Skip to content
This repository has been archived by the owner on Dec 17, 2024. It is now read-only.

Terraform module to provision Teleport related resources

License

Notifications You must be signed in to change notification settings

skyscrapers/terraform-teleport

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

** DEPRECATION NOTICE: We no longer maintain these modules. Please get in contact if you are interested taking over the codebase. **

terraform-teleport

Terraform module to provision Teleport related resources.

Starting from version 5.0.0, this module uses Terraform 0.12 syntax.

teleport-bootstrap-script

This module creates a script to configure and start the Teleport service on a server. It's useful on pre-built images, where everything is already setup on build-time but Teleport still needs to be configured with the actual node information, like private IP, node name and auth credentials. It uses envsubst to set the correct configuration into /etc/teleport.yaml, so the following environment variables need to be present in that file before running this script:

  • $ADVERTISE_IP
  • $AUTH_TOKEN
  • $AUTH_SERVER
  • $NODENAME

Requirements

Name Version
terraform >= 1.0.0

Providers

No providers.

Modules

No modules.

Resources

No resources.

Inputs

Name Description Type Default Required
auth_server Auth server that this node will connect to, including the port number string n/a yes
auth_token Auth token that this node will present to the auth server. Note that this should be the bare token, without the type prefix. See the official documentation on static tokens for more info string n/a yes
function Function that this node performs, will be the first part of the node name string n/a yes
additional_labels List of additional labels to add to the Teleport node. Every list item represents a label, with its key and value. Example: ["k8s_version: 1.10.10", "instance_type: t2.medium"] list(string) [] no
environment Environment where this node belongs to, will be the third part of the node name string "" no
include_instance_id If running in EC2, also include the instance ID in the node name. This is needed in autoscaled environments, so nodes don't collide with each other if they get recycled/autoscaled bool true no
project Project where this node belongs to, will be the second part of the node name string "" no

Outputs

Name Description
teleport_bootstrap_script The rendered script to add to the Instance cloud-init user data
teleport_config_cloudinit The rendered Teleport config that you can add to the instance cloud-init user data
teleport_service_cloudinit The rendered Teleport systemd service that you can add to the instance cloud-init user data

The two cloudinit outputs can be used in the context of write files. Example:

write_files:
${teleport_config}
${teleport_service}

Example

data "cloudinit_config" "api_cloudinit" {
  gzip          = true
  base64_encode = true

  # Configure teleport
  part {
    content_type = "text/cloud-config"
    content =<<EOF
#cloud-config

write_files:
${module.teleport_bootstrap_script.teleport_config_cloudinit}
${module.teleport_bootstrap_script.teleport_service_cloudinit}
EOF
  }

  # Start teleport
  part {
    content_type = "text/x-shellscript"
    content      = "${module.teleport_bootstrap_script.teleport_bootstrap_script}"
  }
}

module "teleport_bootstrap_script" {
  source      = "github.com/skyscrapers/terraform-teleport//teleport-bootstrap-script?ref=1.0.0"
  auth_server = "tools01.customer.skyscrape.rs:3025"
  auth_token  = "something_really_really_secret"
  function    = "api"
  environment = "${terraform.workspace}"
}

teleport-server

This module will deploy Teleport on an EC2 instance. The same server will run both auth and proxy. It'll also create an EIP and a Route53 record to be able to access Teleport. The server will use Letsencrypt to retrieve a valid certificate for the Teleport server. It'll use the DNS challenge with Route53 to validate the domain name, but in case the Route53 sub-zone is not completely setup during the first boot and Letsencrypt fails to generate a valid certificate, the server will keep retrying until it does, and in the meantime, Teleport will use a self-signed certificate for the Web UI and API.

Requirements

These are the requirements to apply this module:

  • Teleport pre-built in an AMI: to avoid relying on external sources during boot time, all dependencies have to be present in the AMI, and that includes Teleport and the CloudWatch logs agent. Skyscrapers publishes and maintains such an AMI, and can be found with the filter:
    • owner-id: "496014204152"
    • name: "ebs-teleport-*"
    • tag:project: "teleport"
  • Route53 zone
  • VPC and a subnet where to deploy the EC2 instance
Name Version
terraform ~> 1.0
aws >= 4.0

Providers

Name Version
aws >= 4.0
aws.route53 >= 4.0
cloudinit n/a

Modules

No modules.

Resources

Name Type
aws_cloudwatch_log_group.teleport resource
aws_cloudwatch_log_group.teleport_audit resource
aws_eip.teleport_public resource
aws_iam_instance_profile.profile resource
aws_iam_role.role resource
aws_iam_role_policy.policy resource
aws_instance.teleport_instance resource
aws_route53_record.teleport resource
aws_route53_record.teleport_sub resource
aws_s3_bucket.sessions resource
aws_s3_bucket_public_access_block.sessions resource
aws_security_group.teleport_server resource
aws_security_group_rule.internet_http_access resource
aws_security_group_rule.internet_https_access resource
aws_security_group_rule.ntp resource
aws_security_group_rule.teleport_auth_from_nodes resource
aws_security_group_rule.teleport_auth_from_proxy_self resource
aws_security_group_rule.teleport_https_auth_to_world resource
aws_security_group_rule.teleport_https_proxy_from_world resource
aws_security_group_rule.teleport_kube_proxy_to_world resource
aws_security_group_rule.teleport_le_http_proxy_from_world resource
aws_security_group_rule.teleport_le_https_proxy_from_world resource
aws_security_group_rule.teleport_nodes_from_proxy_self resource
aws_security_group_rule.teleport_proxy_to_auth_self resource
aws_security_group_rule.teleport_proxy_to_nodes resource
aws_security_group_rule.teleport_proxy_to_nodes_self resource
aws_security_group_rule.teleport_reverse_ssh_proxy_from_world resource
aws_security_group_rule.teleport_reverse_ssh_proxy_to_world resource
aws_security_group_rule.teleport_ssh_proxy_from_world resource
aws_ami.teleport_ami data source
aws_iam_policy_document.teleport data source
aws_region.current data source
aws_route53_zone.root data source
aws_subnet.teleport data source
cloudinit_config.teleport data source

Inputs

Name Description Type Default Required
environment The environment where this setup belongs to. Only for naming reasons string n/a yes
letsencrypt_email Email to use to register to letsencrypt string n/a yes
project A project where this setup belongs to. Only for naming reasons string n/a yes
r53_zone The Route53 zone where to add the Teleport DNS record string n/a yes
subnet_id Subnet id where the EC2 instance will be deployed string n/a yes
allowed_cli_cidr_blocks CIDR blocks that are allowed to access the cli interface of the proxy server list(string)
[
"0.0.0.0/0"
]
no
allowed_kube_cidr_blocks CIDR blocks that are allowed to access the kubernetes interface of the proxy server list(string)
[
"0.0.0.0/0"
]
no
allowed_node_cidr_blocks CIDR blocks that are allowed to access the API interface in the auth server list(string)
[
"10.0.0.0/8"
]
no
allowed_tunnel_cidr_blocks CIDR blocks that are allowed to access the reverse tunnel interface of the proxy server list(string)
[
"0.0.0.0/0"
]
no
allowed_web_cidr_blocks CIDR blocks that are allowed to access the web interface of the proxy server list(string)
[
"0.0.0.0/0"
]
no
ami_id AMI id for the EC2 instance string null no
instance_ebs_optimized If true, the launched EC2 instance will be EBS-optimized. Note that if this is not set on an instance type that is optimized by default then this will show as disabled but if the instance type is optimized by default then there is no need to set this and there is no effect to disabling it. See the EBS Optimized section of the AWS User Guide for more information bool null no
instance_type Instance type for the EC2 instance string "t3.small" no
key_name SSH key name for the EC2 instance string null no
log_retention_period Amount of days to keep the logs number 30 no
root_vl_delete Whether the root volume of the EC2 instance should be destroyed on instance termination bool true no
root_vl_encrypted Whether the root volume of the EC2 instance should be encrypted bool true no
root_vl_size Volume size for the root volume of the EC2 instance, in gigabytes number 16 no
root_vl_type Volume type for the root volume of the EC2 instance. Can be standard, gp2, or io1 string "gp2" no
teleport_auth_tokens List of static tokens to configure in the Teleport server. Note that these tokens will be added "as-is" in the Teleport configuration, so they must be pre-fixed with the token type (e.g. teleport_auth_tokens = ["node:sdf34asd7f832efhsdnfsjdfh3i24788923r"]). See the official documentation on static tokens for more info list(string) [] no
teleport_auth_type Default authentication type. Possible values are 'local' and 'github' string "local" no
teleport_cluster_name Name of the teleport cluster string null no
teleport_dynamodb_table Name of the DynamoDB table to configure in Teleport string null no
teleport_hostname DNS hostname that will be created for the teleport server string "teleport" no
teleport_log_output Teleport logging configuration, possible values are stdout, stderr and syslog string "stdout" no
teleport_log_severity Teleport logging configuration, possible severity values are INFO, WARN and ERROR string "ERROR" no
teleport_session_recording Setting for configuring session recording in Teleport. Check the official documentation for more info string "node" no
teleport_version Teleport version to use. Will be used to search for a compatible AMI if ami_id is null. If not set, will search for the newest AMI string null no

Outputs

Name Description
teleport_cluster_name Name of the teleport cluster
teleport_server_fqdn FQDN of the DNS record of the Teleport server.
teleport_server_instance_id Instance id of the Teleport server.
teleport_server_instance_profile_arn Instance profile ARN of the Teleport server.
teleport_server_instance_profile_id Instance profile id of the Teleport server.
teleport_server_instance_profile_name Instance profile name of the Teleport server.
teleport_server_private_ip Private IP of the Teleport server.
teleport_server_public_ip Public IP of the Teleport server.
teleport_server_role_arn Role ARN of the Teleport server.
teleport_server_role_id Role id of the Teleport server.
teleport_server_role_name Role name of the Teleport server.
teleport_server_sg_id Security group id of the Teleport server.

Example

module "teleport_ec2" {
  source                  = "github.com/skyscrapers/terraform-teleport//teleport-server?ref=8.0.0"
  project                    = "int"
  environment                = "tools"
  teleport_hostname          = "teleport"
  r53_zone                   = "tools.example.com"
  subnet_id                  = var.public_lb_subnets[0]
  key_name                   = mykey

  teleport_auth_tokens = sensitive(concat(
    ["node:${random_password.node_token.result}"],
    ["kube,app:${random_password.agent_token.result}"],
  ))

  providers = {
    aws         = aws
    aws.route53 = aws.route53
  }
}

Migrating to >= 8.0.0

Starting version 8.0.0 of the module, we introduced 2 breaking changes:

  • Renamed teleport_subdomain variable to teleport_hostname
  • Introduced the possibility to host the R53 zone in a different AWS account. If you want to keep the functionality as before, just point the aws.route53 provider alias to the main aws one.
module "teleport_ec2" {
  providers = {
    aws.route53 = aws
  }
}

teleport-node-sg-rules

This module will create the needed security group rules to allow a Teleport node to join a cluster. It requires the security groups of the three components (see "Available variables"), although both proxy and auth might run in the same server and have the same security group.

Available variables

Name Description Type Default Required
teleport_auth_sg_id Security group id of the auth server. string - yes
teleport_node_sg_id Security group id of the node server. string - yes
teleport_proxy_sg_id Security group id of the proxy server. string - yes

Outputs

\

Example

module "teleport_vault_sg_rules" {
  teleport_proxy_sg_id = "${data.terraform_remote_state.teleport.teleport_server_sg_id}"
  teleport_node_sg_id  = "${module.ha_vault.sg_id}"
  teleport_auth_sg_id  = "${data.terraform_remote_state.teleport.teleport_server_sg_id}"
}