update, not done yet

ec2-test-instance/README.md

@@ -20,13 +20,16 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_role"></a> [role](#module\_role) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+| <a name="module_sg"></a> [sg](#module\_sg) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom | tf-upgrade |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_instance.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_key_pair.keypair](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
+| [local_file.ip_addresses_full](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [local_file.ip_addresses_full_json](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.test_addresses](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [null_resource.generate_keypair](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_ami.test_arm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
@@ -38,23 +41,9 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
-| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
-| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
-| <a name="input_bootstrap_commands"></a> [bootstrap\_commands](#input\_bootstrap\_commands) | List of commands to pass to the instance over SSH | `list(string)` | `[]` | no |
 | <a name="input_enable_bootstrap"></a> [enable\_bootstrap](#input\_enable\_bootstrap) | Flag to enable or disable bootstrap (yum and awscli setup) | `bool` | `true` | no |
 | <a name="input_enable_instances"></a> [enable\_instances](#input\_enable\_instances) | Flag to enable or disable creation of EC2 key and instances | `bool` | `true` | no |
 | <a name="input_instance_count"></a> [instance\_count](#input\_instance\_count) | Number to indicate how many instances (up to subnet-count x az-count) | `number` | `null` | no |
-| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
-| <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
-| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
-| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
-| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
-| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
-| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
-| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
 
 ## Outputs
 

ec2-test-instance/bin/install-ssm.sh

@@ -1,14 +1,14 @@
 #!/bin/bash -x
 
-VERSION="1.3.0"
+VERSION="1.3.2"
 
 echo "# starring install-ssm.sh v$VERSION at $(date)"
 
 echo "# disabling root password"
 passwd -d root
 
 echo "# installing packages"
-sudo yum install -y iperf3 bind-utils curl nc awscli jq lsof policycoreutils-python
+sudo yum install -y --skip-broken iperf3 bind-utils curl nc awscli jq lsof policycoreutils-python
 
 echo "# configuring AWS CLI" 
 REGION=$(curl --silent http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
@@ -24,7 +24,17 @@ sudo systemctl enable amazon-ssm-agent
 sudo systemctl start amazon-ssm-agent
 sudo systemctl status amazon-ssm-agent
 
-echo "# setp iperf3 service"
+echo "# setup sysctl"
+cat > /etc/sysctl.d/10-iperf3-sysctl.conf <<EOF
+net.core.wmem_max = 4194304
+net.core.rmem_max = 12582912
+net.ipv4.tcp_rmem = 4096 87380 4194304
+net.ipv4.tcp_wmem = 4096 87380 4194304
+EOF
+
+/sbin/sysctl -p /etc/sysctl.d/10-iperf3-sysctl.conf
+
+echo "# setup iperf3 service"
 sudo adduser iperf3 -s /sbin/nologin
 
 cat > /tmp/iperf3.service <<EOF
@@ -40,7 +50,7 @@ ExecStop=/usr/bin/kill -KILL $MAINPID
 Restart=on-abort
 
 [Install]
-WantedBy=multi-user.targetEOF
+WantedBy=multi-user.target
 EOF
 
 sudo cp /tmp/iperf3.service /etc/systemd/system/iperf3.service
@@ -78,8 +88,9 @@ EOF
 sudo cp /tmp/iperf3@.service /etc/systemd/system/iperf3@.service
 rm /tmp/iperf3@.service
 
-sudo systemctl daemon-reload && sleep 1
-for i in {5202..52010} do
-  sudo systemctl start iperf3@$i.service
-  sudo systemctl enable iperf3@$i.service
+sudo systemctl daemon-reload && sleep 2
+for i in {5202..5210} 
+do
+  sudo systemctl start iperf3@${i}.service
+  sudo systemctl enable iperf3@${i}.service
 done

ec2-test-instance/bin/show-tunnel-status.sh

@@ -27,16 +27,37 @@ then
   echo "## VPN"
   aws --profile $PROFILE --region $REGION ec2 describe-vpn-connections --filters Name=tag:Name,Values="$VPC" --output text|grep -iE "VGW|TAG.*Name|customer.*cgw-"
   echo "## Routes"
-  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}private*" --output text|grep -iE "^TAGS.*Name|vgw"
+  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}*private*" --output text|grep -iE "^TAGS.*Name|vgw"
+  echo "## TGW Routes"
+#  aws --profile $PROFILE --region $REGION ec2 describe-transit-gateway-route-tables --filters Name=tag:Name,Values="*vpn*${VPC}*" --output text|grep -iE "^TAGS.*Name|tgw|^ROUTE"
+  for rt in $(aws --profile $PROFILE --region $REGION ec2 describe-transit-gateway-route-tables --filters Name=tag:Name,Values="*vpn*${VPC}*" --output text|grep ^TRA|awk '{print $7}')
+  do
+    echo "> tgw-route-table $rt"
+    aws --profile $PROFILE --region $REGION ec2 search-transit-gateway-routes  --transit-gateway-route-table-id $rt --filters Name=type,Values=propagated --output text|grep ^ROUTE
+  done
 elif [ "$FULL" == "json" ]
 then
   echo "## VPN.json"
   aws --profile $PROFILE --region $REGION ec2 describe-vpn-connections --filters Name=tag:Name,Values="$VPC" --output json
   echo "## Routes.json"
-  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}private*" --output json
+  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}*private*" --output json
+  echo "## TGW Routes.json"
+#  aws --profile $PROFILE --region $REGION ec2 describe-transit-gateway-route-tables --filters Name=tag:Name,Values="*vpn*${VPC}*" --output json
+  for rt in $(aws --profile $PROFILE --region $REGION ec2 describe-transit-gateway-route-tables --filters Name=tag:Name,Values="*vpn*${VPC}*" --output text|grep ^TRA|awk '{print $7}')
+  do
+    echo "> tgw-route-table $rt"
+    aws --profile $PROFILE --region $REGION ec2 search-transit-gateway-routes  --transit-gateway-route-table-id $rt --filters Name=type,Values=propagated --output json
+  done
 else
   echo "## VPN.full"
   aws --profile $PROFILE --region $REGION ec2 describe-vpn-connections --filters Name=tag:Name,Values="$VPC" --output text
   echo "## Routes.full"
-  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}private*" --output text
+  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}*private*" --output text
+  echo "## TGW Routes.full"
+#  aws --profile $PROFILE --region $REGION ec2 describe-transit-gateway-route-tables --filters Name=tag:Name,Values="*vpn*${VPC}*" --output text
+  for rt in $(aws --profile $PROFILE --region $REGION ec2 describe-transit-gateway-route-tables --filters Name=tag:Name,Values="*vpn*${VPC}*" --output text|grep ^TRA|awk '{print $7}')
+  do
+    echo "> tgw-route-table $rt"
+    aws --profile $PROFILE --region $REGION ec2 search-transit-gateway-routes  --transit-gateway-route-table-id $rt --filters Name=type,Values=propagated --output text
+  done
 fi

ec2-test-instance/ec2-role.tf

@@ -10,11 +10,16 @@ data "aws_iam_policy" "ssm_policies" {
   name     = each.key
 }
 
+#data "aws_iam_policy" "bucket" {
+#  name = "p-tgw-testing"
+#}
+
 module "role" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
 
-  role_name               = local.ec2_role_name
-  create                  = var.enable_instances
+  role_name = local.ec2_role_name
+  create    = var.enable_instances
+  #  attached_policies       = concat([for k, v in data.aws_iam_policy.ssm_policies : v.arn],[data.aws_iam_policy.bucket.arn])
   attached_policies       = [for k, v in data.aws_iam_policy.ssm_policies : v.arn]
   enable_instance_profile = true
   assume_policy_document  = data.terraform_remote_state.common.outputs.custom_policy_documents["ec2_assume"].policy

ec2-test-instance/ec2.tf

@@ -1,5 +1,18 @@
 # https://cloudanddevopstech.com/2020/11/01/terraform-aws-ec2-with-ssm-agent-installed/
 
+locals {
+  bootstrap_commands = [
+    #      "sudo bash /tmp/bootstrap.sh /tmp/${var.git_deploy_path} ${local.bootstrap_args} |& tee /tmp/bootstrap.log",
+    "sleep 60",
+    "sudo yum install -y iperf3 bind-utils curl nc awscli",
+    # set region in default profile
+    "aws configure --profile default set region ${local.region}",
+    "aws configure --profile default set output json",
+    "sudo aws configure --profile default set region ${local.region}",
+    "sudo aws configure --profile default set output json",
+  ]
+}
+
 resource "aws_instance" "test" {
   for_each = var.enable_instances ? { for k, v in local.private_subnets_id_list : k => local.private_subnets_id_map[v.label] } : {}
 
@@ -8,7 +21,7 @@ resource "aws_instance" "test" {
   availability_zone      = each.value.availability_zone
   key_name               = local.key_name
   subnet_id              = each.value.id
-  vpc_security_group_ids = local.security_groups
+  vpc_security_group_ids = concat(local.security_groups, [module.sg.this_security_group_id])
   iam_instance_profile   = module.role.instance_profile_name
 
   root_block_device {
@@ -19,7 +32,7 @@ resource "aws_instance" "test" {
   }
 
   provisioner "remote-exec" {
-    inline     = var.enable_bootstrap && length(var.bootstrap_commands) > 0 ? var.bootstrap_commands : []
+    inline     = var.enable_bootstrap ? local.bootstrap_commands : []
     on_failure = continue
 
     connection {
@@ -28,11 +41,11 @@ resource "aws_instance" "test" {
       host        = self.private_ip
       agent       = false
       private_key = file("${path.root}/setup/${local.key_name}")
-      timeout     = var.enable_bootstrap && length(var.bootstrap_commands) > 0 ? "5m" : "5s"
+      timeout     = var.enable_bootstrap && length(local.bootstrap_commands) > 0 ? "5m" : "5s"
     }
   }
 
-  user_data = file("${path.module}/bin/install-ssm.sh")
+  user_data = file("${path.root}/install-ssm.sh")
 
   volume_tags = merge(
     local.common_tags,
@@ -43,6 +56,10 @@ resource "aws_instance" "test" {
     local.common_tags,
     tomap({ "Name" = format("%v-test-%v.%v", local.vpc_short_name, each.key, var.vpc_domain_name) }),
   )
+
+  lifecycle {
+    ignore_changes = [ami]
+  }
 }
 
 output "test_instances" {
@@ -56,6 +73,39 @@ output "test_instances" {
 }
 
 resource "local_file" "test_addresses" {
-  content  = templatefile("${path.root}/templates/test-ips.txt.tpl", { instances = aws_instance.test })
-  filename = "${path.root}/test-ips.txt"
+  content = templatefile("${path.root}/templates/test-ips.txt.tpl", {
+    instances     = aws_instance.test
+    account_id    = var.account_id
+    account_alias = var.account_alias
+    region        = local.region
+    vpc_name      = local.vpc_short_name
+  })
+  filename        = "${path.root}/test-ips.txt"
+  file_permission = "0644"
+}
+
+resource "local_file" "ip_addresses_full" {
+  content = templatefile("${path.root}/templates/ip-addresses-full.txt.tpl", {
+    instances     = aws_instance.test
+    account_id    = var.account_id
+    account_alias = var.account_alias
+    region        = local.region
+    vpc_name      = local.vpc_short_name
+    name_prefix   = "test"
+  })
+  filename        = "${path.root}/ip-addresses-full.txt"
+  file_permission = "0644"
+}
+
+resource "local_file" "ip_addresses_full_json" {
+  content = templatefile("${path.root}/templates/ip-addresses-full.json.tpl", {
+    instances     = aws_instance.test
+    account_id    = var.account_id
+    account_alias = var.account_alias
+    region        = local.region
+    vpc_name      = local.vpc_short_name
+    name_prefix   = "test"
+  })
+  filename        = "${path.root}/ip-addresses-full.json"
+  file_permission = "0644"
 }

ec2-test-instance/etc/sysctl.d/10-iperf3-sysctl.conf

@@ -0,0 +1,4 @@
+net.core.wmem_max = 4194304
+net.core.rmem_max = 12582912
+net.ipv4.tcp_rmem = 4096 87380 4194304
+net.ipv4.tcp_wmem = 4096 87380 4194304

ec2-test-instance/locals.tf

@@ -1,3 +1,4 @@
 locals {
-  vpc_outputs = data.terraform_remote_state.vpc_west_vpc1.outputs
+  vpc_outputs = data.terraform_remote_state.vpc_east_vpc1.outputs
+  account_id  = data.aws_caller_identity.current.account_id
 }

ec2-test-instance/region.tf

@@ -1,4 +1,3 @@
 locals {
   region = var.region
 }
-

ec2-test-instance/settings.tf

@@ -1,4 +1,5 @@
 locals {
+  vpc_outputs    = data.terraform_remote_state.vpc_east_vpc1.outputs
   vpc_short_name = local.vpc_outputs.vpc_info["vpc_short_name"]
 
   private_subnets_ids    = local.vpc_outputs.private_subnets_ids

ec2-test-instance/sg.tf

@@ -0,0 +1,18 @@
+module "sg" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom?ref=tf-upgrade"
+
+  vpc_id            = local.vpc_id
+  name              = format("%v-test", local.vpc_short_name)
+  description       = format("Security group for %v-test", local.vpc_short_name)
+  short_description = "testing"
+  ingress_port_list = [
+    [5201, 5210, "tcp", "iperf3", ["0.0.0.0/0"]],
+    [5201, 5210, "udp", "iperf3", ["0.0.0.0/0"]],
+    [8080, 8080, "tcp", "http", ["0.0.0.0/0"]],
+    [8443, 8443, "tcp", "https", ["0.0.0.0/0"]],
+  ]
+  tags = merge(
+    local.common_tags,
+    tomap({ "Name" = format("%v-test", local.vpc_short_name) }),
+  )
+}

ec2-test-instance/templates/ip-addresses-full.json.tpl

@@ -0,0 +1,17 @@
+[
+%{ for k,v in instances ~}
+  {
+    "label": "${k}",
+    "hostname": "${vpc_name}-${name_prefix}-${k}",
+    "fqdn": "${v.tags.Name}",
+    "account_id": "${account_id}",
+    "account_alias":  "${account_alias}",
+    "region": "${region}",
+    "vpc_name": "${vpc_name}"
+    "availability_zone": "${v.availability_zone}",
+    "ip_address": "${v.private_ip}",
+    "instance_id": "${v.id}"
+  }
+%{ if length(instances)>1 },%{ endif ~}
+%{ endfor ~}
+]

ec2-test-instance/templates/ip-addresses-full.txt.tpl

@@ -0,0 +1,3 @@
+%{ for k,v in instances ~}
+${account_id} ${account_alias} ${region} ${vpc_name} ${v.availability_zone} ${v.private_ip} ${vpc_name}-${name_prefix}-${k} ${v.id}
+%{ endfor ~}

ec2-test-instance/tf-run.data

@@ -1,17 +1,20 @@
-VERSION 1.1.3
+VERSION 1.1.7
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
 null_resource.generate_keypair
 COMMAND tf-directory-setup.py -l s3
 
+COMMAND rm provider.infoblox.*
 COMMAND ln -sf ../variables.vpc.auto.tfvars .
 COMMAND ln -sf ../variables.vpc.tf .
 LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
 LINKTOP provider_configs.d/provider.ldap_new.tf
 LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+## LINKTOP vpc/apps/tgw-testing/remote_state.vpc_apps_tgw-testing.tf
 
+module.sg
 ALL
 
 COMMENT   echo *-keypair >> .gitignore

ec2-test-instance/variables.tf

@@ -10,12 +10,6 @@ variable "enable_bootstrap" {
   default     = true
 }
 
-variable "bootstrap_commands" {
-  description = "List of commands to pass to the instance over SSH"
-  type        = list(string)
-  default     = []
-}
-
 variable "instance_count" {
   description = "Number to indicate how many instances (up to subnet-count x az-count)"
   type        = number