update changelog

This commit is contained in:
Ludo 2022-12-11 09:41:56 +01:00
parent d2015b0bc3
commit f29f1a562a
7 changed files with 386 additions and 0 deletions


@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
### BLUEPRINTS
- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-12-10 14:40:15+00:00 -->
- [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-12-08 16:35:45+00:00 -->
- [[#982](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/982)] Adding Secondary IP Utilization calculation ([brianhmj](https://github.com/brianhmj)) <!-- 2022-12-07 10:45:21+00:00 -->
- [[#1037](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1037)] Bump qs and formidable in /blueprints/cloud-operations/apigee/functions/export ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 2022-12-06 15:43:35+00:00 -->
@ -69,6 +70,7 @@ All notable changes to this project will be documented in this file.
### DOCUMENTATION
- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-12-10 14:40:15+00:00 -->
- [[#1014](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1014)] Update typos in `net-vpc-firewall` README.md ([aymanfarhat](https://github.com/aymanfarhat)) <!-- 2022-12-08 16:48:26+00:00 -->
- [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-12-08 16:35:45+00:00 -->
- [[#1009](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1009)] Fix encryption in Data Playground blueprint ([lcaggio](https://github.com/lcaggio)) <!-- 2022-11-25 15:19:02+00:00 -->
@ -123,6 +125,7 @@ All notable changes to this project will be documented in this file.
### MODULES
- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-12-10 14:40:15+00:00 -->
- [[#1040](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1040)] Fix name in google_pubsub_schema resource ([VictorCavalcanteLG](https://github.com/VictorCavalcanteLG)) <!-- 2022-12-08 17:25:36+00:00 -->
- [[#1043](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1043)] added reverse lookup feature to module dns #1042 ([chemapolo](https://github.com/chemapolo)) <!-- 2022-12-08 17:13:05+00:00 -->
- [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-12-08 16:35:45+00:00 -->


@ -0,0 +1,154 @@
#cloud-config
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
write_files:
- path: /etc/docker/daemon.json
owner: root:root
permissions: "0644"
content: |
{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}
- path: /etc/systemd/system/docker-onprem.service
permissions: "0644"
owner: root
content: |
[Install]
WantedBy=multi-user.target
[Unit]
Description=Start Docker Compose onprem infrastructure
After=network-online.target docker.socket
Wants=network-online.target docker.socket
[Service]
ExecStart=/bin/sh -c \
"cd /var/run/onprem && /var/run/docker-compose up"
ExecStop=/bin/sh -c \
"cd /var/run/onprem && /var/run/docker-compose down"
- path: /var/run/onprem/docker-compose.yaml
permissions: "0644"
owner: root
content: |
version: "3"
services:
vpn:
image: debian:bullseye-slim
networks:
onprem:
ipv4_address: ${cidrhost(ip_range, 2)}
ports:
- "500:500/udp"
- "4500:4500/udp"
- "179:179/tcp"
privileged: true
cap_add:
- NET_ADMIN
- NET_BROADCAST
- NET_RAW
command: bash /start.sh
volumes:
- "/lib/modules:/lib/modules:ro"
- "/usr/share/zoneinfo/UTC:/etc/localtime:ro"
- "/var/run/onprem/vpn/ipsec.conf:/etc/ipsec.conf:ro"
- "/var/run/onprem/vpn/ipsec.secrets:/etc/ipsec.secrets:ro"
- "/var/run/onprem/vpn/ipsec-vti.sh:/etc/ipsec-vti.sh:ro"
- "/var/run/onprem/vpn/start.sh:/start.sh:ro"
environment:
- LAN_NETWORKS=${ip_range}
networks:
onprem:
ipam:
driver: default
config:
- subnet: ${ip_range}
- path: /var/run/onprem/vpn/start.sh
owner: root:root
permissions: "0755"
content: |
#!/bin/bash
apt-get update
apt-get install -y bird procps strongswan
sysctl -w net.ipv4.ip_forward=1
_stop_ipsec() {
echo "Shutting down strongSwan/ipsec..."
ipsec stop
}
trap _stop_ipsec TERM
echo "Starting up strongSwan/ipsec..."
ipsec start --nofork "$@" &
child=$!
wait "$child"
- path: /var/run/onprem/vpn/ipsec.secrets
owner: root:root
permissions: "0600"
content: |
%{for peer in peer_configs}${peer.address} : PSK "${peer.shared_secret}"%{endfor}
- path: /var/run/onprem/vpn/ipsec.conf
owner: root:root
permissions: "0644"
content: |
# ipsec.conf - strongswan IPsec configuration file
# https://developers.microad.co.jp/entry/2022/05/30/100000
config setup
# strictcrlpolicy=yes
# uniqueids = no
# left: onprem Strongswan
# right: GCP VPN
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
type=tunnel
leftsubnet=0.0.0.0/0,::/0
rightsubnet=0.0.0.0/0,::/0
%{~ for i, peer in peer_configs }
conn gcp-vpn-tunnel-${i}
esp=aes128-sha1-modp1024,3des-sha1-modp1024
ikelifetime=600m
keylife=180m
rekeymargin=1m
keyingtries=5
keyexchange=ikev2
left = ${peer.bgp_session.local_address}
leftid = ${external_address}
leftupdown = /etc/ipsec-vti.sh
right = ${peer.address}
auto = start
mark=100
%{~ endfor }
- path: /var/run/onprem/vpn/ipsec-vti.sh
owner: root:root
permissions: "0644"
content: |
${ipsec_vti}
runcmd:
- wget -O /var/run/docker-compose https://github.com/docker/compose/releases/download/v2.14.0/docker-compose-linux-x86_64
- chmod 755 /var/run/docker-compose
- systemctl daemon-reload
- systemctl enable docker-onprem.service
- systemctl start docker-onprem.service
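Review bot: Every generated `conn gcp-vpn-tunnel-${i}` block in the ipsec.conf template ends with the same `mark=100`, so with more than one peer all tunnels would share one XFRM mark and the ikey/okey that ipsec-vti.sh derives from PLUTO_MARK_IN/OUT would collide on the second `ip link add`; the reference ipsec.conf in this commit uses a distinct mark per tunnel, so the loop should too, e.g. `mark=${(i + 1) * 100}`. The ipsec.secrets loop as rendered here has no newline between iterations, so a second peer's `PSK` entry would land on the same line as the first — worth checking the rendered file or putting `%{endfor}` on its own line with strip markers. The docker-compose binary in `runcmd` is fetched with plain `wget` and executed as root with no integrity check; pinning the published digest and verifying it before `chmod`, e.g. `echo '<EXPECTED_SHA256>  /var/run/docker-compose' | sha256sum -c`, would stop a tampered or substituted release from starting the stack. Since this whole document becomes user-data (see the `cloud_config` output), the PSKs written to ipsec.secrets are also readable from the instance metadata server by any local process and by anyone who can read the instance resource, which deserves a header comment so operators know the `0600` mode is not the only exposure.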


@ -0,0 +1,64 @@
#!/bin/bash
#
# /etc/ipsec-vti.sh
# https://developers.microad.co.jp/entry/2022/05/30/100000
#
IP=$(which ip)
IPTABLES=$(which iptables)
PLUTO_MARK_OUT_ARR=($${PLUTO_MARK_OUT//// })
PLUTO_MARK_IN_ARR=($${PLUTO_MARK_IN//// })
case "$PLUTO_CONNECTION" in
%{~ for i, peer in peer_configs }
gcp-vpn-tunnel-${i})
VTI_INTERFACE=vti0${i+1}
VTI_LOCALADDR=${peer.bgp_session.local_address}/30
VTI_REMOTEADDR=${peer.bgp_session.peer_address}/30
;;
%{ endfor }
esac
# output parameters to /var/log/messages for debug
logger "ipsec-vti.sh: ================================================="
logger "ipsec-vti.sh: PLUTO_CONNECTION = $${PLUTO_CONNECTION}"
logger "ipsec-vti.sh: PLUTO_VERB = $${PLUTO_VERB}"
logger "ipsec-vti.sh: VTI_INTERFACE = $${VTI_INTERFACE}"
logger "ipsec-vti.sh: PLUTO_ME = $${PLUTO_ME}"
logger "ipsec-vti.sh: PLUTO_PEER = $${PLUTO_PEER}"
logger "ipsec-vti.sh: PLUTO_MARK_IN_ARR[0] = $${PLUTO_MARK_IN_ARR[0]}"
logger "ipsec-vti.sh: PLUTO_MARK_OUT_ARR[0] = $${PLUTO_MARK_OUT_ARR[0]}"
logger "ipsec-vti.sh: PLUTO_MARK_IN = $${PLUTO_MARK_IN}"
logger "ipsec-vti.sh: ================================================="
case "$${PLUTO_VERB}" in
up-client)
$IP link add $${VTI_INTERFACE} type vti \
local $${PLUTO_ME} remote $${PLUTO_PEER} \
okey $${PLUTO_MARK_OUT_ARR[0]} ikey $${PLUTO_MARK_IN_ARR[0]}
sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.disable_policy=1
sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.rp_filter=2 || \
sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.rp_filter=0
$IP addr add $${VTI_LOCALADDR} remote $${VTI_REMOTEADDR} dev $${VTI_INTERFACE}
$IP link set $${VTI_INTERFACE} up mtu 1436
$IPTABLES -t mangle -I FORWARD -o $${VTI_INTERFACE} \
-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -t mangle -I INPUT -p esp -s $${PLUTO_PEER} -d $${PLUTO_ME} \
-j MARK --set-xmark $${PLUTO_MARK_IN}
$IP route flush table 220
;;
down-client)
$IP link del $${VTI_INTERFACE}
$IPTABLES -t mangle -D FORWARD -o $${VTI_INTERFACE} \
-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -t mangle -D INPUT -p esp -s $${PLUTO_PEER} -d $${PLUTO_ME} \
-j MARK --set-xmark $${PLUTO_MARK_IN}
;;
esac
# Enable IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.eth0.disable_xfrm=1
sysctl -w net.ipv4.conf.eth0.disable_policy=1
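Review bot: The `case "$PLUTO_CONNECTION"` dispatch at the top has no default branch, so for any connection name other than the generated `gcp-vpn-tunnel-${i}` entries VTI_INTERFACE, VTI_LOCALADDR and VTI_REMOTEADDR stay empty and the `up-client` branch runs `ip link add  type vti` and `ip addr add / remote /` with blank arguments; add `*) logger "ipsec-vti.sh: unknown connection $${PLUTO_CONNECTION}"; exit 1 ;;` before `esac`. `IP=$(which ip)` and `IPTABLES=$(which iptables)` silently expand to empty strings when a tool is missing (and `which` itself is not guaranteed in slim images), turning the later calls into bare `-t mangle ...` commands; `command -v` with an explicit failure check, or absolute paths, would make that visible in the logger output. The two trailing `sysctl` lines hard-code `eth0`, which is a silent no-op if the container interface is named differently — a comment stating that assumption would help whoever debugs it.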


@ -0,0 +1,49 @@
# ipsec.conf - strongSwan IPsec configuration file
# https://developers.microad.co.jp/entry/2022/05/30/100000
config setup
# strictcrlpolicy=yes
# uniqueids = no
# left: onprem Strongswan
# right: GCP VPN
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
type=tunnel
leftsubnet=0.0.0.0/0,::/0
rightsubnet=0.0.0.0/0,::/0
conn gcp-vpn-tunnel01
esp=aes128-sha1-modp1024,3des-sha1-modp1024
ikelifetime=600m
keylife=180m
rekeymargin=1m
keyingtries=5
keyexchange=ikev2
left = ${ Own HostIP }
leftid = ${ PublicIP of own Site }
leftupdown = /etc/ipsec-vti.sh
right = ${ opposite IP address }
auto = start
mark=100
conn gcp-vpn-tunnel02
esp=aes128-sha1-modp1024,3des-sha1-modp1024
ikelifetime=600m
keylife=180m
rekeymargin=1m
keyingtries=5
keyexchange=ikev2
left = ${ Own HostIP }
leftid = ${ PublicIP of own Site }
leftupdown = /etc/ipsec-vti.sh
right = ${ opposite IP address }
auto = start
mark=200
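Review bot: `esp=aes128-sha1-modp1024,3des-sha1-modp1024` on both `conn gcp-vpn-tunnel01` and `conn gcp-vpn-tunnel02` (and the same line in this commit's cloud-config ipsec.conf template) offers 3DES, SHA-1 integrity and a 1024-bit DH group, all of which are deprecated for IPsec; an AEAD proposal with a larger group such as `esp=aes256gcm16-sha256-modp2048`, paired with a matching `ike=` line, is the defensible default and is only accepted if the Cloud VPN side agrees, so the choice should be confirmed against the peer's configuration. This file uses human placeholders (`${ Own HostIP }`, `${ opposite IP address }`) rather than Terraform template expressions, so it is presumably a reference rendering that `templatefile` never reads; a first-line comment such as `# Reference rendering of the cloud-config ipsec.conf template; not consumed by Terraform` would stop someone editing it and expecting the module to change.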


@ -0,0 +1,47 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_peer_ranges = [
for i, peer in var.peer_configs : cidrsubnet("169.254.0.0/16", 14, i)
]
cloud_config = templatefile("${path.module}/assets/cloud-config.yaml", {
asn = var.asn
external_address = var.external_address
ip_range = var.ip_range
ipsec_vti = indent(6, templatefile("${path.module}/assets/ipsec-vti.sh", {
peer_configs = local.peer_configs
}))
peer_configs = local.peer_configs
})
peer_configs = [
for i, peer in var.peer_configs : merge(peer, {
bgp_session = {
asn = peer.bgp_session.asn
local_address = (
peer.bgp_session.local_address == null
? cidrhost(local._peer_ranges, i, 1)
: peer.bgp_session.local_address
)
peer_address = (
peer.bgp_session.local_address == null
? cidrhost(local._peer_ranges, i, 0)
: peer.bgp_session.local_address
)
}
})
]
}
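Review bot: `cidrhost(local._peer_ranges, i, 1)` and `cidrhost(local._peer_ranges, i, 0)` in `local.peer_configs` pass three arguments to a two-argument function and hand it the whole list instead of one prefix, which fails at plan time; they should read `cidrhost(local._peer_ranges[i], 1)` and `cidrhost(local._peer_ranges[i], 0)`. The `peer_address` expression also tests and returns `peer.bgp_session.local_address`, so an explicitly configured peer address is never used; both the condition and the else branch there should reference `peer.bgp_session.peer_address`. Host 0 of the /30 produced by `cidrsubnet("169.254.0.0/16", 14, i)` is its network address, so hosts 1 and 2 are presumably the intended local/peer pair — confirm against the addresses the Cloud VPN BGP session is given, and a short comment on `_peer_ranges` explaining the per-peer /30 (which ipsec-vti.sh also assumes with its `/30` suffix) would make the pairing easier to follow.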


@ -0,0 +1,20 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "cloud_config" {
description = "Cloud config content to be set in user-data metadata."
value = local.cloud_config
}
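Review bot: `value = local.cloud_config` embeds every peer's `shared_secret` (the template renders it into ipsec.secrets), but the output is not marked sensitive, so the PSKs are printed in clear text in `terraform plan`/`apply` output and by any caller that displays this value; add `sensitive = true` to the block. If `var.peer_configs` is later marked sensitive this output must carry the flag anyway, since Terraform rejects an unmarked output that references a sensitive value.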


@ -0,0 +1,49 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "asn" {
description = "Local BGP asn."
type = number
default = 64521
nullable = false
}
variable "external_address" {
description = "Public address of the instance."
type = string
nullable = false
}
variable "ip_range" {
description = "Local address range used for the Docker network and announced via BGP."
type = string
default = "192.168.128.0/24"
nullable = false
}
variable "peer_configs" {
description = "Peer configurations."
type = list(object({
address = string
shared_secret = string
bgp_session = optional(object({
asn = optional(number, 64520)
local_address = optional(string)
peer_address = optional(string)
}), {})
}))
nullable = false
}
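Review bot: `peer_configs` carries `shared_secret` but the variable is not declared `sensitive = true`, so the PSKs appear in plan diffs and logs wherever the list is shown; adding the flag propagates through `templatefile` to the rendered cloud-config, which means the `cloud_config` output then needs `sensitive = true` as well. A `validation` block on `ip_range` using `can(cidrhost(var.ip_range, 0))` would reject a malformed range before it is interpolated into the docker-compose IPAM config and the container environment, where the error is much harder to trace.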