Merge pull request #57 from gdbranco/feat/ocm-13090

OCM-13090 | feat: include bastion host module

Author: openshift-merge-bot[bot]

.gitignore

@@ -41,3 +41,9 @@ terraform.rc
 
 # Ignore IDE directories
 .idea/
+
+# Cert files
+*.pem
+
+# PID file generated by sshuttle daemon bastion connnect script
+*sshuttle-pid-file

assets/bastion-host-user-data.yaml

@@ -0,0 +1,5 @@
+#cloud-config
+#package_update: true
+#package_upgrade: true
+runcmd:
+- curl -L https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/4.1.15/openshift-client-linux-4.1.15.tar.gz | tar -C /usr/bin/ -xzf -

assets/bastion_connect.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+set -eux
+
+# Check for dependencies
+if ! command -v sshuttle >/dev/null; then
+    echo "Please install sshuttle"
+    exit 1
+fi
+if ! command -v jq >/dev/null; then
+    echo "Please install jq"
+    exit 1
+fi
+
+TERRAFORM_JSON=$(terraform output -json)
+# Assigns public IP of bastion host to variables
+BASTION_HOST_PUB_IP=$(jq '.bastion_host_public_ip.value[0]' -r <<< $TERRAFORM_JSON)
+# Sest bastion host ssh .pem filename to variable
+ROSA_KEY=$(find . | grep '.pem')
+# Get API url of Rosa Cluster
+API=$(jq '.cluster_api_url.value' -r <<< $TERRAFORM_JSON)
+PW=$(jq '.password.value.result' -r <<< $TERRAFORM_JSON)
+
+if [ -z "$API" ]; then
+    echo "Could not find the API URL"
+    exit 4
+fi
+if [ -z "$ROSA_KEY" ]; then
+    echo "Could not find the SSH key"
+    exit 4
+fi
+if [ -z "$BASTION_HOST_PUB_IP" ]; then
+    echo "Could not find the SSH bastion host IP address"
+    exit 4
+fi
+if [ -z "$PW" ]; then
+    echo "Could not find the cluster idp password"
+    exit 4
+fi
+
+# Connect to the SSH bastion
+# Note that the user depends on AMI and might require to be changed
+sshuttle --daemon --pidfile="${TF_DIR:-.}/sshuttle-pid-file" --ssh-cmd "ssh -i ${TF_DIR:-.}/${ROSA_KEY}" --dns -NHr "ec2-user@${BASTION_HOST_PUB_IP}" 10.0.0.0/16
+oc login $API --username admin --password "${PW}"

assets/bastion_disconnect.sh

@@ -0,0 +1,3 @@
+
+PID=$(cat ${TF_DIR:-.}/sshuttle-pid-file)
+kill $PID

examples/rosa-hcp-private/README.md

@@ -1,4 +1,4 @@
-# ROSA HCP Private
+# Private ROSA HCP
 
 ## Introduction
 
@@ -7,6 +7,7 @@ This is a Terraform manifest example for creating a Red Hat OpenShift Service on
 This example includes:
 - A ROSA cluster with private access.
 - All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution.
+- A bastion host EC2 instance that allows to reach the private cluster.
 
 ## Example Usage
 
@@ -61,9 +62,46 @@ resource "random_password" "password" {
 module "vpc" {
   source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"
 
-  name_prefix              = "my-cluster"
+  name_prefix              = "my-vpc"
   availability_zones_count = 3
 }
+
+############################
+# Bastion instance for connection to the cluster
+############################
+data "aws_ami" "rhel9" {
+  most_recent = true
+
+  filter {
+    name   = "platform-details"
+    values = ["Red Hat Enterprise Linux"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "manifest-location"
+    values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
+  }
+
+  owners = ["309956199498"] # Amazon's "Official Red Hat" account
+}
+module "bastion_host" {
+  source     = "../../modules/bastion-host"
+  prefix     = "my-host"
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = [module.vpc.public_subnets[0]]
+  ami_id         = aws_ami.rhel9.id
+  user_data_file = file("bastion-host-user-data.yaml")
+}
 ```
 
 
@@ -81,21 +119,23 @@ module "vpc" {
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.35.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_bastion_host"></a> [bastion\_host](#module\_bastion\_host) | ../../modules/bastion-host | n/a |
 | <a name="module_hcp"></a> [hcp](#module\_hcp) | ../../ | n/a |
-| <a name="module_htpasswd_idp"></a> [htpasswd\_idp](#module\_htpasswd\_idp) | ../../modules/idp | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [aws_ami.rhel9](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 
 ## Inputs
 
@@ -110,6 +150,9 @@ module "vpc" {
 |------|-------------|
 | <a name="output_account_role_prefix"></a> [account\_role\_prefix](#output\_account\_role\_prefix) | The prefix used for all generated AWS resources. |
 | <a name="output_account_roles_arn"></a> [account\_roles\_arn](#output\_account\_roles\_arn) | A map of Amazon Resource Names (ARNs) associated with the AWS IAM roles created. The key in the map represents the name of an AWS IAM role, while the corresponding value represents the associated Amazon Resource Name (ARN) of that role. |
+| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP |
+| <a name="output_cluster_api_url"></a> [cluster\_api\_url](#output\_cluster\_api\_url) | The URL of the API server. |
+| <a name="output_cluster_console_url"></a> [cluster\_console\_url](#output\_cluster\_console\_url) | The URL of the console. |
 | <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | Unique identifier of the cluster. |
 | <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id) | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config. |
 | <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url) | Registered OIDC configuration issuer URL, generated by this OIDC config. |

examples/rosa-hcp-private/main.tf

@@ -9,15 +9,16 @@ locals {
 module "hcp" {
   source = "../../"
 
-  cluster_name             = var.cluster_name
-  openshift_version        = var.openshift_version
-  machine_cidr             = module.vpc.cidr_block
-  aws_subnet_ids           = module.vpc.private_subnets
-  aws_availability_zones   = module.vpc.availability_zones
-  replicas                 = length(module.vpc.availability_zones)
-  private                  = true
-  create_admin_user        = true
-  ec2_metadata_http_tokens = "required"
+  cluster_name               = var.cluster_name
+  openshift_version          = var.openshift_version
+  machine_cidr               = module.vpc.cidr_block
+  aws_subnet_ids             = module.vpc.private_subnets
+  replicas                   = 2
+  private                    = true
+  create_admin_user          = true
+  admin_credentials_username = "admin"
+  admin_credentials_password = random_password.password.result
+  ec2_metadata_http_tokens   = "required"
 
   // STS configuration
   create_account_roles  = true
@@ -27,25 +28,13 @@ module "hcp" {
   operator_role_prefix  = local.operator_role_prefix
 }
 
-############################
-# HTPASSWD IDP
-############################
-module "htpasswd_idp" {
-  source = "../../modules/idp"
-
-  cluster_id         = module.hcp.cluster_id
-  name               = "htpasswd-idp"
-  idp_type           = "htpasswd"
-  htpasswd_idp_users = [{ username = "test-user", password = random_password.password.result }]
-}
-
 resource "random_password" "password" {
-  length  = 14
-  special = true
-  min_lower = 1
+  length      = 14
+  special     = true
+  min_lower   = 1
   min_numeric = 1
   min_special = 1
-  min_upper = 1
+  min_upper   = 1
 }
 
 ############################
@@ -55,5 +44,42 @@ module "vpc" {
   source = "../../modules/vpc"
 
   name_prefix              = var.cluster_name
-  availability_zones_count = 3
+  availability_zones_count = 1
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+data "aws_ami" "rhel9" {
+  most_recent = true
+
+  filter {
+    name   = "platform-details"
+    values = ["Red Hat Enterprise Linux"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "manifest-location"
+    values = ["amazon/RHEL-9.*_HVM-*-x86_64-*-Hourly2-GP2"]
+  }
+
+  owners = ["309956199498"] # Amazon's "Official Red Hat" account
+}
+module "bastion_host" {
+  source         = "../../modules/bastion-host"
+  prefix         = var.cluster_name
+  vpc_id         = module.vpc.vpc_id
+  subnet_ids     = [module.vpc.public_subnets[0]]
+  ami_id         = data.aws_ami.rhel9.id
+  user_data_file = file("../../assets/bastion-host-user-data.yaml")
 }

examples/rosa-hcp-private/outputs.tf

@@ -1,8 +1,23 @@
+output "bastion_host_public_ip" {
+  value       = module.bastion_host.bastion_host_public_ip
+  description = "Bastion Host Public IP"
+}
+
 output "cluster_id" {
   value       = module.hcp.cluster_id
   description = "Unique identifier of the cluster."
 }
 
+output "cluster_api_url" {
+  value       = module.hcp.cluster_api_url
+  description = "The URL of the API server."
+}
+
+output "cluster_console_url" {
+  value       = module.hcp.cluster_console_url
+  description = "The URL of the console."
+}
+
 output "account_role_prefix" {
   value       = module.hcp.account_role_prefix
   description = "The prefix used for all generated AWS resources."

modules/bastion-host/README.md

@@ -0,0 +1,89 @@
+# Bastion Host
+
+## Introduction
+
+This is a Terraform manifest example for creating a bastion host aws ec2 instance. This example provides a structured configuration template that demonstrates how to deploy vpc and bastion host to your AWS environment by using Terraform.
+
+This example includes:
+- A VPC with both public and private subnets.
+- An EC2 instance attached to the public subnet of the vpc that allows connection to it so it may access the private network from within it.
+
+## Example Usage
+
+```
+############################
+# VPC
+############################
+module "vpc" {
+  source = "terraform-redhat/rosa-hcp/rhcs//modules/vpc"
+
+  name_prefix              = "my-vpc"
+  availability_zones_count = 1
+}
+
+############################
+# Bastion instance for connection to the cluster
+############################
+module "bastion_host" {
+  source     = "../../modules/bastion-host"
+  prefix     = "my-host"
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = [module.vpc.public_subnets[0]]
+  ami_id         = aws_ami.rhel9.id
+  user_data_file = file("bastion-host-user-data.yaml")
+}
+```
+
+
+<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.35.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.35.0 |
+| <a name="provider_http"></a> [http](#provider\_http) | n/a |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_time"></a> [time](#provider\_time) | n/a |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_instance.bastion_host](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_key_pair.bastion_ssh_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
+| [aws_security_group.bastion_host_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [local_file.bastion_private_ssh_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [time_sleep.bastion_resources_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [tls_private_key.pk](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [http_http.myip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | Amazon Machine Image to run the bastion host with | `string` | `null` | no |
+| <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | CIDR ranges to include as ingress allowed ranges | `list(string)` | `null` | no |
+| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | Instance type of the bastion hosts | `string` | `"t2.micro"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for the name of each AWS resource | `string` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Set of subnet IDs to instantiate a bastion host against | `list(string)` | n/a | yes |
+| <a name="input_user_data_file"></a> [user\_data\_file](#input\_user\_data\_file) | User data for proxy configuration | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the AWS VPC resource | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bastion_host_public_ip"></a> [bastion\_host\_public\_ip](#output\_bastion\_host\_public\_ip) | Bastion Host Public IP |
+<!-- END_AUTOMATED_TF_DOCS_BLOCK -->