Bastion (#64)

* Upgrade to tf 0.14

* Make admin key pair

* Configure bastion

* Fix DNS records

* Fix comment

terraform/README.md

@@ -16,6 +16,10 @@ We use [Terraform](https://www.terraform.io/docs/index.html) to manage our infra
 
 Contains configuration to create a terraform S3 backend. `provider.tf` in is configured to use the remote S3 backend.
 
+## bastion
+
+Configures a bastion that allows Team Leads to exec into pods (normally to run manage.py commands).
+
 ## db-backup.tf
 
 Grants the `db-backup` IAM role access to the `sql.pennlabs.org` S3 bucket.

terraform/bastion.tf

@@ -0,0 +1,54 @@
+// IAM
+resource "aws_iam_instance_profile" "bastion" {
+  name = "bastion"
+  role = aws_iam_role.kubectl.name
+}
+
+// EC2 Instance
+resource "aws_instance" "bastion" {
+  // Ubuntu 20.04 Server
+  ami                    = "ami-042e8287309f5df03"
+  instance_type          = "t3.nano"
+  subnet_id              = module.vpc.public_subnets[0]
+  vpc_security_group_ids = [aws_security_group.bastion.id]
+  iam_instance_profile   = aws_iam_instance_profile.bastion.name
+  key_name               = aws_key_pair.admin.key_name
+  user_data = templatefile("files/bastion/user_data.sh", {
+    CONTAIN_EXEC_ENTRY  = file("files/bastion/container_exec_entry.sh")
+    CONTAIN_EXEC        = file("files/bastion/container_exec.sh")
+    SSH_AUTHORIZED_KEYS = file("files/bastion/ssh_authorized_keys")
+  })
+  tags = {
+    Name       = "Bastion"
+    created-by = "terraform"
+  }
+}
+
+resource "aws_security_group" "bastion" {
+  name        = "bastion"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  // SSH
+  ingress {
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  // Access to internet (can't restrict to just the cluster
+  // because we need to download tools on first startup)
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name       = "Bastion"
+    created-by = "terraform"
+  }
+}

terraform/eks.tf

@@ -63,10 +63,17 @@ data "aws_iam_policy_document" "kubectl" {
   statement {
     actions = ["sts:AssumeRole"]
 
+    // Allow users to assume role
     principals {
       identifiers = concat([for member in local.platform_members : aws_iam_user.platform[member].arn], [aws_iam_user.gh-actions.arn])
       type        = "AWS"
     }
+
+    // Allow bastion instance to assume role
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
   }
 }
 

terraform/files/bastion/container_exec.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Need to escape all $ because of TF formatting
+# Disable environment type since staging doesn't exist yet
+# echo -n "Would you like to connect to staging or production? [production] "
+# read dep_type
+
+# if [ -z \$dep_type ] || [ \$dep_type == "production" ] || [ \$dep_type == "prod" ]; then
+# 	namespace="default"
+# elif [ \$dep_type == "staging" ]; then
+# 	namespace="staging"
+# else
+#   echo "Please enter nothing, production, prod, or staging. You entered: \${dep_type}"
+#   echo "Press enter to exit"
+#   read dummy
+# 	exit 1
+# fi
+namespace="default"
+
+echo "List of deployments: "
+kubectl get deployment -n \$namespace
+
+echo -n "Enter deployment name: "
+read dep_name
+
+kubectl exec -it -n \$namespace \$(kubectl get pod -n \$namespace | grep \$dep_name | head -n 1 | cut -d " " -f 1) -- /bin/bash
+echo "Press enter to exit"
+read

terraform/files/bastion/container_exec_entry.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Need to escape all $ because of TF formatting
+if [[ \$2 == "startexec" ]]; then
+  container_exec.sh
+  exit \$?
+fi
+
+echo "List of active sessions:"
+
+tmux ls 2>/dev/null || echo "No active sessions"
+
+echo -n "Enter session name: "
+
+read session_name
+
+tmux has-session -t \$session_name 2>/dev/null
+
+
+if [[ \$? != 0 ]]; then
+  tmux new -s \$session_name "startexec"
+else
+  tmux attach -t \$session_name
+fi