From f29f1a562ad90f816dcadeb54c48467cac40d37d Mon Sep 17 00:00:00 2001 From: Ludo Date: Sun, 11 Dec 2022 09:41:56 +0100 Subject: [PATCH] update changelog --- CHANGELOG.md | 3 + .../onprem2/assets/cloud-config.yaml | 154 ++++++++++++++++++ .../__need_fixing/onprem2/assets/ipsec-vti.sh | 64 ++++++++ .../__need_fixing/onprem2/assets/ipsec.conf | 49 ++++++ .../__need_fixing/onprem2/main.tf | 47 ++++++ .../__need_fixing/onprem2/outputs.tf | 20 +++ .../__need_fixing/onprem2/variables.tf | 49 ++++++ 7 files changed, 386 insertions(+) create mode 100644 modules/cloud-config-container/__need_fixing/onprem2/assets/cloud-config.yaml create mode 100644 modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec-vti.sh create mode 100644 modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec.conf create mode 100644 modules/cloud-config-container/__need_fixing/onprem2/main.tf create mode 100644 modules/cloud-config-container/__need_fixing/onprem2/outputs.tf create mode 100644 modules/cloud-config-container/__need_fixing/onprem2/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 75497c848..748db55e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file. ### BLUEPRINTS +- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) - [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) - [[#982](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/982)] Adding Secondary IP Utilization calculation ([brianhmj](https://github.com/brianhmj)) - [[#1037](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1037)] Bump qs and formidable in /blueprints/cloud-operations/apigee/functions/export ([dependabot[bot]](https://github.com/dependabot[bot])) 
@@ -69,6 +70,7 @@ All notable changes to this project will be documented in this file. ### DOCUMENTATION +- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) - [[#1014](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1014)] Update typos in `net-vpc-firewall` README.md ([aymanfarhat](https://github.com/aymanfarhat)) - [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) - [[#1009](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1009)] Fix encryption in Data Playground blueprint ([lcaggio](https://github.com/lcaggio)) @@ -123,6 +125,7 @@ All notable changes to this project will be documented in this file. ### MODULES +- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) - [[#1040](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1040)] Fix name in google_pubsub_schema resource ([VictorCavalcanteLG](https://github.com/VictorCavalcanteLG)) - [[#1043](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1043)] added reverse lookup feature to module dns #1042 ([chemapolo](https://github.com/chemapolo)) - [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) diff --git a/modules/cloud-config-container/__need_fixing/onprem2/assets/cloud-config.yaml b/modules/cloud-config-container/__need_fixing/onprem2/assets/cloud-config.yaml new file mode 100644 index 000000000..914a666d5 --- /dev/null +++ b/modules/cloud-config-container/__need_fixing/onprem2/assets/cloud-config.yaml 
@@ -0,0 +1,154 @@
+#cloud-config
+
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+write_files:
+ - path: /etc/docker/daemon.json
+ owner: root:root
+ permissions: "0644"
+ content: |
+ {"log-driver": "json-file", "log-opts": {"max-size": "10m"}}
+
+ - path: /etc/systemd/system/docker-onprem.service
+ permissions: "0644"
+ owner: root
+ content: |
+ [Install]
+ WantedBy=multi-user.target
+ [Unit]
+ Description=Start Docker Compose onprem infrastructure
+ After=network-online.target docker.socket
+ Wants=network-online.target docker.socket
+ [Service]
+ ExecStart=/bin/sh -c \
+ "cd /var/run/onprem && /var/run/docker-compose up"
+ ExecStop=/bin/sh -c \
+ "cd /var/run/onprem && /var/run/docker-compose down"
+
+ - path: /var/run/onprem/docker-compose.yaml
+ permissions: "0644"
+ owner: root
+ content: |
+ version: "3"
+ services:
+ vpn:
+ image: debian:bullseye-slim
+ networks:
+ onprem:
+ ipv4_address: ${cidrhost(ip_range, 2)}
+ ports:
+ - "500:500/udp"
+ - "4500:4500/udp"
+ - "179:179/tcp"
+ privileged: true
+ cap_add:
+ - NET_ADMIN
+ - NET_BROADCAST
+ - NET_RAW
+ command: bash /start.sh
+ volumes:
+ - "/lib/modules:/lib/modules:ro"
+ - "/usr/share/zoneinfo/UTC:/etc/localtime:ro"
+ - "/var/run/onprem/vpn/ipsec.conf:/etc/ipsec.conf:ro"
+ - "/var/run/onprem/vpn/ipsec.secrets:/etc/ipsec.secrets:ro"
+ - "/var/run/onprem/vpn/ipsec-vti.sh:/etc/ipsec-vti.sh:ro"
+ - "/var/run/onprem/vpn/start.sh:/start.sh:ro"
+ environment:
+ - LAN_NETWORKS=${ip_range}
+ networks:
+ onprem:
+ ipam:
+ driver: default
+ config:
+ - subnet: ${ip_range}
+
+ - path: /var/run/onprem/vpn/start.sh
+ owner: root:root
+ permissions: "0755"
+ content: |
+ #!/bin/bash
+ apt-get update
+ apt-get install -y bird procps strongswan
+ sysctl -w net.ipv4.ip_forward=1
+ _stop_ipsec() {
+ echo "Shutting down strongSwan/ipsec..."
+ ipsec stop
+ }
+ trap _stop_ipsec TERM
+ echo "Starting up strongSwan/ipsec..."
+ ipsec start --nofork "$@" &
+ child=$!
+ wait "$child"
+
+ - path: /var/run/onprem/vpn/ipsec.secrets
+ owner: root:root
+ permissions: "0600"
+ content: |
+ %{for peer in peer_configs}${peer.address} : PSK "${peer.shared_secret}"%{endfor}
+
+ - path: /var/run/onprem/vpn/ipsec.conf
+ owner: root:root
+ permissions: "0644"
+ content: |
+ # ipsec.conf - strongswan IPsec configuration file
+ # https://developers.microad.co.jp/entry/2022/05/30/100000
+
+ config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+ # left: onprem Strongswan
+ # right: GCP VPN
+
+ conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ keyexchange=ikev2
+ mobike=no
+ type=tunnel
+ leftsubnet=0.0.0.0/0,::/0
+ rightsubnet=0.0.0.0/0,::/0
+
+ %{~ for i, peer in peer_configs }
+ conn gcp-vpn-tunnel-${i}
+ esp=aes128-sha1-modp1024,3des-sha1-modp1024
+ ikelifetime=600m
+ keylife=180m
+ rekeymargin=1m
+ keyingtries=5
+ keyexchange=ikev2
+ left = ${peer.bgp_session.local_address}
+ leftid = ${external_address}
+ leftupdown = /etc/ipsec-vti.sh
+ right = ${peer.address}
+ auto = start
+ mark=100
+ %{~ endfor }
+
+ - path: /var/run/onprem/vpn/ipsec-vti.sh
+ owner: root:root
+ permissions: "0644"
+ content: |
+ ${ipsec_vti}
+
+runcmd:
+ - wget -O /var/run/docker-compose https://github.com/docker/compose/releases/download/v2.14.0/docker-compose-linux-x86_64
+ - chmod 755 /var/run/docker-compose
+ - systemctl daemon-reload
+ - systemctl enable docker-onprem.service
+ - systemctl start docker-onprem.service
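Review bot: The docker-compose binary fetched under `runcmd` is made executable and started as root without any integrity check, so whatever the download endpoint returns is what runs; pin the release's published digest and verify it before the `chmod`, e.g. `- echo "<EXPECTED_SHA256_PLACEHOLDER>  /var/run/docker-compose" | sha256sum -c`. The per-peer `conn` block in the embedded ipsec.conf proposes `esp=aes128-sha1-modp1024,3des-sha1-modp1024`, an outdated set (1024-bit DH, 3DES, SHA-1) that should be replaced with an AES-GCM/modp2048-class proposal; the same line is repeated in assets/ipsec.conf. `privileged: true` already grants every capability, so the `cap_add` list is redundant, and since everything is placed under `/var/run` (a tmpfs on most images) while `runcmd` and `write_files` run once per instance, the service presumably cannot restart after a reboot — worth confirming on the target image.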
diff --git a/modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec-vti.sh b/modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec-vti.sh
new file mode 100644
index 000000000..c79d1d691
--- /dev/null
+++ b/modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec-vti.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# /etc/ipsec-vti.sh
+# https://developers.microad.co.jp/entry/2022/05/30/100000
+#
+
+IP=$(which ip)
+IPTABLES=$(which iptables)
+
+PLUTO_MARK_OUT_ARR=($${PLUTO_MARK_OUT//// })
+PLUTO_MARK_IN_ARR=($${PLUTO_MARK_IN//// })
+
+case "$PLUTO_CONNECTION" in
+%{~ for i, peer in peer_configs }
+gcp-vpn-tunnel-${i})
+ VTI_INTERFACE=vti0${i+1}
+ VTI_LOCALADDR=${peer.bgp_session.local_address}/30
+ VTI_REMOTEADDR=${peer.bgp_session.peer_address}/30
+ ;;
+%{ endfor }
+esac
+
+# output parameters to /var/log/messages for debug
+logger "ipsec-vti.sh: ================================================="
+logger "ipsec-vti.sh: PLUTO_CONNECTION = $${PLUTO_CONNECTION}"
+logger "ipsec-vti.sh: PLUTO_VERB = $${PLUTO_VERB}"
+logger "ipsec-vti.sh: VTI_INTERFACE = $${VTI_INTERFACE}"
+logger "ipsec-vti.sh: PLUTO_ME = $${PLUTO_ME}"
+logger "ipsec-vti.sh: PLUTO_PEER = $${PLUTO_PEER}"
+logger "ipsec-vti.sh: PLUTO_MARK_IN_ARR[0] = $${PLUTO_MARK_IN_ARR[0]}"
+logger "ipsec-vti.sh: PLUTO_MARK_OUT_ARR[0] = $${PLUTO_MARK_OUT_ARR[0]}"
+logger "ipsec-vti.sh: PLUTO_MARK_IN = $${PLUTO_MARK_IN}"
+logger "ipsec-vti.sh: ================================================="
+
+case "$${PLUTO_VERB}" in
+up-client)
+ $IP link add $${VTI_INTERFACE} type vti \
+ local $${PLUTO_ME} remote $${PLUTO_PEER} \
+ okey $${PLUTO_MARK_OUT_ARR[0]} ikey $${PLUTO_MARK_IN_ARR[0]}
+ sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.disable_policy=1
+ sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.rp_filter=2 || \
+ sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.rp_filter=0
+ $IP addr add $${VTI_LOCALADDR} remote $${VTI_REMOTEADDR} dev $${VTI_INTERFACE}
+ $IP link set $${VTI_INTERFACE} up mtu 1436
+ $IPTABLES -t mangle -I FORWARD -o $${VTI_INTERFACE} \
+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IPTABLES -t mangle -I INPUT -p esp -s $${PLUTO_PEER} -d $${PLUTO_ME} \
+ -j MARK --set-xmark $${PLUTO_MARK_IN}
+ $IP route flush table 220
+ ;;
+down-client)
+ $IP link del $${VTI_INTERFACE}
+ $IPTABLES -t mangle -D FORWARD -o $${VTI_INTERFACE} \
+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IPTABLES -t mangle -D INPUT -p esp -s $${PLUTO_PEER} -d $${PLUTO_ME} \
+ -j MARK --set-xmark $${PLUTO_MARK_IN}
+ ;;
+esac
+
+# Enable IPv4 forwarding
+sysctl -w net.ipv4.ip_forward=1
+sysctl -w net.ipv4.conf.eth0.disable_xfrm=1
+sysctl -w net.ipv4.conf.eth0.disable_policy=1
diff --git a/modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec.conf b/modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec.conf
new file mode 100644
index 000000000..2fe55e789
--- /dev/null
+++ b/modules/cloud-config-container/__need_fixing/onprem2/assets/ipsec.conf
@@ -0,0 +1,49 @@
+# ipsec.conf - strongSwan IPsec configuration file
+# https://developers.microad.co.jp/entry/2022/05/30/100000
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+# left: onprem Strongswan
+# right: GCP VPN
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ keyexchange=ikev2
+ mobike=no
+ type=tunnel
+ leftsubnet=0.0.0.0/0,::/0
+ rightsubnet=0.0.0.0/0,::/0
+
+conn gcp-vpn-tunnel01
+ esp=aes128-sha1-modp1024,3des-sha1-modp1024
+ ikelifetime=600m
+ keylife=180m
+ rekeymargin=1m
+ keyingtries=5
+ keyexchange=ikev2
+ left = ${ Own HostIP }
+ leftid = ${ PublicIP of own Site }
+ leftupdown = /etc/ipsec-vti.sh
+ right = ${ opposite IP address }
+ auto = start
+ mark=100
+
+conn gcp-vpn-tunnel02
+ esp=aes128-sha1-modp1024,3des-sha1-modp1024
+ ikelifetime=600m
+ keylife=180m
+ rekeymargin=1m
+ keyingtries=5
+ keyexchange=ikev2
+ left = ${ Own HostIP }
+ leftid = ${ PublicIP of own Site }
+ leftupdown = /etc/ipsec-vti.sh
+ right = ${ opposite IP address }
+ auto = start
+ mark=200
diff --git a/modules/cloud-config-container/__need_fixing/onprem2/main.tf b/modules/cloud-config-container/__need_fixing/onprem2/main.tf
new file mode 100644
index 000000000..c0e8bca82
--- /dev/null
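Review bot: When `$PLUTO_CONNECTION` matches none of the generated `gcp-vpn-tunnel-${i}` arms, `VTI_INTERFACE`, `VTI_LOCALADDR` and `VTI_REMOTEADDR` stay empty and the `up-client` branch goes on to run `ip link add` / `ip addr add` / `iptables -o` with blank arguments; add a default arm before `esac`, e.g. `*) logger "ipsec-vti.sh: unknown connection $${PLUTO_CONNECTION}"; exit 0 ;;`. The script is written with `permissions: "0644"` in cloud-config.yaml and wired as `leftupdown = /etc/ipsec-vti.sh`; if charon executes it directly rather than through an interpreter it will be rejected as non-executable, so this deserves a tunnel up/down test on the image. A short header comment stating which strongSwan `PLUTO_*` variables the script relies on and that the `case` arms are generated per peer would also help the next maintainer.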
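Review bot: This file is not referenced by main.tf (which templates only cloud-config.yaml and ipsec-vti.sh) and cloud-config.yaml embeds its own generated copy of the same configuration, so it ships as an unused sample whose pseudo-placeholders (`${ Own HostIP }`, `${ opposite IP address }`) would break `templatefile()` if anyone wired it in. Either drop it or mark its role at the top with `# Reference copy only: the live ipsec.conf is generated from assets/cloud-config.yaml`. Its `esp=aes128-sha1-modp1024,3des-sha1-modp1024` proposal is the same outdated set already flagged on cloud-config.yaml.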
+++ b/modules/cloud-config-container/__need_fixing/onprem2/main.tf
@@ -0,0 +1,47 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ _peer_ranges = [
+ for i, peer in var.peer_configs : cidrsubnet("169.254.0.0/16", 14, i)
+ ]
+ cloud_config = templatefile("${path.module}/assets/cloud-config.yaml", {
+ asn = var.asn
+ external_address = var.external_address
+ ip_range = var.ip_range
+ ipsec_vti = indent(6, templatefile("${path.module}/assets/ipsec-vti.sh", {
+ peer_configs = local.peer_configs
+ }))
+ peer_configs = local.peer_configs
+ })
+ peer_configs = [
+ for i, peer in var.peer_configs : merge(peer, {
+ bgp_session = {
+ asn = peer.bgp_session.asn
+ local_address = (
+ peer.bgp_session.local_address == null
+ ? cidrhost(local._peer_ranges, i, 1)
+ : peer.bgp_session.local_address
+ )
+ peer_address = (
+ peer.bgp_session.local_address == null
+ ? cidrhost(local._peer_ranges, i, 0)
+ : peer.bgp_session.local_address
+ )
+ }
+ })
+ ]
+}
diff --git a/modules/cloud-config-container/__need_fixing/onprem2/outputs.tf b/modules/cloud-config-container/__need_fixing/onprem2/outputs.tf
new file mode 100644
index 000000000..e22d1930c
--- /dev/null
+++ b/modules/cloud-config-container/__need_fixing/onprem2/outputs.tf
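Review bot: `cidrhost(local._peer_ranges, i, 1)` and `cidrhost(local._peer_ranges, i, 0)` pass three arguments with a list as the prefix, but `cidrhost` takes `(prefix, hostnum)`, so the intended call is `cidrhost(local._peer_ranges[i], …)`; hostnum 0 is also the network address of the /30, so the two usable hosts are 1 and 2. The `peer_address` branch tests and falls back to `bgp_session.local_address` rather than `bgp_session.peer_address`, so a caller who supplies `local_address` gets the same address for both ends of the session. The rewritten `bgp_session` object is below (I used 2 for the local end and 1 for the peer; swap them if the cloud side is expected to take .2). `asn` is handed to the cloud-config template but I could not find an `${asn}` reference in it, so presumably the bird configuration is still to come — a `# TODO` on that line would make it explicit.
```hcl
      bgp_session = {
        asn = peer.bgp_session.asn
        local_address = (
          peer.bgp_session.local_address == null
          ? cidrhost(local._peer_ranges[i], 2)
          : peer.bgp_session.local_address
        )
        peer_address = (
          peer.bgp_session.peer_address == null
          ? cidrhost(local._peer_ranges[i], 1)
          : peer.bgp_session.peer_address
        )
      }
```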
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_config" {
+ description = "Cloud config content to be set in user-data metadata."
+ value = local.cloud_config
+}
diff --git a/modules/cloud-config-container/__need_fixing/onprem2/variables.tf b/modules/cloud-config-container/__need_fixing/onprem2/variables.tf
new file mode 100644
index 000000000..47b1a021d
--- /dev/null
+++ b/modules/cloud-config-container/__need_fixing/onprem2/variables.tf
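Review bot: `local.cloud_config` embeds every `shared_secret` from `var.peer_configs` (rendered into ipsec.secrets by cloud-config.yaml), so this output prints the PSKs verbatim in plan/apply output and in any parent module that displays it; add `sensitive = true` to the block. The value still lands in instance user-data metadata by design, so this only limits exposure through Terraform's CLI output and logs, which the description could state: `"Cloud config content to be set in user-data metadata (contains VPN pre-shared keys)."`.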
@@ -0,0 +1,49 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "asn" {
+ description = "Local BGP asn."
+ type = number
+ default = 64521
+ nullable = false
+}
+
+variable "external_address" {
+ description = "Public address of the instance."
+ type = string
+ nullable = false
+}
+
+variable "ip_range" {
+ description = "Local address range used for the Docker network and announced via BGP."
+ type = string
+ default = "192.168.128.0/24"
+ nullable = false
+}
+
+variable "peer_configs" {
+ description = "Peer configurations."
+ type = list(object({
+ address = string
+ shared_secret = string
+ bgp_session = optional(object({
+ asn = optional(number, 64520)
+ local_address = optional(string)
+ peer_address = optional(string)
+ }), {})
+ }))
+ nullable = false
+}
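Review bot: `peer_configs` carries `shared_secret` values but is not marked `sensitive = true`, so the PSKs appear in plain text in plan diffs; add `sensitive = true` next to `nullable = false`. The description `"Peer configurations."` says nothing about the fields — it should state that `address` is the remote VPN gateway IP used both as `right =` in ipsec.conf and as the ipsec.secrets key, that `shared_secret` is the IKE PSK, and that `bgp_session.local_address`/`peer_address` default to hosts of a per-peer /30 carved from 169.254.0.0/16 in main.tf when left null. Light `validation` blocks, e.g. `condition = can(cidrnetmask(var.ip_range))` on `ip_range`, would reject malformed input before it is rendered into the cloud-config.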