terraform/aws: usability improvements (#23)

updates #22
tailscale-dev · Sep 17, 2024 · 5dc08a0 · 5dc08a0
1 parent 80d208c
commit 5dc08a0
Show file tree

Hide file tree

Showing 7 changed files with 359 additions and 180 deletions.
diff --git a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
@@ -1,16 +1,41 @@
 locals {
   name = "example-${basename(path.cwd)}"
 
-  tags = {
+  aws_tags = {
     Name = local.name
   }
+
+  tailscale_acl_tags = [
+    "tag:example-infra",
+    "tag:example-exitnode",
+    "tag:example-subnetrouter",
+    "tag:example-appconnector",
+  ]
+  tailscale_set_preferences = [
+    "--auto-update",
+    "--ssh",
+    "--advertise-connector",
+    "--advertise-exit-node",
+    "--advertise-routes=${join(",", [
+      local.vpc_cidr_block,
+    ])}",
+  ]
+
+  // Modify these to use your own VPC
+  vpc_cidr_block     = module.vpc.vpc_cidr_block
+  vpc_id             = module.vpc.vpc_id
+  subnet_id          = module.vpc.public_subnets[0]
+  private_subnet_id  = module.vpc.private_subnets[0]
+  security_group_ids = [aws_security_group.tailscale.id]
+  instance_type      = "t4g.micro"
 }
 
+// Remove this to use your own VPC.
 module "vpc" {
   source = "../internal-modules/aws-vpc"
 
   name = local.name
-  tags = local.tags
+  tags = local.aws_tags
 
   cidr = "10.0.80.0/22"
 
@@ -23,31 +48,26 @@ resource "tailscale_tailnet_key" "main" {
   preauthorized       = true
   reusable            = true
   recreate_if_invalid = "always"
-  tags = [
-    "tag:example-infra",
-    "tag:example-exitnode",
-    "tag:example-subnetrouter",
-    "tag:example-appconnector",
-  ]
+  tags                = local.tailscale_acl_tags
 }
 
 resource "aws_network_interface" "primary" {
-  subnet_id       = module.vpc.public_subnets[0]
-  security_groups = [module.vpc.tailscale_security_group_id]
-  tags            = merge(local.tags, { Name = "${local.name}-primary" })
+  subnet_id       = local.subnet_id
+  security_groups = local.security_group_ids
+  tags            = merge(local.aws_tags, { Name = "${local.name}-primary" })
 }
 resource "aws_eip" "primary" {
-  tags = local.tags
+  tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
   network_interface_id = aws_network_interface.primary.id
   allocation_id        = aws_eip.primary.id
 }
 
 resource "aws_network_interface" "secondary" {
-  subnet_id       = module.vpc.private_subnets[0]
-  security_groups = [module.vpc.tailscale_security_group_id]
-  tags            = merge(local.tags, { Name = "${local.name}-secondary" })
+  subnet_id       = local.private_subnet_id
+  security_groups = local.security_group_ids
+  tags            = merge(local.aws_tags, { Name = "${local.name}-secondary" })
 
   source_dest_check = false
 }
@@ -56,26 +76,54 @@ module "tailscale_aws_ec2_autoscaling" {
   source = "../internal-modules/aws-ec2-autoscaling/"
 
   autoscaling_group_name = local.name
-  instance_type          = "t4g.micro"
-  instance_tags          = local.tags
+  instance_type          = local.instance_type
+  instance_tags          = local.aws_tags
 
   network_interfaces = [
     aws_network_interface.primary.id, # first NIC must be in PUBLIC subnet
     aws_network_interface.secondary.id,
   ]
 
   # Variables for Tailscale resources
-  tailscale_hostname = local.name
-  tailscale_auth_key = tailscale_tailnet_key.main.key
-  tailscale_set_preferences = [
-    "--auto-update",
-    "--ssh",
-    "--advertise-connector",
-    "--advertise-exit-node",
-    "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}",
-  ]
+  tailscale_hostname        = local.name
+  tailscale_auth_key        = tailscale_tailnet_key.main.key
+  tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
+
+resource "aws_security_group" "tailscale" {
+  vpc_id = local.vpc_id
+  name   = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 41641
+  to_port           = 41641
+  protocol          = "udp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [local.vpc_cidr_block]
+}
diff --git a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
@@ -1,16 +1,36 @@
 locals {
   name = "example-${basename(path.cwd)}"
 
-  tags = {
+  aws_tags = {
     Name = local.name
   }
+
+  tailscale_acl_tags = [
+    "tag:example-infra",
+  ]
+  tailscale_set_preferences = [
+    "--auto-update",
+    "--ssh",
+  ]
+
+  // Modify these to use your own VPC
+  vpc_cidr_block     = module.vpc.vpc_cidr_block
+  vpc_id             = module.vpc.vpc_id
+  subnet_id          = module.vpc.public_subnets[0]
+  security_group_ids = [aws_security_group.tailscale.id]
+  instance_type      = "t4g.micro"
+  vpc_endpoint_route_table_ids = flatten([
+    module.vpc.public_route_table_ids,
+    module.vpc.private_route_table_ids,
+  ])
 }
 
+// Remove this to use your own VPC.
 module "vpc" {
   source = "../internal-modules/aws-vpc"
 
   name = local.name
-  tags = local.tags
+  tags = local.aws_tags
 
   cidr = "10.0.80.0/22"
 
@@ -19,18 +39,15 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "recorder" {
-  vpc_id       = module.vpc.vpc_id
-  service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
-  route_table_ids = flatten([
-    module.vpc.public_route_table_ids,
-    module.vpc.private_route_table_ids,
-  ])
-  tags = local.tags
+  vpc_id          = local.vpc_id
+  service_name    = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
+  route_table_ids = local.vpc_endpoint_route_table_ids
+  tags            = local.aws_tags
 }
 
 resource "aws_s3_bucket" "recorder" {
   bucket_prefix = substr(local.name, 0, 37)
-  tags          = local.tags
+  tags          = local.aws_tags
 
   force_destroy = true
 }
@@ -73,7 +90,7 @@ resource "aws_s3_bucket_policy" "recorder" {
 }
 
 resource "aws_iam_policy" "recorder" {
-  tags   = local.tags
+  tags   = local.aws_tags
   policy = <<-EOT
   {
     "Version": "2012-10-17",
@@ -98,7 +115,7 @@ resource "aws_iam_policy" "recorder" {
 
 resource "aws_iam_user" "recorder" {
   name = local.name
-  tags = local.tags
+  tags = local.aws_tags
 }
 
 resource "aws_iam_policy_attachment" "recorder" {
@@ -126,18 +143,16 @@ resource "tailscale_tailnet_key" "main" {
   preauthorized       = true
   reusable            = true
   recreate_if_invalid = "always"
-  tags = [
-    "tag:example-infra",
-  ]
+  tags                = local.tailscale_acl_tags
 }
 
 resource "aws_network_interface" "primary" {
-  subnet_id       = module.vpc.public_subnets[0]
-  security_groups = [module.vpc.tailscale_security_group_id]
-  tags            = local.tags
+  subnet_id       = local.subnet_id
+  security_groups = local.security_group_ids
+  tags            = local.aws_tags
 }
 resource "aws_eip" "primary" {
-  tags = local.tags
+  tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
   network_interface_id = aws_network_interface.primary.id
@@ -148,18 +163,15 @@ module "tailscale_aws_ec2_autoscaling" {
   source = "../internal-modules/aws-ec2-autoscaling/"
 
   autoscaling_group_name = local.name
-  instance_type          = "t4g.micro"
-  instance_tags          = local.tags
+  instance_type          = local.instance_type
+  instance_tags          = local.aws_tags
 
   network_interfaces = [aws_network_interface.primary.id]
 
   # Variables for Tailscale resources
-  tailscale_hostname = local.name
-  tailscale_auth_key = tailscale_tailnet_key.main.key
-  tailscale_set_preferences = [
-    "--auto-update",
-    "-ssh",
-  ]
+  tailscale_hostname        = local.name
+  tailscale_auth_key        = tailscale_tailnet_key.main.key
+  tailscale_set_preferences = local.tailscale_set_preferences
 
   #
   # Set up Tailscale Session Recorder (tsrecorder)
@@ -178,6 +190,40 @@ module "tailscale_aws_ec2_autoscaling" {
   ]
 
   depends_on = [
-    module.vpc.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning
+    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
+
+resource "aws_security_group" "tailscale" {
+  vpc_id = local.vpc_id
+  name   = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 41641
+  to_port           = 41641
+  protocol          = "udp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [local.vpc_cidr_block]
+}