buncha refactoring

chasezheng · chasezheng · commit 499917eb68e1 · 2022-05-27T21:54:40.000+02:00
diff --git a/main.tf b/main.tf
@@ -2,47 +2,20 @@
 # creates and deletes users accordingly
 
 locals {
-  metadata = merge(var.metadata, {
-    sshKeys = "${var.remote_user}:${tls_private_key.ssh-key.public_key_openssh}"
-  })
-  ssh_tag     = ["allow-ssh"]
-  openvpn_tag = ["openvpn-${var.name}"]
-  tags        = toset(concat(var.tags, local.ssh_tag, local.openvpn_tag))
-
-  output_folder    = var.output_dir
   private_key_file = "private-key.pem"
   # adding the null_resource to prevent evaluating this until the openvpn_update_users has executed
   refetch_user_ovpn = null_resource.openvpn_update_users_script.id != "" ? !alltrue([for x in var.users : fileexists("${var.output_dir}/${x}.ovpn")]) : false
-  name              = var.name == "" ? "" : "${var.name}-"
-  access_config = [{
-    nat_ip       = google_compute_address.default.address
-    network_tier = var.network_tier
-  }]
 }
 
-resource "google_compute_firewall" "allow-external-ssh" {
-  name    = "openvpn-${var.name}-allow-external-ssh"
-  project = var.project_id
-  network = var.network
-
-  allow {
-    protocol = "tcp"
-    ports    = ["22"]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
-  target_tags   = local.ssh_tag
-}
-
-resource "google_compute_firewall" "allow-openvpn-udp-port" {
-  name        = "openvpn-${var.name}-allow"
+resource "google_compute_firewall" "allow-ingress-to-openvpn-server" {
+  name        = "openvpn-${var.name}-allow-ingress"
   project     = var.project_id
   network     = var.network
   description = "Creates firewall rule targeting the openvpn instance"
 
   allow {
     protocol = "tcp"
-    ports    = ["1194"]
+    ports    = ["1194", "22"]
   }
 
   allow {
@@ -51,10 +24,9 @@ resource "google_compute_firewall" "allow-openvpn-udp-port" {
   }
 
   source_ranges = ["0.0.0.0/0"]
-  target_tags   = local.openvpn_tag
+  target_tags   = ["openvpn-${var.name}"]
 }
 
-
 resource "google_compute_address" "default" {
   name         = "openvpn-${var.name}-global-ip"
   project      = var.project_id
@@ -63,53 +35,40 @@ resource "google_compute_address" "default" {
 }
 
 resource "tls_private_key" "ssh-key" {
-  algorithm = "RSA"
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P521"
 }
 
-
 // SSH Private Key
 resource "local_sensitive_file" "private_key" {
   content         = tls_private_key.ssh-key.private_key_pem
   filename        = "${var.output_dir}/${local.private_key_file}"
   file_permission = "0400"
 }
 
-resource "random_id" "this" {
-  byte_length = "8"
-}
-
-resource "random_id" "password" {
-  byte_length = "16"
+resource "random_string" "openvpn_server_suffix" {
+  length  = 8
+  special = false
+  upper   = false
 }
 
-// Use a persistent disk so that it can be remounted on another instance.
-resource "google_compute_disk" "this" {
-  name    = "openvpn-${var.name}-disk"
-  image   = var.image_family
-  size    = var.disk_size_gb
-  type    = var.disk_type
-  project = var.project_id
-  zone    = var.zone
-}
-
-#-------------------
-# Instance Template
-#-------------------
-resource "google_compute_instance_template" "tpl" {
-  name_prefix  = "openvpn-${var.name}-"
+resource "google_compute_instance" "openvpn_server" {
+  name         = "openvpn-${var.name}-${random_string.openvpn_server_suffix.id}"
   project      = var.project_id
   machine_type = var.machine_type
   labels       = var.labels
-  metadata     = local.metadata
-  region       = var.region
+  metadata = merge(
+    var.metadata,
+    { sshKeys = "${var.remote_user}:${tls_private_key.ssh-key.public_key_openssh}" }
+  )
+  zone = var.zone
 
   metadata_startup_script = <<SCRIPT
     curl -O ${var.install_script_url}
     chmod +x openvpn-install.sh
     mv openvpn-install.sh /home/${var.remote_user}/
     chown ${var.remote_user}:${var.remote_user} /home/${var.remote_user}/openvpn-install.sh
     export AUTO_INSTALL=y
-    export PASS=1
     # Using Custom DNS
     export DNS=13
     export DNS1="${var.dns_servers[0]}"
@@ -119,63 +78,53 @@ resource "google_compute_instance_template" "tpl" {
     /home/${var.remote_user}/openvpn-install.sh
   SCRIPT
 
-  disk {
-    auto_delete = var.auto_delete_disk
-    boot        = true
-    source      = google_compute_disk.this.name
+  boot_disk {
+    auto_delete = true
+    initialize_params {
+      type  = "pd-standard"
+      image = "ubuntu-minimal-2004-focal-v20220419a"
+    }
   }
 
   dynamic "service_account" {
-    for_each = [var.service_account]
+    for_each = var.service_account == null ? [] : [var.service_account]
 
     content {
-      email  = lookup(service_account.value, "email", null)
-      scopes = lookup(service_account.value, "scopes", null)
+      email  = try(each.value.email, null)
+      scopes = try(each.scopes, [])
     }
   }
 
   network_interface {
     network    = var.network
     subnetwork = var.subnetwork
 
-    dynamic "access_config" {
-      for_each = local.access_config
-
-      content {
-        nat_ip       = access_config.value.nat_ip
-        network_tier = access_config.value.network_tier
-      }
+    access_config {
+      nat_ip       = google_compute_address.default.address
+      network_tier = var.network_tier
     }
   }
 
-  tags = local.tags
+  tags = toset(
+    concat(var.tags, tolist(google_compute_firewall.allow-ingress-to-openvpn-server.target_tags))
+  )
+
 
   lifecycle {
     create_before_destroy = "true"
   }
-}
 
-resource "google_compute_instance_from_template" "this" {
-  name    = "openvpn-${var.name}"
-  project = var.project_id
-  zone    = var.zone
-
-  network_interface {
-    network    = var.network
-    subnetwork = var.subnetwork
-    access_config {
-      nat_ip       = google_compute_address.default.address
-      network_tier = var.network_tier
-    }
+  provisioner "local-exec" {
+    command = "ssh-keygen -R \"${self.network_interface[0].access_config[0].nat_ip}\" || true"
+    when    = destroy
   }
-  source_instance_template = google_compute_instance_template.tpl.self_link
 }
 
 # Updates/creates the users VPN credentials on the VPN server
 resource "null_resource" "openvpn_update_users_script" {
   triggers = {
     users    = join(",", var.users)
-    instance = google_compute_instance_from_template.this.instance_id
+    instance = google_compute_instance.openvpn_server.instance_id
   }
 
   connection {
@@ -184,6 +133,7 @@ resource "null_resource" "openvpn_update_users_script" {
     host        = google_compute_address.default.address
     private_key = tls_private_key.ssh-key.private_key_pem
     agent       = false
+    timeout     = "60s"
   }
 
   provisioner "file" {
@@ -195,9 +145,10 @@ resource "null_resource" "openvpn_update_users_script" {
   # Create New User with MENU_OPTION=1
   provisioner "remote-exec" {
     inline = [
-      "while [ ! -f /etc/openvpn/server.conf ]; do sleep 10; done",
+      "while [ ! -f /etc/openvpn/server.conf ]; do sleep 1; done",
+      "while [ ! -f /etc/openvpn/client-template.txt ]; do sleep 1; done",
       "chmod +x ~${var.remote_user}/update_users.sh",
-      "sudo ROUTE_ONLY_PRIVATE_IPS='${var.route_only_private_ips}' ~${var.remote_user}/update_users.sh ${join(" ", var.users)}",
+      "sudo REVOKE_ALL_CLIENT_CERTIFICATES=n ROUTE_ONLY_PRIVATE_IPS='${var.route_only_private_ips}' ~${var.remote_user}/update_users.sh ${join(" ", var.users)}",
     ]
     when = create
   }
@@ -208,10 +159,9 @@ resource "null_resource" "openvpn_update_users_script" {
     when    = create
   }
 
-  depends_on = [google_compute_instance_from_template.this, local_sensitive_file.private_key]
+  depends_on = [google_compute_instance.openvpn_server, local_sensitive_file.private_key, tls_private_key.ssh-key]
 }
 
-
 # Download user configurations to output_dir
 resource "null_resource" "openvpn_download_configurations" {
   triggers = {
diff --git a/variables.tf b/variables.tf
@@ -27,35 +27,14 @@ variable "subnetwork" {
   default     = null
 }
 
-variable "image_family" {
-  type    = string
-  default = "ubuntu-2004-lts"
-}
-
-variable "disk_type" {
-  description = "(Optional) The GCE disk type. Can be either pd-ssd, local-ssd, pd-balanced or pd-standard"
-  default     = "pd-standard"
-}
-
-variable "disk_size_gb" {
-  type    = string
-  default = "30"
-}
-
-variable "auto_delete_disk" {
-  description = "Whether or not the boot disk should be auto-deleted"
-  default     = false
-}
-
 variable "service_account" {
-  default = {
-    email  = null
-    scopes = []
-  }
-  type = object({
-    email  = string,
-    scopes = set(string)
-  })
+  default = null
+  type = object(
+    {
+      email  = string,
+      scopes = set(string)
+    }
+  )
   description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account."
 }
 
@@ -97,7 +76,7 @@ variable "remote_user" {
 
 variable "machine_type" {
   description = "Machine type to create, e.g. n1-standard-1"
-  default     = "n1-standard-1"
+  default     = "e2-micro"
 }
 
 variable "route_only_private_ips" {
@@ -106,9 +85,9 @@ variable "route_only_private_ips" {
 }
 
 variable "install_script_url" {
-  description = "The commit sha we are using in order to determine which version of the install file to use: https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh"
+  description = "Openvpn install script url."
   type        = string
-  default     = "https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh"
+  default     = "https://raw.githubusercontent.com/angristan/openvpn-install/b3b7593b2d4dd146f9c9da810bcec9b07a69c026/openvpn-install.sh"
 }
 
 variable "dns_servers" {
