├── ex2-iac ├── terraform │ ├── 01-initial-parameters.tfvars │ ├── 02-changed-name.tfvars │ ├── 03-changed-prefix.tfvars │ └── vpc.tf └── cloudformation │ ├── 01-initial-parameters │ ├── 01-initial-parameters.json │ ├── 02-changed-name.json │ ├── 03-changed-prefix.json │ └── vpc-template.yaml ├── ex3-web ├── s3 │ ├── image.png │ └── index.html ├── terraform │ ├── amazon_linux_2.tfvars │ ├── ubuntu.tfvars │ ├── s3-access-policy.json │ ├── web_server.cloud-config │ └── web_server.tf └── s3-access-policy.json ├── .gitignore ├── ex5-ipv6 ├── terraform │ ├── another.cloud-config │ ├── jump_host.cloud-config │ ├── web_server.cloud-config │ └── vni.tf └── connectivity_test ├── ex4-infra ├── terraform │ ├── another.cloud-config │ ├── jump_host.cloud-config │ ├── web_server.cloud-config │ ├── vni.tf │ ├── the_plan.svg │ └── apply.svg └── connectivity_test ├── extra ├── s3-pab │ ├── disable_completely.tfvars │ ├── s3_pab.tf │ └── README.md └── amazon-linux2 │ ├── web_server.cloud-config │ ├── amazon_linux_2.tf │ └── README.md ├── solution-template.md ├── README.md ├── ex6-sec └── README.md ├── ex1-reqs └── README.md └── COPYING /ex2-iac/terraform/01-initial-parameters.tfvars: -------------------------------------------------------------------------------- 1 | prefix = "10.47.0.0/16" 2 | name = "tf-vpc" 3 | -------------------------------------------------------------------------------- /ex2-iac/terraform/02-changed-name.tfvars: -------------------------------------------------------------------------------- 1 | prefix = "10.47.0.0/16" 2 | name = "Terraform-VPC" 3 | -------------------------------------------------------------------------------- /ex3-web/s3/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/auerswal/pubcloud2020/HEAD/ex3-web/s3/image.png -------------------------------------------------------------------------------- /ex2-iac/terraform/03-changed-prefix.tfvars: 
-------------------------------------------------------------------------------- 1 | prefix = "10.48.0.0/16" 2 | name = "Terraform-VPC" 3 | -------------------------------------------------------------------------------- /ex3-web/terraform/amazon_linux_2.tfvars: -------------------------------------------------------------------------------- 1 | ami_owner = "amazon" 2 | ami_name = "amzn2-ami-hvm-2.0.????????.?-x86_64-gp2" 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.pyc 3 | .terraform/ 4 | terraform.tfstate 5 | terraform.tfstate.backup 6 | .terraform.tfstate.lock.info 7 | -------------------------------------------------------------------------------- /ex5-ipv6/terraform/another.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 | #cloud-config 3 | package_update: false 4 | package_upgrade: false 5 | -------------------------------------------------------------------------------- /ex4-infra/terraform/another.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 | #cloud-config 3 | package_update: false 4 | package_upgrade: false 5 | -------------------------------------------------------------------------------- /ex3-web/terraform/ubuntu.tfvars: -------------------------------------------------------------------------------- 1 | ami_owner = "099720109477" 2 | ami_name = "ubuntu/images/hvm-ssd/ubuntu-*-18.04-amd64-server-????????" 
3 | -------------------------------------------------------------------------------- /ex2-iac/cloudformation/01-initial-parameters: -------------------------------------------------------------------------------- 1 | ParameterKey=Ipv4Prefix,ParameterValue=10.42.0.0/16 2 | ParameterKey=Name,ParameterValue=cfn-vpc 3 | -------------------------------------------------------------------------------- /extra/s3-pab/disable_completely.tfvars: -------------------------------------------------------------------------------- 1 | block_public_acls = false 2 | block_public_policy = false 3 | ignore_public_acls = false 4 | restrict_public_buckets = false 5 | -------------------------------------------------------------------------------- /ex2-iac/cloudformation/01-initial-parameters.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "Ipv4Prefix", 4 | "ParameterValue": "10.42.0.0/16" 5 | }, 6 | { 7 | "ParameterKey": "Name", 8 | "ParameterValue": "cfn-vpc" 9 | } 10 | ] 11 | -------------------------------------------------------------------------------- /ex2-iac/cloudformation/02-changed-name.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "Ipv4Prefix", 4 | "ParameterValue": "10.42.0.0/16" 5 | }, 6 | { 7 | "ParameterKey": "Name", 8 | "ParameterValue": "CloudFormation-VPC" 9 | } 10 | ] 11 | -------------------------------------------------------------------------------- /ex2-iac/cloudformation/03-changed-prefix.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "Ipv4Prefix", 4 | "ParameterValue": "10.43.0.0/16" 5 | }, 6 | { 7 | "ParameterKey": "Name", 8 | "ParameterValue": "CloudFormation-VPC" 9 | } 10 | ] 11 | -------------------------------------------------------------------------------- /solution-template.md: 
-------------------------------------------------------------------------------- 1 | # Exercise : 2 | 3 | --- 4 | 5 | [PubCloud2020 GitHub repository](https://github.com/auerswal/pubcloud2020) | 6 | [My GitHub user page](https://github.com/auerswal) | 7 | [My home page](https://www.unix-ag.uni-kl.de/~auerswal/) 8 | -------------------------------------------------------------------------------- /ex3-web/s3-access-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PublicReadGetObject", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "s3:GetObject", 9 | "Resource": "arn:aws:s3:::pubcloud2020-website-auerswal/*" 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /ex3-web/terraform/s3-access-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PublicReadGetObject", 6 | "Effect": "Allow", 7 | "Principal": "*", 8 | "Action": "s3:GetObject", 9 | "Resource": "arn:aws:s3:::pubcloud2020-ex3-website-auerswal/*" 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /ex4-infra/terraform/jump_host.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 | #cloud-config 3 | package_update: true 4 | package_upgrade: true 5 | write_files: 6 | - path: /etc/netplan/51-eth1.yaml 7 | owner: 'root:root' 8 | permissions: '0644' 9 | content: | 10 | network: 11 | version: 2 12 | ethernets: 13 | eth1: 14 | dhcp4: true 15 | runcmd: 16 | - [ netplan, apply ] 17 | -------------------------------------------------------------------------------- /ex5-ipv6/terraform/jump_host.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 
| #cloud-config 3 | package_update: true 4 | package_upgrade: true 5 | write_files: 6 | - path: /etc/netplan/51-eth1.yaml 7 | owner: 'root:root' 8 | permissions: '0644' 9 | content: | 10 | network: 11 | version: 2 12 | ethernets: 13 | eth1: 14 | dhcp4: true 15 | runcmd: 16 | - [ netplan, apply ] 17 | -------------------------------------------------------------------------------- /ex3-web/s3/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | PubCloud 2020 - Exercise 3 - Static S3 Website 4 | 5 | 6 |

PubCloud 2020 - Exercise 3 - Static S3 Website

7 |

This website is part of my solution to hands-on exercise 3 8 | of the 9 | Networking in Public Cloud Deployments 10 | course in the spring of 2020.

11 |

The exercise requires hosting of an image: 12 | PubCloud 2020 Hands-on Exercise 3 Image File Stored in AWS S3 (C) 2020 Erik Auerswald

13 | 14 | 15 | -------------------------------------------------------------------------------- /extra/amazon-linux2/web_server.cloud-config: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | repo_update: true 3 | repo_upgrade: all 4 | packages: 5 | - httpd 6 | write_files: 7 | - path: /var/www/html/index.html 8 | owner: 'root:root' 9 | permissions: '0644' 10 | content: | 11 | 12 | 13 | PubCloud 2020 - Extra - Amazon Linux 2 14 | 15 | 16 |

PubCloud 2020 - Extra - Amazon Linux 2

17 |

Static web site running on Amazon Linux 2

18 | 19 | 20 | runcmd: 21 | - [ systemctl, enable, httpd ] 22 | - [ systemctl, start, httpd ] 23 | -------------------------------------------------------------------------------- /ex5-ipv6/terraform/web_server.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 | #cloud-config 3 | package_update: true 4 | package_upgrade: true 5 | packages: 6 | - apache2 7 | write_files: 8 | - path: /var/www/html/index.html 9 | owner: 'root:root' 10 | permissions: '0644' 11 | content: | 12 | 13 | 14 | PubCloud 2020 - Exercise 5 - IPv6 in VNI 15 | 16 | 17 |

PubCloud 2020 - Exercise 5 - IPv6 in VNI

18 |

This website is part of my solution to hands-on exercise 5 19 | of the Networking 20 | in Public Cloud Deployments course in the spring of 2020.

21 |

This request was served from host {{v1.local_hostname}} with 22 | local IP address {{ds.meta_data.local_ipv4}} in availability 23 | zone {{v1.availability_zone}} of region {{v1.region}}. 24 |

25 | 26 | 27 | -------------------------------------------------------------------------------- /ex4-infra/terraform/web_server.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 | #cloud-config 3 | package_update: true 4 | package_upgrade: true 5 | packages: 6 | - apache2 7 | write_files: 8 | - path: /var/www/html/index.html 9 | owner: 'root:root' 10 | permissions: '0644' 11 | content: | 12 | 13 | 14 | PubCloud 2020 - Exercise 4 - Virtual Network Infrastructure 15 | 16 | 17 |

PubCloud 2020 - Exercise 4 - Virtual Network Infrastructure

18 |

This website is part of my solution to hands-on exercise 4 19 | of the Networking 20 | in Public Cloud Deployments course in the spring of 2020.

21 |

This request was served from host {{v1.local_hostname}} with 22 | local IP address {{ds.meta_data.local_ipv4}} in availability 23 | zone {{v1.availability_zone}} of region {{v1.region}}. 24 |

25 | 26 | 27 | -------------------------------------------------------------------------------- /ex3-web/terraform/web_server.cloud-config: -------------------------------------------------------------------------------- 1 | ## template: jinja 2 | #cloud-config 3 | package_update: true 4 | package_upgrade: true 5 | packages: 6 | - apache2 7 | write_files: 8 | - path: /var/www/html/index.html 9 | owner: 'root:root' 10 | permissions: '0644' 11 | content: | 12 | 13 | 14 | PubCloud 2020 - Exercise 3 - Static EC2 Website 15 | 16 | 17 |

PubCloud 2020 - Exercise 3 - Static EC2 Website

18 |

This website is part of my solution to hands-on exercise 3 19 | of the Networking 20 | in Public Cloud Deployments course in the spring of 2020.

21 |

The following image is hosted as a static website on S3:

22 |

image stored in S3 bucket

24 |

This request was served from host {{v1.local_hostname}} with 25 | local IP address {{ds.meta_data.local_ipv4}} in availability 26 | zone {{v1.availability_zone}} of region {{v1.region}}. 27 |

28 | 29 | 30 | -------------------------------------------------------------------------------- /ex2-iac/terraform/vpc.tf: -------------------------------------------------------------------------------- 1 | # Terraform configuration for an AWS Virtual Private Cloud (VPC). 2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 16 | 17 | # providers - AWS in this case 18 | provider "aws" { 19 | version = "~> 2.52" 20 | profile = "default" 21 | region = "eu-central-1" 22 | } 23 | 24 | # variables - prefix and name 25 | variable "prefix" { 26 | default = "10.0.0.0/16" 27 | } 28 | 29 | variable "name" { 30 | default = "unnamed" 31 | } 32 | 33 | # resources - a VPC 34 | resource "aws_vpc" "TheVPC" { 35 | cidr_block = var.prefix 36 | enable_dns_support = true 37 | enable_dns_hostnames = true 38 | instance_tenancy = "default" 39 | tags = { 40 | Name = var.name 41 | } 42 | } 43 | 44 | # outputs - VPC ID and CIDR prefix 45 | output "VPC_ID" { 46 | value = aws_vpc.TheVPC.id 47 | } 48 | 49 | output "Prefix" { 50 | value = aws_vpc.TheVPC.cidr_block 51 | } 52 | -------------------------------------------------------------------------------- /ex2-iac/cloudformation/vpc-template.yaml: -------------------------------------------------------------------------------- 1 | # AWS CloudFormation template for an AWS Virtual Private Cloud (VPC). 
2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 16 | --- 17 | AWSTemplateFormatVersion: 2010-09-09 18 | Description: Basic Virtual Private Cloud (VPC) template 19 | Parameters: 20 | Ipv4Prefix: 21 | Description: IPv4 prefix (CIDR notation) 22 | Type: String 23 | Default: 10.0.0.0/16 24 | Name: 25 | Description: Name for this VPC (tag "name") 26 | Type: String 27 | Default: unnamed 28 | Resources: 29 | TheVPC: 30 | Type: AWS::EC2::VPC 31 | Properties: 32 | CidrBlock: !Ref Ipv4Prefix 33 | EnableDnsHostnames: true 34 | EnableDnsSupport: true 35 | InstanceTenancy: default 36 | Tags: 37 | - Key: name 38 | Value: !Ref Name 39 | Outputs: 40 | VpcId: 41 | Description: VPC ID 42 | Value: !Ref TheVPC 43 | Prefix: 44 | Description: CIDR Prefix 45 | Value: !Ref Ipv4Prefix 46 | -------------------------------------------------------------------------------- /extra/s3-pab/s3_pab.tf: -------------------------------------------------------------------------------- 1 | # Terraform configuration to control AWS S3 Public Access Block settings. 
2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 16 | 17 | # providers - AWS in this case, region from AWS CLI is ignored 18 | provider "aws" { 19 | version = "~> 2.52" 20 | profile = "default" 21 | region = "eu-central-1" 22 | } 23 | 24 | ### variables - control S3 Public Access Block details (secure by default) 25 | variable "block_public_acls" { 26 | default = true 27 | } 28 | variable "block_public_policy" { 29 | default = true 30 | } 31 | variable "ignore_public_acls" { 32 | default = true 33 | } 34 | variable "restrict_public_buckets" { 35 | default = true 36 | } 37 | 38 | ### resources - control S3 Public Access Block - once per AWS account 39 | resource "aws_s3_account_public_access_block" "s3_pab" { 40 | block_public_acls = var.block_public_acls 41 | block_public_policy = var.block_public_policy 42 | ignore_public_acls = var.ignore_public_acls 43 | restrict_public_buckets = var.restrict_public_buckets 44 | } 45 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Networking in Public Cloud Deployments 2020 2 | 3 | This is a repository for my solutions to hands-on assignments (exercises) 4 | of the 5 | [Networking in Public Cloud Deployments](https://www.ipspace.net/PubCloud/) 6 | course 
during spring of 2020. 7 | 8 | This repository fulfills a dual purpose: 9 | 10 | 1. To submit solutions to the course exercises. 11 | 2. As a reference for me (and potentially others). 12 | 13 | My solutions may be longer than strictly necessary. 14 | I want to really understand what happens, 15 | and I want to create a reference for me. 16 | This probably takes more time than just hacking together a solution, 17 | but it results in a better learning experience for me. 18 | Additionally, I take notes while working on the assignments, 19 | instead of creating a report after the fact. 20 | I even keep mistakes in the report, 21 | as long as I think they can be a useful reference. 22 | 23 | ## Links to the Exercise Solutions 24 | 25 | 1. [Define the Requirements](ex1-reqs/) - ruminations on cloud use 26 | 2. [Simple Infrastructure-as-Code Setup](ex2-iac/) - looking at AWS, 27 | AWS CloudFormation, and Terraform 28 | 3. [Deploy a Cloud-Based Web Server](ex3-web/) - all of SSH, Security Groups, 29 | EC2, Cloud-Init, S3, and S3 static web site hosting in a single Terraform 30 | configuration 31 | 4. [Deploy a Virtual Network Infrastructure](ex4-infra/) - a VPC, public and 32 | private subnets, elastic IP address, elastic network interfaces, and 33 | three EC2 instances 34 | 5. [Deploy IPv6 in Your Cloud Virtual Network](ex5-ipv6/) - where we find out 35 | that IPv6 is different from IPv4 36 | 37 | ## Additional Stuff 38 | 39 | Since I want to use this repository as a reference, 40 | I'll add additional stuff not part of the hands-on exercises as well. 41 | 42 | 1. [S3 Public Access Block](extra/s3-pab/) - controlling the S3 Public Access 43 | Block with Terraform 44 | 2. 
[Amazon Linux 2](extra/amazon-linux2/) - playing with Amazon Linux 2, where 45 | we install Apache and add a second network interface 46 | 47 | --- 48 | 49 | [My GitHub user page](https://github.com/auerswal) | 50 | [My home page](https://www.unix-ag.uni-kl.de/~auerswal/) 51 | -------------------------------------------------------------------------------- /ex6-sec/README.md: -------------------------------------------------------------------------------- 1 | # Exercise 6: Secure Your Virtual Network Infrastructure 2 | 3 | This exercise continues with the virtual network infrastructure from the 4 | two preceding hands-on exercises. 5 | Here we are to add security to the existing deployment. 6 | While this makes sense from a teaching perspective, 7 | a production deployment *must* include security from the beginning, 8 | or it will be insecure. 9 | 10 | ## Overview 11 | 12 | This hands-on exercise is comprised of four topics 13 | that each comprise several requirements. 14 | Two of the topics and some of the requirements are optional: 15 | 16 | 1. Traffic Filters 17 | 2. Identity and Access Management 18 | 3. Application Firewall (*optional*) 19 | 4. Session Logging (*optional*) 20 | 21 | ### Traffic Filters 22 | 23 | We have already implemented traffic filters, 24 | i.e., Security Groups for AWS, 25 | in the previous hands-on exercises. 26 | Now we shall adjust these to be a bit more restrictive than before: 27 | 28 | 1. Anyone can connect to the web server over HTTP and HTTPS. 29 | 2. Specified IP addresses can connect to the SSH jump host over SSH. 30 | 3. SSH jump host can connect to any VM within the virtual network over SSH. 31 | 4. Web server(s) can connect to database server(s) over HTTP and MySQL 32 | (or any other similar service). 33 | 5. Database server(s) can communicate over HTTP and MySQL. 34 | 35 | ### Identity and Access Management 36 | 37 | We need to create multiple users within our account (or subscription): 38 | 39 | 1. 
A user that has read-only access. When using those credentials you should be 40 | able to see the networking and compute resources, but not modify them. 41 | 2. A user that can modify the storage bucket you created in the third exercise, 42 | but not anything else (*optional*). 43 | 3. A user that can view networking resources and modify compute resources. 44 | Split the deployment procedure into two parts, and deploy networking and 45 | compute resources using two separate users (*optional*). 46 | 47 | ### Application Firewall (*optional*) 48 | 49 | Add a web application firewall (WAF) in front of your web server 50 | and block any attempts to access `/admin` or `/login` URLs. 51 | 52 | ### Session Logging (*optional*) 53 | 54 | Log all sessions to and from the SSH jump host. 55 | 56 | --- 57 | 58 | [PubCloud2020 GitHub repository](https://github.com/auerswal/pubcloud2020) | 59 | [My GitHub user page](https://github.com/auerswal) | 60 | [My home page](https://www.unix-ag.uni-kl.de/~auerswal/) 61 | -------------------------------------------------------------------------------- /ex4-infra/connectivity_test: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | # connectivity_test - check virtual network infrastructure connectivity 4 | # Copyright (C) 2020 Erik Auerswald 5 | # 6 | # This program is free software: you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation, either version 3 of the License, or 9 | # (at your option) any later version. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program. 
If not, see . 18 | 19 | set -e 20 | set -u 21 | 22 | TF_STATE=terraform/terraform.tfstate 23 | R_USER=ubuntu 24 | SSH_OPTS='-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null' 25 | 26 | # report test failure on error 27 | trap 'printf -- "***\n*** --- CONNECTIVITY TEST FAILED ---\n***\n"' ERR 28 | 29 | # directly connect to web server via elastic IP address 30 | echo '--> connecting to elastic IP address via IP address...' 31 | EIP_IP=$(jq -r '.outputs.eip_ip.value' "$TF_STATE") 32 | ssh $SSH_OPTS "${R_USER}@${EIP_IP}" true 33 | echo '--> OK' 34 | echo '--> connecting to elastic IP address via DNS name...' 35 | EIP_DNS=$(jq -r '.outputs.eip_name.value' "$TF_STATE") 36 | ssh $SSH_OPTS "${R_USER}@${EIP_DNS}" true 37 | echo '--> OK' 38 | 39 | # directly connect to jump server 40 | echo '--> connecting to jump server via IP address...' 41 | J_IP=$(jq -r '.outputs.jump_host_ip.value' "$TF_STATE") 42 | ssh $SSH_OPTS "${R_USER}@${J_IP}" true 43 | echo '--> OK' 44 | echo '--> connecting to jump server via DNS name...' 45 | J_DNS=$(jq -r '.outputs.jump_host_name.value' "$TF_STATE") 46 | ssh $SSH_OPTS "${R_USER}@${J_DNS}" true 47 | echo '--> OK' 48 | 49 | # access web page of web server 50 | echo '--> accessing web page via IP address...' 51 | wget -q -O/dev/null "http://${EIP_IP}/" 52 | echo '--> OK' 53 | echo '--> accessing web page via DNS name...' 54 | wget -q -O/dev/null "http://${EIP_DNS}/" 55 | echo '--> OK' 56 | 57 | # jump host is no web server 58 | echo '--> check that jump host is no web server (via IP)...' 59 | if wget -q -O/dev/null "http://${J_IP}/" 60 | then false 61 | else echo '--> OK' 62 | fi 63 | echo '--> check that jump host is no web server (via DNS)...' 64 | if wget -q -O/dev/null "http://${J_DNS}/" 65 | then false 66 | else echo '--> OK' 67 | fi 68 | 69 | # access host on private subnet via jump host 70 | echo '--> connecting via jump host to host on private subnet...' 
71 | P_IP=$(jq -r '.outputs.private_host_ip.value' "$TF_STATE") 72 | ssh $SSH_OPTS -o "ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" true 73 | echo '--> OK' 74 | 75 | # ping internal IP of web server from host on private subnet 76 | echo '--> testing internal connectivity of host on private subnet...' 77 | W_P_IP=$(jq -r '.outputs.web_server_private_ip.value' "$TF_STATE") 78 | ssh $SSH_OPTS -o "ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \ 79 | "ping -c2 $W_P_IP" 80 | echo '--> OK' 81 | 82 | # ping Google's 8.8.8.8 from host on private subnet 83 | echo '--> testing for no external connectivity of host on private subnet...' 84 | W_P_IP=$(jq -r '.outputs.web_server_private_ip.value' "$TF_STATE") 85 | if ssh $SSH_OPTS -o "ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \ 86 | 'ping -c2 8.8.8.8' 87 | then false 88 | else echo '--> OK' 89 | fi 90 | 91 | # report success if this point in the script is reached 92 | echo 93 | echo '==> All tests passed successfully, :-)' 94 | -------------------------------------------------------------------------------- /ex3-web/terraform/web_server.tf: -------------------------------------------------------------------------------- 1 | # Terraform configuration for a static website on AWS. 2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 
16 | 17 | # providers - AWS in this case, region from AWS CLI is ignored 18 | provider "aws" { 19 | version = "~> 2.52" 20 | profile = "default" 21 | region = "eu-central-1" 22 | } 23 | 24 | ### variables - select AMI flavor 25 | variable "ami_owner" {} 26 | variable "ami_name" {} 27 | 28 | ### data sources 29 | 30 | # AMI ID for web server 31 | data "aws_ami" "gnu_linux_image" { 32 | owners = [var.ami_owner] 33 | most_recent = true 34 | 35 | filter { 36 | name = "name" 37 | values = [var.ami_name] 38 | } 39 | 40 | filter { 41 | name = "state" 42 | values = ["available"] 43 | } 44 | } 45 | 46 | # default VPC 47 | data "aws_vpc" "default" { 48 | default = true 49 | } 50 | 51 | ### resources 52 | 53 | # public SSH key for remote access to EC2 instance 54 | resource "aws_key_pair" "course_ssh_key" { 55 | key_name = "tf-pubcloud2020" 56 | public_key = file("../../../pubcloud2020_rsa_id.pub") 57 | } 58 | 59 | # S3 bucket 60 | resource "aws_s3_bucket" "s3_image" { 61 | bucket = "pubcloud2020-ex3-website-auerswal" 62 | acl = "public-read" 63 | policy = file("s3-access-policy.json") 64 | 65 | website { 66 | index_document = "index.html" 67 | } 68 | 69 | tags = { 70 | Name = "S3_bucket_for_image" 71 | } 72 | } 73 | 74 | # disable S3 Public Access Block - once per AWS account 75 | resource "aws_s3_account_public_access_block" "s3_pab" {} 76 | 77 | # image file in S3 bucket 78 | resource "aws_s3_bucket_object" "image" { 79 | bucket = aws_s3_bucket.s3_image.id 80 | key = "image.png" 81 | source = "../s3/image.png" 82 | content_type = "image/png" 83 | acl = "public-read" 84 | etag = filemd5("../s3/image.png") 85 | } 86 | 87 | # index document for S3 static website 88 | resource "aws_s3_bucket_object" "index" { 89 | bucket = aws_s3_bucket.s3_image.id 90 | key = "index.html" 91 | source = "../s3/index.html" 92 | content_type = "text/html" 93 | acl = "public-read" 94 | etag = filemd5("../s3/index.html") 95 | } 96 | 97 | # Security Group 98 | resource "aws_security_group" "sg_web" 
{ 99 | name = "tf-sg-web" 100 | description = "Allow HTTP(S) and SSH access to web server" 101 | vpc_id = data.aws_vpc.default.id 102 | 103 | ingress { 104 | self = true 105 | from_port = 0 106 | to_port = 0 107 | protocol = "-1" 108 | description = "Allow everything inside the SG" 109 | } 110 | 111 | ingress { 112 | from_port = 22 113 | to_port = 22 114 | protocol = "tcp" 115 | cidr_blocks = ["0.0.0.0/0"] 116 | description = "Allow SSH from the Internet" 117 | } 118 | 119 | ingress { 120 | from_port = 80 121 | to_port = 80 122 | protocol = "tcp" 123 | cidr_blocks = ["0.0.0.0/0"] 124 | description = "Allow HTTP from the Internet" 125 | } 126 | 127 | ingress { 128 | from_port = 443 129 | to_port = 443 130 | protocol = "tcp" 131 | cidr_blocks = ["0.0.0.0/0"] 132 | description = "Allow HTTPS from the Internet" 133 | } 134 | 135 | egress { 136 | from_port = 0 137 | to_port = 0 138 | protocol = "-1" 139 | cidr_blocks = ["0.0.0.0/0"] 140 | description = "Allow Internet access for, e.g., updates" 141 | } 142 | 143 | tags = { 144 | Name = "Web_Server_Security_Group" 145 | } 146 | } 147 | 148 | # web server EC2 instance 149 | resource "aws_instance" "ec2_web" { 150 | depends_on = [aws_s3_bucket.s3_image, 151 | aws_s3_bucket_object.image, 152 | aws_s3_bucket_object.index] 153 | ami = data.aws_ami.gnu_linux_image.id 154 | instance_type = "t2.micro" 155 | associate_public_ip_address = true 156 | key_name = aws_key_pair.course_ssh_key.id 157 | vpc_security_group_ids = [aws_security_group.sg_web.id] 158 | user_data = file("web_server.cloud-config") 159 | tags = { 160 | Name = "Web_Server_EC2_Instance" 161 | } 162 | } 163 | 164 | ### outputs 165 | 166 | # S3 bucket info 167 | output "s3_url" { 168 | value = aws_s3_bucket.s3_image.website_endpoint 169 | } 170 | 171 | # web server info 172 | output "web_server_name" { 173 | value = aws_instance.ec2_web.public_dns 174 | } 175 | 176 | output "web_server_ip" { 177 | value = aws_instance.ec2_web.public_ip 178 | } 179 | 
-------------------------------------------------------------------------------- /extra/amazon-linux2/amazon_linux_2.tf: -------------------------------------------------------------------------------- 1 | # Terraform configuration for Amazon Linux 2 web server with 2nd ENI. 2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 16 | 17 | # providers - AWS in this case, region from AWS CLI is ignored 18 | provider "aws" { 19 | version = "~> 2.52" 20 | profile = "default" 21 | region = "eu-central-1" 22 | } 23 | 24 | ### variables 25 | 26 | # CIDR prefixes to use 27 | variable "vpc_prefix" { 28 | default = "10.42.0.0/16" 29 | } 30 | variable "priv_prefix" { 31 | default = "10.42.0.0/24" 32 | } 33 | variable "pub_prefix" { 34 | default = "10.42.255.0/24" 35 | } 36 | 37 | ### data sources 38 | 39 | # AMI ID for Amazon Linux 2 based web server 40 | data "aws_ami" "gnu_linux_image" { 41 | owners = ["amazon"] 42 | most_recent = true 43 | filter { 44 | name = "name" 45 | values = ["amzn2-ami-hvm-2.0.????????.?-x86_64-gp2"] 46 | } 47 | filter { 48 | name = "state" 49 | values = ["available"] 50 | } 51 | } 52 | 53 | ### resources 54 | 55 | # public SSH key for remote access to EC2 instance 56 | resource "aws_key_pair" "course_ssh_key" { 57 | key_name = "tf-pubcloud2020" 58 | public_key = file("../../../pubcloud2020_rsa_id.pub") 59 | } 60 | 
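# web server EC2 instance
# Launched into the public subnet (auto-assigned public IPv4 address).
# No security group is given explicitly, so the instance ends up in the
# VPC default Security Group that is managed further below.
resource "aws_instance" "ec2_web" {
  depends_on    = [aws_internet_gateway.igw]
  ami           = data.aws_ami.gnu_linux_image.id
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.public.id
  key_name      = aws_key_pair.course_ssh_key.id
  user_data     = file("web_server.cloud-config")
  tags = {
    Name = "Amazon Linux 2 Web Server EC2 Instance"
  }
}

# a new VPC for this deployment
resource "aws_vpc" "vpc" {
  cidr_block           = var.vpc_prefix
  enable_dns_support   = true
  enable_dns_hostnames = true
  # dedicated hardware not needed -> use default tenancy
  instance_tenancy = "default"
  tags = {
    Name = "VPC"
  }
}

# a new (public) subnet in the new VPC
# map_public_ip_on_launch: every instance started here receives a public
# IPv4 address and is reachable according to its Security Group rules.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.pub_prefix
  map_public_ip_on_launch = true
  tags = {
    Name = "public subnet"
  }
}

# a new (private) subnet in the new VPC
# Same AZ as the public subnet so the 2nd ENI (below) can be attached to
# the web server. This subnet is not associated with the route table that
# points to the IGW, so it has no Internet route.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc.id
  availability_zone = aws_subnet.public.availability_zone
  cidr_block        = var.priv_prefix
  tags = {
    Name = "private subnet"
  }
}

# a new Internet Gateway for the VPC
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id
  tags = {
    Name = "Internet gateway"
  }
}

# a new route table for the public subnet with default route to the IGW
resource "aws_route_table" "rt" {
  vpc_id = aws_vpc.vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = {
    Name = "route table for Internet access"
  }
}

# associate the route table with the public subnet
resource "aws_route_table_association" "rt2public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.rt.id
}

# source prefixes allowed to open SSH (TCP/22) connections from outside
# the Security Group.
# The default reproduces the original rule (SSH open to the whole
# Internet). Override it to limit exposure to trusted addresses, e.g. the
# static office prefixes listed in the exercise 1 requirements:
#   terraform apply -var 'ssh_cidr_blocks=["192.0.2.0/24"]'
variable "ssh_cidr_blocks" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

# default Security Group of the new VPC
# Managing the VPC default SG here replaces its rule set with the rules
# below. HTTP/HTTPS are intentionally world-reachable (it is a web server),
# SSH reachability is governed by var.ssh_cidr_blocks, and egress is
# unrestricted. The SG applies to both interfaces of the web server.
resource "aws_default_security_group" "def_sg" {
  vpc_id = aws_vpc.vpc.id
  ingress {
    self        = true
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    description = "Allow everything inside the SG"
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_cidr_blocks
    description = "Allow SSH from the Internet"
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow HTTP from the Internet"
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow HTTPS from the Internet"
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow Internet access for, e.g., updates"
  }
  tags = {
    Name = "Ex. 4 default Security Group"
  }
}

# elastic network interface
# 2nd interface of the web server, placed in the private subnet. No
# security_groups are given, so the VPC default SG applies here as well.
resource "aws_network_interface" "eni" {
  subnet_id = aws_subnet.private.id
  attachment {
    instance     = aws_instance.ec2_web.id
    device_index = 1
  }
}

### outputs

# CIDR prefixes and Availability Zones
output "VPC_prefix" {
  value = aws_vpc.vpc.cidr_block
}
output "private_subnet_prefix" {
  value = aws_subnet.private.cidr_block
}
output "private_subnet_az" {
  value = aws_subnet.private.availability_zone
}
output "public_subnet_prefix" {
  value = aws_subnet.public.cidr_block
}
output "public_subnet_az" {
  value = aws_subnet.public.availability_zone
}

# web server info
output "web_server_private_name" {
  value = aws_instance.ec2_web.private_dns
}
output "web_server_private_ip" {
  value = aws_instance.ec2_web.private_ip
}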
output "web_server_public_name" { 211 | value = aws_instance.ec2_web.public_dns 212 | } 213 | output "web_server_public_ip" { 214 | value = aws_instance.ec2_web.public_ip 215 | } 216 | 217 | # ENI info 218 | output "eni_private_ip" { 219 | value = aws_network_interface.eni.private_ip 220 | } 221 | -------------------------------------------------------------------------------- /extra/s3-pab/README.md: -------------------------------------------------------------------------------- 1 | # Extra: S3 Public Access Block Control 2 | 3 | As found out on 4 | [hands-on exercise 3](../../ex3-web/), 5 | the AWS CLI included in Ubuntu 18.04 LTS cannot control the 6 | *S3 Public Access Block*. 7 | Terraform *can*, 8 | but *destroying* the respective resource 9 | *does not* re-instate the previous settings (after destroying the exercise 3 configuration, the AWS Console still showed all four blocks disabled, see below). 10 | Thus I want to write a Terraform configuration 11 | that makes it easy to control just this account-wide setting. 12 | Instead of Terraform's *insecure by default*, 13 | I use a *secure by default* approach, 14 | i.e., *applying* the Terraform configuration 15 | [s3\_pab.tf](s3_pab.tf) 16 | in this directory without specifying any variable values activates all four blocks. 17 | 18 | Let's see how this works. 19 | I have applied and destroyed the web server configuration 20 | from hands-on exercise 3, 21 | and see in the AWS Console that the 22 | [S3 Public Access Block](https://s3.console.aws.amazon.com/s3/settings?region=eu-central-1) 23 | has been disabled completely. 24 | 25 | First I initialize Terraform using `terraform init`: 26 | 27 | ``` 28 | $ terraform init 29 | 30 | Initializing the backend... 31 | 32 | Initializing provider plugins... 33 | 34 | Terraform has been successfully initialized! 35 | 36 | You may now begin working with Terraform. Try running "terraform plan" to see 37 | any changes that are required for your infrastructure. All Terraform commands 38 | should now work. 
39 | 40 | If you ever set or change modules or backend configuration for Terraform, 41 | rerun this command to reinitialize your working directory. If you forget, other 42 | commands will detect it and remind you to do so if necessary. 43 | ``` 44 | 45 | I then *apply* the Terraform configuration: 46 | 47 | ``` 48 | $ terraform apply 49 | 50 | An execution plan has been generated and is shown below. 51 | Resource actions are indicated with the following symbols: 52 | + create 53 | 54 | Terraform will perform the following actions: 55 | 56 | # aws_s3_account_public_access_block.s3_pab will be created 57 | + resource "aws_s3_account_public_access_block" "s3_pab" { 58 | + account_id = (known after apply) 59 | + block_public_acls = true 60 | + block_public_policy = true 61 | + id = (known after apply) 62 | + ignore_public_acls = true 63 | + restrict_public_buckets = true 64 | } 65 | 66 | Plan: 1 to add, 0 to change, 0 to destroy. 67 | 68 | Do you want to perform these actions? 69 | Terraform will perform the actions described above. 70 | Only 'yes' will be accepted to approve. 71 | 72 | Enter a value: yes 73 | 74 | aws_s3_account_public_access_block.s3_pab: Creating... 75 | aws_s3_account_public_access_block.s3_pab: Creation complete after 1s [id=143440624024] 76 | 77 | Apply complete! Resources: 1 added, 0 changed, 0 destroyed. 78 | ``` 79 | 80 | I can verify via AWS Console that the S3 Public Access Block is now active. 81 | Next I try to disable it using the variable file 82 | [disable\_completely.tfvars](disable_completely.tfvars): 83 | 84 | ``` 85 | $ terraform apply --var-file disable_completely.tfvars 86 | aws_s3_account_public_access_block.s3_pab: Refreshing state... [id=143440624024] 87 | 88 | An execution plan has been generated and is shown below. 
89 | Resource actions are indicated with the following symbols: 90 | ~ update in-place 91 | 92 | Terraform will perform the following actions: 93 | 94 | # aws_s3_account_public_access_block.s3_pab will be updated in-place 95 | ~ resource "aws_s3_account_public_access_block" "s3_pab" { 96 | account_id = "143440624024" 97 | ~ block_public_acls = true -> false 98 | ~ block_public_policy = true -> false 99 | id = "143440624024" 100 | ~ ignore_public_acls = true -> false 101 | ~ restrict_public_buckets = true -> false 102 | } 103 | 104 | Plan: 0 to add, 1 to change, 0 to destroy. 105 | 106 | Do you want to perform these actions? 107 | Terraform will perform the actions described above. 108 | Only 'yes' will be accepted to approve. 109 | 110 | Enter a value: yes 111 | 112 | aws_s3_account_public_access_block.s3_pab: Modifying... [id=143440624024] 113 | aws_s3_account_public_access_block.s3_pab: Modifications complete after 1s [id=143440624024] 114 | 115 | Apply complete! Resources: 0 added, 1 changed, 0 destroyed. 116 | ``` 117 | 118 | The AWS Console now shows that all four S3 Public Access Block settings are disabled. 119 | 120 | Now I change some of the settings via the AWS Console, 121 | because I want to try reading the current state back with `terraform refresh`: 122 | 123 | ``` 124 | $ terraform refresh 125 | aws_s3_account_public_access_block.s3_pab: Refreshing state... 
[id=143440624024] 126 | ``` 127 | 128 | Now the updated (*refreshed*) state can be displayed using `terraform show`: 129 | 130 | ``` 131 | $ terraform show 132 | # aws_s3_account_public_access_block.s3_pab: 133 | resource "aws_s3_account_public_access_block" "s3_pab" { 134 | account_id = "143440624024" 135 | block_public_acls = true 136 | block_public_policy = true 137 | id = "143440624024" 138 | ignore_public_acls = false 139 | restrict_public_buckets = false 140 | } 141 | ``` 142 | 143 | Since I want to re-activate all of the S3 Public Access Block settings, 144 | I apply the Terraform configuration without variable values again: 145 | 146 | ``` 147 | $ terraform apply 148 | aws_s3_account_public_access_block.s3_pab: Refreshing state... [id=143440624024] 149 | 150 | An execution plan has been generated and is shown below. 151 | Resource actions are indicated with the following symbols: 152 | ~ update in-place 153 | 154 | Terraform will perform the following actions: 155 | 156 | # aws_s3_account_public_access_block.s3_pab will be updated in-place 157 | ~ resource "aws_s3_account_public_access_block" "s3_pab" { 158 | account_id = "143440624024" 159 | block_public_acls = true 160 | block_public_policy = true 161 | id = "143440624024" 162 | ~ ignore_public_acls = false -> true 163 | ~ restrict_public_buckets = false -> true 164 | } 165 | 166 | Plan: 0 to add, 1 to change, 0 to destroy. 167 | 168 | Do you want to perform these actions? 169 | Terraform will perform the actions described above. 170 | Only 'yes' will be accepted to approve. 171 | 172 | Enter a value: yes 173 | 174 | aws_s3_account_public_access_block.s3_pab: Modifying... [id=143440624024] 175 | aws_s3_account_public_access_block.s3_pab: Modifications complete after 2s [id=143440624024] 176 | 177 | Apply complete! Resources: 0 added, 1 changed, 0 destroyed. 
178 | ``` 179 | 180 | --- 181 | 182 | [PubCloud2020 GitHub repository](https://github.com/auerswal/pubcloud2020) | 183 | [My GitHub user page](https://github.com/auerswal) | 184 | [My home page](https://www.unix-ag.uni-kl.de/~auerswal/) 185 | -------------------------------------------------------------------------------- /ex1-reqs/README.md: -------------------------------------------------------------------------------- 1 | # Exercise 1: Define the Requirements 2 | 3 | The first exercise is about defining requirements for a cloud deployment. 4 | While it is suggested to use a real project, 5 | I do not have this possibility. 6 | I will instead use a fictitious project inspired by real opportunities, 7 | but aligned with the course objectives. 8 | 9 | ## Cloud Provider for Exercises 10 | 11 | I intend to use 12 | [Amazon Web Services](https://aws.amazon.com/) 13 | (AWS) for the course exercises as well as for cloud service examples. 14 | The course allows the use of any cloud provider on which 15 | solutions to the exercises can be implemented. 16 | AWS, Azure, and Google Cloud are given as examples that can be used. 17 | I have not yet used any cloud, 18 | but at first glance AWS seems to me to be both the most popular and the most versatile, 19 | thus I will look into AWS. 20 | 21 | ## The Project 22 | 23 | The fictitious project is based on replacing a server rented from a 24 | dedicated hosting service with cloud services. 25 | This more or less aligns with the *web site* sample project for this 26 | exercise. 27 | 28 | ### Reality 29 | 30 | > This dramatization is inspired by true events. However, certain scenes, 31 | > characters, names, businesses, incidents, locations, and events have been 32 | > fictionalized for dramatic purposes. 
33 | 34 | The real project aligns quite well with the 35 | [AWS Architecture Blog](https://aws.amazon.com/blogs/architecture/) 36 | post 37 | [Architecting a Low-Cost Web Content Publishing System](https://aws.amazon.com/de/blogs/architecture/architecting-a-low-cost-web-content-publishing-system/) 38 | that is given as a simple case study in the first course section. 39 | The real project is actually a bit simpler and would not require any 40 | [EC2](https://aws.amazon.com/ec2/) 41 | instance, 42 | since the single content management system used can directly write to 43 | [S3](https://aws.amazon.com/s3/). 44 | 45 | The dedicated server provides DNS services in addition to a web site. 46 | A good way to move this to the cloud would be to use a DNS SaaS 47 | offering, e.g., 48 | [Amazon Route 53](http://aws.amazon.com/route53/). 49 | 50 | A possible use for an EC2 instance would be hosting the content management 51 | system in the cloud, 52 | but starting the instance only when needed instead of always running it, 53 | to avoid unnecessary expenses. 54 | The content could be stored using a DBaaS offering, 55 | allowing an EC2 instance to be created on demand from a pre-built image. 56 | The equivalent of a Chromebook might then suffice for content creators. 57 | 58 | Anyway, I do not intend to look into the fine details of the above 59 | and instead focus on learning the course content. 60 | The course content relies on several virtual machines 61 | (e.g., EC2 instances) 62 | using different virtual networks 63 | (e.g., [VPC](https://aws.amazon.com/vpc/)s) 64 | with differing connectivity requirements. 65 | 66 | ### Fiction 67 | 68 | Thus I am using a fictitious public cloud solution oriented towards the 69 | *web site* sample project suggestion. 70 | A similar setup *could* be used for the real project, 71 | but it seems to me to miss out on the potential benefits provided 72 | by consistent use of cloud offerings, 73 | and thus *should not* be used. 
74 | 75 | ## Requirements 76 | 77 | The exercise contains a list of questions. 78 | Answers to those describe the requirements for the public cloud deployment. 79 | 80 | I try to keep the requirements independent of actual implementations. 81 | For example, instead of prescribing the use of HTTPS and two-factor authentication 82 | in order to change web site content, 83 | the requirement is that only authorized personnel may change web content. 84 | 85 | ### What services should the public cloud deployment offer to the customers? 86 | 87 | * The public cloud deployment should offer a public web site. 88 | * The content of the web site is static in nature, 89 | but needs to be updated regularly. 90 | * The public web site content should be easy to manage for non-technical staff. 91 | 92 | ### How will the users consume those services? 93 | 94 | #### Will they use Internet access or will you have to provide a more dedicated connectivity solution? 95 | 96 | * Users will access the web site via the Internet. 97 | * Users shall be able to use either IPv4 or IPv6. 98 | 99 | ### Identify the data needed by the solution you're deploying. 100 | 101 | #### What data is shared with other applications? Where will the data reside? 102 | 103 | * All the content data is dedicated to the web site. 104 | * The web site content storage should provide 105 | [ACID](https://en.wikipedia.org/wiki/ACID) 106 | properties. 107 | * No other systems need to be queried. 108 | 109 | ### What are the security requirements of your application? 110 | 111 | * Only authorized personnel may change the web content. 112 | * Some resiliency against (distributed) denial of service attacks would be 113 | nice to have, 114 | but web site availability is not directly vital for the company. 115 | * Software needs to be kept current (*patched*). 116 | 117 | ### What are the high availability requirements? 118 | 119 | * The web site does not need to be highly available. 
120 | * The web site data needs to be backed up to a separate system. 121 | 122 | ### Do you have to provide connectivity to your on-premises data center? 123 | 124 | * No connectivity to the on-premises data center is needed. 125 | 126 | #### If so, how will you implement it? 127 | 128 | *not applicable* 129 | 130 | ### Do you have to implement connectivity to other (customer) sites? 131 | 132 | * Connectivity is needed from office locations to manage web site content. 133 | * No dedicated connectivity to customer sites is needed. 134 | 135 | #### If so, how will you implement it? 136 | 137 | Connectivity will use Internet access from the office locations. 138 | The office locations use static public IPv4 and IPv6 addresses that can be 139 | used as allow-list sources in security controls. 140 | Web content is updated via HTTPS. 141 | 142 | ## Reality Check 143 | 144 | While the above requirements seem correct at the time of writing, 145 | they may well change over time. 146 | The experience of implementing a solution may result in requirement changes 147 | as well. 148 | 149 | As an example it may become helpful to provide some kind of VPN access, 150 | but this is not obvious at the moment. 151 | As another example the importance of the web site might change, 152 | resulting in needs for higher availability and resilience. 153 | 154 | It may even come to light that features deemed superfluous at first 155 | are so simple and cheap to use that the benefits outweigh the costs. 156 | 157 | I do not know this yet since I am at the start of this journey. ☺ 158 | 159 | Anyway, whenever some existing requirement changes, 160 | or a new requirement emerges, 161 | there is a real risk of overlooking existing requirements 162 | while searching for a solution to the unexpected problem that produced the new 163 | requirements. 164 | It is necessary to verify that the adjusted solution fulfills the 165 | still valid pre-existing requirements. 
166 | 167 | --- 168 | 169 | [PubCloud2020 GitHub repository](https://github.com/auerswal/pubcloud2020) | 170 | [My GitHub user page](https://github.com/auerswal) | 171 | [My home page](https://www.unix-ag.uni-kl.de/~auerswal/) 172 | -------------------------------------------------------------------------------- /ex5-ipv6/connectivity_test: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | # connectivity_test - check virtual network infrastructure connectivity 4 | # Copyright (C) 2020 Erik Auerswald 5 | # 6 | # This program is free software: you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation, either version 3 of the License, or 9 | # (at your option) any later version. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program. If not, see <https://www.gnu.org/licenses/>. 18 | 19 | set -e 20 | set -u 21 | 22 | TF_STATE=terraform/terraform.tfstate 23 | R_USER=ubuntu 24 | SSH_OPTS='-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null' 25 | 26 | # report test failure on error 27 | trap 'printf -- "***\n*** --- CONNECTIVITY TEST FAILED ---\n***\n"' ERR 28 | 29 | # extract address and name information from Terraform & AWS 30 | echo '--> determining IPv4 and IPv6 addresses, and DNS names...' 
# Every value below is read from the Terraform state file with jq.
# NOTE: a missing output does not abort the script: jq then prints the
# literal string "null" and exits 0, so "set -e" is not triggered and a
# later ssh/wget step fails with a confusing target instead.
#
# All ssh invocations use $SSH_OPTS (defined above), which disables
# host-key verification. That is convenient for throw-away instances
# whose host keys change on every apply, but it also means none of these
# checks would notice a man-in-the-middle on the path to the hosts.
EIP_IP=$(jq -r '.outputs.eip_ip.value' "$TF_STATE")
echo "--> web server EIP IP: $EIP_IP"
EIP_DNS=$(jq -r '.outputs.eip_name.value' "$TF_STATE")
echo "--> web server EIP DNS: $EIP_DNS"
W_IP6=$(jq -r '.outputs.web_server_ipv6.value[0]' "$TF_STATE")
echo "--> web server IPv6: $W_IP6"
W_P_IP=$(jq -r '.outputs.web_server_private_ipv4.value' "$TF_STATE")
echo "--> web server private IPv4: $W_P_IP"
J_IP=$(jq -r '.outputs.jump_host_ipv4.value' "$TF_STATE")
echo "--> jump host IPv4: $J_IP"
J_DNS=$(jq -r '.outputs.jump_host_name.value' "$TF_STATE")
echo "--> jump host DNS: $J_DNS"
J_IP6=$(jq -r '.outputs.jump_host_ipv6.value[0]' "$TF_STATE")
echo "--> jump host IPv6: $J_IP6"
# output name spelled "privat" in the Terraform configuration; keep in sync
J_P_IP=$(jq -r '.outputs.jump_host_privat_ipv4.value' "$TF_STATE")
echo "--> jump host private IPv4: $J_P_IP"
ENI_IP=$(jq -r '.outputs.eni_private_ipv4.value' "$TF_STATE")
echo "--> jump host 2nd IPv4: $ENI_IP"
# the IPv6 address of the 2nd ENI is not a Terraform output: take the ENI
# ID from the state's resource list and ask the AWS API for its addresses
# (this is the only step that needs working AWS CLI credentials)
ENI_ID=$(jq -r \
    '.resources[]|select(.name=="ex5_eni").instances[].attributes.id' \
    "$TF_STATE")
ENI_IP6=$(aws ec2 describe-network-interfaces \
    --filter Name=network-interface-id,Values="$ENI_ID" --output json \
    | jq -r 'recurse|.Ipv6Address?|select(.!=null)')
echo "--> jump host 2nd IPv6: $ENI_IP6"
P_IP=$(jq -r '.outputs.private_host_ipv4.value' "$TF_STATE")
echo "--> other host IPv4: $P_IP"
P_IP6=$(jq -r '.outputs.private_host_ipv6.value[0]' "$TF_STATE")
echo "--> other host IPv6: $P_IP6"

# test using IPv4 addresses
# Positive tests rely on "set -e": a failing ssh/wget aborts the script
# and fires the ERR trap.
echo '--> connecting via SSH to elastic IP address via IPv4 address...'
ssh $SSH_OPTS "${R_USER}@${EIP_IP}" true
echo '--> OK'
echo '--> connecting via SSH to jump server via IPv4 address...'
ssh $SSH_OPTS "${R_USER}@${J_IP}" true
echo '--> OK'
echo '--> accessing web page via IPv4 address...'
wget -q -O/dev/null "http://${EIP_IP}/"
echo '--> OK'
# Negative test: a successful download is the failure case ("false" in
# the then-branch trips "set -e"). Note that *any* wget failure (refused,
# filtered, timeout, DNS) counts as a pass; the test shows the page is not
# reachable, not why.
echo '--> check that jump host is no web server (via IPv4)...'
if wget -q -O/dev/null "http://${J_IP}/"
then false
else echo '--> OK'
fi

# test using DNS names
echo '--> connecting via SSH to elastic IP address via DNS name...'
ssh $SSH_OPTS "${R_USER}@${EIP_DNS}" true
echo '--> OK'
echo '--> connecting via SSH to web server via IPv6 address...'
ssh $SSH_OPTS -l "${R_USER}" "${W_IP6}" true
echo '--> OK'
echo '--> accessing web page via DNS name...'
wget -q -O/dev/null "http://${EIP_DNS}/"
echo '--> OK'
echo '--> connecting via SSH to jump server via DNS name...'
ssh $SSH_OPTS "${R_USER}@${J_DNS}" true
echo '--> OK'
echo '--> check that jump host is no web server (via DNS)...'
if wget -q -O/dev/null "http://${J_DNS}/"
then false
else echo '--> OK'
fi

# test using IPv6 addresses
# Negative SSH tests: no ConnectTimeout is set, so a silently filtered
# port makes ssh wait for the TCP timeout before the test can pass.
echo '--> check that 2nd ENI of jump host does not allow SSH via IPv6...'
if ssh $SSH_OPTS -l "${R_USER}" -6 "${ENI_IP6}" true
then false
else echo '--> OK'
fi
echo '--> accessing web page via IPv6 address...'
wget -q -O/dev/null "http://[${W_IP6}]/"
echo '--> OK'
#echo '--> check that jump host is no web server (via IPv6)...'
#if wget -q -O/dev/null "http://[${J_IP6}]/"
#then false
#else echo '--> OK'
#fi
echo '--> check that global IPv6 does not allow SSH access to private subnet...'
if ssh $SSH_OPTS -l "${R_USER}" -6 "${P_IP6}" true
then false
else echo '--> OK'
fi
#echo '--> connecting via SSH to jump server via IPv6 address...'
#ssh $SSH_OPTS -l "${R_USER}" -6 "${J_IP6}" true
#echo '--> OK'

# access host on private subnet via jump host
echo '--> connecting via SSH via jump host to host on private subnet...'
echo '---> using private IPv4 address'
ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" true
echo '--> OK'
# ProxyJump with an IPv6 literal destination did not work here, test disabled
#echo '---> using (global) IPv6 address'
#ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" -l "${R_USER}" -6 "${P_IP6}" true
#echo '--> OK'
# use a manual "proxy jump" instead
# NOTE(review): "-A" forwards the local SSH agent to the jump host, so for
# the duration of this command the jump host can authenticate with any
# key loaded in the agent. Unlike ProxyJump, which only tunnels the TCP
# connection, this exposes the key material's use to the intermediate host.
echo '---> using (global) IPv6 address'
ssh $SSH_OPTS -A "${R_USER}@${J_IP}" "ssh $SSH_OPTS ${P_IP6} true"
echo '--> OK'

# ping internal IP of web server from host on private subnet
# (ping exit status is what matters; its output is not inspected)
echo '--> testing internal IPv4 connectivity of host on private subnet...'
ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \
    "ping -c2 $W_P_IP"
echo '--> OK'
echo '--> testing internal IPv6 connectivity of host on private subnet...'
ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \
    "ping -c2 $W_IP6"
echo '--> OK'

# ping internal IP of jump host eth0 from host on private subnet -> broken
#echo '--> testing internal IPv4 connectivity of host on private subnet...'
#ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \
#    "ping -c2 $J_P_IP"
#echo '--> OK'
echo '--> testing internal IPv6 connectivity of host on private subnet...'
ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \
    "ping -c2 $J_IP6"
echo '--> OK'

# ping internal IP of jump host eth1 from host on private subnet
echo '--> testing internal IPv4 connectivity of host on private subnet...'
ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \
    "ping -c2 $ENI_IP"
echo '--> OK'
echo '--> testing internal IPv6 connectivity of host on private subnet...'
159 | ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \ 160 | "ping -c2 $ENI_IP6" 161 | echo '--> OK' 162 | 163 | # ping Google's 8.8.8.8 from host on private subnet 164 | echo '--> testing for no external v4 connectivity of host on private subnet...' 165 | if ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \ 166 | 'ping -c2 8.8.8.8' 167 | then false 168 | else echo '--> OK' 169 | fi 170 | 171 | # ping Google's 2001:4860:4860::8888 from host on private subnet 172 | echo '--> testing for no external v6 connectivity of host on private subnet...' 173 | if ssh $SSH_OPTS -o"ProxyJump=${R_USER}@${J_IP}" "${R_USER}@${P_IP}" \ 174 | 'ping -c2 2001:4860:4860::8888' 175 | then false 176 | else echo '--> OK' 177 | fi 178 | 179 | # report success if this point in the script is reached 180 | echo 181 | echo '==> All tests passed successfully. :-)' 182 | echo 183 | -------------------------------------------------------------------------------- /ex4-infra/terraform/vni.tf: -------------------------------------------------------------------------------- 1 | # Terraform configuration for AWS virtual network infrastructure. 2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 
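
# providers - AWS in this case, region from AWS CLI is ignored
# No credentials live in this file; they come from the "default" profile
# of the local AWS CLI configuration.
provider "aws" {
  version = "~> 2.52"
  profile = "default"
  region  = "eu-central-1"
}

### variables

# select AMI flavor for VMs
# The owner ID pins the publisher account; together with the name pattern
# it keeps look-alike images from other accounts out of the AMI lookup.
variable "ami_owner" {
  default = "099720109477"
}
variable "ami_name" {
  default = "ubuntu/images/hvm-ssd/ubuntu-*-18.04-amd64-server-????????"
}

# CIDR prefixes to use
variable "vpc_prefix" {
  default = "10.42.0.0/16"
}
variable "priv_prefix" {
  default = "10.42.0.0/24"
}
variable "pub_prefix" {
  default = "10.42.255.0/24"
}

# source prefixes allowed to open SSH (TCP/22) connections from outside
# the Security Group.
# The default reproduces the original rule (SSH open to the whole
# Internet). Override it to limit exposure to trusted addresses, e.g. the
# static office prefixes listed in the exercise 1 requirements:
#   terraform apply -var 'ssh_cidr_blocks=["192.0.2.0/24"]'
# The rule applies to every instance in the default SG, i.e. the web
# server and the jump host alike.
variable "ssh_cidr_blocks" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

### data sources

# AMI ID for the three servers
# most_recent = true means the resolved AMI ID (and thus the software
# baseline) can change between runs.
data "aws_ami" "gnu_linux_image" {
  owners      = [var.ami_owner]
  most_recent = true
  filter {
    name   = "name"
    values = [var.ami_name]
  }
  filter {
    name   = "state"
    values = ["available"]
  }
}

### resources

# public SSH key for remote access to EC2 instances
# Only the public half is read, from a path outside the repository.
resource "aws_key_pair" "course_ssh_key" {
  key_name   = "tf-pubcloud2020"
  public_key = file("../../../pubcloud2020_rsa_id.pub")
}

# a new VPC for this deployment
resource "aws_vpc" "ex4_vpc" {
  cidr_block           = var.vpc_prefix
  enable_dns_support   = true
  enable_dns_hostnames = true
  # dedicated hardware not needed -> use default tenancy
  instance_tenancy = "default"
  tags = {
    Name = "Ex. 4 VPC"
  }
}

# a new (public) subnet in the new VPC
# map_public_ip_on_launch: every instance started here receives a public
# IPv4 address and is reachable according to its Security Group rules.
resource "aws_subnet" "ex4_public" {
  vpc_id                  = aws_vpc.ex4_vpc.id
  cidr_block              = var.pub_prefix
  map_public_ip_on_launch = true
  tags = {
    Name = "Ex. 4 public subnet"
  }
}

# a new (private) subnet in the new VPC
# Same AZ as the public subnet so the jump host's 2nd ENI (below) can be
# placed here. This subnet is not associated with the route table that
# points to the IGW, so it has no Internet route.
resource "aws_subnet" "ex4_private" {
  vpc_id            = aws_vpc.ex4_vpc.id
  availability_zone = aws_subnet.ex4_public.availability_zone
  cidr_block        = var.priv_prefix
  tags = {
    Name = "Ex. 4 private subnet"
  }
}

# a new Internet Gateway for the VPC
resource "aws_internet_gateway" "ex4_igw" {
  vpc_id = aws_vpc.ex4_vpc.id
  tags = {
    Name = "Ex. 4 Internet gateway"
  }
}

# a new route table for the public subnet with default route to the IGW
resource "aws_route_table" "ex4_rt" {
  vpc_id = aws_vpc.ex4_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.ex4_igw.id
  }
  tags = {
    Name = "Ex. 4 route table for Internet access"
  }
}

# associate the route table with the public subnet
resource "aws_route_table_association" "rt2public" {
  subnet_id      = aws_subnet.ex4_public.id
  route_table_id = aws_route_table.ex4_rt.id
}

# default Security Group of the new VPC
# Managing the VPC default SG here replaces its rule set with the rules
# below. All three instances and the 2nd ENI end up in this SG because
# none of them sets a security group explicitly. HTTP/HTTPS are
# intentionally world-reachable, SSH reachability is governed by
# var.ssh_cidr_blocks, and egress is unrestricted.
resource "aws_default_security_group" "def_sg" {
  vpc_id = aws_vpc.ex4_vpc.id
  ingress {
    self        = true
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    description = "Allow everything inside the SG"
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_cidr_blocks
    description = "Allow SSH from the Internet"
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow HTTP from the Internet"
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow HTTPS from the Internet"
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow Internet access for, e.g., updates"
  }
  tags = {
    Name = "Ex. 4 default Security Group"
  }
}

# web server EC2 instance
resource "aws_instance" "ex4_web" {
  depends_on    = [aws_internet_gateway.ex4_igw]
  ami           = data.aws_ami.gnu_linux_image.id
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.ex4_public.id
  key_name      = aws_key_pair.course_ssh_key.id
  user_data     = file("web_server.cloud-config")
  tags = {
    Name = "Ex. 4 web server"
  }
}

# jump host EC2 instance
# Entry point for SSH into the private subnet; it shares the default SG
# (and therefore the SSH exposure) with the web server.
resource "aws_instance" "ex4_jump" {
  depends_on    = [aws_internet_gateway.ex4_igw]
  ami           = data.aws_ami.gnu_linux_image.id
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.ex4_public.id
  key_name      = aws_key_pair.course_ssh_key.id
  user_data     = file("jump_host.cloud-config")
  tags = {
    Name = "Ex. 4 jump host"
  }
}

# another EC2 instance
# Lives in the private subnet: no public address and no route to the
# IGW, so it is reachable only from inside the VPC (e.g., via the jump
# host) and cannot reach the Internet itself.
resource "aws_instance" "ex4_other" {
  ami           = data.aws_ami.gnu_linux_image.id
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.ex4_private.id
  key_name      = aws_key_pair.course_ssh_key.id
  user_data     = file("another.cloud-config")
  tags = {
    Name = "Ex. 4 private host"
  }
}

# elastic IP address
resource "aws_eip" "ex4_eip" {
  depends_on = [aws_internet_gateway.ex4_igw]
  instance   = aws_instance.ex4_web.id
  vpc        = true
}

# elastic network interface
# 2nd interface of the jump host, placed in the private subnet. No
# security_groups are given, so the VPC default SG applies here as well.
resource "aws_network_interface" "ex4_eni" {
  subnet_id = aws_subnet.ex4_private.id
  attachment {
    instance     = aws_instance.ex4_jump.id
    device_index = 1
  }
}

### outputs

# CIDR prefixes
output "VPC_prefix" {
  value = aws_vpc.ex4_vpc.cidr_block
}
output "private_subnet_prefix" {
  value = aws_subnet.ex4_private.cidr_block
}
output "public_subnet_prefix" {
  value = aws_subnet.ex4_public.cidr_block
}

# web server info (probably wrong b/c of EIP)
# The instance's public_ip/public_dns may not reflect the associated
# EIP; the eip_* outputs below are the authoritative public addresses.
output "web_server_name" {
  value = aws_instance.ex4_web.public_dns
}
output "web_server_ip" {
  value = aws_instance.ex4_web.public_ip
}
output "web_server_private_name" {
  value = aws_instance.ex4_web.private_dns
}
output "web_server_private_ip" {
  value = aws_instance.ex4_web.private_ip
}

# jump host info
# ("privat" spelling kept: output names are read by scripts from the state)
output "jump_host_name" {
  value = aws_instance.ex4_jump.public_dns
}
output "jump_host_ip" {
  value = aws_instance.ex4_jump.public_ip
}
output "jump_host_privat_name" {
  value = aws_instance.ex4_jump.private_dns
}
output "jump_host_privat_ip" {
  value = aws_instance.ex4_jump.private_ip
}

# private host info
output "private_host_name" {
  value = aws_instance.ex4_other.private_dns
}
output "private_host_ip" {
  value = aws_instance.ex4_other.private_ip
}

# EIP info
output "eip_ip" {
  value = aws_eip.ex4_eip.public_ip
}
output "eip_name" {
  value = aws_eip.ex4_eip.public_dns
}
output "eip_private_ip" {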
value = aws_eip.ex4_eip.private_ip 282 | } 283 | output "eip_private_name" { 284 | value = aws_eip.ex4_eip.private_dns 285 | } 286 | 287 | # ENI info 288 | output "eni_private_ip" { 289 | value = aws_network_interface.ex4_eni.private_ip 290 | } 291 | -------------------------------------------------------------------------------- /ex5-ipv6/terraform/vni.tf: -------------------------------------------------------------------------------- 1 | # Terraform configuration for dual-stack AWS virtual network infrastructure. 2 | # Copyright (C) 2020 Erik Auerswald 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # (at your option) any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 16 | 17 | # providers - AWS in this case, region from AWS CLI is ignored 18 | provider "aws" { 19 | version = "~> 2.52" 20 | profile = "default" 21 | region = "eu-central-1" 22 | } 23 | 24 | ### variables 25 | 26 | # select AMI flavor for VMs 27 | variable "ami_owner" { 28 | default = "099720109477" 29 | } 30 | variable "ami_name" { 31 | default = "ubuntu/images/hvm-ssd/ubuntu-*-18.04-amd64-server-????????" 
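}

## CIDR prefixes to use
# IPv4 - specify complete prefixes
variable "vpc_prefix" {
  description = "IPv4 prefix of the VPC"
  type        = string
  default     = "10.42.0.0/16"
}
variable "priv_prefix" {
  description = "IPv4 prefix of the private subnet; must lie inside vpc_prefix"
  type        = string
  default     = "10.42.0.0/24"
}
variable "pub_prefix" {
  description = "IPv4 prefix of the public subnet; must lie inside vpc_prefix"
  type        = string
  default     = "10.42.255.0/24"
}
# IPv6 - /56 prefix is AWS assigned, but can be subnetted manually
# The values are the 8-bit subnet numbers handed to cidrsubnet() below,
# i.e. which /64 out of the VPC's /56 each subnet uses. Declared as numbers
# (the original strings relied on implicit conversion).
variable "priv_v6_sub" {
  description = "Subnet number (0-255) of the private /64 inside the VPC /56"
  type        = number
  default     = 0
}
variable "pub_v6_sub" {
  description = "Subnet number (0-255) of the public /64 inside the VPC /56"
  type        = number
  default     = 255
}

## source prefixes allowed to reach SSH on the instances
# The defaults reproduce the previous behaviour (SSH open to the whole
# Internet over both IP versions). Because the default SG is shared by every
# interface in this VPC, narrowing these lists to the administrator's
# networks also removes world-reachable SSH from the web server.
variable "ssh_v4_prefixes" {
  description = "IPv4 prefixes allowed to open SSH connections to the instances"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}
variable "ssh_v6_prefixes" {
  description = "IPv6 prefixes allowed to open SSH connections to the instances"
  type        = list(string)
  default     = ["::/0"]
}

### data sources

# AMI ID for the three servers
# Newest available image matching ami_name from the given owner; pinning the
# owner is what prevents picking up a look-alike image published by someone else.
data "aws_ami" "gnu_linux_image" {
  owners      = [var.ami_owner]
  most_recent = true
  filter {
    name   = "name"
    values = [var.ami_name]
  }
  filter {
    name   = "state"
    values = ["available"]
  }
}

### resources

# public SSH key for remote access to EC2 instances
# Only the public half is read; the private key never enters Terraform state.
resource "aws_key_pair" "course_ssh_key" {
  key_name   = "tf-pubcloud2020"
  public_key = file("../../../pubcloud2020_rsa_id.pub")
}

# a new VPC for this deployment
# Dual stack: the IPv4 prefix is ours, the IPv6 /56 is allocated by AWS.
resource "aws_vpc" "ex5_vpc" {
  cidr_block                       = var.vpc_prefix
  assign_generated_ipv6_cidr_block = true
  enable_dns_support               = true
  enable_dns_hostnames             = true
  # dedicated hardware not needed -> use default tenancy
  instance_tenancy = "default"
  tags = {
    Name = "Ex. 5 VPC"
  }
}

# a new (public) subnet in the new VPC
# Instances launched here get a public IPv4 address and a global IPv6 address.
resource "aws_subnet" "ex5_public" {
  vpc_id                          = aws_vpc.ex5_vpc.id
  cidr_block                      = var.pub_prefix
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.ex5_vpc.ipv6_cidr_block, 8, var.pub_v6_sub)
  assign_ipv6_address_on_creation = true
  map_public_ip_on_launch         = true
  tags = {
    Name = "Ex. 5 public subnet"
  }
}

# a new (private) subnet in the new VPC
# Same AZ as the public subnet, presumably so the jump host's second ENI
# (ex5_eni, below) can live here -- confirm against the ENI resource.
# No route table association exists for this subnet in this file, so it stays
# on the VPC main route table: no default route to the IGW in either IP version.
resource "aws_subnet" "ex5_private" {
  vpc_id                          = aws_vpc.ex5_vpc.id
  availability_zone               = aws_subnet.ex5_public.availability_zone
  cidr_block                      = var.priv_prefix
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.ex5_vpc.ipv6_cidr_block, 8, var.priv_v6_sub)
  assign_ipv6_address_on_creation = true
  tags = {
    Name = "Ex. 5 private subnet"
  }
}

# a new Internet Gateway for the VPC
resource "aws_internet_gateway" "ex5_igw" {
  vpc_id = aws_vpc.ex5_vpc.id
  tags = {
    Name = "Ex. 5 Internet gateway"
  }
}

# a new route table for the public subnet with default route to the IGW
# Both address families get a default route; the IGW serves IPv4 and IPv6.
resource "aws_route_table" "ex5_rt" {
  vpc_id = aws_vpc.ex5_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.ex5_igw.id
  }
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.ex5_igw.id
  }
  tags = {
    Name = "Ex. 5 route table for Internet access"
  }
}

# associate the route table with the public subnet
# (the private subnet is deliberately left on the main route table)
resource "aws_route_table_association" "rt2public" {
  subnet_id      = aws_subnet.ex5_public.id
  route_table_id = aws_route_table.ex5_rt.id
}

# default Security Group of the new VPC
# This manages the VPC's *default* SG. Nothing in this file attaches another
# SG to the instances or to the ENI, so these rules apply to every interface
# created below. Each service has one IPv4 and one IPv6 rule ("legacy
# Internet" = IPv4 in the author's wording).
resource "aws_default_security_group" "def_sg" {
  vpc_id = aws_vpc.ex5_vpc.id
  # intra-SG traffic: any protocol/port between members of this SG
  ingress {
    self        = true
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    description = "Allow everything inside the SG"
  }
  # SSH: source prefixes come from the variables above (defaults: anywhere)
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_v4_prefixes
    description = "Allow SSH from the legacy Internet"
  }
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    ipv6_cidr_blocks = var.ssh_v6_prefixes
    description      = "Allow SSH from the Internet"
  }
  # public web service ports; intentionally world-reachable
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow HTTP from the legacy Internet"
  }
  ingress {
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    ipv6_cidr_blocks = ["::/0"]
    description      = "Allow HTTP from the Internet"
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow HTTPS from the legacy Internet"
  }
  ingress {
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    ipv6_cidr_blocks = ["::/0"]
    description      = "Allow HTTPS from the Internet"
  }
  # unrestricted outbound (package updates via cloud-init need this)
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow legacy Internet access for, e.g., updates"
  }
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
    description      = "Allow Internet access for, e.g., updates"
  }
  tags = {
    Name = "Ex. 5 default Security Group"
  }
}

# web server EC2 instance
# depends_on: the IGW must exist before the instance so that cloud-init's
# package installation (web_server.cloud-config) has Internet access.
resource "aws_instance" "ex5_web" {
  depends_on    = [aws_internet_gateway.ex5_igw]
  ami           = data.aws_ami.gnu_linux_image.id
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.ex5_public.id
  key_name      = aws_key_pair.course_ssh_key.id
  user_data     = file("web_server.cloud-config")
  tags = {
    Name = "Ex. 5 web server"
  }
}

# jump host EC2 instance
# Public-subnet host with a second interface in the private subnet (ex5_eni).
# source_dest_check is disabled here and on the ENI, presumably because the
# jump host forwards traffic between the subnets -- confirm against
# jump_host.cloud-config and the connectivity test.
resource "aws_instance" "ex5_jump" {
  depends_on        = [aws_internet_gateway.ex5_igw]
  ami               = data.aws_ami.gnu_linux_image.id
  instance_type     = "t2.micro"
  subnet_id         = aws_subnet.ex5_public.id
  source_dest_check = false
  key_name          = aws_key_pair.course_ssh_key.id
  user_data         = file("jump_host.cloud-config")
  tags = {
    Name = "Ex. 5 jump host"
  }
}

# another EC2 instance
# Placed in the private subnet, which has no route to the IGW, so it has no
# direct Internet connectivity; no depends_on on the IGW is needed.
resource "aws_instance" "ex5_other" {
  ami           = data.aws_ami.gnu_linux_image.id
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.ex5_private.id
  key_name      = aws_key_pair.course_ssh_key.id
  user_data     = file("another.cloud-config")
  tags = {
    Name = "Ex. 5 private host"
  }
}

# elastic IP address
# IPv4 only: bound to the web server; the eip_* outputs show its address.
resource "aws_eip" "ex5_eip" {
  depends_on = [aws_internet_gateway.ex5_igw]
  instance   = aws_instance.ex5_web.id
  vpc        = true
}

# elastic network interface
# Second interface (device index 1) of the jump host, placed in the private
# subnet. No security_groups are given, so it receives the VPC default SG.
resource "aws_network_interface" "ex5_eni" {
  subnet_id         = aws_subnet.ex5_private.id
  source_dest_check = false
  attachment {
    instance     = aws_instance.ex5_jump.id
    device_index = 1
  }
}

### outputs

# CIDR prefixes
output "VPC_v4_prefix" {
  value = aws_vpc.ex5_vpc.cidr_block
}
output "VPC_v6_prefix" {
  value = aws_vpc.ex5_vpc.ipv6_cidr_block
}
output "private_subnet_v4_prefix" {
  value = aws_subnet.ex5_private.cidr_block
}
output "private_subnet_v6_prefix" {
  value = aws_subnet.ex5_private.ipv6_cidr_block
}
output "public_subnet_v4_prefix" {
  value = aws_subnet.ex5_public.cidr_block
}
output "public_subnet_v6_prefix" {
  value = aws_subnet.ex5_public.ipv6_cidr_block
}

# web server info (probably wrong b/c of EIP)
# The instance's own public_ip/public_dns may not reflect the attached EIP;
# prefer the eip_* outputs for the externally reachable IPv4 address.
output "web_server_name" {
  value = aws_instance.ex5_web.public_dns
}
output "web_server_ipv4" {
  value = aws_instance.ex5_web.public_ip
}
output "web_server_ipv6" {
  value = aws_instance.ex5_web.ipv6_addresses
}
output "web_server_private_name" {
  value = aws_instance.ex5_web.private_dns
}
output "web_server_private_ipv4" {
  value = aws_instance.ex5_web.private_ip
}

# jump host info
output "jump_host_name" {
  value = aws_instance.ex5_jump.public_dns
}
output "jump_host_ipv4" {
  value = aws_instance.ex5_jump.public_ip
}
output "jump_host_ipv6" {
  value = aws_instance.ex5_jump.ipv6_addresses
}
# "privat" (sic) is kept: output names are consumed by scripts/tests.
output "jump_host_privat_name" {
  value = aws_instance.ex5_jump.private_dns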
} 323 | output "jump_host_privat_ipv4" { 324 | value = aws_instance.ex5_jump.private_ip 325 | } 326 | 327 | # private host info 328 | output "private_host_name" { 329 | value = aws_instance.ex5_other.private_dns 330 | } 331 | output "private_host_ipv4" { 332 | value = aws_instance.ex5_other.private_ip 333 | } 334 | output "private_host_ipv6" { 335 | value = aws_instance.ex5_other.ipv6_addresses 336 | } 337 | 338 | # EIP info 339 | output "eip_ip" { 340 | value = aws_eip.ex5_eip.public_ip 341 | } 342 | output "eip_name" { 343 | value = aws_eip.ex5_eip.public_dns 344 | } 345 | output "eip_private_ip" { 346 | value = aws_eip.ex5_eip.private_ip 347 | } 348 | output "eip_private_name" { 349 | value = aws_eip.ex5_eip.private_dns 350 | } 351 | 352 | # ENI info (no documented IPv6 attribute) 353 | output "eni_private_ipv4" { 354 | value = aws_network_interface.ex5_eni.private_ip 355 | } 356 | -------------------------------------------------------------------------------- /extra/amazon-linux2/README.md: -------------------------------------------------------------------------------- 1 | # Extra: Playing with Amazon Linux 2 2 | 3 | I want to play a bit with 4 | [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/) 5 | instead of only using 6 | [Ubuntu](https://ubuntu.com/). 7 | 8 | I have used Ubuntu for both hands-on exercises 9 | [three](../../ex3-web/) 10 | and 11 | [four](../../ex4-infra/). 12 | While Ubuntu worked fine for running a web server in both exercises, 13 | it did not nicely handle an additional *elastic network interface* (ENI). 14 | I did find a workaround for the ENI problem, 15 | but the AWS documentation claims 16 | that Amazon Linux includes support for additional ENIs 17 | via the package `ec2-net-utils`. 18 | I expect this to just work, 19 | possibly after adding the `ec2-net-utils` package to cloud-config.
20 | 21 | ## Simple Web Server with Two Network Interfaces 22 | 23 | I want to play both with using Amazon Linux 2 for a web server, 24 | and adding an additional ENI. 25 | Thus I create a 26 | [Terraform configuration](amazon_linux_2.tf) 27 | based on those from exercises three and four. 28 | 29 | I want to find out two things: 30 | 31 | 1. Does the web server need explicit activation? 32 | 2. Does additional ENI support require explicit package installation? 33 | 34 | Both above points are part of the 35 | [cloud-config](web_server.cloud-config) 36 | file. 37 | 38 | ### Initial Attempt 39 | 40 | The initial file looks as follows: 41 | 42 | ``` 43 | #cloud-config 44 | package_update: true 45 | package_upgrade: true 46 | packages: 47 | - apache2 48 | write_files: 49 | - path: /var/www/html/index.html 50 | owner: 'root:root' 51 | permissions: '0644' 52 | content: | 53 | 54 | 55 | PubCloud 2020 - Extra - Amazon Linux 2 56 | 57 | 58 |

PubCloud 2020 - Extra - Amazon Linux 2

59 |

Static web site running on Amazon Linux 2

60 | 61 | 62 | ``` 63 | 64 | I use `terraform init` to initialize the Terraform workspace, 65 | `terraform fmt` and then `terraform validate` to format and check the 66 | configuration, 67 | and then `terraform apply`: 68 | 69 | ``` 70 | $ terraform fmt 71 | ``` 72 | ``` 73 | $ terraform validate 74 | Success! The configuration is valid. 75 | 76 | ``` 77 | ``` 78 | $ terraform apply 79 | data.aws_ami.gnu_linux_image: Refreshing state... 80 | 81 | An execution plan has been generated and is shown below. 82 | Resource actions are indicated with the following symbols: 83 | + create 84 | 85 | Terraform will perform the following actions: 86 | 87 | # aws_default_security_group.def_sg will be created 88 | + resource "aws_default_security_group" "def_sg" { 89 | + arn = (known after apply) 90 | + description = (known after apply) 91 | + egress = [ 92 | + { 93 | + cidr_blocks = [ 94 | + "0.0.0.0/0", 95 | ] 96 | + description = "Allow Internet access for, e.g., updates" 97 | + from_port = 0 98 | + ipv6_cidr_blocks = [] 99 | + prefix_list_ids = [] 100 | + protocol = "-1" 101 | + security_groups = [] 102 | + self = false 103 | + to_port = 0 104 | }, 105 | ] 106 | + id = (known after apply) 107 | + ingress = [ 108 | + { 109 | + cidr_blocks = [ 110 | + "0.0.0.0/0", 111 | ] 112 | + description = "Allow HTTP from the Internet" 113 | + from_port = 80 114 | + ipv6_cidr_blocks = [] 115 | + prefix_list_ids = [] 116 | + protocol = "tcp" 117 | + security_groups = [] 118 | + self = false 119 | + to_port = 80 120 | }, 121 | + { 122 | + cidr_blocks = [ 123 | + "0.0.0.0/0", 124 | ] 125 | + description = "Allow HTTPS from the Internet" 126 | + from_port = 443 127 | + ipv6_cidr_blocks = [] 128 | + prefix_list_ids = [] 129 | + protocol = "tcp" 130 | + security_groups = [] 131 | + self = false 132 | + to_port = 443 133 | }, 134 | + { 135 | + cidr_blocks = [ 136 | + "0.0.0.0/0", 137 | ] 138 | + description = "Allow SSH from the Internet" 139 | + from_port = 22 140 | + ipv6_cidr_blocks = [] 141 | 
+ prefix_list_ids = [] 142 | + protocol = "tcp" 143 | + security_groups = [] 144 | + self = false 145 | + to_port = 22 146 | }, 147 | + { 148 | + cidr_blocks = [] 149 | + description = "Allow everything inside the SG" 150 | + from_port = 0 151 | + ipv6_cidr_blocks = [] 152 | + prefix_list_ids = [] 153 | + protocol = "-1" 154 | + security_groups = [] 155 | + self = true 156 | + to_port = 0 157 | }, 158 | ] 159 | + name = (known after apply) 160 | + owner_id = (known after apply) 161 | + revoke_rules_on_delete = false 162 | + tags = { 163 | + "Name" = "Ex. 4 default Security Group" 164 | } 165 | + vpc_id = (known after apply) 166 | } 167 | 168 | # aws_instance.ec2_web will be created 169 | + resource "aws_instance" "ec2_web" { 170 | + ami = "ami-076431be05aaf8080" 171 | + arn = (known after apply) 172 | + associate_public_ip_address = (known after apply) 173 | + availability_zone = (known after apply) 174 | + cpu_core_count = (known after apply) 175 | + cpu_threads_per_core = (known after apply) 176 | + get_password_data = false 177 | + host_id = (known after apply) 178 | + id = (known after apply) 179 | + instance_state = (known after apply) 180 | + instance_type = "t2.micro" 181 | + ipv6_address_count = (known after apply) 182 | + ipv6_addresses = (known after apply) 183 | + key_name = (known after apply) 184 | + network_interface_id = (known after apply) 185 | + password_data = (known after apply) 186 | + placement_group = (known after apply) 187 | + primary_network_interface_id = (known after apply) 188 | + private_dns = (known after apply) 189 | + private_ip = (known after apply) 190 | + public_dns = (known after apply) 191 | + public_ip = (known after apply) 192 | + security_groups = (known after apply) 193 | + source_dest_check = true 194 | + subnet_id = (known after apply) 195 | + tags = { 196 | + "Name" = "Amazon Linux 2 Web Server EC2 Instance" 197 | } 198 | + tenancy = (known after apply) 199 | + user_data = "a89b15ed08b1001d85a70163a8d2b34df0cc4f79" 200 | 
+ volume_tags = (known after apply) 201 | + vpc_security_group_ids = (known after apply) 202 | 203 | + ebs_block_device { 204 | + delete_on_termination = (known after apply) 205 | + device_name = (known after apply) 206 | + encrypted = (known after apply) 207 | + iops = (known after apply) 208 | + kms_key_id = (known after apply) 209 | + snapshot_id = (known after apply) 210 | + volume_id = (known after apply) 211 | + volume_size = (known after apply) 212 | + volume_type = (known after apply) 213 | } 214 | 215 | + ephemeral_block_device { 216 | + device_name = (known after apply) 217 | + no_device = (known after apply) 218 | + virtual_name = (known after apply) 219 | } 220 | 221 | + network_interface { 222 | + delete_on_termination = (known after apply) 223 | + device_index = (known after apply) 224 | + network_interface_id = (known after apply) 225 | } 226 | 227 | + root_block_device { 228 | + delete_on_termination = (known after apply) 229 | + encrypted = (known after apply) 230 | + iops = (known after apply) 231 | + kms_key_id = (known after apply) 232 | + volume_id = (known after apply) 233 | + volume_size = (known after apply) 234 | + volume_type = (known after apply) 235 | } 236 | } 237 | 238 | # aws_internet_gateway.igw will be created 239 | + resource "aws_internet_gateway" "igw" { 240 | + id = (known after apply) 241 | + owner_id = (known after apply) 242 | + tags = { 243 | + "Name" = "Internet gateway" 244 | } 245 | + vpc_id = (known after apply) 246 | } 247 | 248 | # aws_key_pair.course_ssh_key will be created 249 | + resource "aws_key_pair" "course_ssh_key" { 250 | + fingerprint = (known after apply) 251 | + id = (known after apply) 252 | + key_name = "tf-pubcloud2020" 253 | + key_pair_id = (known after apply) 254 | + public_key = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDDiXuVGxn6zqLCPKbcojNC813FAnOPBWToBz/XTQaMzMsoAeKMRwVrUoyHEVj8UTFiuEUbTz/0jHItv5ZmFXI1DNY1m+hXxCDVcBp8ojCutX3+AJ012qG2PIZaloaYCjrTkhHj9VmMHAl1jzJ0EbPsoU/Qc4pZCNUNaCVCkG6EHisOUy9wx20i4gA/nrDnjIxk9TD2mGdlVCK7SESH/vGWgMtU6fLI65trtC4eojPNNUyMq8tTLyJxoTdYEwMY5alKkcjjw6+yVBOrtYgZSlMW02WLTkJT7eCxwVHig8a+bywiwAxuvYlUgfmOHEGEIXXTGk/+KNiLrDXdmkK4kuUvlf6rD7qR/kedqQAt0k5v/PiW3ufpej7n1ZBZroSsBT/0Yp5UcCLxpzskUYu+TRLRp+6gI50KsNe/oT8tesNtOVTK2ePD4eXApXAYwQpXy1389c4gGgh4wWljmHyeoFjcd4Soq847/PNspRdswR/u5jyswTsCROKsCJ4+whJRme8JoqaZHGBTpTu9n6gaZJVXbFM/55RYh0bpuCD5BHrdk0+HX4BmhJ1KqdDTDR84y2riwlpv6Eiw8AX8N2GVLOpP6RMt/AUCNUEy5nPWJosKb+UQE/j1dRJ9iorm2EGbh30dv/nRCb2Cu7BVyNWbmSrVaKdJub28SfV5L51sd+ATBw== auerswald@short" 255 | } 256 | 257 | # aws_network_interface.eni will be created 258 | + resource "aws_network_interface" "eni" { 259 | + id = (known after apply) 260 | + mac_address = (known after apply) 261 | + private_dns_name = (known after apply) 262 | + private_ip = (known after apply) 263 | + private_ips = (known after apply) 264 | + private_ips_count = (known after apply) 265 | + security_groups = (known after apply) 266 | + source_dest_check = true 267 | + subnet_id = (known after apply) 268 | 269 | + attachment { 270 | + attachment_id = (known after apply) 271 | + device_index = 1 272 | + instance = (known after apply) 273 | } 274 | } 275 | 276 | # aws_route_table.rt will be created 277 | + resource "aws_route_table" "rt" { 278 | + id = (known after apply) 279 | + owner_id = (known after apply) 280 | + propagating_vgws = (known after apply) 281 | + route = [ 282 | + { 283 | + cidr_block = "0.0.0.0/0" 284 | + egress_only_gateway_id = "" 285 | + gateway_id = (known after apply) 286 | + instance_id = "" 287 | + ipv6_cidr_block = "" 288 | + nat_gateway_id = "" 289 | + network_interface_id = "" 290 | + transit_gateway_id = "" 291 | + vpc_peering_connection_id = "" 292 | }, 293 | ] 294 | + tags = { 295 | + "Name" = "route table for Internet access" 296 | } 
297 | + vpc_id = (known after apply) 298 | } 299 | 300 | # aws_route_table_association.rt2public will be created 301 | + resource "aws_route_table_association" "rt2public" { 302 | + id = (known after apply) 303 | + route_table_id = (known after apply) 304 | + subnet_id = (known after apply) 305 | } 306 | 307 | # aws_subnet.private will be created 308 | + resource "aws_subnet" "private" { 309 | + arn = (known after apply) 310 | + assign_ipv6_address_on_creation = false 311 | + availability_zone = (known after apply) 312 | + availability_zone_id = (known after apply) 313 | + cidr_block = "10.42.0.0/24" 314 | + id = (known after apply) 315 | + ipv6_cidr_block = (known after apply) 316 | + ipv6_cidr_block_association_id = (known after apply) 317 | + map_public_ip_on_launch = false 318 | + owner_id = (known after apply) 319 | + tags = { 320 | + "Name" = "private subnet" 321 | } 322 | + vpc_id = (known after apply) 323 | } 324 | 325 | # aws_subnet.public will be created 326 | + resource "aws_subnet" "public" { 327 | + arn = (known after apply) 328 | + assign_ipv6_address_on_creation = false 329 | + availability_zone = (known after apply) 330 | + availability_zone_id = (known after apply) 331 | + cidr_block = "10.42.255.0/24" 332 | + id = (known after apply) 333 | + ipv6_cidr_block = (known after apply) 334 | + ipv6_cidr_block_association_id = (known after apply) 335 | + map_public_ip_on_launch = true 336 | + owner_id = (known after apply) 337 | + tags = { 338 | + "Name" = "public subnet" 339 | } 340 | + vpc_id = (known after apply) 341 | } 342 | 343 | # aws_vpc.vpc will be created 344 | + resource "aws_vpc" "vpc" { 345 | + arn = (known after apply) 346 | + assign_generated_ipv6_cidr_block = false 347 | + cidr_block = "10.42.0.0/16" 348 | + default_network_acl_id = (known after apply) 349 | + default_route_table_id = (known after apply) 350 | + default_security_group_id = (known after apply) 351 | + dhcp_options_id = (known after apply) 352 | + enable_classiclink = (known 
after apply) 353 | + enable_classiclink_dns_support = (known after apply) 354 | + enable_dns_hostnames = true 355 | + enable_dns_support = true 356 | + id = (known after apply) 357 | + instance_tenancy = "default" 358 | + ipv6_association_id = (known after apply) 359 | + ipv6_cidr_block = (known after apply) 360 | + main_route_table_id = (known after apply) 361 | + owner_id = (known after apply) 362 | + tags = { 363 | + "Name" = "VPC" 364 | } 365 | } 366 | 367 | Plan: 10 to add, 0 to change, 0 to destroy. 368 | 369 | Do you want to perform these actions? 370 | Terraform will perform the actions described above. 371 | Only 'yes' will be accepted to approve. 372 | 373 | Enter a value: yes 374 | 375 | aws_key_pair.course_ssh_key: Creating... 376 | aws_vpc.vpc: Creating... 377 | aws_key_pair.course_ssh_key: Creation complete after 1s [id=tf-pubcloud2020] 378 | aws_vpc.vpc: Creation complete after 7s [id=vpc-065e8836614487066] 379 | aws_internet_gateway.igw: Creating... 380 | aws_subnet.public: Creating... 381 | aws_default_security_group.def_sg: Creating... 382 | aws_subnet.public: Creation complete after 4s [id=subnet-0a7dff3ac1da7d2e3] 383 | aws_subnet.private: Creating... 384 | aws_internet_gateway.igw: Creation complete after 5s [id=igw-00fb41024a1ca3b6c] 385 | aws_route_table.rt: Creating... 386 | aws_instance.ec2_web: Creating... 387 | aws_default_security_group.def_sg: Creation complete after 6s [id=sg-0b12e3bcfaf5acd53] 388 | aws_subnet.private: Creation complete after 3s [id=subnet-08f464bc19986296e] 389 | aws_route_table.rt: Creation complete after 3s [id=rtb-0cc9621d69dd8b0e1] 390 | aws_route_table_association.rt2public: Creating... 391 | aws_route_table_association.rt2public: Creation complete after 1s [id=rtbassoc-07d49b7d3af27399e] 392 | aws_instance.ec2_web: Still creating... [10s elapsed] 393 | aws_instance.ec2_web: Still creating... 
[20s elapsed] 394 | aws_instance.ec2_web: Creation complete after 29s [id=i-00bd5764764ffe6b2] 395 | aws_network_interface.eni: Creating... 396 | aws_network_interface.eni: Creation complete after 3s [id=eni-0d1f6ced39e21fa8a] 397 | 398 | Apply complete! Resources: 10 added, 0 changed, 0 destroyed. 399 | 400 | Outputs: 401 | 402 | VPC_prefix = 10.42.0.0/16 403 | eni_private_ip = 10.42.0.100 404 | private_subnet_az = eu-central-1b 405 | private_subnet_prefix = 10.42.0.0/24 406 | public_subnet_az = eu-central-1b 407 | public_subnet_prefix = 10.42.255.0/24 408 | web_server_private_ip = 10.42.255.53 409 | web_server_private_name = ip-10-42-255-53.eu-central-1.compute.internal 410 | web_server_public_ip = 3.121.229.138 411 | web_server_public_name = ec2-3-121-229-138.eu-central-1.compute.amazonaws.com 412 | ``` 413 | 414 | Well, the web server is not active: 415 | 416 | ``` 417 | $ lynx -dump ec2-3-121-229-138.eu-central-1.compute.amazonaws.com 418 | 419 | Looking up ec2-3-121-229-138.eu-central-1.compute.amazonaws.com 420 | Making HTTP connection to ec2-3-121-229-138.eu-central-1.compute.amazonaws.com 421 | Alert!: Unable to connect to remote host. 422 | 423 | lynx: Can't access startfile http://ec2-3-121-229-138.eu-central-1.compute.amazonaws.com/ 424 | ``` 425 | 426 | Let's look at the ENI: 427 | 428 | ``` 429 | $ ssh ec2-user@ec2-3-121-229-138.eu-central-1.compute.amazonaws.com 430 | Last login: Fri May 1 16:09:08 2020 from 46.114.4.172 431 | 432 | __| __|_ ) 433 | _| ( / Amazon Linux 2 AMI 434 | ___|\___|___| 435 | 436 | https://aws.amazon.com/amazon-linux-2/ 437 | No packages needed for security; 4 packages available 438 | Run "sudo yum update" to apply all updates. 
439 | [ec2-user@ip-10-42-255-53 ~]$ ip a 440 | 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 441 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 442 | inet 127.0.0.1/8 scope host lo 443 | valid_lft forever preferred_lft forever 444 | inet6 ::1/128 scope host 445 | valid_lft forever preferred_lft forever 446 | 2: eth0: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 447 | link/ether 06:e3:28:61:eb:5c brd ff:ff:ff:ff:ff:ff 448 | inet 10.42.255.53/24 brd 10.42.255.255 scope global dynamic eth0 449 | valid_lft 3179sec preferred_lft 3179sec 450 | inet6 fe80::4e3:28ff:fe61:eb5c/64 scope link 451 | valid_lft forever preferred_lft forever 452 | 3: eth1: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 453 | link/ether 06:ab:00:fd:bb:76 brd ff:ff:ff:ff:ff:ff 454 | inet 10.42.0.100/24 brd 10.42.0.255 scope global dynamic eth1 455 | valid_lft 3192sec preferred_lft 3192sec 456 | inet6 fe80::4ab:ff:fefd:bb76/64 scope link 457 | valid_lft forever preferred_lft forever 458 | ``` 459 | 460 | So that worked. 461 | 462 | Non-security updates were not installed, 463 | although the cloud-config requested package updates. 464 | That seems to require special treatment as well. 465 | 466 | Amazon Linux 2 is a bit strange in that commands do not work via SSH: 467 | 468 | ``` 469 | $ ssh ec2-user@ec2-3-121-229-138.eu-central-1.compute.amazonaws.com ip address show 470 | bash: ip: command not found 471 | ``` 472 | 473 | We have seen before that the iproute2 binary `ip` is available. 474 | So all is not well with Amazon Linux 2 either. 475 | It seems as if the `PATH` variable is set too late, 476 | or perhaps in the wrong configuration file. 477 | But SSH command mode does work, 478 | since Bash was invoked, 479 | but did not find the binary to execute. 
480 | This can be seen in the output from later attempts 481 | (therefore we see different IP addresses and DNS names), too: 482 | 483 | ``` 484 | $ ssh ec2-user@ec2-3-121-87-192.eu-central-1.compute.amazonaws.com which ip 485 | which: no ip in (/usr/local/bin:/usr/bin) 486 | ``` 487 | ``` 488 | $ ssh ec2-user@ec2-3-121-87-192.eu-central-1.compute.amazonaws.com /sbin/ip a 489 | 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 490 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 491 | inet 127.0.0.1/8 scope host lo 492 | valid_lft forever preferred_lft forever 493 | inet6 ::1/128 scope host 494 | valid_lft forever preferred_lft forever 495 | 2: eth0: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 496 | link/ether 02:d2:58:01:cb:e2 brd ff:ff:ff:ff:ff:ff 497 | inet 10.42.255.72/24 brd 10.42.255.255 scope global dynamic eth0 498 | valid_lft 3523sec preferred_lft 3523sec 499 | inet6 fe80::d2:58ff:fe01:cbe2/64 scope link 500 | valid_lft forever preferred_lft forever 501 | 3: eth1: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 502 | link/ether 02:51:2e:27:6b:22 brd ff:ff:ff:ff:ff:ff 503 | inet 10.42.0.180/24 brd 10.42.0.255 scope global dynamic eth1 504 | valid_lft 3545sec preferred_lft 3545sec 505 | inet6 fe80::51:2eff:fe27:6b22/64 scope link 506 | valid_lft forever preferred_lft forever 507 | ``` 508 | 509 | The problem seems to be that `/usr/sbin` is added to the `PATH` in 510 | `/etc/profile`, 511 | thus only for interactive shells. 512 | 513 | #### Amazon Linux 2 as SSH Jump Host 514 | 515 | I would like to use the `ProxyJump` functionality of OpenSSH, 516 | even with Amazon Linux 2 as jump host. 517 | I have not looked into how this works exactly, 518 | but when I tried to use `ProxyJump` with the Windows 10 fork of OpenSSH, 519 | that SSH implementation failed with an error message 520 | that hints at creating another SSH process for *jumping*. 
521 | While this helper process would be created on the client host, 522 | the options used for this helper SSH process suggest using it 523 | to start an SSH process on the jump host. 524 | The `ssh` binary is usually located in `/usr/bin/` and thus should 525 | be available for non-interactive sessions on Amazon Linux 2. 526 | Instead of checking all the parts and pieces, 527 | I just tried using the Amazon Linux 2 instance as an SSH jump host, 528 | which did work fine. 529 | Amazon Linux 2 can be used as an SSH jump host 530 | without any special configuration. 531 | 532 | ### Trying Again 533 | 534 | Anyway, let's continue and activate the web server. 535 | There are a couple of issues compared to Ubuntu: 536 | 537 | 1. The package is called `httpd`, not `apache2`. 538 | 2. The web server needs to be enabled explicitly. 539 | 3. Then the web server needs to be started manually. 540 | 541 | So I'll destroy the deployment, 542 | adjust the cloud-init configuration file, 543 | and try again. 544 | 545 | The cloud-config file now looks as follows: 546 | 547 | ``` 548 | #cloud-config 549 | package_update: true 550 | package_upgrade: true 551 | packages: 552 | - httpd 553 | write_files: 554 | - path: /var/www/html/index.html 555 | owner: 'root:root' 556 | permissions: '0644' 557 | content: | 558 | 559 | 560 | PubCloud 2020 - Extra - Amazon Linux 2 561 | 562 | 563 | 

PubCloud 2020 - Extra - Amazon Linux 2

564 |

Static web site running on Amazon Linux 2

565 | 566 | 567 | runcmd: 568 | - [ systemctl, enable, httpd ] 569 | - [ systemctl, start, httpd ] 570 | ``` 571 | 572 | The result of `terraform destroy` and `terraform apply` 573 | is a running web server 574 | with a functional ENI: 575 | 576 | ``` 577 | [...output omitted...] 578 | Apply complete! Resources: 10 added, 0 changed, 0 destroyed. 579 | 580 | Outputs: 581 | 582 | VPC_prefix = 10.42.0.0/16 583 | eni_private_ip = 10.42.0.115 584 | private_subnet_az = eu-central-1b 585 | private_subnet_prefix = 10.42.0.0/24 586 | public_subnet_az = eu-central-1b 587 | public_subnet_prefix = 10.42.255.0/24 588 | web_server_private_ip = 10.42.255.9 589 | web_server_private_name = ip-10-42-255-9.eu-central-1.compute.internal 590 | web_server_public_ip = 3.122.230.250 591 | web_server_public_name = ec2-3-122-230-250.eu-central-1.compute.amazonaws.com 592 | ``` 593 | ``` 594 | $ lynx -dump ec2-3-122-230-250.eu-central-1.compute.amazonaws.com 595 | PubCloud 2020 - Extra - Amazon Linux 2 596 | 597 | Static web site running on Amazon Linux 2 598 | ``` 599 | ``` 600 | $ ssh ec2-user@ec2-3-122-230-250.eu-central-1.compute.amazonaws.com 601 | The authenticity of host 'ec2-3-122-230-250.eu-central-1.compute.amazonaws.com (3.122.230.250)' can't be established. 602 | ECDSA key fingerprint is SHA256:6ejDaKkiHueV2mBDz4JF2I1KEVMvfYibfw8zw8BPsyw. 603 | Are you sure you want to continue connecting (yes/no)? yes 604 | Warning: Permanently added 'ec2-3-122-230-250.eu-central-1.compute.amazonaws.com,3.122.230.250' (ECDSA) to the list of known hosts. 605 | 606 | __| __|_ ) 607 | _| ( / Amazon Linux 2 AMI 608 | ___|\___|___| 609 | 610 | https://aws.amazon.com/amazon-linux-2/ 611 | No packages needed for security; 4 packages available 612 | Run "sudo yum update" to apply all updates. 
613 | [ec2-user@ip-10-42-255-9 ~]$ ip a 614 | 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 615 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 616 | inet 127.0.0.1/8 scope host lo 617 | valid_lft forever preferred_lft forever 618 | inet6 ::1/128 scope host 619 | valid_lft forever preferred_lft forever 620 | 2: eth0: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 621 | link/ether 06:9c:e8:a9:df:a0 brd ff:ff:ff:ff:ff:ff 622 | inet 10.42.255.9/24 brd 10.42.255.255 scope global dynamic eth0 623 | valid_lft 3407sec preferred_lft 3407sec 624 | inet6 fe80::49c:e8ff:fea9:dfa0/64 scope link 625 | valid_lft forever preferred_lft forever 626 | 3: eth1: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 627 | link/ether 06:a7:3a:fb:2e:aa brd ff:ff:ff:ff:ff:ff 628 | inet 10.42.0.115/24 brd 10.42.0.255 scope global dynamic eth1 629 | valid_lft 3442sec preferred_lft 3442sec 630 | inet6 fe80::4a7:3aff:fefb:2eaa/64 scope link 631 | valid_lft forever preferred_lft forever 632 | ``` 633 | 634 | The cloud-init used by Amazon Linux 2 is documented to be modified, 635 | without exhaustively describing the modifications. 636 | That is OK, 637 | but complete documentation would be better. 638 | Anyway, package updates seem to require the following on Amazon Linux 2: 639 | 640 | ``` 641 | repo_update: true 642 | repo_upgrade: all 643 | ``` 644 | 645 | ### The Third Time is the Charm 646 | 647 | So I modify the cloud-init configuration 648 | [web\_server.cloud-config](web_server.cloud-config) 649 | again: 650 | 651 | ``` 652 | #cloud-config 653 | repo_update: true 654 | repo_upgrade: all 655 | packages: 656 | - httpd 657 | write_files: 658 | - path: /var/www/html/index.html 659 | owner: 'root:root' 660 | permissions: '0644' 661 | content: | 662 | 663 | 664 | PubCloud 2020 - Extra - Amazon Linux 2 665 | 666 | 667 |

PubCloud 2020 - Extra - Amazon Linux 2

668 |

Static web site running on Amazon Linux 2

669 | 670 | 671 | runcmd: 672 | - [ systemctl, enable, httpd ] 673 | - [ systemctl, start, httpd ] 674 | ``` 675 | 676 | This worked. :-) 677 | 678 | ``` 679 | [...output omitted...] 680 | Apply complete! Resources: 10 added, 0 changed, 0 destroyed. 681 | 682 | Outputs: 683 | 684 | VPC_prefix = 10.42.0.0/16 685 | eni_private_ip = 10.42.0.107 686 | private_subnet_az = eu-central-1b 687 | private_subnet_prefix = 10.42.0.0/24 688 | public_subnet_az = eu-central-1b 689 | public_subnet_prefix = 10.42.255.0/24 690 | web_server_private_ip = 10.42.255.236 691 | web_server_private_name = ip-10-42-255-236.eu-central-1.compute.internal 692 | web_server_public_ip = 3.127.249.143 693 | web_server_public_name = ec2-3-127-249-143.eu-central-1.compute.amazonaws.com 694 | ``` 695 | ``` 696 | $ ssh ec2-user@ec2-3-127-249-143.eu-central-1.compute.amazonaws.com 697 | The authenticity of host 'ec2-3-127-249-143.eu-central-1.compute.amazonaws.com (3.127.249.143)' can't be established. 698 | ECDSA key fingerprint is SHA256:SnHJ1C1QSM8pfIpiTap+dAnAoCvwuLY47fUzgzfE1FM. 699 | Are you sure you want to continue connecting (yes/no)? yes 700 | Warning: Permanently added 'ec2-3-127-249-143.eu-central-1.compute.amazonaws.com,3.127.249.143' (ECDSA) to the list of known hosts. 
701 | 702 | __| __|_ ) 703 | _| ( / Amazon Linux 2 AMI 704 | ___|\___|___| 705 | 706 | https://aws.amazon.com/amazon-linux-2/ 707 | [ec2-user@ip-10-42-255-236 ~]$ ip a 708 | 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 709 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 710 | inet 127.0.0.1/8 scope host lo 711 | valid_lft forever preferred_lft forever 712 | inet6 ::1/128 scope host 713 | valid_lft forever preferred_lft forever 714 | 2: eth0: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 715 | link/ether 06:b3:4a:71:e9:22 brd ff:ff:ff:ff:ff:ff 716 | inet 10.42.255.236/24 brd 10.42.255.255 scope global dynamic eth0 717 | valid_lft 3487sec preferred_lft 3487sec 718 | inet6 fe80::4b3:4aff:fe71:e922/64 scope link 719 | valid_lft forever preferred_lft forever 720 | 3: eth1: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 721 | link/ether 06:f3:ba:84:c0:82 brd ff:ff:ff:ff:ff:ff 722 | inet 10.42.0.107/24 brd 10.42.0.255 scope global dynamic eth1 723 | valid_lft 3513sec preferred_lft 3513sec 724 | inet6 fe80::4f3:baff:fe84:c082/64 scope link 725 | valid_lft forever preferred_lft forever 726 | [ec2-user@ip-10-42-255-236 ~]$ systemctl status httpd 727 | ● httpd.service - The Apache HTTP Server 728 | Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled) 729 | Active: active (running) since Fr 2020-05-01 16:43:18 UTC; 1min 53s ago 730 | Docs: man:httpd.service(8) 731 | Main PID: 3491 (httpd) 732 | Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec" 733 | CGroup: /system.slice/httpd.service 734 | ├─3491 /usr/sbin/httpd -DFOREGROUND 735 | ├─3492 /usr/sbin/httpd -DFOREGROUND 736 | ├─3493 /usr/sbin/httpd -DFOREGROUND 737 | ├─3494 /usr/sbin/httpd -DFOREGROUND 738 | ├─3495 /usr/sbin/httpd -DFOREGROUND 739 | └─3496 /usr/sbin/httpd -DFOREGROUND 740 | 741 | Mai 01 16:43:18 ip-10-42-255-236.eu-central-1.compute.internal systemd[1]: St... 
742 | Mai 01 16:43:18 ip-10-42-255-236.eu-central-1.compute.internal systemd[1]: St... 743 | Hint: Some lines were ellipsized, use -l to show in full. 744 | [ec2-user@ip-10-42-255-236 ~]$ sudo yum update -y 745 | Loaded plugins: extras_suggestions, langpacks, priorities, update-motd 746 | No packages marked for update 747 | [ec2-user@ip-10-42-255-236 ~]$ logout 748 | Connection to ec2-3-127-249-143.eu-central-1.compute.amazonaws.com closed. 749 | ``` 750 | ``` 751 | $ lynx -dump ec2-user@ec2-3-127-249-143.eu-central-1.compute.amazonaws.com 752 | PubCloud 2020 - Extra - Amazon Linux 2 753 | 754 | Static web site running on Amazon Linux 2 755 | ``` 756 | 757 | Now all package updates have been applied, 758 | Apache is installed, running, and serving the custom web page, 759 | and the ENI is active without any additional action. 760 | 761 | The need to explicitly enable and start the installed services 762 | is a documented policy of Red Hat distributions and their 763 | derivatives, including Amazon Linux 2. 764 | 765 | ## Cleaning Up 766 | 767 | I clean up with `terraform destroy`, as always. 768 | 769 | ``` 770 | [...output omitted...] 771 | Destroy complete! Resources: 10 destroyed. 772 | ``` 773 | 774 | ## Conclusion 775 | 776 | So the two questions have been answered: 777 | 778 | 1. Apache needs to be explicitly enabled and started on Amazon Linux 2. 779 | 2. A second *elastic network interface* (ENI) works out-of-the-box. 780 | 781 | --- 782 | 783 | [PubCloud2020 GitHub repository](https://github.com/auerswal/pubcloud2020) | 784 | [My GitHub user page](https://github.com/auerswal) | 785 | [My home page](https://www.unix-ag.uni-kl.de/~auerswal/) 786 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 
5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 
39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 
76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 
113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. 
For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 
174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 
209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. 
Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. 
If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 
309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 
336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 
360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. 
If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 
428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | <one line to give the program's name and a brief idea of what it does.> 635 | Copyright (C) <year>  <name of author> 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see <https://www.gnu.org/licenses/>. 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | <program>  Copyright (C) <year>  <name of author> 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | <https://www.gnu.org/licenses/>. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | <https://www.gnu.org/licenses/why-not-lgpl.html>. 
675 | -------------------------------------------------------------------------------- /ex4-infra/terraform/the_plan.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 9 | 10 | %3 11 | 12 | 13 | 14 | [root] aws_default_security_group.def_sg 15 | 16 | aws_default_security_group.def_sg 17 | 18 | 19 | 20 | [root] aws_vpc.ex4_vpc 21 | 22 | aws_vpc.ex4_vpc 23 | 24 | 25 | 26 | [root] aws_default_security_group.def_sg->[root] aws_vpc.ex4_vpc 27 | 28 | 29 | 30 | 31 | 32 | [root] aws_instance.ex4_jump 33 | 34 | aws_instance.ex4_jump 35 | 36 | 37 | 38 | [root] aws_internet_gateway.ex4_igw 39 | 40 | aws_internet_gateway.ex4_igw 41 | 42 | 43 | 44 | [root] aws_instance.ex4_jump->[root] aws_internet_gateway.ex4_igw 45 | 46 | 47 | 48 | 49 | 50 | [root] aws_key_pair.course_ssh_key 51 | 52 | aws_key_pair.course_ssh_key 53 | 54 | 55 | 56 | [root] aws_instance.ex4_jump->[root] aws_key_pair.course_ssh_key 57 | 58 | 59 | 60 | 61 | 62 | [root] aws_subnet.ex4_public 63 | 64 | aws_subnet.ex4_public 65 | 66 | 67 | 68 | [root] aws_instance.ex4_jump->[root] aws_subnet.ex4_public 69 | 70 | 71 | 72 | 73 | 74 | [root] data.aws_ami.gnu_linux_image 75 | 76 | data.aws_ami.gnu_linux_image 77 | 78 | 79 | 80 | [root] aws_instance.ex4_jump->[root] data.aws_ami.gnu_linux_image 81 | 82 | 83 | 84 | 85 | 86 | [root] aws_instance.ex4_other 87 | 88 | aws_instance.ex4_other 89 | 90 | 91 | 92 | [root] aws_instance.ex4_other->[root] aws_key_pair.course_ssh_key 93 | 94 | 95 | 96 | 97 | 98 | [root] aws_subnet.ex4_private 99 | 100 | aws_subnet.ex4_private 101 | 102 | 103 | 104 | [root] aws_instance.ex4_other->[root] aws_subnet.ex4_private 105 | 106 | 107 | 108 | 109 | 110 | [root] aws_instance.ex4_other->[root] data.aws_ami.gnu_linux_image 111 | 112 | 113 | 114 | 115 | 116 | [root] aws_instance.ex4_web 117 | 118 | aws_instance.ex4_web 119 | 120 | 121 | 122 | [root] aws_instance.ex4_web->[root] aws_internet_gateway.ex4_igw 123 | 124 | 125 | 126 | 127 | 128 | 
[root] aws_instance.ex4_web->[root] aws_key_pair.course_ssh_key 129 | 130 | 131 | 132 | 133 | 134 | [root] aws_instance.ex4_web->[root] aws_subnet.ex4_public 135 | 136 | 137 | 138 | 139 | 140 | [root] aws_instance.ex4_web->[root] data.aws_ami.gnu_linux_image 141 | 142 | 143 | 144 | 145 | 146 | [root] aws_internet_gateway.ex4_igw->[root] aws_vpc.ex4_vpc 147 | 148 | 149 | 150 | 151 | 152 | [root] provider.aws 153 | 154 | provider.aws 155 | 156 | 157 | 158 | [root] aws_key_pair.course_ssh_key->[root] provider.aws 159 | 160 | 161 | 162 | 163 | 164 | [root] aws_route_table.ex4_rt 165 | 166 | aws_route_table.ex4_rt 167 | 168 | 169 | 170 | [root] aws_route_table.ex4_rt->[root] aws_internet_gateway.ex4_igw 171 | 172 | 173 | 174 | 175 | 176 | [root] aws_route_table_association.rt2public 177 | 178 | aws_route_table_association.rt2public 179 | 180 | 181 | 182 | [root] aws_route_table_association.rt2public->[root] aws_route_table.ex4_rt 183 | 184 | 185 | 186 | 187 | 188 | [root] aws_route_table_association.rt2public->[root] aws_subnet.ex4_public 189 | 190 | 191 | 192 | 193 | 194 | [root] aws_subnet.ex4_private->[root] aws_vpc.ex4_vpc 195 | 196 | 197 | 198 | 199 | 200 | [root] var.priv_prefix 201 | 202 | 203 | 204 | var.priv_prefix 205 | 206 | 207 | 208 | [root] aws_subnet.ex4_private->[root] var.priv_prefix 209 | 210 | 211 | 212 | 213 | 214 | [root] aws_subnet.ex4_public->[root] aws_vpc.ex4_vpc 215 | 216 | 217 | 218 | 219 | 220 | [root] var.pub_prefix 221 | 222 | 223 | 224 | var.pub_prefix 225 | 226 | 227 | 228 | [root] aws_subnet.ex4_public->[root] var.pub_prefix 229 | 230 | 231 | 232 | 233 | 234 | [root] aws_vpc.ex4_vpc->[root] provider.aws 235 | 236 | 237 | 238 | 239 | 240 | [root] var.vpc_prefix 241 | 242 | 243 | 244 | var.vpc_prefix 245 | 246 | 247 | 248 | [root] aws_vpc.ex4_vpc->[root] var.vpc_prefix 249 | 250 | 251 | 252 | 253 | 254 | [root] data.aws_ami.gnu_linux_image->[root] provider.aws 255 | 256 | 257 | 258 | 259 | 260 | [root] var.ami_name 261 | 262 | 263 | 264 | 
var.ami_name 265 | 266 | 267 | 268 | [root] data.aws_ami.gnu_linux_image->[root] var.ami_name 269 | 270 | 271 | 272 | 273 | 274 | [root] var.ami_owner 275 | 276 | 277 | 278 | var.ami_owner 279 | 280 | 281 | 282 | [root] data.aws_ami.gnu_linux_image->[root] var.ami_owner 283 | 284 | 285 | 286 | 287 | 288 | [root] output.VPC_prefix 289 | 290 | 291 | 292 | output.VPC_prefix 293 | 294 | 295 | 296 | [root] output.VPC_prefix->[root] aws_vpc.ex4_vpc 297 | 298 | 299 | 300 | 301 | 302 | [root] output.jump_host_ip 303 | 304 | 305 | 306 | output.jump_host_ip 307 | 308 | 309 | 310 | [root] output.jump_host_ip->[root] aws_instance.ex4_jump 311 | 312 | 313 | 314 | 315 | 316 | [root] output.jump_host_name 317 | 318 | 319 | 320 | output.jump_host_name 321 | 322 | 323 | 324 | [root] output.jump_host_name->[root] aws_instance.ex4_jump 325 | 326 | 327 | 328 | 329 | 330 | [root] output.private_host_ip 331 | 332 | 333 | 334 | output.private_host_ip 335 | 336 | 337 | 338 | [root] output.private_host_ip->[root] aws_instance.ex4_jump 339 | 340 | 341 | 342 | 343 | 344 | [root] output.private_host_name 345 | 346 | 347 | 348 | output.private_host_name 349 | 350 | 351 | 352 | [root] output.private_host_name->[root] aws_instance.ex4_jump 353 | 354 | 355 | 356 | 357 | 358 | [root] output.private_subnet_prefix 359 | 360 | 361 | 362 | output.private_subnet_prefix 363 | 364 | 365 | 366 | [root] output.private_subnet_prefix->[root] aws_subnet.ex4_private 367 | 368 | 369 | 370 | 371 | 372 | [root] output.public_subnet_prefix 373 | 374 | 375 | 376 | output.public_subnet_prefix 377 | 378 | 379 | 380 | [root] output.public_subnet_prefix->[root] aws_subnet.ex4_public 381 | 382 | 383 | 384 | 385 | 386 | [root] output.web_server_ip 387 | 388 | 389 | 390 | output.web_server_ip 391 | 392 | 393 | 394 | [root] output.web_server_ip->[root] aws_instance.ex4_web 395 | 396 | 397 | 398 | 399 | 400 | [root] output.web_server_name 401 | 402 | 403 | 404 | output.web_server_name 405 | 406 | 407 | 408 | [root] 
output.web_server_name->[root] aws_instance.ex4_web 409 | 410 | 411 | 412 | 413 | 414 | [root] meta.count-boundary (EachMode fixup) 415 | 416 | [root] meta.count-boundary (EachMode fixup) 417 | 418 | 419 | 420 | [root] meta.count-boundary (EachMode fixup)->[root] aws_default_security_group.def_sg 421 | 422 | 423 | 424 | 425 | 426 | [root] meta.count-boundary (EachMode fixup)->[root] aws_instance.ex4_other 427 | 428 | 429 | 430 | 431 | 432 | [root] meta.count-boundary (EachMode fixup)->[root] aws_route_table_association.rt2public 433 | 434 | 435 | 436 | 437 | 438 | [root] meta.count-boundary (EachMode fixup)->[root] output.VPC_prefix 439 | 440 | 441 | 442 | 443 | 444 | [root] meta.count-boundary (EachMode fixup)->[root] output.jump_host_ip 445 | 446 | 447 | 448 | 449 | 450 | [root] meta.count-boundary (EachMode fixup)->[root] output.jump_host_name 451 | 452 | 453 | 454 | 455 | 456 | [root] meta.count-boundary (EachMode fixup)->[root] output.private_host_ip 457 | 458 | 459 | 460 | 461 | 462 | [root] meta.count-boundary (EachMode fixup)->[root] output.private_host_name 463 | 464 | 465 | 466 | 467 | 468 | [root] meta.count-boundary (EachMode fixup)->[root] output.private_subnet_prefix 469 | 470 | 471 | 472 | 473 | 474 | [root] meta.count-boundary (EachMode fixup)->[root] output.public_subnet_prefix 475 | 476 | 477 | 478 | 479 | 480 | [root] meta.count-boundary (EachMode fixup)->[root] output.web_server_ip 481 | 482 | 483 | 484 | 485 | 486 | [root] meta.count-boundary (EachMode fixup)->[root] output.web_server_name 487 | 488 | 489 | 490 | 491 | 492 | [root] provider.aws (close) 493 | 494 | [root] provider.aws (close) 495 | 496 | 497 | 498 | [root] provider.aws (close)->[root] aws_default_security_group.def_sg 499 | 500 | 501 | 502 | 503 | 504 | [root] provider.aws (close)->[root] aws_instance.ex4_jump 505 | 506 | 507 | 508 | 509 | 510 | [root] provider.aws (close)->[root] aws_instance.ex4_other 511 | 512 | 513 | 514 | 515 | 516 | [root] provider.aws (close)->[root] 
aws_instance.ex4_web 517 | 518 | 519 | 520 | 521 | 522 | [root] provider.aws (close)->[root] aws_route_table_association.rt2public 523 | 524 | 525 | 526 | 527 | 528 | [root] root 529 | 530 | [root] root 531 | 532 | 533 | 534 | [root] root->[root] meta.count-boundary (EachMode fixup) 535 | 536 | 537 | 538 | 539 | 540 | [root] root->[root] provider.aws (close) 541 | 542 | 543 | 544 | 545 | 546 | -------------------------------------------------------------------------------- /ex4-infra/terraform/apply.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 9 | 10 | %3 11 | 12 | 13 | 14 | [root] aws_default_security_group.def_sg (prepare state) 15 | 16 | aws_default_security_group.def_sg 17 | 18 | 19 | 20 | [root] provider.aws 21 | 22 | provider.aws 23 | 24 | 25 | 26 | [root] aws_default_security_group.def_sg (prepare state)->[root] provider.aws 27 | 28 | 29 | 30 | 31 | 32 | [root] aws_instance.ex4_jump (prepare state) 33 | 34 | aws_instance.ex4_jump 35 | 36 | 37 | 38 | [root] aws_instance.ex4_jump (prepare state)->[root] provider.aws 39 | 40 | 41 | 42 | 43 | 44 | [root] aws_instance.ex4_other (prepare state) 45 | 46 | aws_instance.ex4_other 47 | 48 | 49 | 50 | [root] aws_instance.ex4_other (prepare state)->[root] provider.aws 51 | 52 | 53 | 54 | 55 | 56 | [root] aws_instance.ex4_web (prepare state) 57 | 58 | aws_instance.ex4_web 59 | 60 | 61 | 62 | [root] aws_instance.ex4_web (prepare state)->[root] provider.aws 63 | 64 | 65 | 66 | 67 | 68 | [root] aws_internet_gateway.ex4_igw (prepare state) 69 | 70 | aws_internet_gateway.ex4_igw 71 | 72 | 73 | 74 | [root] aws_internet_gateway.ex4_igw (prepare state)->[root] provider.aws 75 | 76 | 77 | 78 | 79 | 80 | [root] aws_key_pair.course_ssh_key (prepare state) 81 | 82 | aws_key_pair.course_ssh_key 83 | 84 | 85 | 86 | [root] aws_key_pair.course_ssh_key (prepare state)->[root] provider.aws 87 | 88 | 89 | 90 | 91 | 92 | [root] aws_route_table.ex4_rt (prepare state) 93 | 94 | 
aws_route_table.ex4_rt 95 | 96 | 97 | 98 | [root] aws_route_table.ex4_rt (prepare state)->[root] provider.aws 99 | 100 | 101 | 102 | 103 | 104 | [root] aws_route_table_association.rt2public (prepare state) 105 | 106 | aws_route_table_association.rt2public 107 | 108 | 109 | 110 | [root] aws_route_table_association.rt2public (prepare state)->[root] provider.aws 111 | 112 | 113 | 114 | 115 | 116 | [root] aws_subnet.ex4_private (prepare state) 117 | 118 | aws_subnet.ex4_private 119 | 120 | 121 | 122 | [root] aws_subnet.ex4_private (prepare state)->[root] provider.aws 123 | 124 | 125 | 126 | 127 | 128 | [root] aws_subnet.ex4_public (prepare state) 129 | 130 | aws_subnet.ex4_public 131 | 132 | 133 | 134 | [root] aws_subnet.ex4_public (prepare state)->[root] provider.aws 135 | 136 | 137 | 138 | 139 | 140 | [root] aws_vpc.ex4_vpc (prepare state) 141 | 142 | aws_vpc.ex4_vpc 143 | 144 | 145 | 146 | [root] aws_vpc.ex4_vpc (prepare state)->[root] provider.aws 147 | 148 | 149 | 150 | 151 | 152 | [root] data.aws_ami.gnu_linux_image (prepare state) 153 | 154 | data.aws_ami.gnu_linux_image 155 | 156 | 157 | 158 | [root] data.aws_ami.gnu_linux_image (prepare state)->[root] provider.aws 159 | 160 | 161 | 162 | 163 | 164 | [root] output.VPC_prefix 165 | 166 | 167 | 168 | output.VPC_prefix 169 | 170 | 171 | 172 | [root] output.VPC_prefix->[root] aws_vpc.ex4_vpc (prepare state) 173 | 174 | 175 | 176 | 177 | 178 | [root] output.jump_host_ip 179 | 180 | 181 | 182 | output.jump_host_ip 183 | 184 | 185 | 186 | [root] output.jump_host_ip->[root] aws_instance.ex4_jump (prepare state) 187 | 188 | 189 | 190 | 191 | 192 | [root] output.jump_host_name 193 | 194 | 195 | 196 | output.jump_host_name 197 | 198 | 199 | 200 | [root] output.jump_host_name->[root] aws_instance.ex4_jump (prepare state) 201 | 202 | 203 | 204 | 205 | 206 | [root] output.private_host_ip 207 | 208 | 209 | 210 | output.private_host_ip 211 | 212 | 213 | 214 | [root] output.private_host_ip->[root] aws_instance.ex4_jump (prepare 
state) 215 | 216 | 217 | 218 | 219 | 220 | [root] output.private_host_name 221 | 222 | 223 | 224 | output.private_host_name 225 | 226 | 227 | 228 | [root] output.private_host_name->[root] aws_instance.ex4_jump (prepare state) 229 | 230 | 231 | 232 | 233 | 234 | [root] output.private_subnet_prefix 235 | 236 | 237 | 238 | output.private_subnet_prefix 239 | 240 | 241 | 242 | [root] output.private_subnet_prefix->[root] aws_subnet.ex4_private (prepare state) 243 | 244 | 245 | 246 | 247 | 248 | [root] output.public_subnet_prefix 249 | 250 | 251 | 252 | output.public_subnet_prefix 253 | 254 | 255 | 256 | [root] output.public_subnet_prefix->[root] aws_subnet.ex4_public (prepare state) 257 | 258 | 259 | 260 | 261 | 262 | [root] output.web_server_ip 263 | 264 | 265 | 266 | output.web_server_ip 267 | 268 | 269 | 270 | [root] output.web_server_ip->[root] aws_instance.ex4_web (prepare state) 271 | 272 | 273 | 274 | 275 | 276 | [root] output.web_server_name 277 | 278 | 279 | 280 | output.web_server_name 281 | 282 | 283 | 284 | [root] output.web_server_name->[root] aws_instance.ex4_web (prepare state) 285 | 286 | 287 | 288 | 289 | 290 | [root] var.ami_name 291 | 292 | 293 | 294 | var.ami_name 295 | 296 | 297 | 298 | [root] var.ami_owner 299 | 300 | 301 | 302 | var.ami_owner 303 | 304 | 305 | 306 | [root] var.priv_prefix 307 | 308 | 309 | 310 | var.priv_prefix 311 | 312 | 313 | 314 | [root] var.pub_prefix 315 | 316 | 317 | 318 | var.pub_prefix 319 | 320 | 321 | 322 | [root] var.vpc_prefix 323 | 324 | 325 | 326 | var.vpc_prefix 327 | 328 | 329 | 330 | [root] meta.count-boundary (EachMode fixup) 331 | 332 | [root] meta.count-boundary (EachMode fixup) 333 | 334 | 335 | 336 | [root] meta.count-boundary (EachMode fixup)->[root] aws_default_security_group.def_sg (prepare state) 337 | 338 | 339 | 340 | 341 | 342 | [root] meta.count-boundary (EachMode fixup)->[root] aws_instance.ex4_other (prepare state) 343 | 344 | 345 | 346 | 347 | 348 | [root] meta.count-boundary (EachMode 
fixup)->[root] aws_internet_gateway.ex4_igw (prepare state) 349 | 350 | 351 | 352 | 353 | 354 | [root] meta.count-boundary (EachMode fixup)->[root] aws_key_pair.course_ssh_key (prepare state) 355 | 356 | 357 | 358 | 359 | 360 | [root] meta.count-boundary (EachMode fixup)->[root] aws_route_table.ex4_rt (prepare state) 361 | 362 | 363 | 364 | 365 | 366 | [root] meta.count-boundary (EachMode fixup)->[root] aws_route_table_association.rt2public (prepare state) 367 | 368 | 369 | 370 | 371 | 372 | [root] meta.count-boundary (EachMode fixup)->[root] data.aws_ami.gnu_linux_image (prepare state) 373 | 374 | 375 | 376 | 377 | 378 | [root] meta.count-boundary (EachMode fixup)->[root] output.VPC_prefix 379 | 380 | 381 | 382 | 383 | 384 | [root] meta.count-boundary (EachMode fixup)->[root] output.jump_host_ip 385 | 386 | 387 | 388 | 389 | 390 | [root] meta.count-boundary (EachMode fixup)->[root] output.jump_host_name 391 | 392 | 393 | 394 | 395 | 396 | [root] meta.count-boundary (EachMode fixup)->[root] output.private_host_ip 397 | 398 | 399 | 400 | 401 | 402 | [root] meta.count-boundary (EachMode fixup)->[root] output.private_host_name 403 | 404 | 405 | 406 | 407 | 408 | [root] meta.count-boundary (EachMode fixup)->[root] output.private_subnet_prefix 409 | 410 | 411 | 412 | 413 | 414 | [root] meta.count-boundary (EachMode fixup)->[root] output.public_subnet_prefix 415 | 416 | 417 | 418 | 419 | 420 | [root] meta.count-boundary (EachMode fixup)->[root] output.web_server_ip 421 | 422 | 423 | 424 | 425 | 426 | [root] meta.count-boundary (EachMode fixup)->[root] output.web_server_name 427 | 428 | 429 | 430 | 431 | 432 | [root] meta.count-boundary (EachMode fixup)->[root] var.ami_name 433 | 434 | 435 | 436 | 437 | 438 | [root] meta.count-boundary (EachMode fixup)->[root] var.ami_owner 439 | 440 | 441 | 442 | 443 | 444 | [root] meta.count-boundary (EachMode fixup)->[root] var.priv_prefix 445 | 446 | 447 | 448 | 449 | 450 | [root] meta.count-boundary (EachMode fixup)->[root] 
var.pub_prefix 451 | 452 | 453 | 454 | 455 | 456 | [root] meta.count-boundary (EachMode fixup)->[root] var.vpc_prefix 457 | 458 | 459 | 460 | 461 | 462 | [root] provider.aws (close) 463 | 464 | [root] provider.aws (close) 465 | 466 | 467 | 468 | [root] provider.aws (close)->[root] aws_default_security_group.def_sg (prepare state) 469 | 470 | 471 | 472 | 473 | 474 | [root] provider.aws (close)->[root] aws_instance.ex4_jump (prepare state) 475 | 476 | 477 | 478 | 479 | 480 | [root] provider.aws (close)->[root] aws_instance.ex4_other (prepare state) 481 | 482 | 483 | 484 | 485 | 486 | [root] provider.aws (close)->[root] aws_instance.ex4_web (prepare state) 487 | 488 | 489 | 490 | 491 | 492 | [root] provider.aws (close)->[root] aws_internet_gateway.ex4_igw (prepare state) 493 | 494 | 495 | 496 | 497 | 498 | [root] provider.aws (close)->[root] aws_key_pair.course_ssh_key (prepare state) 499 | 500 | 501 | 502 | 503 | 504 | [root] provider.aws (close)->[root] aws_route_table.ex4_rt (prepare state) 505 | 506 | 507 | 508 | 509 | 510 | [root] provider.aws (close)->[root] aws_route_table_association.rt2public (prepare state) 511 | 512 | 513 | 514 | 515 | 516 | [root] provider.aws (close)->[root] aws_subnet.ex4_private (prepare state) 517 | 518 | 519 | 520 | 521 | 522 | [root] provider.aws (close)->[root] aws_subnet.ex4_public (prepare state) 523 | 524 | 525 | 526 | 527 | 528 | [root] provider.aws (close)->[root] aws_vpc.ex4_vpc (prepare state) 529 | 530 | 531 | 532 | 533 | 534 | [root] provider.aws (close)->[root] data.aws_ami.gnu_linux_image (prepare state) 535 | 536 | 537 | 538 | 539 | 540 | [root] root 541 | 542 | [root] root 543 | 544 | 545 | 546 | [root] root->[root] meta.count-boundary (EachMode fixup) 547 | 548 | 549 | 550 | 551 | 552 | [root] root->[root] provider.aws (close) 553 | 554 | 555 | 556 | 557 | 558 | --------------------------------------------------------------------------------