From a4752961dbc03ae365366156f6cc3eb83ce88e89 Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Wed, 24 Aug 2022 14:37:53 +0200
Subject: [PATCH] nginx-tls module
---
 .../nginx-tls/README.md | 61 +++++++++++++++++++
 .../nginx-tls/files/customize.sh | 18 ++++++
 .../nginx-tls/files/default.conf | 20 ++++++
 .../cloud-config-container/nginx-tls/main.tf | 58 ++++++++++++++++++
 .../nginx-tls/outputs.tf | 20 ++++++
 .../nginx-tls/variables.tf | 27 ++++++++
 .../nginx-tls/versions.tf | 29 +++++++++
 7 files changed, 233 insertions(+)
 create mode 100644 modules/cloud-config-container/nginx-tls/README.md
 create mode 100644 modules/cloud-config-container/nginx-tls/files/customize.sh
 create mode 100644 modules/cloud-config-container/nginx-tls/files/default.conf
 create mode 100644 modules/cloud-config-container/nginx-tls/main.tf
 create mode 100644 modules/cloud-config-container/nginx-tls/outputs.tf
 create mode 100644 modules/cloud-config-container/nginx-tls/variables.tf
 create mode 100644 modules/cloud-config-container/nginx-tls/versions.tf
diff --git a/modules/cloud-config-container/nginx-tls/README.md b/modules/cloud-config-container/nginx-tls/README.md
new file mode 100644
index 00000000..bf31d666
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/README.md
@@ -0,0 +1,61 @@
+# Containerized Nginx with self-signed TLS on Container Optimized OS
+
+This module manages a `cloud-config` configuration that starts a containerized Nginx with a self-signed TLS cert on Container Optimized OS.
+This can be useful if you need quickly a VM or instance group answering HTTPS for prototyping.
+
+The generated cloud config is rendered in the `cloud_config` output, and is meant to be used in instances or instance templates via the `user-data` metadata.
+
+This module depends on the [`cos-generic-metadata` module](../cos-generic-metadata) being in the parent folder. If you change its location be sure to adjust the `source` attribute in `main.tf`.
+
+## Examples
+
+### Default configuration
+
+```hcl
+# Nginx with self-signed TLS config
+module "cos-nginx-tls" {
+ source = "./modules/cloud-config-container/nginx-tls"
+}
+
+# COS VM
+module "vm-nginx-tls" {
+ source = "./modules/compute-vm"
+ project_id = local.project_id
+ zone = local.zone
+ name = "cos-nginx-tls"
+ network_interfaces = [{
+ network = local.vpc.self_link,
+ subnetwork = local.vpc.subnet_self_link,
+ nat = false,
+ addresses = null
+ }]
+
+ metadata = {
+ user-data = module.cos-nginx-tls.cloud_config
+ }
+
+ boot_disk = {
+ image = "projects/cos-cloud/global/images/family/cos-stable"
+ type = "pd-ssd"
+ size = 10
+ }
+
+ service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+}
+```
+
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | bool | | true |
+| [nginx_image](variables.tf#L17) | Nginx container image to use. | string | | "nginx:1.23.1" |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
+
+
diff --git a/modules/cloud-config-container/nginx-tls/files/customize.sh b/modules/cloud-config-container/nginx-tls/files/customize.sh
new file mode 100644
index 00000000..29720345
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/files/customize.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+HOSTNAME=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/hostname)
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj /CN=$HOSTNAME/ -keyout /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt
+sed -i "s/HOSTNAME/${HOSTNAME}/" /etc/nginx/conf.d/default.conf
\ No newline at end of file
diff --git a/modules/cloud-config-container/nginx-tls/files/default.conf b/modules/cloud-config-container/nginx-tls/files/default.conf
new file mode 100644
index 00000000..b928902a
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/files/default.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ listen 443 ssl;
+ server_name HOSTNAME;
+ ssl_certificate /etc/ssl/self-signed.crt;
+ ssl_certificate_key /etc/ssl/self-signed.key;
+
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
\ No newline at end of file
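Review bot: The metadata lookup on the `HOSTNAME=$(curl -s …)` line is never checked, so a failed or empty response silently produces a certificate with an empty CN and a `sed` that rewrites `server_name HOSTNAME;` into `server_name ;`, which nginx rejects when the service starts; the script also has no `set -e`, so the later commands run regardless of earlier failures. I would fail fast on a missing hostname and quote the expansion in `-subj` rather than leaving it bare. The private key is written with `-nodes` into /etc/ssl and the file mode openssl applies to `-keyout` is not visible here, so an explicit `chmod 600` on the key file makes its permissions deterministic regardless of the root umask cloud-init runs with.
```shell
set -euo pipefail
HOSTNAME=$(curl -fsS -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/hostname)
[ -n "$HOSTNAME" ] || { echo "customize.sh: instance hostname not available from metadata" >&2; exit 1; }
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=${HOSTNAME}/" -keyout /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt
chmod 600 /etc/ssl/self-signed.key
# … unchanged: sed substitution of HOSTNAME into default.conf …
```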
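Review bot: The `server` block sets no `ssl_protocols`, so the TLS versions accepted are whatever the pulled nginx image's build default is (older 1.23.x releases still enabled TLSv1 and TLSv1.1 by default, if I recall correctly); for a module whose stated purpose is TLS I would pin `ssl_protocols TLSv1.2 TLSv1.3;` right after the `ssl_certificate_key` line so the behaviour does not depend on the image tag. `listen 80;` serves the same content in plaintext from the same block instead of redirecting, which is acceptable for prototyping but should be stated, e.g. `# port 80 serves the same content unencrypted; replace with a 301 to https:// if plaintext is undesired`. The doubled blank line after `ssl_certificate_key` looks accidental.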
diff --git a/modules/cloud-config-container/nginx-tls/main.tf b/modules/cloud-config-container/nginx-tls/main.tf
new file mode 100644
index 00000000..ae668cc7
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/main.tf
@@ -0,0 +1,58 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cos-envoy-td" {
+ source = "../cos-generic-metadata"
+
+ boot_commands = [
+ "systemctl start node-problem-detector",
+ ]
+
+ container_image = var.nginx_image
+ container_name = "nginx"
+ container_args = ""
+
+ container_volumes = [
+ { host = "/etc/nginx/conf.d", container = "/etc/nginx/conf.d" },
+ { host = "/etc/ssl", container = "/etc/ssl" },
+ ]
+
+ docker_args = "--network host --pid host"
+
+ files = {
+ "/var/run/nginx/customize.sh" = {
+ content = file("${path.module}/files/customize.sh")
+ owner = "root"
+ permissions = "0744"
+ }
+ "/etc/nginx/conf.d/default.conf" = {
+ content = file("${path.module}/files/default.conf")
+ owner = "root"
+ permissions = "0644"
+ }
+ }
+
+ gcp_logging = var.docker_logging
+
+ run_commands = [
+ "iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
+ "iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT",
+ "/var/run/nginx/customize.sh",
+ "systemctl daemon-reload",
+ "systemctl start nginx",
+ ]
+
+}
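Review bot: `docker_args = "--network host --pid host"` gives the nginx container the host PID namespace, and nothing in this module needs it: the two bind mounts plus host networking are sufficient to serve on ports 80 and 443, while sharing the PID namespace widens the blast radius of a container compromise to every host process. Unless the `cos-generic-metadata` module requires that flag, which I cannot see from here, I would reduce it to `docker_args = "--network host"`. Separately, the module instance is named `cos-envoy-td`, which reads as a leftover from the Envoy module; `module "cos-nginx-tls" {` here, together with `value = module.cos-nginx-tls.cloud_config` in outputs.tf, would match the rest of this module. The iptables rule admitting port 80 is consistent with the plaintext `listen 80;` in default.conf, but a one-line comment above the `run_commands` list stating that plaintext HTTP is intentionally exposed would save the next reader from wondering whether it was an oversight.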
diff --git a/modules/cloud-config-container/nginx-tls/outputs.tf b/modules/cloud-config-container/nginx-tls/outputs.tf
new file mode 100644
index 00000000..4ce8d247
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_config" {
+ description = "Rendered cloud-config file to be passed as user-data instance metadata."
+ value = module.cos-envoy-td.cloud_config
+}
diff --git a/modules/cloud-config-container/nginx-tls/variables.tf b/modules/cloud-config-container/nginx-tls/variables.tf
new file mode 100644
index 00000000..246e6d07
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/variables.tf
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "nginx_image" {
+ description = "Nginx container image to use."
+ type = string
+ default = "nginx:1.23.1"
+}
+
+variable "docker_logging" {
+ description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
+ type = bool
+ default = true
+}
diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf
new file mode 100644
index 00000000..4278054b
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
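Review bot: The `nginx_image` default `"nginx:1.23.1"` pins a mutable tag, so the image a freshly booted instance pulls can change, or stop resolving once the tag is retired, with no change to this module and no trace in the Terraform plan. A digest-pinned default such as `nginx:1.23.1@sha256:<digest>` (digest to be filled in from the registry) would make the boot image reproducible, and the description could state that callers are expected to override it with an image they pin themselves. A `validation` block rejecting an empty string would also turn a mis-set variable into a plan-time error rather than a container that fails to start on the instance.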
@@ -0,0 +1,29 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 1.1.0"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.32.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 4.32.0" # tftest
+ }
+ }
+}
+
+