Bensky/fix sshuttle (#76)

* reverting userdata changes

* removing variable from readme

* adding changelog updates

* input fixes

* removing commit changes

* re-adding route53 variable changes

* Revert "removing commit changes"

This reverts commit 5b96450.

* removing route_53_zone_id optional changes

* removing 1/11/22 changes

* adding extra tag option

* changing dynamic name

* changing dynamic syntax

* changing extra dags default value

* changing input type

aws/CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [aws-unreleased]
+* Removing userdata changes and related variables, so sshuttle commands will work.
+
 ## [aws-unreleased]
 * Add input variable `additional_user_data_end` to execute commands after users creation.
 * Add `ssh_key_name` to support external `aws_key_pair` resource.

aws/README.md

@@ -102,6 +102,12 @@ Description: An S3 bucket to store data that should persist on the bastion when
 
 Type: `any`
 
+#### route53\_zone\_id
+
+Description: ID of the ROute53 zone for the bastion to add its host record.
+
+Type: `any`
+
 #### unattended\_upgrade\_email\_recipient
 
 Description: An email address where unattended upgrade errors should be emailed. THis sets the option in /etc/apt/apt.conf.d/50unattended-upgrades
@@ -236,14 +242,6 @@ Type: `string`
 
 Default: `"true"`
 
-#### route53\_zone\_id
-
-Description: ID of the ROute53 zone for the bastion to add its host record.
-
-Type: `string`
-
-Default: `""`
-
 #### ssh\_cidr\_blocks
 
 Description: A list of CIDRs allowed to SSH to the bastion. Override the module default by specifying an empty list, []
@@ -258,17 +256,9 @@ Default:
 ]
 ```
 
-#### ssh\_key\_name
-
-Description: Key name of a pre-existing AWS SSH Key Pair to use. This input is mutually exclusive with the `ssh_public_key_file` input, which can be used instead to create a new Key Pair.
-
-Type: `string`
-
-Default: `""`
-
 #### ssh\_public\_key\_file
 
-Description: The *content* of an existing SSH public key file, that will be used to create an AWS SSH Key Pair. This input is mutually exclusive with the `ssh_key_name` input, which can be used instead to reference a pre-existing Key Pair.
+Description: The content of an existing SSH public key file, that will be used to create an AWS SSH Key Pair. Yes, this input has an unfortunate name.
 
 Type: `string`
 
@@ -313,4 +303,4 @@ We are happy to share this internal module with the community. We appreciate sug
 
 ## Design Considerations
 
-The [design document](../DESIGN.md) describes the goals and vision for this project. 
+The [design document](../DESIGN.md) describes the goals and vision for this project. 

aws/auto-scaling.tf

@@ -19,6 +19,16 @@ resource "aws_autoscaling_group" "bastion" {
     propagate_at_launch = true
   }
 
+  dynamic "tag" {
+    for_each = var.extra_asg_tags
+    content {
+      key = tag.value["key"]
+      value = tag.value["value"]
+      propagate_at_launch = tag.value["propagate_at_launch"]
+    }
+  }
+
+
   # THis needs to match the Launch Configuration.
   lifecycle {
     create_before_destroy = true

aws/bastion-userdata.tmpl

@@ -82,51 +82,44 @@ info "Configuring CloudWatch Agent. . ." && \
 /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:cloudwatch-agent.conf -s && \
 rm -f cloudwatch-agent.conf cloudwatch-agent.deb
 
-zone_id="${zone_id}"
-
-if [ ! -z "$zone_id" ]
-then
-  info Setting up DNS registration on boot
-  info Downloading the cli53 tool
-  curl -Lo /usr/local/bin/cli53 https://github.com/barnybug/cli53/releases/download/0.8.13/cli53-linux-amd64
-  chmod +x /usr/local/bin/cli53
-  info Creating the /usr/local/bin/register-dns script using route53 zone ID ${zone_id}. . .
-  cat <<'EOF' >/usr/local/bin/register-dns
-  #!/bin/bash
+info Setting up DNS registration on boot
+info Downloading the cli53 tool
+curl -Lo /usr/local/bin/cli53 https://github.com/barnybug/cli53/releases/download/0.8.13/cli53-linux-amd64
+chmod +x /usr/local/bin/cli53
+info Creating the /usr/local/bin/register-dns script using route53 zone ID ${zone_id}. . .
+cat <<'EOF' >/usr/local/bin/register-dns
+#!/bin/bash
 
-  zone_id="${zone_id}"
-  bastion_name="${bastion_name}"
-  public_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-  zone_name=$(cli53 list -f csv |grep ${zone_id}|cut -d, -f2)
+zone_id="${zone_id}"
+bastion_name="${bastion_name}"
+public_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
+zone_name=$(cli53 list -f csv |grep ${zone_id}|cut -d, -f2)
 
-  echo $0 - registering $${bastion_name}.$${zone_name} to IP $${public_ip} using zone ID $${zone_id}...
+echo $0 - registering $${bastion_name}.$${zone_name} to IP $${public_ip} using zone ID $${zone_id}...
 
-  cli53 rrcreate --replace \
-  $${zone_id} "$${bastion_name} 60 A $${public_ip}"
+cli53 rrcreate --replace \
+$${zone_id} "$${bastion_name} 60 A $${public_ip}"
 
 EOF
-  chmod +x /usr/local/bin/register-dns
+chmod +x /usr/local/bin/register-dns
 
-  info Installing the register-dns systemd service
-  cat <<EOF >/etc/systemd/system/register-dns.service
-  [Unit]
-  Description=Register the public IP address in DNS
+info Installing the register-dns systemd service
+cat <<EOF >/etc/systemd/system/register-dns.service
+[Unit]
+Description=Register the public IP address in DNS
 
-  [Service]
-  ExecStart=/usr/local/bin/register-dns
-  Type=oneshot
-  RemainAfterExit=yes
+[Service]
+ExecStart=/usr/local/bin/register-dns
+Type=oneshot
+RemainAfterExit=yes
 
-  [Install]
-  WantedBy=multi-user.target
+[Install]
+WantedBy=multi-user.target
 
 EOF
-  systemctl daemon-reload
-  systemctl enable register-dns
-  systemctl start register-dns
-else
-  info Skip DNS registration on boot
-fi
+systemctl daemon-reload
+systemctl enable register-dns
+systemctl start register-dns
 
 info Configuring unattended upgrades in /etc/apt/apt.conf.d/50unattended-upgrades
 cat <<EOF >>/etc/apt/apt.conf.d/50unattended-upgrades
@@ -138,7 +131,7 @@ Unattended-Upgrade::Mail "${unattended_upgrade_email_recipient}";
 ${unattended_upgrade_additional_configs}
 EOF
 
-# Execute optional additional user data (before additional users are created).
+# Execute optional additional user data.
 if [ "$${additional_user_data}x" == "x" ] ; then
   info "Executing additional_user_data. . ."
   ${additional_user_data}
@@ -176,13 +169,6 @@ systemctl daemon-reload
 systemctl enable additional-external-users
 systemctl start additional-external-users
 
-# Execute optional additional user data (after additional users are created).
-if [ "$${additional_user_data_end}x" == "x" ] ; then
-  info "Executing additional_user_data_end. . ."
-  ${additional_user_data_end}
-  info "Finished executing additional_user_data_end. . ."
-fi
-
 # Use a temporary variable to more easily compare the lowercase remove_root_access input.
 rra=$(echo ${remove_root_access} |tr '[:upper:]' '[:lower:]')
 if test $rra == "true" -o $rra == "yes" -o $rra == "1" ; then
@@ -195,8 +181,4 @@ else
 fi
 
 info Rebooting, if required by any kernel updates earlier
-if test -r /var/run/reboot-required ; then
-  echo Reboot is required, doing that now...
-  shutdown -r now
-fi
-
+test -r /var/run/reboot-required && echo Reboot is required, doing that now... && shutdown -r now

aws/iam.tf

@@ -81,7 +81,6 @@ EOF
 }
 
 resource "aws_iam_role_policy" "bastion_route53" {
-  count = var.route53_zone_id == "" ? 0 : 1
 
   name = "bastion-route53"
   role = aws_iam_role.bastion_role.id

aws/inputs.tf

@@ -47,12 +47,7 @@ variable "additional_external_users" {
 }
 
 variable "additional_user_data" {
-  description = "Content to be appended to UserData, which is run the first time the bastion EC2 boots, before additional users are created."
-  default     = ""
-}
-
-variable "additional_user_data_end" {
-  description = "Content to be appended to UserData, which is run the first time the bastion EC2 boots, after additional users are created."
+  description = "Content to be appended to UserData, which is run the first time the bastion EC2 boots."
   default     = ""
 }
 
@@ -65,7 +60,6 @@ variable "route53_zone_id" {
   # This zone ID is turned into a zone name by the `register-dns` script,
   # which is created by user-data.
   description = "ID of the ROute53 zone for the bastion to add its host record."
-  default = ""
 }
 
 variable "log_retention" {
@@ -82,13 +76,8 @@ variable "vpc_subnet_ids" {
   description = "A list of subnet IDs where the Auto Scaling Group can place the bastion."
 }
 
-variable "ssh_key_name" {
-  description = "Key name of a pre-existing AWS SSH Key Pair to use. This input is mutually exclusive with the `ssh_public_key_file` input, which can be used instead to create a new Key Pair."
-  default     = ""
-}
-
 variable "ssh_public_key_file" {
-  description = "The *content* of an existing SSH public key file, that will be used to create an AWS SSH Key Pair. This input is mutually exclusive with the `ssh_key_name` input, which can be used instead to reference a pre-existing Key Pair."
+  description = "The content of an existing SSH public key file, that will be used to create an AWS SSH Key Pair. Yes, this input has an unfortunate name."
   default     = ""
 }
 
@@ -122,3 +111,9 @@ variable "encrypt_root_volume" {
   description = "If true, encrypt the root ebs volume of the bastion"
   default     = true
 }
+
+variable "extra_asg_tags" {
+  type = list
+  description = "Extra tags for the bastion autoscaling group"
+  default = []
+}

aws/launchconfig.tf

@@ -13,7 +13,6 @@ data "template_file" "bastion_user_data" {
     unattended_upgrade_additional_configs = var.unattended_upgrade_additional_configs
     remove_root_access                    = var.remove_root_access
     additional_user_data                  = var.additional_user_data
-    additional_user_data_end              = var.additional_user_data_end
     # Join the rendered templates per additional user into a single string variable.
 
     additional_user_templates                                   = join("\n", data.template_file.additional_user.*.rendered)
@@ -36,7 +35,7 @@ resource "aws_launch_configuration" "bastion" {
   associate_public_ip_address = "true"
 
   user_data_base64 = base64gzip(data.template_file.bastion_user_data.rendered)
-  key_name         = var.ssh_key_name != "" ? var.ssh_key_name : (length(aws_key_pair.bastion) > 0 ? aws_key_pair.bastion[0].id : null)
+  key_name = length(aws_key_pair.bastion) > 0 ? aws_key_pair.bastion[0].id : null
 
   root_block_device {
     encrypted = var.encrypt_root_volume
@@ -51,4 +50,3 @@ resource "aws_launch_configuration" "bastion" {
     ignore_changes = [image_id]
   }
 }
-