10391 dynamo migrations kysely vpn

web-api/terraform/applyables/allColors/allColors.tf

@@ -189,6 +189,42 @@ resource "aws_db_subnet_group" "group" {
   subnet_ids = [module.vpc_east.subnet_a_id, module.vpc_east.subnet_b_id]
 }
 
+
+resource "aws_db_subnet_group" "group_west" {
+  name       = "${var.environment}-group"
+  subnet_ids = [module.vpc_west.subnet_a_id, module.vpc_west.subnet_b_id]
+  provider = aws.us-west-1
+}
+
+resource "aws_route" "west_to_east_private_a" {
+  route_table_id            = module.vpc_west.private_route_table_id
+  destination_cidr_block    = "10.0.4.0/24"
+  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
+  provider = aws.us-west-1
+}
+
+resource "aws_route" "west_to_east_private_b" {
+  route_table_id            = module.vpc_west.private_route_table_id
+  destination_cidr_block    = "10.0.5.0/24"
+  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
+  provider = aws.us-west-1
+}
+
+
+resource "aws_route" "east_to_west_private_a" {
+  route_table_id            = module.vpc_east.private_route_table_id
+  destination_cidr_block    = "10.1.4.0/24"
+  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
+  provider = aws.us-east-1
+}
+
+resource "aws_route" "east_to_west_private_b" {
+  route_table_id            = module.vpc_east.private_route_table_id
+  destination_cidr_block    = "10.1.5.0/24"
+  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
+  provider = aws.us-east-1
+}
+
 module "tunnel" {
   source            = "../../modules/tunnel"
   environment       = var.environment
@@ -202,10 +238,38 @@ module "rds" {
   environment       = var.environment
   postgres_user     = var.postgres_user
   postgres_password = var.postgres_password
+  db_name = "${var.environment}_dawson"
+  security_group_cidr_blocks = ["10.1.4.0/24", "10.1.5.0/24"]
   vpc_id = module.vpc_east.vpc_id
   subnet_group_name = aws_db_subnet_group.group.name
   security_group_ids = [
     aws_security_group.east_security_group.id, 
-    module.tunnel.tunnel_security_group_id
+    # module.tunnel.tunnel_security_group_id
   ]
 }
+
+module "rds_replica" {
+  source            = "../../modules/rds"
+  environment       = var.environment
+  postgres_user     = null
+  postgres_password = null
+  security_group_cidr_blocks = ["10.0.4.0/24", "10.0.5.0/24"]
+  vpc_id = module.vpc_west.vpc_id
+  subnet_group_name = aws_db_subnet_group.group_west.name
+  security_group_ids = [
+    aws_security_group.west_security_group.id, 
+    # module.tunnel.tunnel_security_group_id
+  ]
+  replicate_source_db = module.rds.identifier
+  providers = {
+    aws = aws.us-west-1
+  }
+}
+
+module "vpn" {
+  source = "../../modules/vpn"
+  environment       = var.environment
+  vpc_id = module.vpc_east.vpc_id
+  subnet_id = module.vpc_east.public_subnet
+  public_key_name = var.tunnel_key_name
+}

web-api/terraform/applyables/allColors/outputs.tf

@@ -76,4 +76,16 @@ output east_security_group_id {
 
 output tunnel_ip {
   value = module.tunnel.tunnel_ip
+}
+
+output "ec2_instance_dns" {
+  value = module.vpn.ec2_instance_dns
+}
+
+output "ec2_instance_ip" {
+  value = module.vpn.ec2_instance_ip
+}
+
+output "connection_string" {
+  value = module.vpn.connection_string
 }

web-api/terraform/modules/rds/outputs.tf

@@ -1,3 +1,7 @@
 output "address" {
   value = aws_db_instance.postgres.address
 }
+
+output "identifier" {
+  value = aws_db_instance.postgres.identifier
+}

web-api/terraform/modules/rds/rds.tf

@@ -3,7 +3,7 @@ resource "aws_db_instance" "postgres" {
   engine               = "postgres"
   engine_version       = "16.3"
   instance_class       = var.instance_size
-  db_name              = "${var.environment}_dawson"
+  db_name              = var.db_name
   username             = var.postgres_user
   password             = var.postgres_password
   parameter_group_name = aws_db_parameter_group.postgres.name
@@ -12,6 +12,7 @@ resource "aws_db_instance" "postgres" {
   skip_final_snapshot = true
   publicly_accessible = false
   apply_immediately = true
+  replicate_source_db = var.replicate_source_db
 }
 
 resource "aws_db_parameter_group" "postgres" {
@@ -34,6 +35,13 @@ resource "aws_security_group" "postgres" {
     security_groups = var.security_group_ids
   }
 
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.security_group_cidr_blocks
+  }
+
   egress {
     from_port   = 0
     to_port     = 0

web-api/terraform/modules/rds/variables.tf

@@ -25,4 +25,18 @@ variable "subnet_group_name" {
 
 variable "security_group_ids" {
   type = list(string)
+}
+
+variable "security_group_cidr_blocks" {
+  type = list(string)
+}
+
+variable "replicate_source_db" {
+  type = string
+  default = null
+}
+
+variable "db_name" {
+  type = string
+  default = null
 }

web-api/terraform/modules/vpc/outputs.tf

@@ -13,4 +13,8 @@ output "subnet_b_id" {
 
 output "public_subnet" {
   value = aws_subnet.nat_subnet.id
+}
+
+output "private_route_table_id" {
+  value = aws_route_table.private.id
 }

web-api/terraform/modules/vpn/.gitignore

@@ -0,0 +1 @@
+*.pem

web-api/terraform/modules/vpn/outputs.tf

@@ -0,0 +1,11 @@
+output "ec2_instance_dns" {
+  value = aws_eip.openvpn_eip.public_dns
+}
+
+output "ec2_instance_ip" {
+  value = aws_eip.openvpn_eip.public_ip
+}
+
+output "connection_string" {
+  value = "'ssh -i ${var.ssh_private_key_file} ${var.ec2_username}@${aws_eip.openvpn_eip.public_dns}'"
+}

web-api/terraform/modules/vpn/scripts/update_users.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Note that this Bash script relies on the the following assumption to work correctly:
+# For each input into this script as 'CLIENT', the underlying 'openvpn-install.sh' Bash script creates a certificate nameded 'CLIENT.ovpn'.
+# _Excess client certificates_ are then defined as provsioned client certificates that have no corresponding entry in the input to this script.
+
+
+# Set the nullglob option so that the array is empty if there are no matches; see also <https://stackoverflow.com/a/10981499> for details
+shopt -s nullglob
+
+# A pint for the person who can do this in one line using readily available Bash primitives!
+function is_in_array {
+  array=$2
+  for i in ${array[@]}
+  do
+    if [[ "${i}" == "$1" ]]
+    then
+      return 0
+    fi
+  done
+  return 1
+}
+
+# Input paramter checking and alerting if there are none (which is synonymous with revoking all client certificates)
+if [[ "$#" -eq "0" ]]
+then
+  script_name=$(basename "$0")
+  echo "Usage: ${script_name} <username1> ... <usernameN>"
+  echo "Example: ${script_name} userOne"
+  echo "Example: ${script_name} userOne userTwo"
+  echo ""
+	until [[ $REVOKE_ALL_CLIENT_CERTIFICATES =~ ^(Y|n)$ ]]; do
+    read -p "You've supplied no username. This will REVOKE ALL CLIENT CERTIFICATES! Are you sure? [Y/n]" -n 1 -r REVOKE_ALL_CLIENT_CERTIFICATES
+    echo ""
+  done
+  if [[ $REVOKE_ALL_CLIENT_CERTIFICATES =~ ^[Y]$ ]]
+  then
+    echo "Alright. REVOKING ALL CLIENT CERTIFICATES then..."
+  else
+    echo "Aborting."
+    exit -1
+  fi
+fi
+
+# Declare all additional parameters to be user names
+USERNAMES="$@"
+
+
+# Create a list of provisioned OVPN users from existing *.ovpn files
+declare -a ovpn_users
+for ovpn_filename in *.ovpn
+do
+  ovpn_users=("${ovpn_users[@]}" "${ovpn_filename%.*}")
+done
+
+# Revoke excess client certificates
+for ovpn_user in ${ovpn_users[@]}
+do
+  if is_in_array "${ovpn_user}" "${USERNAMES}"
+  then
+    echo "Keeping certificate for user ${ovpn_user}."
+  else
+    echo "Revoking certificate for user ${ovpn_user}!"
+
+    # Export the corresponding options and revoke the user certificate
+    export MENU_OPTION="2"
+    export CLIENT="${ovpn_user}"
+    ./openvpn-install.sh
+  fi
+done
+
+
+# Provision an OVPN file for each new user
+for username in ${USERNAMES}
+do
+  # Skip all user names that already have a corresponding OVPN file
+  ovpn_filename="${username}.ovpn"
+  if [ -f "${ovpn_filename}" ]
+  then
+      echo "File '${ovpn_filename}' already exists. Skipping."
+      continue
+  fi
+
+  # Export the corresponding options and add the user name
+  export MENU_OPTION="1"
+  export CLIENT="${username}"
+  export PASS="1"
+  ./openvpn-install.sh
+done

web-api/terraform/modules/vpn/variables.tf

@@ -0,0 +1,54 @@
+
+variable "environment" {
+  type = string
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "subnet_id" {
+  type = string
+}
+
+variable "public_key_name" {
+  type = string
+}
+
+variable "instance_type" {
+  type = string 
+  default = "t2.micro"
+}
+
+variable "instance_root_block_device_volume_size" {
+  type = string
+  default = "8"
+}
+
+variable "openvpn_install_script_location" {
+  description = "The location of an OpenVPN installation script compatible with https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh"
+  default     = "https://raw.githubusercontent.com/dumrauf/openvpn-install/master/openvpn-install.sh"
+}
+
+variable "ovpn_users" {
+  type        = list(string)
+  description = "The list of users to automatically provision with OpenVPN access"
+  default = [
+    "cody"
+  ]
+}
+
+variable "ec2_username" {
+  type = string
+  default = "ec2-user"
+}
+
+variable "ssh_private_key_file" {
+  type = string
+  default = "cody-test.pem"
+}
+
+variable "ovpn_config_directory" {
+  description = "The name of the directory to eventually download the OVPN configuration files to"
+  default     = "generated/ovpn-config"
+}