Credstash has been removed (#10)

Author: leventyalcin

README.md

@@ -7,10 +7,6 @@ This module setups a VPN server for a VPC to connect to instances.
 
 After provisioning, don't forget to run commands below:
 
-* **credstash**
-  * `export BACKUP_ENCRYPTION_KEY=$(uuidgen)`
-  * `credstash -r REGION -t CREDSTASH_TABLE_NAME put -k alias/CREDSTASH_TABLE_NAME BACKUP_ENCRYPTION_KEY $BACKUP_ENCRYPTION_KEY`
-  * `credstash -r REGION -t CREDSTASH_TABLE_NAME put -k alias/CREDSTASH_TABLE_NAME HEALTHCHECKS_IO_KEY CHANGEME-WITH-THE-KEY-FROM-HEALTHCHECKS-IO`
 * **Pritunl setup**
   * `sudo pritunl setup-key`
 
@@ -21,8 +17,10 @@ After provisioning, don't forget to run commands below:
 * **public_subnet_id:** One of the public subnets to create the instance
 * **ami_id:** Amazon Linux AMI ID
 * **instance_type:** Instance type of the VPN box (t2.small is mostly enough)
-* **office_ip_cidrs:** List of office IP addresses that you can SSH and non-VPN connected users can reach temporary profile download pages
-* **tags**: Map of AWS Tag key and values
+* **whitelist:** List of office IP addresses that you can SSH and non-VPN connected users can reach temporary profile download pages
+* **tags:** Map of AWS Tag key and values
+* **resource_name_prefix:** All the resources will be prefixed with the value of this variable
+* **healthchecks_io_key:** Health check key for healthchecks.io
 
 # Outputs
 * **vpn_instance_private_ip_address:** Private IP address of the instance
@@ -38,14 +36,15 @@ provider "aws" {
 }
 
 module "app_pritunl" {
-  source = "github.com/opsgang/terraform_pritunl?ref=1.1.0"
+  source = "github.com/opsgang/terraform_pritunl?ref=2.0.0"
 
   aws_key_name         = "org-eu-west-2"
   vpc_id               = "${module.vpc.vpc_id}"
   public_subnet_id     = "${module.vpc.public_subnets[1]}"
   ami_id               = "ami-403e2524"
   instance_type        = "t2.nano"
-  resource_name_prefix = "agate-pritunl"
+  resource_name_prefix = "opsgang-pritunl"
+  healthchecks_io_key  = "NNNNNNNN-NNNN-NNNN-NNNN-NNNNNNNNNNN"
 
   whitelist = [
     "8.8.8.8/32",

main.tf

@@ -1,61 +1,37 @@
-data "aws_region" "current" {
-  current = true
-}
+data "aws_region" "current" {}
 
 data "aws_caller_identity" "current" {}
 
 data "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.sh.tpl")}"
 
   vars {
-    aws_region           = "${data.aws_region.current.name}"
-    s3_backup_bucket     = "${var.resource_name_prefix}-backup"
-    credstash_table_name = "${var.resource_name_prefix}-credstash"
+    aws_region          = "${data.aws_region.current.name}"
+    s3_backup_bucket    = "${var.resource_name_prefix}-backup"
+    healthchecks_io_key = "/pritunl/${var.resource_name_prefix}/healthchecks-io-key"
   }
 }
 
-data "template_file" "credstash_policy" {
+data "template_file" "kms_policy" {
   template = "${file("${path.module}/templates/key_policy.json.tpl")}"
 
   vars {
     resource_name_prefix = "${var.resource_name_prefix}"
-    key_admin_arn        = "${aws_iam_role.role.arn}"
     account_id           = "${data.aws_caller_identity.current.account_id}"
+    key_admin_arn        = "${aws_iam_role.role.arn}"
   }
 }
 
 data "template_file" "iam_instance_role_policy" {
   template = "${file("${path.module}/templates/iam_instance_role_policy.json.tpl")}"
 
   vars {
+    s3_backup_bucket     = "${var.resource_name_prefix}-backup"
     resource_name_prefix = "${var.resource_name_prefix}"
-    db_credstash_arn     = "${aws_dynamodb_table.db_credstash.arn}"
-  }
-}
-
-resource "aws_dynamodb_table" "db_credstash" {
-  name           = "${var.resource_name_prefix}-credstash"
-  read_capacity  = 1
-  write_capacity = 1
-  hash_key       = "name"
-  range_key      = "version"
-
-  attribute {
-    name = "name"
-    type = "S"
-  }
-
-  attribute {
-    name = "version"
-    type = "S"
+    aws_region           = "${data.aws_region.current.name}"
+    account_id           = "${data.aws_caller_identity.current.account_id}"
+    ssm_key_prefix       = "/pritunl/${var.resource_name_prefix}/*"
   }
-
-  tags = "${
-            merge(
-              map("Name", format("%s-%s", var.resource_name_prefix, "credstash")),
-              var.tags,
-            )
-          }"
 }
 
 resource "null_resource" "waiter" {
@@ -66,35 +42,61 @@ resource "null_resource" "waiter" {
   }
 }
 
-resource "aws_kms_key" "credstash" {
+resource "aws_kms_key" "parameter_store" {
   depends_on = ["null_resource.waiter"]
 
-  description = "Credstash space for ${var.resource_name_prefix}"
+  description = "Parameter store and backup key for ${var.resource_name_prefix}"
 
-  policy                  = "${data.template_file.credstash_policy.rendered}"
-  deletion_window_in_days = 7
+  policy                  = "${data.template_file.kms_policy.rendered}"
+  deletion_window_in_days = 30
   is_enabled              = true
   enable_key_rotation     = true
 
   tags = "${
             merge(
-              map("Name", format("%s-%s", var.resource_name_prefix, "credstash")),
+              map("Name", format("%s-%s", var.resource_name_prefix, "parameter-store")),
               var.tags,
             )
           }"
 }
 
-resource "aws_kms_alias" "credstash" {
-  depends_on = ["aws_kms_key.credstash"]
+resource "aws_kms_alias" "parameter_store" {
+  depends_on = ["aws_kms_key.parameter_store"]
 
-  name          = "alias/${var.resource_name_prefix}-credstash"
-  target_key_id = "${aws_kms_key.credstash.key_id}"
+  name          = "alias/${var.resource_name_prefix}-parameter-store"
+  target_key_id = "${aws_kms_key.parameter_store.key_id}"
+}
+
+resource "aws_ssm_parameter" "healthchecks_io_key" {
+  name      = "/pritunl/${var.resource_name_prefix}/healthchecks-io-key"
+  type      = "SecureString"
+  value     = "${var.healthchecks_io_key}"
+  key_id    = "${aws_kms_key.parameter_store.arn}"
+  overwrite = true
+
+  tags = "${
+            merge(
+              map("Name", format("%s/%s/%s", "pritunl", var.resource_name_prefix, "healthchecks-io-key")),
+              var.tags,
+            )
+          }"
 }
 
 resource "aws_s3_bucket" "backup" {
+  depends_on = ["aws_kms_key.parameter_store"]
+
   bucket = "${var.resource_name_prefix}-backup"
   acl    = "private"
 
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = "${aws_kms_key.parameter_store.arn}"
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
   lifecycle_rule {
     prefix  = "backups"
     enabled = true

templates/iam_instance_role_policy.json.tpl

@@ -1,23 +1,13 @@
 {
     "Version": "2012-10-17",
     "Statement": [
-      {
-        "Action": [
-          "dynamodb:PutItem",
-          "dynamodb:GetItem",
-          "dynamodb:Query",
-          "dynamodb:Scan"
-        ],
-        "Effect": "Allow",
-        "Resource": "${db_credstash_arn}"
-      },
       {
         "Effect": "Allow",
         "Action": [
           "s3:ListBucket",
           "s3:GetBucketLocation"
         ],
-        "Resource": [ "arn:aws:s3:::${resource_name_prefix}-backup" ]
+        "Resource": [ "arn:aws:s3:::${s3_backup_bucket}" ]
       },
       {
         "Effect": "Allow",
@@ -28,7 +18,7 @@
           "s3:List*",
           "s3:DeleteObject"
         ],
-        "Resource": [ "arn:aws:s3:::${resource_name_prefix}-backup/*" ]
+        "Resource": [ "arn:aws:s3:::${s3_backup_bucket}/*" ]
       },
       {
         "Effect": "Allow",
@@ -41,6 +31,13 @@
         ],
         "Resource": "*"
       },
+      {
+        "Effect": "Allow",
+        "Action": [
+            "ssm:GetParameters"
+        ],
+        "Resource": "arn:aws:ssm:${aws_region}:${account_id}:parameter${ssm_key_prefix}"
+      },
       {
           "Effect": "Allow",
           "Action": [

templates/key_policy.json.tpl

@@ -1,6 +1,6 @@
 {
   "Version": "2012-10-17",
-  "Id": "${resource_name_prefix}-credstash",
+  "Id": "${resource_name_prefix}-parameter-store",
   "Statement": [
     {
       "Sid": "Enable IAM User Permissions",

templates/user_data.sh.tpl

@@ -3,11 +3,16 @@
 export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/root/bin
 
 yum update -y
-yum install -y gcc libffi-devel openssl-devel
 
-# credstash installation for secrets
+# upgrade pip to latest stable
 pip install -U pip
-/usr/local/bin/pip install -U credstash awscli
+# upgrade awscli to latest stable
+# upgrading pip from 9.0.3 to 10.0.1 changes the path from /usr/bin/pip to
+# /usr/local/bin/pip and the line below throws this error
+#     /var/lib/cloud/instance/scripts/part-001: line 10: /usr/bin/pip: No such file or directory
+# So, I export the PATH in the beggining correctly but still tries to from the old location
+# I couldn't see why in the outputs I'm going to hardcode it for now (01:10am)
+/usr/local/bin/pip install -U awscli
 
 echo "* hard nofile 64000" >> /etc/security/limits.conf
 echo "* soft nofile 64000" >> /etc/security/limits.conf
@@ -49,27 +54,35 @@ status amazon-ssm-agent || start amazon-ssm-agent
 cat <<EOF > /usr/sbin/mongobackup.sh
 #!/bin/bash -e
 
+set -o errexit  # exit on cmd failure
+set -o nounset  # fail on use of unset vars
+set -o pipefail # throw latest exit failure code in pipes
+set -o xtrace   # print command traces before executing command.
+
 export PATH="/usr/local/bin:\$PATH"
-export BACKUP_ENCRYPTION_KEY=\$(credstash --region ${aws_region} --table ${credstash_table_name} get BACKUP_ENCRYPTION_KEY)
 export BACKUP_TIME=\$(date +'%Y-%m-%d-%H-%M-%S')
 export BACKUP_FILENAME="\$BACKUP_TIME-pritunl-db-backup.tar.gz"
 export BACKUP_DEST="/tmp/\$BACKUP_TIME"
 mkdir "\$BACKUP_DEST" && cd "\$BACKUP_DEST"
 mongodump -d pritunl
 tar zcf "\$BACKUP_FILENAME" dump
 rm -rf dump
-gpg --yes --batch --passphrase="\$BACKUP_ENCRYPTION_KEY" -c "\$BACKUP_FILENAME"
 md5sum "\$BACKUP_FILENAME" > "\$BACKUP_FILENAME.md5"
-rm "\$BACKUP_FILENAME"
 aws s3 sync . s3://${s3_backup_bucket}/backups/
 cd && rm -rf "\$BACKUP_DEST"
 EOF
 chmod 700 /usr/sbin/mongobackup.sh
 
 cat <<EOF > /etc/cron.daily/pritunl-backup
 #!/bin/bash -e
-export PATH="/usr/local/bin:\$PATH"
-/usr/sbin/mongobackup.sh && curl -fsS --retry 3 "https://hchk.io/\$(credstash --region ${aws_region} --table ${credstash_table_name} get HEALTHCHECKS_IO_KEY)"
+export PATH="/usr/local/sbin:/usr/local/bin:\$PATH"
+mongobackup.sh && \
+  curl -fsS --retry 3 \
+  "https://hchk.io/\$( aws --region=${aws_region} --output=text \
+                        ssm get-parameters \
+                        --names ${healthchecks_io_key} \
+                        --with-decryption \
+                        --query 'Parameters[*].Value')"
 EOF
 chmod 755 /etc/cron.daily/pritunl-backup
 

variables.tf

@@ -29,6 +29,11 @@ variable "tags" {
 }
 
 variable "resource_name_prefix" {
-  description = "All the resources will be prefixed with this varible"
+  description = "All the resources will be prefixed with the value of this variable"
   default     = "pritunl"
 }
+
+variable "healthchecks_io_key" {
+  description = "Health check key for healthchecks.io"
+  default     = "invalid"
+}