Resolve ENG-8 "Update terraform on github to reference latest kasm ve…

…rsion (1.12)"

.gitignore

@@ -1,5 +1,6 @@
- Local .terraform directories
+# Local .terraform directories
 **/.terraform/*
+.terraform
 
 # .tfstate files
 *.tfstate
@@ -8,12 +9,12 @@
 # Crash log files
 crash.log
 
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# Exclude secrets.tfvars files, which are likely to contain sentitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 #
-*.tfvars
+secrets.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

aws/multi_region/README.md

@@ -18,21 +18,17 @@ is deployed.
 [Image_Diagram]: https://f.hubspotusercontent30.net/hubfs/5856039/terraform/diagrams/aws-multi-region-int-gw.png "Diagram"
 
 
-
-
 # Pre-Configuration
 Consider creating a special sub account for the Kasm deployment.
 
 ### DNS Zone
 In your AWS account create a DNS Public zone that matches the desired domain name for the deployment. e.g `kasm.contoso.com`
 
 ### SSH Key Pair
-In the desired AWS region create an aws Key pair. This will be configured as the SSH key for the deployed EC2 machines
+In the each AWS region where you will deploy Kasm, create an aws Key pair with the same name. The key name will be value used in the `aws_key_pair` variable and it will be configured as the SSH key for the deployed EC2 machines.
 
 ### AWS API Keys
-Create a user via the IAM console that will be used for the terraform deployment. Give the user **Programatic Access**
-and attach the existing policy **AdministratorAccess**. Save the key and key secret
-
+Create a user via the IAM console that will be used for the terraform deployment. Give the user **Programatic Access** and attach the existing policy **AdministratorAccess**. Save the key and key secret.
 
 
 # Terraform Configuration
@@ -41,22 +37,61 @@ and attach the existing policy **AdministratorAccess**. Save the key and key sec
 
        terraform init
 
-2. Open `variables.tf` and update the global variables. The variable definitions and descriptions
-can be found in `<module-name>/variables.tf`
-
-3. Open `deployment.tf` and update the module level variables as desired. 
-
+2. Open `settings.tfvars` and update the variable values. The variable definitions, descriptions, and validation expectations can be found in the `variables.tf` file.
+
+> ***NOTE:*** This document assumes you are using a separate file named `secrets.tfvars` for the AWS credentials generated in the [AWS API Keys](#aws-api-keys) section above. The .gitignore file in this repository will ignore any files named `secrets.tfvars` since they are expected to have sensitive values in them. This will prevent you from accidentally committing them to source control.
+
+3. If you are deploying more than 2 regions, you will need to modify the `provider.tf` and the `deployment.tf` files. There are commented sections in both files indicating how to deploy additional regions.
+
+3. Verify the configuration
+
+       terraform plan -var-file settings.tfvars -var-file secrets.tfvars
+
+4. Deploy
+
+       terraform apply -var-file settings.tfvars -var-file secrets.tfvars
+
+5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`
 
-4. Verify the configuration
+6. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes)
 
-       terraform plan
 
-5. Deploy
+# AWS Terraform Variable definitions
 
-       terraform apply
+| Variable | Description | Variable type | Example |
+|:--------:|-------------|---------------|---------|
+| `aws_access_key` | The AWS access key used for deployment. | String | `"AKIAJSIE27KKMHXI3BJQ"` |
+| `aws_secret_key` | The AWS secret key used for deployment. | String | `"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"` |
+| `aws_primary_region` | The AWS Region to deploy all Kasm Management resources. | String | `"us-east-1"` |
+| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` |
+| `aws_domain_name` | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https. | String | `"kasm.contoso.com"` |
+| `kasm_zone_name` | A name given to the kasm deployment Zone. | String | `"default"` |
+| `primary_vpc_subnet_cidr` | The subnet CIDR to use for the Primary region's VPC. | String | `"10.0.0.0/16"` |
+| `aws_key_pair` | The name of an aws keypair to use. | String | `"kasm_ssh_key"` |
+| `primary_region_ec2_ami_id` | The AMI used for the EC2 nodes in the Primary (Management) region. Recommended Ubuntu 20.04 LTS. | String | `"ami-09cd747c78a9add63"` |
+| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` |
+| `webapp_instance_type` | The instance type for the Kasm WebApps. | String | `"t3.small"` |
+| `webapp_hdd_size_gb` | The HDD size for the WebApp EC2s in GB. | Number | `40` |
+| `db_instance_type` | The instance type for the Kasm Database. | String | `"t3.medium"` |
+| `db_hdd_size_gb` | The HDD size for the DB EC2 in GB. | Number | `40` |
+| `agent_instance_type` | The instance type for the Kasm Agents in the Primary region. | String | `"t3.medium"` |
+| `agent_hdd_size_gb` | The HDD size for the Agent EC2s in GB. | Number | `120` |
+| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` |
+| `num_agents` | The number of static Kasm Agents to create in the primary region. Acceptable ranges from 0-100. | Number | `2` |
+| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers (use `["0.0.0.0/0]"` to allow SSH from any IP). | List(String) | `["1.1.1.1/32","172.217.22.14/32"]` |
+| `web_access_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers (use `["0.0.0.0/0]"` to allow HTTP/HTTPS from any IP). | List(String) | `["0.0.0.0/0"]` |
+| `secondary_regions_settings` | A map of AWS environment settings for secondary regions. The Primary region is considered "region1", thus all secondary regions should be labeled "region2", "region3", etc. Refer to the commented settings in the `secondary_regions_settings` variable in the `settings.tf` for an example. | Map(any) | <pre>{<br/>&nbsp;&nbsp;region2 = {<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_region = "eu-central-1"<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_ec2_ami_id = "ami-0e067cc8a2b58de59"<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_instance_type = "t3.medium"<br/>&nbsp;&nbsp;&nbsp;&nbsp;num_agents = 2<br/>&nbsp;&nbsp;&nbsp;&nbsp;agent_vpc_cidr = "10.1.0.0/16"<br/>&nbsp;&nbsp;}<br/>}</pre>
+| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
+| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
+| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
+| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
+| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
+| `kasm_build` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.12.0.d4fd8a.tar.gz"` |
+| `aws_default_tags` | A Map of all tags you wish to apply to all TF created resources in this deployment. | Map(Any) | <pre>{<br/>&nbsp;&nbsp;Service_name = "Kasm Workspaces"<br/>&nbsp;&nbsp;Kasm_version = "1.12"<br/>}</pre> |
 
 
-6. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`
+# Detailed Terraform Deployment Diagram
 
-7. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes)
+![Detailed Diagram][Detailed_Diagram]
 
+[Detailed_Diagram]: ./diagram/aws_multi_region.png "Detailed Diagram"

aws/multi_region/agents/agent.tf

@@ -1,29 +1,25 @@
 resource "aws_instance" "kasm-agent" {
-  count                       = "${var.num_agents}"
-  ami                         = "${var.ec2_ami}"
-  instance_type               = "${var.agent_instance_type}"
-  vpc_security_group_ids      = ["${aws_security_group.kasm-agent-sg.id}"]
-  subnet_id                   = "${aws_subnet.kasm-agent-subnet.id}"
-  key_name                    = "${var.aws_key_pair}"
+  count                  = var.num_agents
+  ami                    = var.ec2_ami
+  instance_type          = var.agent_instance_type
+  vpc_security_group_ids = [data.aws_security_group.data-kasm_agent_sg.id]
+  subnet_id              = data.aws_subnet.data-kasm_agent_subnet.id
+  key_name               = var.aws_key_pair
 
   root_block_device {
-    volume_size = "50"
+    volume_size = var.agent_hdd_size_gb
   }
 
-  user_data = <<-EOF
-              #!/bin/bash
-              fallocate -l 4g /mnt/kasm.swap
-              chmod 600 /mnt/kasm.swap
-              mkswap /mnt/kasm.swap
-              swapon /mnt/kasm.swap
-              echo '/mnt/kasm.swap swap swap defaults 0 0' | tee -a /etc/fstab
-              cd /tmp
-              wget ${var.kasm_build}
-              tar xvf kasm_*.tar.gz
-              PUBLIC_DNS=(`curl -s http://169.254.169.254/latest/meta-data/public-ipv4`)
-              bash kasm_release/install.sh -S agent -e  -p $PUBLIC_DNS -m ${var.zone_name}-lb.${var.aws_domain_name} -M ${var.manager_token}
-              EOF
+  user_data = templatefile("${path.module}/../userdata/agent_bootstrap.sh",
+    {
+      kasm_build_url  = var.kasm_build
+      swap_size       = var.swap_size
+      manager_address = var.aws_domain_name
+      manager_token   = var.manager_token
+    }
+  )
+
   tags = {
     Name = "${var.project_name}-${var.zone_name}-kasm-agent"
   }
-}
+}

aws/multi_region/agents/availability_zones.tf

@@ -0,0 +1,3 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}

aws/multi_region/agents/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      #version = "4.56.0"
+    }
+  }
+}

aws/multi_region/agents/routes.tf

@@ -0,0 +1,21 @@
+resource "aws_route_table" "internet_access" {
+  vpc_id = data.aws_vpc.data-kasm_agent_vpc.id
+
+  route {
+    cidr_block = var.anywhere
+    gateway_id = data.aws_internet_gateway.data-kasm_agent_default_ig.id
+  }
+
+  tags = {
+    Name = "${var.project_name}-kasm-agent-default-route"
+  }
+}
+
+data "aws_route_table" "data-agent_internet_gateway_route_table" {
+  route_table_id = aws_route_table.internet_access.id
+}
+
+resource "aws_route_table_association" "agent_table_association" {
+  subnet_id      = data.aws_subnet.data-kasm_agent_subnet.id
+  route_table_id = data.aws_route_table.data-agent_internet_gateway_route_table.id
+}

aws/multi_region/agents/security_group.tf

@@ -1,26 +1,30 @@
 resource "aws_security_group" "kasm-agent-sg" {
   name        = "${var.project_name}-${var.zone_name}-kasm-agent-access"
   description = "Allow access to agents"
-  vpc_id      = "${aws_vpc.kasm-default-vpc.id}"
+  vpc_id      = data.aws_vpc.data-kasm_agent_vpc.id
 
   ingress {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["${var.ssh_access_cidr}"]
+    cidr_blocks = var.ssh_access_cidrs
   }
 
   ingress {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = [var.anywhere]
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = [var.anywhere]
   }
-}
+}
+
+data "aws_security_group" "data-kasm_agent_sg" {
+  id = aws_security_group.kasm-agent-sg.id
+}

aws/multi_region/agents/subnet.tf

@@ -1,9 +1,19 @@
+locals {
+  kasm_agent_vpc_subnet_cidr_mask    = split("/", var.agent_vpc_cidr)[1]
+  kasm_agent_subnet_cidr_calculation = (8 - (local.kasm_agent_vpc_subnet_cidr_mask - 16))
+  kasm_agent_subnet_cidr_size        = local.kasm_agent_subnet_cidr_calculation < 0 ? 0 : local.kasm_agent_subnet_cidr_calculation
+}
+
 resource "aws_subnet" "kasm-agent-subnet" {
-  vpc_id                  = "${aws_vpc.kasm-default-vpc.id}"
-  cidr_block              = "10.0.40.0/24"
+  vpc_id                  = data.aws_vpc.data-kasm_agent_vpc.id
+  cidr_block              = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 0)
   availability_zone       = data.aws_availability_zones.available.names[0]
   map_public_ip_on_launch = true
   tags = {
     Name = "${var.project_name}-${var.zone_name}-kasm-agent-subnet"
   }
-}
+}
+
+data "aws_subnet" "data-kasm_agent_subnet" {
+  id = aws_subnet.kasm-agent-subnet.id
+}

aws/multi_region/agents/variables.tf

@@ -1,51 +1,76 @@
-variable "aws_access_key" {
-  description = "The AWS access key used for deployment"
-}
-
-variable "aws_secret_key" {
-  description = "The AWS secret key used for deployment"
-}
-
 variable "project_name" {
   description = "The name of the deployment (e.g dev, staging). A short single word"
+  type        = string
 }
 
 variable "aws_domain_name" {
   description = "The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https"
+  type        = string
+}
+
+variable "agent_vpc_cidr" {
+  description = "Subnet CIDR range for Agent VPC"
+  type        = string
+}
+
+variable "swap_size" {
+  description = "The amount of swap (in MB) to configure inside the compute instances"
+  type        = number
 }
 
 variable "num_agents" {
   description = "The number of Agent Role Servers to create in the deployment"
+  type        = number
 }
 
 variable "agent_instance_type" {
-  description = "the instance type for the agents"
+  description = "The instance type for the agents"
+  type        = string
+}
+
+variable "agent_hdd_size_gb" {
+  description = "The HDD size for agents"
+  type        = number
 }
 
 variable "aws_region" {
   description = "The AWS region for the deployment. (e.g us-east-1)"
+  type        = string
 }
 
 variable "kasm_build" {
   description = "The URL for the Kasm Workspaces build"
+  type        = string
 }
 
 variable "zone_name" {
   description = "A name given to the Kasm deployment Zone"
+  type        = string
 }
 
 variable "aws_key_pair" {
   description = "The name of an aws keypair to use."
+  type        = string
 }
 
 variable "ec2_ami" {
-  description = "The AMI used for the EC2 nodes. Recommended Ubuntu 18.04 LTS."
+  description = "The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS."
+  type        = string
 }
 
 variable "manager_token" {
   description = "The password for the database. No special characters"
+  type        = string
+  sensitive   = true
 }
 
-variable "ssh_access_cidr" {
+variable "ssh_access_cidrs" {
   description = "CIDR notation of the bastion host allowed to SSH in to the machines"
+  type        = list(string)
+}
+
+variable "anywhere" {
+  description = "Anywhere subnet for routing and load ingress from all IPs"
+  type        = string
+  default     = "0.0.0.0/0"
 }

aws/multi_region/agents/vpc.tf

@@ -1,19 +1,23 @@
-resource "aws_vpc" "kasm-default-vpc" {
-  cidr_block = "10.0.0.0/16"
+resource "aws_vpc" "kasm-agent-vpc" {
+  cidr_block           = var.agent_vpc_cidr
+  enable_dns_hostnames = true
+  enable_dns_support   = true
   tags = {
     Name = "${var.project_name}-${var.zone_name}-kasm-vpc"
   }
 }
 
+data "aws_vpc" "data-kasm_agent_vpc" {
+  id = aws_vpc.kasm-agent-vpc.id
+}
+
 resource "aws_internet_gateway" "kasm-default-ig" {
-  vpc_id = "${aws_vpc.kasm-default-vpc.id}"
+  vpc_id = data.aws_vpc.data-kasm_agent_vpc.id
   tags = {
     Name = "${var.project_name}-${var.zone_name}-kasm-ig"
   }
 }
 
-resource "aws_route" "internet_access" {
-  route_table_id         = "${aws_vpc.kasm-default-vpc.main_route_table_id}"
-  destination_cidr_block = "0.0.0.0/0"
-  gateway_id             = "${aws_internet_gateway.kasm-default-ig.id}"
-}
+data "aws_internet_gateway" "data-kasm_agent_default_ig" {
+  internet_gateway_id = aws_internet_gateway.kasm-default-ig.id
+}