new ec2-test-instance

ec2-test-instance/.gitignore

@@ -0,0 +1 @@
+setup/*-keypair

ec2-test-instance/.terraform-docs.yml

@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true

ec2-test-instance/README.md

@@ -0,0 +1,65 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_role"></a> [role](#module\_role) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_instance.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_key_pair.keypair](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
+| [local_file.test_addresses](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [null_resource.generate_keypair](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ami.test_arm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ami.test_x86](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_iam_policy.ssm_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_security_groups.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_groups) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
+| <a name="input_bootstrap_commands"></a> [bootstrap\_commands](#input\_bootstrap\_commands) | List of commands to pass to the instance over SSH | `list(string)` | `[]` | no |
+| <a name="input_enable_bootstrap"></a> [enable\_bootstrap](#input\_enable\_bootstrap) | Flag to enable or disable bootstrap (yum and awscli setup) | `bool` | `true` | no |
+| <a name="input_enable_instances"></a> [enable\_instances](#input\_enable\_instances) | Flag to enable or disable creation of EC2 key and instances | `bool` | `true` | no |
+| <a name="input_instance_count"></a> [instance\_count](#input\_instance\_count) | Number to indicate how many instances (up to subnet-count x az-count) | `number` | `null` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
+| <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_keypair"></a> [keypair](#output\_keypair) | EC2 keypair for test instances |
+| <a name="output_test_instances"></a> [test\_instances](#output\_test\_instances) | Details about test instances |
+<!-- END_TF_DOCS -->

ec2-test-instance/bin/do-iperf.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+for f in $(awk '{print $2}' ips.txt); do echo "# from $(hostname) to $(grep $f ips.txt)"; iperf3 -c $f -t 60 -T "$(hostname -s)->$f"; done | tee iperf.$(date +%s).log

ec2-test-instance/bin/do-ping.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+for f in $(awk '{print $2}' ips.txt); do echo "# from $(hostname) to $(grep $f ips.txt)"; ping -c 10 $f; echo ""; done |& tee pings.$(date +%s).log

ec2-test-instance/bin/install-ssm.sh

@@ -0,0 +1,85 @@
+#!/bin/bash -x
+
+VERSION="1.3.0"
+
+echo "# starring install-ssm.sh v$VERSION at $(date)"
+
+echo "# disabling root password"
+passwd -d root
+
+echo "# installing packages"
+sudo yum install -y iperf3 bind-utils curl nc awscli jq lsof policycoreutils-python
+
+echo "# configuring AWS CLI" 
+REGION=$(curl --silent http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+aws configure --profile default set region $REGION
+aws configure --profile default set output json
+sudo aws configure --profile default set region $REGION
+sudo aws configure --profile default set output json
+
+echo "# setup ssm"
+
+sudo yum install -y https://s3.$REGION.amazonaws.com/amazon-ssm-$REGION/latest/linux_amd64/amazon-ssm-agent.rpm
+sudo systemctl enable amazon-ssm-agent
+sudo systemctl start amazon-ssm-agent
+sudo systemctl status amazon-ssm-agent
+
+echo "# setp iperf3 service"
+sudo adduser iperf3 -s /sbin/nologin
+
+cat > /tmp/iperf3.service <<EOF
+[Unit]
+Description=iperf3 Service
+After=network.target
+
+[Service]
+Type=forking
+# User=iperf3
+ExecStart=/usr/bin/iperf3 -s -D
+ExecStop=/usr/bin/kill -KILL $MAINPID
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.targetEOF
+EOF
+
+sudo cp /tmp/iperf3.service /etc/systemd/system/iperf3.service
+rm /tmp/iperf3.service
+
+sudo systemctl daemon-reload && sleep 1
+sudo systemctl start iperf3.service
+sudo systemctl enable iperf3.service
+# sudo systemctl status iperf3
+
+echo "# setup iperf3@ service"
+
+cat > /tmp/iperf3@.service <<EOF
+[Unit]
+Description=iperf3 Service on port %i
+After=network.target
+
+[Service]
+Type=forking
+# User=iperf3
+# PermissionsStartOnly=true
+# ExecStartPre=-/usr/bin/mkdir -p /var/run/iperf3
+# ExecStartPre=/usr/bin/chown iperf3 /var/run/iperf3
+## this -I only works on a newer version of iperf3 (amazon linux2)
+# ExecStart=/usr/bin/iperf3 -s -D -p %i -I /var/run/iperf3/iperf3.%i.pid
+ExecStart=/usr/bin/iperf3 -s -D -p %i
+ExecStop=/usr/bin/kill -KILL $MAINPID
+# PIDFile=/var/run/iperf3/iperf3.%i.pid
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+sudo cp /tmp/iperf3@.service /etc/systemd/system/iperf3@.service
+rm /tmp/iperf3@.service
+
+sudo systemctl daemon-reload && sleep 1
+for i in {5202..52010} do
+  sudo systemctl start iperf3@$i.service
+  sudo systemctl enable iperf3@$i.service
+done

ec2-test-instance/bin/run-iperf3.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+TRY=$1
+if [ -z $TRY ]
+then
+  TRY=$(date +%s)
+fi
+
+for f in $(cat test-ips.txt)
+do
+  iperf3 -p 5001 -t 60 -c $f > iperf3.$f.${TRY}_5001.log 2>&1 &
+  iperf3 -p 5002 -t 60 -c $f > iperf3.$f.${TRY}_5002.log 2>&1 &
+  iperf3 -p 5003 -t 60 -c $f > iperf3.$f.${TRY}_5003.log 2>&1 &
+done

ec2-test-instance/bin/show-tunnel-status.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+PROFILE=$1
+if [ -z $PROFILE ]
+then
+  echo "* missing profile"
+  exit 1
+fi
+
+REGION=$2
+if [ -z $REGION ]
+then
+  echo "* missing region"
+  exit 1
+fi
+
+VPC=$3
+if [ -z "$VPC" ]
+then
+  VPC="*vpc3*"
+fi
+
+echo "* using profile $PROFILE region $REGION for VPC filter $VPC"
+
+if [ -z "$FULL" ]
+then
+  echo "## VPN"
+  aws --profile $PROFILE --region $REGION ec2 describe-vpn-connections --filters Name=tag:Name,Values="$VPC" --output text|grep -iE "VGW|TAG.*Name|customer.*cgw-"
+  echo "## Routes"
+  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}private*" --output text|grep -iE "^TAGS.*Name|vgw"
+elif [ "$FULL" == "json" ]
+then
+  echo "## VPN.json"
+  aws --profile $PROFILE --region $REGION ec2 describe-vpn-connections --filters Name=tag:Name,Values="$VPC" --output json
+  echo "## Routes.json"
+  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}private*" --output json
+else
+  echo "## VPN.full"
+  aws --profile $PROFILE --region $REGION ec2 describe-vpn-connections --filters Name=tag:Name,Values="$VPC" --output text
+  echo "## Routes.full"
+  aws --profile $PROFILE --region $REGION ec2 describe-route-tables --filters Name=tag:Name,Values="${VPC}private*" --output text
+fi

ec2-test-instance/bin/test-ping.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+DURATION=$1
+if [ -z $DURATION ]
+then
+  DURATION=15
+fi
+COUNT=$(( $DURATION * 60 ))
+if [ $COUNT == 0 ]
+then
+  COUNT=60
+fi
+
+STAMP=$(date "+%Y%m%d.%s")
+start=$(date +%s)
+
+echo "* running ping with count=$COUNT at $(date) start=$start"
+
+TIMEOUT=$(( $COUNT * 2 ))
+
+for f in $(cat test-ips.txt)
+do
+  echo "  * host $f"
+  ping -c $COUNT -w $TIMEOUT  $f > ping.$f.$STAMP.log 2>&1 &
+done
+
+end=$(date +%s)
+elapsed=$(( $end - $start ))
+
+echo "* done running ping with count=$COUNT at $(date) start=$start end=$end elapsed=$elapsed"

ec2-test-instance/bin/test-ssh.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+DURATION=$1
+if [ -z $DURATION ]
+then
+  DURATION=5
+fi
+
+STAMP=$(date "+%Y%m%d.%s")
+start=$(date +%s)
+
+TIMEOUT=$DURATION
+
+KEYPAIR=$(ls setup/*-keypair)
+echo "* running ssh timeout=$TIMEOUT with keypair=$KEYPAIR at $(date) start=$start"
+
+count=1
+ecount=0
+for f in $(cat test-ips.txt)
+do
+  echo "  * $count host $f"
+  SSH_AUTH_SOCK="" timeout $TIMEOUT ssh $SSH_OPTIONS -o StrictHostKeyChecking=false -o IdentityFile=$KEYPAIR  ec2-user@$f "hostname -f; date +%s"
+  status=$?
+  if [ $status != 0 ]
+  then
+    ecount=$(( $ecount + 1 ))
+  fi
+  count=$(( $count + 1 ))
+done
+
+end=$(date +%s)
+elapsed=$(( $end - $start ))
+
+echo "* done running ssh at $(date) count=$count error_count=$ecount start=$start end=$end elapsed=$elapsed"

ec2-test-instance/data.tf

@@ -0,0 +1,55 @@
+data "aws_ami" "test_x86" {
+  most_recent = true
+  owners      = ["self", "amazon", "aws-marketplace"]
+
+  filter {
+    name   = "description"
+    values = ["Amazon Linux 2*"]
+  }
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+data "aws_ami" "test_arm" {
+  most_recent = true
+  owners      = ["self", "amazon", "aws-marketplace"]
+
+  filter {
+    name   = "description"
+    values = ["Amazon Linux 2*"]
+  }
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+  filter {
+    name   = "architecture"
+    values = ["arm64"]
+  }
+}
+
+data "aws_security_groups" "test" {
+  filter {
+    name   = "vpc-id"
+    values = [local.vpc_id]
+  }
+  filter {
+    name   = "group-name"
+    values = ["*linux*"]
+  }
+}
+