Merge pull request #13 from masterpointio/feature/support-ssh

Gowiem · web-flow · commit fa87d64eb669 · 2024-02-20T13:46:21.000-07:00
feat: adds SSH support + tagging + upgrades ssm-agent 1.0
diff --git a/.trunk/.gitignore b/.trunk/.gitignore
@@ -6,3 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
+tmp
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
@@ -2,11 +2,11 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.17.2
+  version: 1.20.0
 plugins:
   sources:
     - id: trunk
-      ref: v1.2.6
+      ref: v1.4.3
       uri: https://github.com/trunk-io/plugins
 runtimes:
   enabled:
@@ -15,17 +15,22 @@ runtimes:
     - python@3.10.8
 lint:
   enabled:
-    - checkov@3.0.40
+    - actionlint@1.6.26
+    - checkov@3.2.22
     - git-diff-check
-    - markdownlint@0.37.0
-    - prettier@3.1.0
+    - markdownlint@0.39.0
+    - prettier@3.2.5
     - shellcheck@0.9.0
     - shfmt@3.6.0
-    - terrascan@1.18.3
-    - tflint@0.49.0
-    - trivy@0.47.0
-    - trufflehog@3.63.0
-    - yamllint@1.33.0
+    - terrascan@1.18.11
+    - tflint@0.50.3
+    - trivy@0.49.1
+    - trufflehog@3.67.6
+    - yamllint@1.35.1
+  ignore:
+    - linters: [shellcheck]
+      paths:
+        - userdata.sh.tmpl
 actions:
   enabled:
     - trunk-announce
diff --git a/README.md b/README.md
diff --git a/aqua.yaml b/aqua.yaml
@@ -0,0 +1,14 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+# checksum:
+#   enabled: true
+#   require_checksum: true
+#   supported_envs:
+#   - all
+registries:
+  - type: standard
+    ref: v4.137.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+  - name: hashicorp/terraform@v1.7.3
+  - name: opentofu/opentofu@v1.6.1
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -1,3 +1,4 @@
+# trunk-ignore-all(trivy/AVD-AWS-0178): We don't need have VPC Flow logs.
 provider "aws" {
   region = var.region
 }
diff --git a/main.tf b/main.tf
@@ -1,32 +1,39 @@
 locals {
-  tailscale_tags = [for k, v in module.this.tags : "tag:${v}" if k == "Name"]
-  userdata = templatefile("${path.module}/userdata.sh.tpl", {
-    routes   = join(",", var.advertise_routes)
-    authkey  = tailscale_tailnet_key.default.key
-    hostname = module.this.id
+
+  primary_tag              = coalesce(var.primary_tag, module.this.id)
+  prefixed_primary_tag     = "tag:${local.primary_tag}"
+  prefixed_additional_tags = [for tag in var.additional_tags : "tag:${tag}"]
+  tailscale_tags           = concat([local.prefixed_primary_tag], local.prefixed_additional_tags)
+
+  userdata = templatefile("${path.module}/userdata.sh.tmpl", {
+    routes      = join(",", var.advertise_routes)
+    authkey     = tailscale_tailnet_key.default.key
+    hostname    = module.this.id
+    tags        = join(",", local.tailscale_tags)
+    ssh_enabled = var.ssh_enabled
   })
 }
 
 module "tailscale_subnet_router" {
   source  = "masterpointio/ssm-agent/aws"
-  version = "0.17.0"
+  version = "1.0.0"
 
   context = module.this.context
   tags    = module.this.tags
 
-  vpc_id                        = var.vpc_id
-  subnet_ids                    = var.subnet_ids
-  key_pair_name                 = var.key_pair_name
+  vpc_id                    = var.vpc_id
+  subnet_ids                = var.subnet_ids
+  key_pair_name             = var.key_pair_name
+  create_run_shell_document = var.create_run_shell_document
+
   additional_security_group_ids = var.additional_security_group_ids
-  create_run_shell_document     = var.create_run_shell_document
 
   session_logging_kms_key_alias     = var.session_logging_kms_key_alias
   session_logging_enabled           = var.session_logging_enabled
   session_logging_ssm_document_name = var.session_logging_ssm_document_name
 
-  ami            = var.ami
-  instance_type  = var.instance_type
-  instance_count = var.instance_count
+  ami           = var.ami
+  instance_type = var.instance_type
 
   monitoring_enabled          = var.monitoring_enabled
   associate_public_ip_address = var.associate_public_ip_address
diff --git a/userdata.sh.tmpl b/userdata.sh.tmpl
@@ -1,5 +1,5 @@
 #!/bin/bash -ex
-exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
+exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
 
 # Enable ip_forward to allow advertising routes
 echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
@@ -18,7 +18,10 @@ sudo systemctl enable --now tailscaled
 sleep 5
 
 # Start tailscale
+# We pass --advertise-tags below even though the authkey being created with those tags should result
+# in the same effect. This is to be more explicit because tailscale tags are a complicated topic.
 sudo tailscale up \
-    --advertise-routes=${routes} \
-    --authkey=${authkey} \
-    --hostname=${hostname}
+  --advertise-routes=${routes} \
+  --advertise-tags=${tags} \
+  --authkey=${authkey} \
+  --hostname=${hostname}%{ if ssh_enabled == true } --ssh%{ endif }
diff --git a/variables.tf b/variables.tf
@@ -86,12 +86,6 @@ variable "instance_type" {
   description = "The instance type to use for the Tailscale Subnet Router EC2 instance."
 }
 
-variable "instance_count" {
-  default     = 1
-  type        = number
-  description = "The number of Tailscale Subnet Router EC2 instances you would like to deploy."
-}
-
 variable "monitoring_enabled" {
   description = "Enable detailed monitoring of instances"
   type        = bool
@@ -108,6 +102,24 @@ variable "associate_public_ip_address" {
 ## Tailscale ##
 ##############
 
+variable "primary_tag" {
+  default     = null
+  type        = string
+  description = "The primary tag to apply to the Tailscale Subnet Router machine. Do not include the `tag:` prefix. This must match the OAuth client's tag. If not provided, the module will use the module's ID as the primary tag, which is configured in context.tf"
+}
+
+variable "additional_tags" {
+  default     = []
+  type        = list(string)
+  description = "Additional Tailscale tags to apply to the Tailscale Subnet Router machine in addition to `primary_tag`. These should not include the `tag:` prefix."
+}
+
+variable "ssh_enabled" {
+  type        = bool
+  default     = true
+  description = "Enable SSH access to the Tailscale Subnet Router EC2 instance. Defaults to true."
+}
+
 variable "advertise_routes" {
   default     = []
   type        = list(string)
diff --git a/versions.tf b/versions.tf
@@ -6,14 +6,6 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.0"
     }
-    local = {
-      source  = "hashicorp/local"
-      version = ">= 1.2"
-    }
-    null = {
-      source  = "hashicorp/null"
-      version = ">= 2.0"
-    }
     tailscale = {
       source  = "tailscale/tailscale"
       version = ">= 0.13.7"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# trunk-ignore-all(trivy/AVD-AWS-0178): We don't need have VPC Flow logs.`
`1`	`2`	`provider "aws" {`
`2`	`3`	`region = var.region`
`3`	`4`	`}`