a> [asg\_notification\_arn\_topic](#input\_asg\_notification\_arn\_topic) | Optional ARN topic to get Auto Scaling Group events | `string` | `""` | no |
@@ -64,13 +66,14 @@ No modules.
 | <a name="input_cloudgen_access_proxy_public_port"></a> [cloudgen\_access\_proxy\_public\_port](#input\_cloudgen\_access\_proxy\_public\_port) | Public port for this proxy (must match the value configured in the console for this proxy) | `number` | `443` | no |
 | <a name="input_cloudgen_access_proxy_token"></a> [cloudgen\_access\_proxy\_token](#input\_cloudgen\_access\_proxy\_token) | CloudGen Access Proxy Token for this proxy (obtained from the console after proxy creation) | `string` | n/a | yes |
 | <a name="input_cloudwatch_logs_enabled"></a> [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Set to true to send '/var/log/message' logs to CloudWatch | `bool` | `true` | no |
-| <a name="input_launch_cfg_associate_public_ip_address"></a> [launch\_cfg\_associate\_public\_ip\_address](#input\_launch\_cfg\_associate\_public\_ip\_address) | Associate a public ip address with an instance in a VPC | `bool` | `false` | no |
-| <a name="input_launch_cfg_instance_type"></a> [launch\_cfg\_instance\_type](#input\_launch\_cfg\_instance\_type) | The type of instance to use (e.g. t2.micro, t2.small, t2.medium, etc) | `string` | `"t2.small"` | no |
-| <a name="input_launch_cfg_key_pair_name"></a> [launch\_cfg\_key\_pair\_name](#input\_launch\_cfg\_key\_pair\_name) | The name of the key pair to use | `string` | n/a | yes |
-| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v1.2.4"` | no |
+| <a name="input_launch_tmpl_associate_public_ip_address"></a> [launch\_tmpl\_associate\_public\_ip\_address](#input\_launch\_tmpl\_associate\_public\_ip\_address) | Associate a public ip address with an instance in a VPC | `bool` | `false` | no |
+| <a name="input_launch_tmpl_instance_type"></a> [launch\_tmpl\_instance\_type](#input\_launch\_tmpl\_instance\_type) | The type of instance to use (e.g. t3.micro, t3.small, t3.medium, etc) | `string` | `"t3.small"` | no |
+| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v2.0.0"` | no |
 | <a name="input_nlb_enable_cross_zone_load_balancing"></a> [nlb\_enable\_cross\_zone\_load\_balancing](#input\_nlb\_enable\_cross\_zone\_load\_balancing) | Configure cross zone load balancing for the NLB | `bool` | `false` | no |
 | <a name="input_nlb_subnets"></a> [nlb\_subnets](#input\_nlb\_subnets) | A list of public subnet IDs to attach to the LB. Use Public Subnets only | `list(string)` | n/a | yes |
 | <a name="input_redis_subnets"></a> [redis\_subnets](#input\_redis\_subnets) | A list of subnet IDs to to use for the redis instances.<br>  At least two subnets on different Availability Zones must be provided | `list(any)` | `[]` | no |
+| <a name="input_ssm_allow_console"></a> [ssm\_allow\_console](#input\_ssm\_allow\_console) | Configures Systems Manager Session Manager to allow console | `bool` | `true` | no |
+| <a name="input_ssm_parameter_store"></a> [ssm\_parameter\_store](#input\_ssm\_parameter\_store) | Set to false to disable querying the Systems Manager Parameter Store for process arguments | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs
@@ -79,3 +82,4 @@ No modules.
 |------|-------------|
 | <a name="output_Network_Load_Balancer_DNS_Name"></a> [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | Update the CloudGen Access Proxy in the Console with this DNS name |
 | <a name="output_Security_Group_for_Resources"></a> [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | Use this group to allow CloudGen Access Proxy access to internal resources |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/aws-asg/examples/cga-with-vpc/README.md b/modules/aws-asg/examples/cga-with-vpc/README.md
@@ -1,3 +1,4 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 No requirements.
@@ -6,23 +7,20 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.1 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | 3.1.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.18.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudgen-access-proxy"></a> [cloudgen-access-proxy](#module\_cloudgen-access-proxy) | git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg | v1.2.4 |
-| <a name="module_key_pair"></a> [key\_pair](#module\_key\_pair) | terraform-aws-modules/key-pair/aws | 1.0.0 |
+| <a name="module_cloudgen-access-proxy"></a> [cloudgen-access-proxy](#module\_cloudgen-access-proxy) | ../../ | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.0.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
-| [tls_private_key.private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 
 ## Inputs
 
@@ -36,3 +34,4 @@ No requirements.
 |------|-------------|
 | <a name="output_Network_Load_Balancer_DNS_Name"></a> [Network\_Load\_Balancer\_DNS\_Name](#output\_Network\_Load\_Balancer\_DNS\_Name) | n/a |
 | <a name="output_Security_Group_for_Resources"></a> [Security\_Group\_for\_Resources](#output\_Security\_Group\_for\_Resources) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/aws-asg/examples/cga-with-vpc/main.tf b/modules/aws-asg/examples/cga-with-vpc/main.tf
@@ -54,8 +54,10 @@ module "cloudgen-access-proxy" {
   asg_subnets          = module.vpc.private_subnets
 
   # Launch Configuration
-  launch_cfg_instance_type = "t3.small"
-  launch_cfg_key_pair_name = module.key_pair.key_pair_key_name
+  launch_tmpl_instance_type = "t3.small"
+
+  # AWS Systems Manager
+  ssm_parameter_store = false
 
   tags = {
     extra_tag = "extra-value"
@@ -70,23 +72,6 @@ output "Security_Group_for_Resources" {
   value = module.cloudgen-access-proxy.Security_Group_for_Resources
 }
 
-#
-# SSH key for instances
-#
-
-# (!) The private key will be saved in the terraform state file
-resource "tls_private_key" "private_key" {
-  algorithm = "RSA"
-}
-
-module "key_pair" {
-  source  = "terraform-aws-modules/key-pair/aws"
-  version = "1.0.0"
-
-  key_name   = local.application
-  public_key = tls_private_key.private_key.public_key_openssh
-}
-
 #
 # VPC
 #

diff --git a/modules/aws-asg/main.tf b/modules/aws-asg/main.tf
@@ -166,19 +166,23 @@ resource "aws_autoscaling_group" "asg" {
   default_cooldown          = 120
   desired_capacity          = var.asg_desired_capacity
   force_delete              = true
-  health_check_grace_period = 60
+  health_check_grace_period = var.asg_health_check_grace_period
   health_check_type         = "ELB"
-  launch_configuration      = aws_launch_configuration.launch_config.id
   max_size                  = var.asg_max_size
   metrics_granularity       = "1Minute"
   min_size                  = var.asg_min_size
-  name                      = aws_launch_configuration.launch_config.name
+  name                      = aws_launch_template.launch_template.name
   target_group_arns         = [aws_lb_target_group.nlb_target_group.arn]
   termination_policies      = ["OldestInstance"]
   vpc_zone_identifier       = var.asg_subnets
   wait_for_capacity_timeout = "10m"
   protect_from_scale_in     = false
 
+  launch_template {
+    id      = aws_launch_template.launch_template.id
+    version = aws_launch_template.launch_template.latest_version
+  }
+
   lifecycle {
     create_before_destroy = true
   }
@@ -187,7 +191,7 @@ resource "aws_autoscaling_group" "asg" {
     [
       {
         "key"                 = "Name"
-        "value"               = aws_launch_configuration.launch_config.name
+        "value"               = aws_launch_template.launch_template.name
         "propagate_at_launch" = true
       },
     ],
@@ -228,29 +232,58 @@ data "aws_ami" "ami" {
 }
 
 #
-# Launch Configuration
+# Launch Template
 #
 
-resource "aws_launch_configuration" "launch_config" {
-  associate_public_ip_address = var.launch_cfg_associate_public_ip_address
-  iam_instance_profile        = aws_iam_instance_profile.profile.id
-  image_id                    = coalesce(data.aws_ami.ami[0].id, var.asg_ami)
-  instance_type               = var.launch_cfg_instance_type
-  key_name                    = var.launch_cfg_key_pair_name
-  name_prefix                 = "cga-proxy-${random_string.prefix.result}-"
+resource "aws_launch_template" "launch_template" {
+  name_prefix = "cga-proxy-${random_string.prefix.result}-"
+
+  block_device_mappings {
+    device_name = "/dev/xvda"
+
+    ebs {
+      delete_on_termination = true
+      encrypted             = true
+      volume_size           = 8
+      volume_type           = "gp3"
+    }
+  }
+
+  iam_instance_profile {
+    arn = aws_iam_instance_profile.profile.arn
+  }
+
+  image_id                             = coalesce(data.aws_ami.ami[0].id, var.asg_ami)
+  instance_initiated_shutdown_behavior = "terminate"
+  instance_type                        = var.launch_tmpl_instance_type
 
   metadata_options {
-    http_endpoint = "enabled"
-    http_tokens   = "required"
+    http_endpoint               = "enabled"
+    http_protocol_ipv6          = "disabled"
+    http_put_response_hop_limit = 3
+    http_tokens                 = "required"
+    instance_metadata_tags      = "enabled"
   }
 
-  security_groups = compact([
-    aws_security_group.inbound.id,
-    aws_security_group.resources.id,
-    local.redis_enabled ? aws_security_group.redis[0].id : ""
-  ])
+  network_interfaces {
+    associate_public_ip_address = var.launch_tmpl_associate_public_ip_address
+    device_index                = 0
+    security_groups = compact([
+      aws_security_group.inbound.id,
+      aws_security_group.resources.id,
+      local.redis_enabled ? aws_security_group.redis[0].id : ""
+    ])
+  }
 
-  user_data = <<-EOT
+  tag_specifications {
+    resource_type = "volume"
+
+    tags = {
+      Name = "cga-proxy-${random_string.prefix.result}"
+    }
+  }
+
+  user_data = base64encode(<<-EOT
   #!/bin/bash
   %{~if var.cloudwatch_logs_enabled~}
   # Install CloudWatch Agent
@@ -261,6 +294,9 @@ resource "aws_launch_configuration" "launch_config" {
   # Install CloudGen Access Proxy
   curl -sL "https://url.access.barracuda.com/proxy-linux" | bash -s -- \
     -u \
+  %{~if !var.ssm_parameter_store~}
+    -e "DISABLE_AWS_SSM=1" \
+  %{~endif~}
   %{~if local.redis_enabled~}
     -r "${aws_elasticache_replication_group.redis[0].primary_endpoint_address}" \
     -s "${aws_elasticache_replication_group.redis[0].port}" \
@@ -272,11 +308,7 @@ resource "aws_launch_configuration" "launch_config" {
   curl -sL "https://url.access.barracuda.com/harden-linux" | bash -s --
   shutdown -r now
   EOT
-
-  root_block_device {
-    delete_on_termination = true
-    encrypted             = false #tfsec:ignore:AWS014
-  }
+  )
 
   lifecycle {
     create_before_destroy = true
@@ -332,6 +364,8 @@ resource "aws_iam_role" "role" {
     ]
   })
 
+  managed_policy_arns = var.ssm_allow_console ? ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] : null
+
   tags = {
     Name = "cga-proxy-${random_string.prefix.result}-role"
   }
@@ -357,7 +391,7 @@ resource "aws_iam_role_policy" "cloudgen_access_proxy_secrets" {
   })
 }
 
-resource "aws_iam_role_policy" "cloudwatch_logs" {
+resource "aws_iam_role_policy" "cloudwatch_logs" { #tfsec:ignore:aws-iam-no-policy-wildcards
   count = var.cloudwatch_logs_enabled ? 1 : 0
 
   name = "cga-proxy-${random_string.prefix.result}-cloudwatch-logs"

diff --git a/modules/aws-asg/variables.tf b/modules/aws-asg/variables.tf
@@ -44,7 +44,7 @@ variable "cloudgen_access_proxy_level" {
 variable "module_version" {
   description = "Terraform module version"
   type        = string
-  default     = "v1.2.4"
+  default     = "v2.0.0"
 }
 
 #
@@ -121,25 +121,45 @@ variable "asg_notification_arn_topic" {
   default     = ""
 }
 
+variable "asg_health_check_grace_period" {
+  description = <<EOF
+  The amount of time, in seconds, that Amazon EC2 Auto Scaling waits
+  before checking the health status of new instances.
+  EOF
+  type        = number
+  default     = 300
+}
+
 #
-# Launch Configuration
+# Launch Template
 #
 
-variable "launch_cfg_associate_public_ip_address" {
+variable "launch_tmpl_associate_public_ip_address" {
   description = "Associate a public ip address with an instance in a VPC"
   type        = bool
   default     = false
 }
 
-variable "launch_cfg_instance_type" {
-  description = "The type of instance to use (e.g. t2.micro, t2.small, t2.medium, etc)"
+variable "launch_tmpl_instance_type" {
+  description = "The type of instance to use (e.g. t3.micro, t3.small, t3.medium, etc)"
   type        = string
-  default     = "t2.small"
+  default     = "t3.small"
 }
 
-variable "launch_cfg_key_pair_name" {
-  description = "The name of the key pair to use"
-  type        = string
+#
+# AWS Systems Manager
+#
+
+variable "ssm_allow_console" {
+  description = "Configures Systems Manager Session Manager to allow console"
+  type        = bool
+  default     = true
+}
+
+variable "ssm_parameter_store" {
+  description = "Set to false to disable querying the Systems Manager Parameter Store for process arguments"
+  type        = bool
+  default     = true
 }
 
 #