From cc620bf814c096b331d0bac096f9980b267c2bfe Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Thu, 27 Oct 2022 23:59:02 -0400
Subject: [PATCH 1/7] Fix bug https://github.com/hashicorp/terraform-provider-aws/issues/25909#issuecomment-1218625304
---
 auth_asg.tf | 5 +++--
 monitor_asg.tf | 7 ++++---
 node_asg.tf | 5 +++--
 proxy_asg.tf | 5 +++--
 4 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/auth_asg.tf b/auth_asg.tf
index d46e3e9..3da9d37 100644
--- a/auth_asg.tf
+++ b/auth_asg.tf
@@ -47,7 +47,7 @@ resource "aws_launch_configuration" "auth" {
 name_prefix = "${substr(var.cluster_name, 0, 16)}-auth-"
 image_id = var.ami_id
 instance_type = var.auth_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/auth-user-data.tpl",
 {
 region = data.aws_region.current.name
@@ -67,7 +67,8 @@ resource "aws_launch_configuration" "auth" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
diff --git a/monitor_asg.tf b/monitor_asg.tf
index f115572..2cb8421 100644
--- a/monitor_asg.tf
+++ b/monitor_asg.tf
@@ -85,7 +85,7 @@ resource "aws_launch_configuration" "monitor" {
 name_prefix = "${var.cluster_name}-monitor-"
 image_id = var.ami_id
 instance_type = var.monitor_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/monitor-user-data.tpl",
 {
 region = data.aws_region.current.name
@@ -99,7 +99,8 @@ resource "aws_launch_configuration" "monitor" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
@@ -116,7 +117,7 @@ resource "aws_security_group" "monitor" {
 name = "${var.cluster_name}-monitor"
 description = "SG for ${var.cluster_name}-monitor"
 vpc_id = local.vpc_id
- tags = {
+ tags = {
 TeleportCluster = var.cluster_name
 }
 }
diff --git a/node_asg.tf b/node_asg.tf
index 05b86e0..d9ac5f8 100644
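Review bot: The added `http_endpoint = "enabled"` line in the auth_asg.tf metadata_options hunk carries no comment, and because "enabled" is the provider's default for this attribute it reads as redundant, so a later cleanup could drop it and reintroduce the failure the commit subject references. Suggest a comment on that line, `# Set explicitly together with http_tokens; see hashicorp/terraform-provider-aws#25909`, so the pairing is understood as deliberate. The same applies to the identical metadata_options hunks in monitor_asg.tf, node_asg.tf and proxy_asg.tf. Keeping `http_tokens = "required"` is the right outcome, since it leaves IMDSv2 mandatory on every launch configuration in the module.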
--- a/node_asg.tf
+++ b/node_asg.tf
@@ -41,7 +41,7 @@ resource "aws_launch_configuration" "node" {
 name_prefix = "${var.cluster_name}-node-"
 image_id = var.ami_id
 instance_type = var.node_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/node-user-data.tpl",
 {
 region = data.aws_region.current.name
@@ -53,7 +53,8 @@ resource "aws_launch_configuration" "node" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
diff --git a/proxy_asg.tf b/proxy_asg.tf
index 1e9628f..f954c7e 100644
--- a/proxy_asg.tf
+++ b/proxy_asg.tf
@@ -100,7 +100,7 @@ resource "aws_launch_configuration" "proxy" {
 name_prefix = "${substr(var.cluster_name, 0, 16)}-proxy-"
 image_id = var.ami_id
 instance_type = var.proxy_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/proxy-user-data.tpl",
 {
 region = data.aws_region.current.name
@@ -117,7 +117,8 @@ resource "aws_launch_configuration" "proxy" {
 }
 )
 metadata_options {
- http_tokens = "required"
+ http_endpoint = "enabled"
+ http_tokens = "required"
 }
 root_block_device {
 encrypted = true
From de91df0bae301fff4cdcf2f17fcfd41eb6fb323d Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:28:07 -0400
Subject: [PATCH 2/7] Attempt new proxy ACM validation approach
---
 acm.tf | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/acm.tf b/acm.tf
index 7330785..5d198c5 100644
--- a/acm.tf
+++ b/acm.tf
@@ -18,16 +18,26 @@ resource "aws_acm_certificate" "cert" {
 }
 resource "aws_route53_record" "cert_validation" {
- name = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name
- type = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_type
- zone_id = data.aws_route53_zone.proxy.zone_id
- records = [tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value]
- ttl = 60
- count = var.use_acm ? 1 : 0
+ for_each = {
+ for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+ name = each.value.name
+ records = [each.value.record]
+ type = each.value.type
+ allow_overwrite = true
+ zone_id = data.aws_route53_zone.proxy.zone_id
+
+ depends_on = [
+ aws_acm_certificate.cert
+ ]
 }
 resource "aws_acm_certificate_validation" "cert" {
 certificate_arn = aws_acm_certificate.cert[0].arn
- validation_record_fqdns = [aws_route53_record.cert_validation[0].fqdn]
+ validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 count = var.use_acm ? 1 : 0
 }
From bba16f33f78c59c299cb30f48ed02f61954ec0b0 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:38:21 -0400
Subject: [PATCH 3/7] Attempt new proxy ACM validation approach
---
 acm.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/acm.tf b/acm.tf
index 5d198c5..2a79921 100644
--- a/acm.tf
+++ b/acm.tf
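Review bot: Dropping `count = var.use_acm ? 1 : 0` from aws_route53_record.cert_validation leaves its for_each evaluated unconditionally, while aws_acm_certificate.cert keeps its count (the validation resource in the same hunk still indexes `cert[0]`); with use_acm = false the certificate has no instances, so the for_each expression errors at plan time instead of yielding zero records, and as written here it also lacks the instance index that the acm.tf hunks in patch 4 and patch 6 add. One way to keep the toggle working is `for dvo in try(aws_acm_certificate.cert[0].domain_validation_options, []) : dvo.domain_name => {`, which produces an empty map when the certificate is absent. The `depends_on = [aws_acm_certificate.cert]` block is redundant, since the for_each already references that resource. `allow_overwrite = true` lets Terraform take over any existing record of the same name and type in the zone; that is the usual pattern for ACM validation CNAMEs, but a one-line comment saying so would stop it being read as an accident.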
@@ -18,13 +18,13 @@ resource "aws_acm_certificate" "cert" {
 }
 resource "aws_route53_record" "cert_validation" {
- for_each = {
- for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+ for_each = [
+ for dvo in aws_acm_certificate.cert.domain_validation_options : {
 name = dvo.resource_record_name
 record = dvo.resource_record_value
 type = dvo.resource_record_type
 }
- }
+ ]
 name = each.value.name
 records = [each.value.record]
 type = each.value.type
From 944786c68d12feb59d8e2856124530b542c28aa0 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:52:10 -0400
Subject: [PATCH 4/7] Attempt new proxy ACM validation approach
---
 acm.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/acm.tf b/acm.tf
index 2a79921..149eb78 100644
--- a/acm.tf
+++ b/acm.tf
@@ -18,13 +18,13 @@ resource "aws_acm_certificate" "cert" {
 }
 resource "aws_route53_record" "cert_validation" {
- for_each = [
- for dvo in aws_acm_certificate.cert.domain_validation_options : {
+ for_each = {
+ for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
 name = dvo.resource_record_name
 record = dvo.resource_record_value
 type = dvo.resource_record_type
 }
- ]
+ }
 name = each.value.name
 records = [each.value.record]
 type = each.value.type
From d26c52c62062e52d7fbd4ff6d08049e4f1efe10d Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 00:54:43 -0400
Subject: [PATCH 5/7] No more license file
---
 data.tf | 5 -----
 ssm.tf | 4 ++--
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/data.tf b/data.tf
index c6d0ece..170bfd6 100644
--- a/data.tf
+++ b/data.tf
@@ -8,8 +8,3 @@ data "aws_region" "current" {}
 data "aws_kms_alias" "ssm" {
 name = var.kms_alias_name
 }
-
-# Pick up the license path and make it accessible as a file
-data "local_file" "license" {
- filename = var.license_path
-}
diff --git a/ssm.tf b/ssm.tf
index 436f41d..85b1e8a 100644
--- a/ssm.tf
+++ b/ssm.tf
@@ -3,10 +3,10 @@ // is destroyed, cluster will overwrite them with real values
 resource "aws_ssm_parameter" "license" {
- count = var.license_path != "" ? 1 : 0
+ count = var.teleport_license != "" ? 1 : 0
 name = "/teleport/${var.cluster_name}/license"
 type = "SecureString"
- value = data.local_file.license.content
+ value = var.teleport_license
 overwrite = true
 }
diff --git a/variables.tf b/variables.tf
index 0b190bc..601a568 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,6 +83,12 @@ variable "license_path" {
 default = ""
 }
+variable "teleport_license" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
 # Instance type used for auth autoscaling group
 variable "auth_instance_type" {
 type = string
From 27773a2316f066816b7fc484cfb61d1c28f78162 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 01:18:22 -0400
Subject: [PATCH 6/7] terraform fmt
---
 acm.tf | 10 +++++-----
 auth_asg.tf | 2 +-
 monitor_asg.tf | 4 ++--
 node_asg.tf | 2 +-
 proxy_asg.tf | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/acm.tf b/acm.tf
index 149eb78..d6134f1 100644
--- a/acm.tf
+++ b/acm.tf
@@ -19,11 +19,11 @@ resource "aws_acm_certificate" "cert" {
 resource "aws_route53_record" "cert_validation" {
 for_each = {
- for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
- name = dvo.resource_record_name
- record = dvo.resource_record_value
- type = dvo.resource_record_type
- }
+ for dvo in aws_acm_certificate.cert[0].domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
 }
 name = each.value.name
 records = [each.value.record]
diff --git a/auth_asg.tf b/auth_asg.tf
index 3da9d37..1ff4a4b 100644
--- a/auth_asg.tf
+++ b/auth_asg.tf
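Review bot: `variable "license_path"` (the context line of the variables.tf hunk) is left declared, but after this commit nothing visible in the series reads it: the local_file data source in data.tf is removed and ssm.tf now keys both `count` and `value` off `var.teleport_license`. A caller still passing `license_path` therefore gets a cluster with no license parameter and no error from terraform plan. If the variable cannot be removed yet, a validation block that rejects a non-empty value makes the migration explicit; the `variable "license_path"` block starts outside the hunk. The `sensitive = true` on the new teleport_license variable is correct, since the value is written to a SecureString parameter and should not appear in plan output.
```hcl
variable "license_path" {
  # … unchanged: type and default …
  validation {
    condition     = var.license_path == ""
    error_message = "license_path is no longer used; pass the license contents via teleport_license instead."
  }
}
```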
@@ -47,7 +47,7 @@ resource "aws_launch_configuration" "auth" {
 name_prefix = "${substr(var.cluster_name, 0, 16)}-auth-"
 image_id = var.ami_id
 instance_type = var.auth_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/auth-user-data.tpl",
 {
 region = data.aws_region.current.name
diff --git a/monitor_asg.tf b/monitor_asg.tf
index 2cb8421..23ceb25 100644
--- a/monitor_asg.tf
+++ b/monitor_asg.tf
@@ -85,7 +85,7 @@ resource "aws_launch_configuration" "monitor" {
 name_prefix = "${var.cluster_name}-monitor-"
 image_id = var.ami_id
 instance_type = var.monitor_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/monitor-user-data.tpl",
 {
 region = data.aws_region.current.name
@@ -117,7 +117,7 @@ resource "aws_security_group" "monitor" {
 name = "${var.cluster_name}-monitor"
 description = "SG for ${var.cluster_name}-monitor"
 vpc_id = local.vpc_id
- tags = {
+ tags = {
 TeleportCluster = var.cluster_name
 }
 }
diff --git a/node_asg.tf b/node_asg.tf
index d9ac5f8..8f004a4 100644
--- a/node_asg.tf
+++ b/node_asg.tf
@@ -41,7 +41,7 @@ resource "aws_launch_configuration" "node" {
 name_prefix = "${var.cluster_name}-node-"
 image_id = var.ami_id
 instance_type = var.node_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/node-user-data.tpl",
 {
 region = data.aws_region.current.name
diff --git a/proxy_asg.tf b/proxy_asg.tf
index f954c7e..dd79d95 100644
--- a/proxy_asg.tf
+++ b/proxy_asg.tf
@@ -100,7 +100,7 @@ resource "aws_launch_configuration" "proxy" {
 name_prefix = "${substr(var.cluster_name, 0, 16)}-proxy-"
 image_id = var.ami_id
 instance_type = var.proxy_instance_type
- user_data = templatefile(
+ user_data = templatefile(
 "${path.module}/proxy-user-data.tpl",
 {
 region = data.aws_region.current.name
From 317bc5eb685f1be74a74e4ac5326d5d22e6ff371 Mon Sep 17 00:00:00 2001
From: Dima Ilchenko <dima@goteleport.com>
Date: Fri, 28 Oct 2022 11:24:52 -0400
Subject: [PATCH 7/7] Add comment to variable
---
 variables.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/variables.tf b/variables.tf
index 601a568..76c6352 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,6 +83,7 @@ variable "license_path" {
 default = ""
 }
+# Contents of the Teleport Enterprise license to be used for the cluster
 variable "teleport_license" {
 type = string
 default = ""