chore: first commit

Reviewed-by: Avi Miller <[email protected]>
Signed-off-by: Ali Mukadam <[email protected]>

Author: hyder

.gitignore

@@ -0,0 +1,16 @@
+#  Local .terraform directories
+**/.terraform/*
+
+provider.tf
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# .tfvars files
+*.tfvars
+
+# visual code
+ **/.vscode/*
+
+.terraform.lock.hcl

CHANGELOG.adoc

@@ -0,0 +1,8 @@
+= CHANGELOG
+:idprefix:
+:idseparator: *
+
+:uri-changelog: http://keepachangelog.com/
+All notable changes to this project are documented in this file.
+
+The format is based on {uri-changelog}[Keep a Changelog].

CONTRIBUTING.adoc

@@ -0,0 +1,47 @@
+= CONTRIBUTING
+
+:uri-oracle-oca: https://oca.opensource.oracle.com
+
+Oracle welcomes contributions to this repository from anyone.
+
+If you want to submit a pull request to fix a bug or enhance an existing
+feature, please first open an issue and link to that issue when you
+submit your pull request.
+
+If you have any questions about a possible submission, feel free to open
+an issue too.
+
+== Contributing to the terraform-oci-wireguard repository
+
+Pull requests can be made under
+{uri-oracle-oca}[The Oracle Contributor Agreement](OCA).
+
+For pull requests to be accepted, the bottom of your commit message must have
+the following line using your name and e-mail address as it appears in the
+OCA Signatories list.
+
+----
+Signed-off-by: Your Name <[email protected]>
+----
+
+This can be automatically added to pull requests by committing with:
+
+----
+  git commit --signoff
+----
+
+Only pull requests from committers that can be verified as having
+signed the OCA can be accepted.
+
+=== Pull request process
+
+. Fork this repository
+. Create a branch in your fork to implement the changes. We recommend using
+the issue number as part of your branch name, e.g. `1234-fixes`
+. Ensure that any documentation is updated with the changes that are required
+by your fix.
+. Ensure that any samples are updated if the base image has been changed.
+. Submit the pull request. *Do not leave the pull request blank*. Explain exactly
+what your changes are meant to do and provide simple steps on how to validate
+your changes. Ensure that you reference the issue you created as well.
+We will assign the pull request to 2-3 people for review before it is merged.

CONTRIBUTORS.adoc

@@ -0,0 +1,5 @@
+== GitHub userids of contributors
+
+OWNERS # have admin access and can merge code to main:
+
+- @hyder

LICENSE.txt

@@ -0,0 +1,35 @@
+Copyright (c) 2022 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,25 @@
+# Terraform module for WireGuard on OCI
+
+[uri-docs]: https://github.com/oracle-terraform-modules/terraform-oci-wireguard/blob/main/docs
+[uri-oci]: https://cloud.oracle.com/cloud-infrastructure
+[uri-prereqs]: https://github.com/oracle-terraform-modules/terraform-oci-wireguard/blob/main/docs/prerequisites.adoc
+[uri-quickstart]: https://github.com/oracle-terraform-modules/terraform-oci-wireguard/blob/main/docs/quickstart.adoc
+[uri-wireguard]: https://www.wireguard.com/
+
+From [wireguard.com][uri-wireguard]:
+
+_WireGuard ® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances._
+
+This Terraform module automates the deployment of a WireGuard VPN endpoint instance on [Oracle Cloud Infrastructure][uri-oci]. It can be used to enable secure connectivity to private subnets without needing a bastion host or using the Bastion service.
+
+## [Documentation][uri-docs]
+
+* [Prerequisites][uri-prereqs]
+
+* [Quick Start][uri-quickstart]
+
+## License
+
+The content in this repository is copyright (c) 2022, Oracle and/or its affiliates. It is released under the Universal Permissive License v1.0 as shown at <https://oss.oracle.com/licenses/upl>.
+
+"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.

cloudinit/wireguard.template.yaml

@@ -0,0 +1,19 @@
+#cloud-config
+package_upgrade: ${upgrade_wireguard}
+timezone: ${wireguard_timezone} 
+packages:
+  - wireguard-tools
+write_files:
+  - path: "/root/wireguard/wireguard.sh"
+    permissions: "0700"
+    encoding: "gzip+base64"
+    content: |
+      ${wireguard_setup}
+  - path: "/root/wireguard/wg0.conf"
+    permissions: "0700"
+    encoding: "gzip+base64"
+    content: |
+      ${wireguard_conf}
+runcmd:
+ - bash /root/wireguard/wireguard.sh
+ - touch /home/opc/wireguard.finish

compute.tf

@@ -0,0 +1,60 @@
+resource "oci_core_instance" "wireguard" {
+  availability_domain = data.oci_identity_availability_domain.ad.name
+  compartment_id      = var.compartment_id
+
+  agent_config {
+
+    are_all_plugins_disabled = true
+    is_management_disabled   = true
+    is_monitoring_disabled   = true
+
+
+  }
+
+  create_vnic_details {
+    assign_public_ip = var.wireguard_type == "public" ? true : false
+    display_name     = var.label_prefix == "none" ? "wireguard-vnic" : "${var.label_prefix}-wireguard-vnic"
+    hostname_label   = "wireguard"
+    subnet_id        = oci_core_subnet.wireguard.id
+  }
+
+  display_name = var.label_prefix == "none" ? "wireguard" : "${var.label_prefix}-wireguard"
+
+  launch_options {
+    boot_volume_type = "PARAVIRTUALIZED"
+    network_type     = "PARAVIRTUALIZED"
+  }
+
+  # prevent the wireguard from destroying and recreating itself if the image ocid changes 
+  lifecycle {
+    ignore_changes = [source_details[0].source_id]
+  }
+
+  metadata = {
+    ssh_authorized_keys = (var.ssh_public_key != "") ? var.ssh_public_key : (var.ssh_public_key_path != "none") ? file(var.ssh_public_key_path) : ""
+    user_data           = data.cloudinit_config.wireguard.rendered
+  }
+
+  shape = lookup(var.wireguard_shape, "shape", "VM.Standard.E2.2")
+
+  dynamic "shape_config" {
+    for_each = length(regexall("Flex", lookup(var.wireguard_shape, "shape", "VM.Standard.E3.Flex"))) > 0 ? [1] : []
+    content {
+      ocpus         = max(1, lookup(var.wireguard_shape, "ocpus", 1))
+      memory_in_gbs = (lookup(var.wireguard_shape, "memory", 4) / lookup(var.wireguard_shape, "ocpus", 1)) > 64 ? (lookup(var.wireguard_shape, "ocpus", 1) * 4) : lookup(var.wireguard_shape, "memory", 4)
+    }
+  }
+
+  source_details {
+    boot_volume_size_in_gbs = lookup(var.wireguard_shape, "boot_volume_size", 50)
+    source_type             = "image"
+    source_id               = local.wireguard_image_id
+  }
+
+  state = var.wireguard_state
+
+  timeouts {
+    create = "60m"
+  }
+
+}

conf/wg.template.conf

@@ -0,0 +1,12 @@
+[Interface]
+Address = 192.168.2.1/24
+SaveConfig = true
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
+ListenPort = 51820
+PrivateKey = SERVER_PRIVATE_KEY
+
+# [Peer]
+# PublicKey = CLIENT_PUBLIC_KEY
+# AllowedIPs = 192.168.2.2/32
+# Endpoint = CLIENT_PUBLIC_IP:60477

datasources.tf

@@ -0,0 +1,58 @@
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+data "oci_identity_availability_domain" "ad" {
+  compartment_id = var.tenancy_id
+  ad_number      = var.availability_domain
+}
+
+data "oci_core_vcn" "vcn" {
+  vcn_id = var.vcn_id
+}
+
+data "oci_core_images" "oracle_images" {
+  compartment_id           = var.compartment_id
+  operating_system         = "Oracle Linux"
+  operating_system_version = "9"
+  shape                    = lookup(var.wireguard_shape, "shape", "VM.Standard.E2.2")
+  sort_by                  = "TIMECREATED"
+  sort_order               = "DESC"
+}
+
+# cloud init for wireguard
+data "cloudinit_config" "wireguard" {
+  gzip          = true
+  base64_encode = true
+
+  part {
+    filename     = "wireguard.yaml"
+    content_type = "text/cloud-config"
+    content = templatefile(
+      local.wireguard_template, {
+        wireguard_conf     = local.wireguard_conf_template,
+        wireguard_setup    = local.setup_wireguard_template,
+        wireguard_timezone = var.wireguard_timezone,
+        upgrade_wireguard  = var.upgrade_wireguard
+      }
+    )
+  }
+}
+
+# Gets a list of VNIC attachments on the wireguard instance
+data "oci_core_vnic_attachments" "wireguard_vnics_attachments" {
+  availability_domain = data.oci_identity_availability_domain.ad.name
+  compartment_id      = var.compartment_id
+  depends_on          = [oci_core_instance.wireguard]
+  instance_id         = oci_core_instance.wireguard.id
+}
+
+# Gets the OCID of the first (default) VNIC on the wireguard instance
+data "oci_core_vnic" "wireguard_vnic" {
+  depends_on = [oci_core_instance.wireguard]
+  vnic_id    = lookup(data.oci_core_vnic_attachments.wireguard_vnics_attachments.vnic_attachments[0], "vnic_id")
+}
+
+data "oci_core_instance" "wireguard" {
+  depends_on  = [oci_core_instance.wireguard]
+  instance_id = oci_core_instance.wireguard.id
+}