├── playbooks
    ├── my.cnf
    ├── README.md
    ├── dbpass.sql
    ├── nginx
    │   ├── proxy-confs
    │   │   └── cloudworkstation.conf
    │   └── nginx.conf
    ├── httpd-ssl.conf
    ├── httpd.conf
    └── cloud_workstation_aws.yml
├── cloud_workstation_gnome.png
├── cloud_workstation_xfce.png
├── .gitignore
├── README.md
└── aws
    ├── cw-output.tf
    ├── cw-ami.tf
    ├── cw-network.tf
    ├── cw-instance.tf
    ├── cw-security.tf
    ├── .terraform.lock.hcl
    ├── cw.tfvars
    ├── cw-s3.tf
    ├── cw-generic.tf
    ├── cw-iam.tf
    ├── cw-ssm.tf
    ├── cw-kmscmk.tf
    └── README.md


/playbooks/my.cnf:
--------------------------------------------------------------------------------
1 | [client]
2 | user = root
3 | password = {{ guacdb_root_pass.stdout }}
4 | 


--------------------------------------------------------------------------------
/cloud_workstation_gnome.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chadgeary/cloudworkstation/HEAD/cloud_workstation_gnome.png


--------------------------------------------------------------------------------
/cloud_workstation_xfce.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chadgeary/cloudworkstation/HEAD/cloud_workstation_xfce.png


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | tf-nifi-lambda-node-down.zip
2 | terraform.*
3 | *.terraform
4 | *.terraform*.tfstate*.lock*.
5 | pvars.*
6 | 


--------------------------------------------------------------------------------
/playbooks/README.md:
--------------------------------------------------------------------------------
1 | # Reference
2 | The Ansible playbook to install/configure a desktop (xfce), remote desktop (xrdp), web interface (Guacamole), and web proxy (Apache httpd).
3 | 


--------------------------------------------------------------------------------
/playbooks/dbpass.sql:
--------------------------------------------------------------------------------
1 | CREATE DATABASE guacamole_db;
2 | CREATE USER 'guacamole_user'@'{{ guacnet_guacamole }}' IDENTIFIED BY '{{ guacdb_guacamole_pass.stdout }}';
3 | GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'{{ guacnet_guacamole }}';
4 | FLUSH PRIVILEGES;
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Reference
 2 | A browser-based linux desktop workstation in AWS. Built with Apache Guacamole, deployed automatically via Terraform and Ansible. Step-by-step instructions included! Desktops supported include gnome and XFCE:
 3 | ![gnome](cloud_workstation_gnome.png)
 4 | ![XFCE](cloud_workstation_xfce.png)
 5 | 
 6 | # Instructions
 7 | See the sub-directory of each cloud provider for specific instructions, including Windows users.
 8 | 
 9 | # Discussion
10 | [Discord Room](https://discord.gg/vG3UKd2RRn)
11 | 


--------------------------------------------------------------------------------
/aws/cw-output.tf:
--------------------------------------------------------------------------------
 1 | output "cloudworkstation-output" {
 2 |   value = <<OUTPUT
 3 | ## SSH ##
 4 | ssh ubuntu@${aws_eip.cw-eip-1.public_ip}
 5 |   
 6 | ## WebUI ##
 7 | # Username: guacadmin
 8 | https://${var.enable_duckdns == 1 ? var.duckdns_domain : aws_eip.cw-eip-1.public_ip}/guacamole/
 9 |   
10 | ## Container Updates ##
11 | # SSH (or RDP) to instance
12 | ssh ubuntu@${aws_eip.cw-eip-1.public_ip}
13 | # Remove old containers
14 | sudo docker rm -f web_proxy guacamole guacdb guacd duckdnsupdater
15 | # Re-run the playbook via AWS SSM from your local machine
16 | ~/.local/bin/aws ssm start-associations-once --region ${var.aws_region} --association-ids ${aws_ssm_association.cw-ssm-assoc.association_id}
17 | OUTPUT
18 | }
19 | 


--------------------------------------------------------------------------------
/playbooks/nginx/proxy-confs/cloudworkstation.conf:
--------------------------------------------------------------------------------
 1 | server {
 2 | 
 3 |     listen 443 ssl;
 4 |     listen [::]:443 ssl;
 5 |     server_name {{ duckdns_domain }};
 6 |     include /config/nginx/ssl.conf;
 7 |     client_max_body_size 0;
 8 |     access_log /dev/stdout;
 9 |     error_log /dev/stderr warn;
10 | 
11 |     location / {
12 |         include /config/nginx/proxy.conf;
13 |         include /config/nginx/resolver.conf;
14 |         set $upstream_app {{ guacnet_guacamole }};
15 |         set $upstream_port 8080;
16 |         set $upstream_proto http;
17 |         proxy_pass $upstream_proto://$upstream_app:$upstream_port;
18 |         proxy_max_temp_file_size 2048m;
19 |         proxy_set_header X-Forwarded-Host $host:$server_port;
20 |         proxy_set_header X-Forwarded-Server $host;
21 |         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
22 |         proxy_buffering off;
23 |     }
24 | }
25 | 


--------------------------------------------------------------------------------
/aws/cw-ami.tf:
--------------------------------------------------------------------------------
 1 | # Vendor AMI
 2 | data "aws_ami" "cw-vendor-ami-latest" {
 3 |   most_recent = true
 4 |   owners      = [var.vendor_ami_account_number]
 5 |   filter {
 6 |     name   = "name"
 7 |     values = [var.vendor_ami_name_string]
 8 |   }
 9 |   filter {
10 |     name   = "virtualization-type"
11 |     values = ["hvm"]
12 |   }
13 |   filter {
14 |     name   = "architecture"
15 |     values = ["x86_64"]
16 |   }
17 |   filter {
18 |     name   = "root-device-type"
19 |     values = ["ebs"]
20 |   }
21 | }
22 | 
23 | # Create AMI with KMS CMK from latest Vendor AMI
24 | resource "aws_ami_copy" "cw-latest-vendor-ami-with-cmk" {
25 |   name              = "${var.name_prefix}-encrypted-ami-${random_string.cw-random.result}"
26 |   description       = "KMS CMK-encrypted AMI of latest official vendor AMI"
27 |   source_ami_id     = data.aws_ami.cw-vendor-ami-latest.id
28 |   source_ami_region = var.aws_region
29 |   encrypted         = true
30 |   kms_key_id        = aws_kms_key.cw-kmscmk-ec2.arn
31 |   tags = {
32 |     Name = "${var.name_prefix}-encrypted-ami-${random_string.cw-random.result}"
33 |   }
34 | }
35 | 


--------------------------------------------------------------------------------
/aws/cw-network.tf:
--------------------------------------------------------------------------------
 1 | # vpc and gateway
 2 | resource "aws_vpc" "cw-vpc" {
 3 |   cidr_block           = var.vpc_cidr
 4 |   enable_dns_support   = "true"
 5 |   enable_dns_hostnames = "true"
 6 |   tags = {
 7 |     Name = "${var.name_prefix}-vpc-${random_string.cw-random.result}"
 8 |   }
 9 | }
10 | 
11 | # internet gateway 
12 | resource "aws_internet_gateway" "cw-gw" {
13 |   vpc_id = aws_vpc.cw-vpc.id
14 |   tags = {
15 |     Name = "${var.name_prefix}-gw-${random_string.cw-random.result}"
16 |   }
17 | }
18 | 
19 | # public route table
20 | resource "aws_route_table" "cw-pubrt" {
21 |   vpc_id = aws_vpc.cw-vpc.id
22 |   route {
23 |     cidr_block = "0.0.0.0/0"
24 |     gateway_id = aws_internet_gateway.cw-gw.id
25 |   }
26 |   tags = {
27 |     Name = "${var.name_prefix}-pubrt-${random_string.cw-random.result}"
28 |   }
29 | }
30 | 
31 | # net
32 | resource "aws_subnet" "cw-net" {
33 |   vpc_id            = aws_vpc.cw-vpc.id
34 |   availability_zone = data.aws_availability_zones.cw-azs.names[0]
35 |   cidr_block        = var.net_cidr
36 |   tags = {
37 |     Name = "${var.name_prefix}-net-${random_string.cw-random.result}"
38 |   }
39 |   depends_on = [aws_internet_gateway.cw-gw]
40 | }
41 | 
42 | # public route table associations
43 | resource "aws_route_table_association" "rt-assoc-net" {
44 |   subnet_id      = aws_subnet.cw-net.id
45 |   route_table_id = aws_route_table.cw-pubrt.id
46 | }
47 | 


--------------------------------------------------------------------------------
/playbooks/httpd-ssl.conf:
--------------------------------------------------------------------------------
 1 | # Cloud_workstation HTTPS Proxy Conf
 2 | # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&ocsp=false&guideline=5.6
 3 | Listen 443
 4 | SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
 5 | SSLHonorCipherOrder     off
 6 | SSLSessionTickets       off
 7 | 
 8 | SSLPassPhraseDialog  builtin
 9 | SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
10 | SSLSessionCacheTimeout  300
11 | 
12 | <VirtualHost _default_:443>
13 | 
14 | # proxy to pihole
15 |   ProxyPreserveHost On
16 |   ProxyPass / http://{{ guacnet_guacamole }}:8080/
17 |   ProxyPassReverse / http://{{ guacnet_guacamole }}:8080/
18 | 
19 | # vhost settings
20 |   DocumentRoot "/usr/local/apache2/htdocs"
21 |   ServerName {{ guacnet_webproxy }}:443
22 |   ServerAdmin root@{{ guacnet_webproxy }}
23 |   ErrorLog /proc/self/fd/2
24 |   TransferLog /proc/self/fd/1
25 |   Header always set Strict-Transport-Security "max-age=63072000"
26 |   SSLEngine on
27 | 
28 | # mounted via Docker
29 |   SSLCertificateFile "/usr/local/apache2/conf/server.crt"
30 |   SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
31 | 
32 |   <FilesMatch "\.(cgi|shtml|phtml|php)$">
33 |     SSLOptions +StdEnvVars
34 |   </FilesMatch>
35 |   <Directory "/usr/local/apache2/cgi-bin">
36 |     SSLOptions +StdEnvVars
37 |   </Directory>
38 | 
39 | # vhost log
40 |   CustomLog /proc/self/fd/1 \
41 |     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
42 | </VirtualHost>
43 | 


--------------------------------------------------------------------------------
/aws/cw-instance.tf:
--------------------------------------------------------------------------------
 1 | # Instance Key
 2 | resource "aws_key_pair" "cw-instance-key" {
 3 |   key_name   = "${var.name_prefix}-instance-key-${random_string.cw-random.result}"
 4 |   public_key = var.instance_key
 5 |   tags = {
 6 |     Name = "${var.name_prefix}-instance-key"
 7 |   }
 8 | }
 9 | 
10 | # Instance(s)
11 | resource "aws_instance" "cw-instance-1" {
12 |   ami                    = aws_ami_copy.cw-latest-vendor-ami-with-cmk.id
13 |   instance_type          = var.instance_type
14 |   iam_instance_profile   = aws_iam_instance_profile.cw-instance-profile.name
15 |   key_name               = aws_key_pair.cw-instance-key.key_name
16 |   subnet_id              = aws_subnet.cw-net.id
17 |   private_ip             = var.net_instance_ip
18 |   vpc_security_group_ids = [aws_security_group.cw-sg.id]
19 |   tags = {
20 |     Name = "${var.name_prefix}-workstation-1-${random_string.cw-random.result}",
21 |     cw   = "True"
22 |   }
23 |   user_data = <<EOF
24 | #!/bin/bash
25 | # set hostname
26 | hostnamectl set-hostname ${var.name_prefix}-workstation-1-${random_string.cw-random.result}
27 | EOF
28 |   root_block_device {
29 |     volume_size = var.instance_vol_size
30 |     volume_type = var.instance_vol_type
31 |     encrypted   = "true"
32 |     kms_key_id  = aws_kms_key.cw-kmscmk-ec2.arn
33 |   }
34 |   depends_on = [aws_iam_role_policy_attachment.cw-iam-attach-ssm, aws_iam_role_policy_attachment.cw-iam-attach-s3]
35 | }
36 | 
37 | # Elastic IP for Instance(s)
38 | resource "aws_eip" "cw-eip-1" {
39 |   vpc                       = true
40 |   instance                  = aws_instance.cw-instance-1.id
41 |   associate_with_private_ip = var.net_instance_ip
42 |   depends_on                = [aws_internet_gateway.cw-gw]
43 | }
44 | 


--------------------------------------------------------------------------------
/aws/cw-security.tf:
--------------------------------------------------------------------------------
 1 | # security groups
 2 | resource "aws_security_group" "cw-sg" {
 3 |   name        = "${var.name_prefix}-sg"
 4 |   description = "Security group for public traffic"
 5 |   vpc_id      = aws_vpc.cw-vpc.id
 6 |   tags = {
 7 |     Name = "cw-sg"
 8 |   }
 9 | }
10 | 
11 | # public sg rules
12 | resource "aws_security_group_rule" "cw-sg-mgmt-ssh-in" {
13 |   security_group_id = aws_security_group.cw-sg.id
14 |   type              = "ingress"
15 |   description       = "IN FROM MGMT - SSH MGMT"
16 |   from_port         = "22"
17 |   to_port           = "22"
18 |   protocol          = "tcp"
19 |   cidr_blocks       = [var.mgmt_cidr]
20 | }
21 | 
22 | resource "aws_security_group_rule" "cw-sg-mgmt-https-in" {
23 |   security_group_id = aws_security_group.cw-sg.id
24 |   type              = "ingress"
25 |   description       = "IN FROM SELF, MGMT - HTTPS"
26 |   from_port         = "443"
27 |   to_port           = "443"
28 |   protocol          = "tcp"
29 |   cidr_blocks       = [var.mgmt_cidr, "${aws_eip.cw-eip-1.public_ip}/32"]
30 | }
31 | 
32 | resource "aws_security_group_rule" "cw-sg-out-tcp" {
33 |   security_group_id = aws_security_group.cw-sg.id
34 |   type              = "egress"
35 |   description       = "OUT TO WORLD - TCP"
36 |   from_port         = 0
37 |   to_port           = 65535
38 |   protocol          = "tcp"
39 |   cidr_blocks       = ["0.0.0.0/0"]
40 | }
41 | 
42 | resource "aws_security_group_rule" "cw-sg-out-udp" {
43 |   security_group_id = aws_security_group.cw-sg.id
44 |   type              = "egress"
45 |   description       = "OUT TO WORLD - UDP"
46 |   from_port         = 0
47 |   to_port           = 65535
48 |   protocol          = "udp"
49 |   cidr_blocks       = ["0.0.0.0/0"]
50 | }
51 | 


--------------------------------------------------------------------------------
/aws/.terraform.lock.hcl:
--------------------------------------------------------------------------------
 1 | # This file is maintained automatically by "terraform init".
 2 | # Manual edits may be lost in future updates.
 3 | 
 4 | provider "registry.terraform.io/hashicorp/aws" {
 5 |   version = "3.60.0"
 6 |   hashes = [
 7 |     "h1:vwRjnpZOFwDlbFb2WX10JM2zNEEVyRLc8cBwkxCXlAE=",
 8 |     "zh:01323eedb8f006c8f9fffdfc23b449625b1446c1e43b8454e4a40a7461193661",
 9 |     "zh:03513ffdae205832be480b30d332b47a573e48623390e8f9f833141c8ceccb6a",
10 |     "zh:47611a8b361ced9a3b58b9868be2004677cf4ea0d04cfb5f54c6ae95e997e7c7",
11 |     "zh:9a7e80c2a2ed0f2e59b05e27374daaafd64785161546ed40f4db11048fbc78a7",
12 |     "zh:9e809746c4fdaa4214700e81a67b35f02afc1f2873591b0360c473cfd7193877",
13 |     "zh:a009d48e4ebcf78e24af9299c6a8664e0375411b4f16d5d0d7c7454b12052c10",
14 |     "zh:adc910f48f5ddc402e7653e70429d150d61bee5190aba7495575303aba6ca6c8",
15 |     "zh:b702e219532bc09be58f8a30cb3239626ffc9bc0e42b44497b0644f9ecc657b5",
16 |     "zh:bc50d787593e714acb54d65e8df026490a968e54d2184496efda7ba07c211836",
17 |     "zh:bd74e3b1c815d5a9c710cb5c55f2d5f6742471a23e63f924fd3a6493f384cd43",
18 |     "zh:fa7eb23bcf4c01f93d74c509c0e9b039148f43424c3b4ce64619af17ee12265c",
19 |   ]
20 | }
21 | 
22 | provider "registry.terraform.io/hashicorp/random" {
23 |   version = "3.1.0"
24 |   hashes = [
25 |     "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
26 |     "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
27 |     "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
28 |     "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
29 |     "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
30 |     "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
31 |     "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
32 |     "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
33 |     "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
34 |     "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
35 |     "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
36 |     "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
37 |   ]
38 | }
39 | 


--------------------------------------------------------------------------------
/aws/cw.tfvars:
--------------------------------------------------------------------------------
 1 | ## COMMON ##
 2 | # public ssh key
 3 | instance_key = "ssh-rsa AAAAreplace_me_replace_me_replace_me"
 4 | 
 5 | # the ip subnet permitted to connect to guacamole 
 6 | mgmt_cidr = "a.b.c.d/32"
 7 | 
 8 | # existing aws iam user granted access to the kms key (for browsing KMS encrypted services like S3 or SNS).
 9 | kms_manager = "some_iam_user"
10 | 
11 | # the guacadmin and ubuntu user password - note the EC2 instance has access to this secret (a consideration for multi-user setups).
12 | cw_password = "changeme"
13 | 
14 | # region to build the services in
15 | aws_region = "us-east-1"
16 | 
17 | # desktop, either xfce or gnome
18 | desktop = "xfce"
19 | 
20 | ## UNCOMMON ##
21 | # aws profile (e.g. from aws configure, usually "default")
22 | aws_profile = "default"
23 | 
24 | # a short prefix to label various resources
25 | name_prefix = "cw"
26 | 
27 | # size according to workload, must be amd64 (not arm)
28 | instance_type = "t3.medium"
29 | 
30 | # the root block size of the instance(s) (in GiB) and storage type: standard, gp2, gp3, io1, io2, sc1, or st1
31 | instance_vol_size = 20
32 | instance_vol_type = "gp3"
33 | 
34 | # the vendor supplying the AMI and the AMI name - default is official Ubuntu 20.04, must be amd64 (not arm)
35 | # To get the latest in your region, run the command below (replace the region)
36 | # AWS_REGION=us-east-2 && aws ec2 describe-images --region $AWS_REGION --owners 099720109477 --filters 'Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-*-20.04-amd64-server-*' 'Name=state,Values=available' --query 'sort_by(Images, &CreationDate)[-1].Name'
37 | vendor_ami_account_number = "099720109477"
38 | vendor_ami_name_string    = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210720"
39 | 
40 | # vpc specific vars, modify these values if there would be overlap with existing resources in the aws account.
41 | vpc_cidr        = "10.10.11.0/24"
42 | net_cidr        = "10.10.11.0/26"
43 | net_instance_ip = "10.10.11.5"
44 | 
45 | # docker specific vars, modify these values if there would be overlap with existing resources on the ec2 instance (or client networks).
46 | guacnet_cidr           = "172.16.20.0/24"
47 | guacnet_guacd          = "172.16.20.2"
48 | guacnet_guacdb         = "172.16.20.3"
49 | guacnet_guacamole      = "172.16.20.4"
50 | guacnet_webproxy       = "172.16.20.5"
51 | guacnet_duckdnsupdater = "172.16.20.6"
52 | 
53 | ## DUCKDNS HIGHLY SUGGESTED ##
54 | # if using duckdns, set to 1 and fill in the complete domain, e.g.: duckdns_domain = "chadworkstation1.duckdns.org", duckdns_token, and your email address (for letsencrypt notices)
55 | enable_duckdns    = 0
56 | duckdns_domain    = ""
57 | duckdns_token     = ""
58 | letsencrypt_email = ""
59 | 


--------------------------------------------------------------------------------
/aws/cw-s3.tf:
--------------------------------------------------------------------------------
 1 | # s3 bucket
 2 | resource "aws_s3_bucket" "cw-bucket" {
 3 |   bucket = "${var.name_prefix}-bucket-${random_string.cw-random.result}"
 4 |   acl    = "private"
 5 |   versioning {
 6 |     enabled = true
 7 |   }
 8 |   server_side_encryption_configuration {
 9 |     rule {
10 |       apply_server_side_encryption_by_default {
11 |         kms_master_key_id = aws_kms_key.cw-kmscmk-s3.arn
12 |         sse_algorithm     = "aws:kms"
13 |       }
14 |     }
15 |   }
16 |   force_destroy = true
17 |   policy        = <<POLICY
18 | {
19 |   "Version": "2012-10-17",
20 |   "Statement": [
21 |     {
22 |       "Sid": "KMS Manager",
23 |       "Effect": "Allow",
24 |       "Principal": {
25 |         "AWS": ["${data.aws_iam_user.cw-kmsmanager.arn}"]
26 |       },
27 |       "Action": [
28 |         "s3:*"
29 |       ],
30 |       "Resource": [
31 |         "arn:aws:s3:::${var.name_prefix}-bucket-${random_string.cw-random.result}",
32 |         "arn:aws:s3:::${var.name_prefix}-bucket-${random_string.cw-random.result}/*"
33 |       ]
34 |     },
35 |     {
36 |       "Sid": "Instance List",
37 |       "Effect": "Allow",
38 |       "Principal": {
39 |         "AWS": ["${aws_iam_role.cw-instance-iam-role.arn}"]
40 |       },
41 |       "Action": [
42 |         "s3:ListBucket"
43 |       ],
44 |       "Resource": ["arn:aws:s3:::${var.name_prefix}-bucket-${random_string.cw-random.result}"]
45 |     },
46 |     {
47 |       "Sid": "Instance Get",
48 |       "Effect": "Allow",
49 |       "Principal": {
50 |         "AWS": ["${aws_iam_role.cw-instance-iam-role.arn}"]
51 |       },
52 |       "Action": [
53 |         "s3:GetObject",
54 |         "s3:GetObjectVersion"
55 |       ],
56 |       "Resource": ["arn:aws:s3:::${var.name_prefix}-bucket-${random_string.cw-random.result}/*"]
57 |     },
58 |     {
59 |       "Sid": "Instance Put",
60 |       "Effect": "Allow",
61 |       "Principal": {
62 |         "AWS": ["${aws_iam_role.cw-instance-iam-role.arn}"]
63 |       },
64 |       "Action": [
65 |         "s3:PutObject",
66 |         "s3:PutObjectAcl"
67 |       ],
68 |       "Resource": [
69 |         "arn:aws:s3:::${var.name_prefix}-bucket-${random_string.cw-random.result}/ssm/*"
70 |       ]
71 |     }
72 |   ]
73 | }
74 | POLICY
75 | }
76 | 
77 | # s3 block all public access to bucket
78 | resource "aws_s3_bucket_public_access_block" "cw-bucket-pubaccessblock" {
79 |   bucket                  = aws_s3_bucket.cw-bucket.id
80 |   block_public_acls       = true
81 |   block_public_policy     = true
82 |   ignore_public_acls      = true
83 |   restrict_public_buckets = true
84 | }
85 | 
86 | # s3 objects (playbook)
87 | resource "aws_s3_bucket_object" "cw-workstation-files" {
88 |   for_each       = fileset("../playbooks/", "**")
89 |   bucket         = aws_s3_bucket.cw-bucket.id
90 |   key            = "playbook/${each.value}"
91 |   content_base64 = base64encode(file("${path.module}/../playbooks/${each.value}"))
92 |   kms_key_id     = aws_kms_key.cw-kmscmk-s3.arn
93 | }
94 | 


--------------------------------------------------------------------------------
/aws/cw-generic.tf:
--------------------------------------------------------------------------------
  1 | variable "aws_region" {
  2 |   type = string
  3 | }
  4 | 
  5 | variable "aws_profile" {
  6 |   type = string
  7 | }
  8 | 
  9 | variable "vpc_cidr" {
 10 |   type = string
 11 | }
 12 | 
 13 | variable "net_cidr" {
 14 |   type = string
 15 | }
 16 | 
 17 | variable "net_instance_ip" {
 18 |   type = string
 19 | }
 20 | 
 21 | variable "guacnet_cidr" {
 22 |   type = string
 23 | }
 24 | 
 25 | variable "guacnet_guacd" {
 26 |   type = string
 27 | }
 28 | 
 29 | variable "guacnet_guacdb" {
 30 |   type = string
 31 | }
 32 | 
 33 | variable "guacnet_guacamole" {
 34 |   type = string
 35 | }
 36 | 
 37 | variable "guacnet_webproxy" {
 38 |   type = string
 39 | }
 40 | 
 41 | variable "guacnet_duckdnsupdater" {
 42 |   type = string
 43 | }
 44 | 
 45 | variable "mgmt_cidr" {
 46 |   type        = string
 47 |   description = "Subnet CIDR allowed to access WebUI and SSH, e.g. 172.16.10.0/30"
 48 | }
 49 | 
 50 | variable "instance_type" {
 51 |   type        = string
 52 |   description = "The type of EC2 instance to deploy"
 53 | }
 54 | 
 55 | variable "instance_key" {
 56 |   type        = string
 57 |   description = "A public key for SSH access to instance(s)"
 58 | }
 59 | 
 60 | variable "instance_vol_size" {
 61 |   type        = number
 62 |   description = "The volume size of the instances' root block device"
 63 | }
 64 | 
 65 | variable "instance_vol_type" {
 66 |   type        = string
 67 |   description = "The type of volume standard, gp2, gp3, io1, io2, sc1, or st1"
 68 | }
 69 | 
 70 | variable "kms_manager" {
 71 |   type        = string
 72 |   description = "An IAM user for management of KMS key"
 73 | }
 74 | 
 75 | variable "name_prefix" {
 76 |   type        = string
 77 |   description = "A friendly name prefix for the AMI and EC2 instances, e.g. 'cw' or 'dev'"
 78 | }
 79 | 
 80 | variable "cw_password" {
 81 |   type        = string
 82 |   description = "The password to replace guacadmin's default Web UI password"
 83 | }
 84 | 
 85 | variable "desktop" {
 86 |   type        = string
 87 |   description = "Desktop environment, either gnome or xfce"
 88 | }
 89 | 
 90 | variable "vendor_ami_account_number" {
 91 |   type        = string
 92 |   description = "The account number of the vendor supplying the base AMI"
 93 | }
 94 | 
 95 | variable "vendor_ami_name_string" {
 96 |   type        = string
 97 |   description = "The search string for the name of the AMI from the AMI Vendor"
 98 | }
 99 | 
100 | provider "aws" {
101 |   region  = var.aws_region
102 |   profile = var.aws_profile
103 | }
104 | 
105 | # region azs
106 | data "aws_availability_zones" "cw-azs" {
107 |   state = "available"
108 | }
109 | 
110 | # account id
111 | data "aws_caller_identity" "cw-aws-account" {
112 | }
113 | 
114 | # kms cmk manager - granted read access to KMS CMKs
115 | data "aws_iam_user" "cw-kmsmanager" {
116 |   user_name = var.kms_manager
117 | }
118 | 
119 | resource "random_string" "cw-random" {
120 |   length  = 5
121 |   upper   = false
122 |   special = false
123 | }
124 | 
125 | variable "enable_duckdns" {
126 |   type = number
127 | }
128 | 
129 | variable "duckdns_domain" {
130 |   type = string
131 | }
132 | 
133 | variable "duckdns_token" {
134 |   type = string
135 | }
136 | 
137 | variable "letsencrypt_email" {
138 |   type = string
139 | }
140 | 


--------------------------------------------------------------------------------
/playbooks/nginx/nginx.conf:
--------------------------------------------------------------------------------
  1 | ## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
  2 | 
  3 | user abc;
  4 | 
  5 | # Set number of worker processes automatically based on number of CPU cores.
  6 | include /config/nginx/worker_processes.conf;
  7 | 
  8 | # Enables the use of JIT for regular expressions to speed-up their processing.
  9 | pcre_jit on;
 10 | 
 11 | # Configures default error logger.
 12 | error_log /config/log/nginx/error.log;
 13 | 
 14 | # Includes files with directives to load dynamic modules.
 15 | include /etc/nginx/modules/*.conf;
 16 | 
 17 | events {
 18 |     # The maximum number of simultaneous connections that can be opened by
 19 |     # a worker process.
 20 |     worker_connections 1024;
 21 |     # multi_accept on;
 22 | }
 23 | 
 24 | http {
 25 |     # Includes mapping of file name extensions to MIME types of responses
 26 |     # and defines the default type.
 27 |     include /etc/nginx/mime.types;
 28 |     default_type application/octet-stream;
 29 | 
 30 |     # Name servers used to resolve names of upstream servers into addresses.
 31 |     # It's also needed when using tcpsocket and udpsocket in Lua modules.
 32 |     #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
 33 |     include /config/nginx/resolver.conf;
 34 | 
 35 |     # Don't tell nginx version to the clients. Default is 'on'.
 36 |     server_tokens off;
 37 | 
 38 |     # Specifies the maximum accepted body size of a client request, as
 39 |     # indicated by the request header Content-Length. If the stated content
 40 |     # length is greater than this size, then the client receives the HTTP
 41 |     # error code 413. Set to 0 to disable. Default is '1m'.
 42 |     client_max_body_size 0;
 43 | 
 44 |     # Sendfile copies data between one FD and other from within the kernel,
 45 |     # which is more efficient than read() + write(). Default is off.
 46 |     sendfile on;
 47 | 
 48 |     # Causes nginx to attempt to send its HTTP response head in one packet,
 49 |     # instead of using partial frames. Default is 'off'.
 50 |     tcp_nopush on;
 51 | 
 52 |     # Helper variable for proxying websockets.
 53 |     map $http_upgrade $connection_upgrade {
 54 |         default upgrade;
 55 |         '' close;
 56 |     }
 57 | 
 58 |     # Sets the path, format, and configuration for a buffered log write.
 59 |     access_log /config/log/nginx/access.log;
 60 | 
 61 |     # Includes virtual hosts configs.
 62 |     #include /etc/nginx/http.d/*.conf;
 63 | 
 64 |     # WARNING: Don't use this directory for virtual hosts anymore.
 65 |     # This include will be moved to the root context in Alpine 3.14.
 66 |     #include /etc/nginx/conf.d/*.conf;
 67 | 
 68 | 
 69 |     ##
 70 |     # Basic Settings
 71 |     ##
 72 | 
 73 |     client_body_buffer_size 128k;
 74 |     keepalive_timeout 65;
 75 |     large_client_header_buffers 4 16k;
 76 |     send_timeout 5m;
 77 |     tcp_nodelay on;
 78 |     types_hash_max_size 2048;
 79 |     variables_hash_max_size 2048;
 80 |     # server_names_hash_bucket_size 64;
 81 |     # server_name_in_redirect off;
 82 | 
 83 |     ##
 84 |     # Gzip Settings
 85 |     ##
 86 | 
 87 |     gzip on;
 88 |     gzip_disable "msie6";
 89 |     # gzip_vary on;
 90 |     # gzip_proxied any;
 91 |     # gzip_comp_level 6;
 92 |     # gzip_buffers 16 8k;
 93 |     # gzip_http_version 1.1;
 94 |     # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 95 | 
 96 |     ##
 97 |     # Virtual Host Configs
 98 |     ##
 99 |     include /config/nginx/site-confs/*;
100 |     include /config/nginx/proxy-confs/cloudworkstation.conf;
101 |     #Removed lua. Do not remove this comment
102 | 
103 | }
104 | 
105 | daemon off;
106 | pid /run/nginx.pid;
107 | 


--------------------------------------------------------------------------------
/aws/cw-iam.tf:
--------------------------------------------------------------------------------
  1 | # SSM Managed Policy
  2 | data "aws_iam_policy" "cw-instance-policy-ssm" {
  3 |   arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  4 | }
  5 | 
  6 | # Instance Policy SSM Parameter
  7 | resource "aws_iam_policy" "cw-instance-policy-ssmparameter" {
  8 |   name        = "${var.name_prefix}-instance-policy-ssmparameter-${random_string.cw-random.result}"
  9 |   path        = "/"
 10 |   description = "Provides cw instances access to ssm parameter(s)"
 11 |   policy      = <<EOF
 12 | {
 13 |   "Version": "2012-10-17",
 14 |   "Statement": [
 15 |     {
 16 |       "Sid": "GetSSMParameter",
 17 |       "Effect": "Allow",
 18 |       "Action": [
 19 |         "ssm:GetParameters"
 20 |       ],
 21 |       "Resource": ["${aws_ssm_parameter.cw-ssm-param-pass.arn}"]
 22 |     },
 23 |     {
 24 |       "Sid": "SSMCMK",
 25 |       "Effect": "Allow",
 26 |       "Action": "kms:Decrypt",
 27 |       "Resource": ["${aws_kms_key.cw-kmscmk-ssm.arn}"]
 28 |     }
 29 |   ]
 30 | }
 31 | EOF
 32 | }
 33 | 
 34 | # Instance Policy S3
 35 | resource "aws_iam_policy" "cw-instance-policy-s3" {
 36 |   name        = "${var.name_prefix}-instance-policy-s3-${random_string.cw-random.result}"
 37 |   path        = "/"
 38 |   description = "Provides cw instances access to s3 objects/bucket"
 39 |   policy      = <<EOF
 40 | {
 41 |   "Version": "2012-10-17",
 42 |   "Statement": [
 43 |     {
 44 |       "Sid": "ListObjectsinBucket",
 45 |       "Effect": "Allow",
 46 |       "Action": [
 47 |         "s3:ListBucket"
 48 |       ],
 49 |       "Resource": ["${aws_s3_bucket.cw-bucket.arn}"]
 50 |     },
 51 |     {
 52 |       "Sid": "GetObjectsinBucketPrefix",
 53 |       "Effect": "Allow",
 54 |       "Action": [
 55 |         "s3:GetObject",
 56 |         "s3:GetObjectVersion"
 57 |       ],
 58 |       "Resource": ["${aws_s3_bucket.cw-bucket.arn}/*"]
 59 |     },
 60 |     {
 61 |       "Sid": "PutObjectsinBucketPrefix",
 62 |       "Effect": "Allow",
 63 |       "Action": [
 64 |         "s3:PutObject",
 65 |         "s3:PutObjectAcl"
 66 |       ],
 67 |       "Resource": ["${aws_s3_bucket.cw-bucket.arn}/workstation/*","${aws_s3_bucket.cw-bucket.arn}/ssm/*"]
 68 |     },
 69 |     {
 70 |       "Sid": "S3CMK",
 71 |       "Effect": "Allow",
 72 |       "Action": [
 73 |         "kms:Encrypt",
 74 |         "kms:ReEncrypt*",
 75 |         "kms:GenerateDataKey*",
 76 |         "kms:DescribeKey"
 77 |       ],
 78 |       "Resource": ["${aws_kms_key.cw-kmscmk-s3.arn}"]
 79 |     }
 80 |   ]
 81 | }
 82 | EOF
 83 | }
 84 | 
 85 | # Instance Role
 86 | resource "aws_iam_role" "cw-instance-iam-role" {
 87 |   name               = "${var.name_prefix}-instance-role-${random_string.cw-random.result}"
 88 |   path               = "/"
 89 |   assume_role_policy = <<EOF
 90 | {
 91 |   "Version": "2012-10-17",
 92 |   "Statement": [
 93 |       {
 94 |           "Action": "sts:AssumeRole",
 95 |           "Principal": {
 96 |              "Service": "ec2.amazonaws.com"
 97 |           },
 98 |           "Effect": "Allow",
 99 |           "Sid": ""
100 |       }
101 |   ]
102 | }
103 | EOF
104 | }
105 | 
106 | # Instance Role Attachments
107 | resource "aws_iam_role_policy_attachment" "cw-iam-attach-ssm" {
108 |   role       = aws_iam_role.cw-instance-iam-role.name
109 |   policy_arn = data.aws_iam_policy.cw-instance-policy-ssm.arn
110 | }
111 | 
112 | resource "aws_iam_role_policy_attachment" "cw-iam-attach-ssmparameter" {
113 |   role       = aws_iam_role.cw-instance-iam-role.name
114 |   policy_arn = aws_iam_policy.cw-instance-policy-ssmparameter.arn
115 | }
116 | 
117 | resource "aws_iam_role_policy_attachment" "cw-iam-attach-s3" {
118 |   role       = aws_iam_role.cw-instance-iam-role.name
119 |   policy_arn = aws_iam_policy.cw-instance-policy-s3.arn
120 | }
121 | 
122 | # Instance Profile
123 | resource "aws_iam_instance_profile" "cw-instance-profile" {
124 |   name = "${var.name_prefix}-instance-profile-${random_string.cw-random.result}"
125 |   role = aws_iam_role.cw-instance-iam-role.name
126 | }
127 | 


--------------------------------------------------------------------------------
/playbooks/httpd.conf:
--------------------------------------------------------------------------------
  1 | # Cloudblock HTTP Proxy Conf
  2 | ServerRoot "/usr/local/apache2"
  3 | Listen 80
  4 | 
  5 | LoadModule mpm_event_module modules/mod_mpm_event.so
  6 | LoadModule authn_file_module modules/mod_authn_file.so
  7 | LoadModule authn_core_module modules/mod_authn_core.so
  8 | LoadModule authz_host_module modules/mod_authz_host.so
  9 | LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
 10 | LoadModule authz_user_module modules/mod_authz_user.so
 11 | LoadModule authz_core_module modules/mod_authz_core.so
 12 | LoadModule access_compat_module modules/mod_access_compat.so
 13 | LoadModule auth_basic_module modules/mod_auth_basic.so
 14 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 15 | LoadModule watchdog_module modules/mod_watchdog.so
 16 | LoadModule reqtimeout_module modules/mod_reqtimeout.so
 17 | LoadModule filter_module modules/mod_filter.so
 18 | LoadModule xml2enc_module modules/mod_xml2enc.so
 19 | LoadModule proxy_html_module modules/mod_proxy_html.so
 20 | LoadModule mime_module modules/mod_mime.so
 21 | LoadModule log_config_module modules/mod_log_config.so
 22 | LoadModule env_module modules/mod_env.so
 23 | LoadModule headers_module modules/mod_headers.so
 24 | LoadModule setenvif_module modules/mod_setenvif.so
 25 | LoadModule version_module modules/mod_version.so
 26 | LoadModule proxy_module modules/mod_proxy.so
 27 | LoadModule proxy_http_module modules/mod_proxy_http.so
 28 | LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 29 | LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
 30 | LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
 31 | LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
 32 | LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
 33 | LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
 34 | LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
 35 | LoadModule proxy_express_module modules/mod_proxy_express.so
 36 | LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
 37 | LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
 38 | LoadModule ssl_module modules/mod_ssl.so
 39 | LoadModule proxy_http2_module modules/mod_proxy_http2.so
 40 | LoadModule unixd_module modules/mod_unixd.so
 41 | LoadModule status_module modules/mod_status.so
 42 | LoadModule autoindex_module modules/mod_autoindex.so
 43 | 
 44 | <IfModule !mpm_prefork_module>
 45 |         #LoadModule cgid_module modules/mod_cgid.so
 46 | </IfModule>
 47 | <IfModule mpm_prefork_module>
 48 |         #LoadModule cgi_module modules/mod_cgi.so
 49 | </IfModule>
 50 | 
 51 | LoadModule dir_module modules/mod_dir.so
 52 | LoadModule alias_module modules/mod_alias.so
 53 | 
 54 | <IfModule unixd_module>
 55 | User daemon
 56 | Group daemon
 57 | </IfModule>
 58 | 
 59 | ServerAdmin root@{{ guacnet_webproxy }}
 60 | 
 61 | <Directory />
 62 |     AllowOverride none
 63 |     Require all denied
 64 | </Directory>
 65 | 
 66 | DocumentRoot "/usr/local/apache2/htdocs"
 67 | 
 68 | <Directory "/usr/local/apache2/htdocs">
 69 |     Options Indexes FollowSymLinks
 70 |     AllowOverride None
 71 |     Require all granted
 72 | </Directory>
 73 | 
 74 | <IfModule dir_module>
 75 |     DirectoryIndex index.html
 76 | </IfModule>
 77 | 
 78 | <Files ".ht*">
 79 |     Require all denied
 80 | </Files>
 81 | 
 82 | ErrorLog /proc/self/fd/2
 83 | LogLevel warn
 84 | 
 85 | <IfModule log_config_module>
 86 |     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 87 |     LogFormat "%h %l %u %t \"%r\" %>s %b" common
 88 |     <IfModule logio_module>
 89 |       # You need to enable mod_logio.c to use %I and %O
 90 |       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
 91 |     </IfModule>
 92 |     CustomLog /proc/self/fd/1 common
 93 | </IfModule>
 94 | 
 95 | <IfModule alias_module>
 96 |     ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
 97 | </IfModule>
 98 | 
 99 | <IfModule cgid_module>
100 | </IfModule>
101 | 
102 | <Directory "/usr/local/apache2/cgi-bin">
103 |     AllowOverride None
104 |     Options None
105 |     Require all granted
106 | </Directory>
107 | 
108 | <IfModule headers_module>
109 |     RequestHeader unset Proxy early
110 | </IfModule>
111 | 
112 | <IfModule mime_module>
113 |     TypesConfig conf/mime.types
114 |     AddType application/x-compress .Z
115 |     AddType application/x-gzip .gz .tgz
116 | </IfModule>
117 | 
118 | <IfModule proxy_html_module>
119 | Include conf/extra/proxy-html.conf
120 | </IfModule>
121 | 
122 | Include conf/extra/httpd-ssl.conf
123 | 
124 | <IfModule ssl_module>
125 | SSLRandomSeed startup builtin
126 | SSLRandomSeed connect builtin
127 | </IfModule>
128 | 


--------------------------------------------------------------------------------
/aws/cw-ssm.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_ssm_parameter" "cw-ssm-param-pass" {
  2 |   name   = "${var.name_prefix}-cw-web-password-${random_string.cw-random.result}"
  3 |   type   = "SecureString"
  4 |   key_id = aws_kms_key.cw-kmscmk-ssm.key_id
  5 |   value  = var.cw_password
  6 | }
  7 | 
  8 | resource "aws_ssm_document" "cw-ssm-doc" {
  9 |   name          = "${var.name_prefix}-ssm-doc-${random_string.cw-random.result}"
 10 |   document_type = "Command"
 11 |   content       = <<DOC
 12 |   {
 13 |     "schemaVersion": "2.2",
 14 |     "description": "Ansible Playbooks via SSM for Ubuntu 18.04 and 20.04, installs Ansible properly.",
 15 |     "parameters": {
 16 |     "SourceType": {
 17 |       "description": "(Optional) Specify the source type.",
 18 |       "type": "String",
 19 |       "allowedValues": [
 20 |       "GitHub",
 21 |       "S3"
 22 |       ]
 23 |     },
 24 |     "SourceInfo": {
 25 |       "description": "Specify 'path'. Important: If you specify S3, then the IAM instance profile on your managed instances must be configured with read access to Amazon S3.",
 26 |       "type": "StringMap",
 27 |       "displayType": "textarea",
 28 |       "default": {}
 29 |     },
 30 |     "PlaybookFile": {
 31 |       "type": "String",
 32 |       "description": "(Optional) The Playbook file to run (including relative path). If the main Playbook file is located in the ./automation directory, then specify automation/playbook.yml.",
 33 |       "default": "hello-world-playbook.yml",
 34 |       "allowedPattern": "[(a-z_A-Z0-9\\-)/]+(.yml|.yaml)$"
 35 |     },
 36 |     "ExtraVariables": {
 37 |       "type": "String",
 38 |       "description": "(Optional) Additional variables to pass to Ansible at runtime. Enter key/value pairs separated by a space. For example: color=red flavor=cherry",
 39 |       "default": "SSM=True",
 40 |       "displayType": "textarea",
 41 |       "allowedPattern": "^$|^\\w+\\=[^\\s|:();&]+(\\s\\w+\\=[^\\s|:();&]+)*$"
 42 |     },
 43 |     "Verbose": {
 44 |       "type": "String",
 45 |       "description": "(Optional) Set the verbosity level for logging Playbook executions. Specify -v for low verbosity, -vv or vvv for medium verbosity, and -vvvv for debug level.",
 46 |       "allowedValues": [
 47 |       "-v",
 48 |       "-vv",
 49 |       "-vvv",
 50 |       "-vvvv"
 51 |       ],
 52 |       "default": "-v"
 53 |     }
 54 |     },
 55 |     "mainSteps": [
 56 |     {
 57 |       "action": "aws:downloadContent",
 58 |       "name": "downloadContent",
 59 |       "inputs": {
 60 |       "SourceType": "{{ SourceType }}",
 61 |       "SourceInfo": "{{ SourceInfo }}"
 62 |       }
 63 |     },
 64 |     {
 65 |       "action": "aws:runShellScript",
 66 |       "name": "runShellScript",
 67 |       "inputs": {
 68 |       "runCommand": [
 69 |         "#!/bin/bash",
 70 |         "# Ensure ansible is installed",
 71 |         "sudo apt-get update",
 72 |         "sudo DEBIAN_FRONTEND=noninteractive apt-get -y install python3-pip git",
 73 |         "sudo pip3 install ansible",
 74 |         "echo \"Running Ansible in `pwd`\"",
 75 |         "#this section locates files and unzips them",
 76 |         "for zip in $(find -iname '*.zip'); do",
 77 |         "  unzip -o $zip",
 78 |         "done",
 79 |         "PlaybookFile=\"{{PlaybookFile}}\"",
 80 |         "if [ ! -f  \"$${PlaybookFile}\" ] ; then",
 81 |         "   echo \"The specified Playbook file doesn't exist in the downloaded bundle. Please review the relative path and file name.\" >&2",
 82 |         "   exit 2",
 83 |         "fi",
 84 |         "/usr/local/bin/ansible-playbook -i \"localhost,\" -c local -e \"{{ExtraVariables}}\" \"{{Verbose}}\" \"$${PlaybookFile}\""
 85 |       ]
 86 |       }
 87 |     }
 88 |     ]
 89 |   }
 90 | DOC
 91 | }
 92 | 
 93 | resource "aws_ssm_association" "cw-ssm-assoc" {
 94 |   association_name = "${var.name_prefix}-ssm-assoc-${random_string.cw-random.result}"
 95 |   name             = aws_ssm_document.cw-ssm-doc.name
 96 |   targets {
 97 |     key    = "tag:cw"
 98 |     values = ["True"]
 99 |   }
100 |   output_location {
101 |     s3_bucket_name = aws_s3_bucket.cw-bucket.id
102 |     s3_key_prefix  = "ssm"
103 |   }
104 |   parameters = {
105 |     ExtraVariables = "name_prefix=${var.name_prefix} name_suffix=${random_string.cw-random.result} guacnet_cidr=${var.guacnet_cidr} guacnet_guacd=${var.guacnet_guacd} guacnet_guacdb=${var.guacnet_guacdb} guacnet_guacamole=${var.guacnet_guacamole} guacnet_webproxy=${var.guacnet_webproxy} guacnet_duckdnsupdater=${var.guacnet_duckdnsupdater} aws_region=${var.aws_region} desktop=${var.desktop} enable_duckdns=${var.enable_duckdns} duckdns_domain=${var.duckdns_domain} duckdns_token=${var.duckdns_token} letsencrypt_email=${var.letsencrypt_email}"
106 |     PlaybookFile   = "cloud_workstation_aws.yml"
107 |     SourceInfo     = "{\"path\":\"https://s3.${var.aws_region}.amazonaws.com/${aws_s3_bucket.cw-bucket.id}/playbook/\"}"
108 |     SourceType     = "S3"
109 |     Verbose        = "-v"
110 |   }
111 |   depends_on = [aws_iam_role_policy_attachment.cw-iam-attach-ssm, aws_iam_role_policy_attachment.cw-iam-attach-s3, aws_s3_bucket_object.cw-workstation-files]
112 | }
113 | 


--------------------------------------------------------------------------------
/aws/cw-kmscmk.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_kms_key" "cw-kmscmk-s3" {
  2 |   description              = "Key for cw s3"
  3 |   key_usage                = "ENCRYPT_DECRYPT"
  4 |   customer_master_key_spec = "SYMMETRIC_DEFAULT"
  5 |   enable_key_rotation      = "true"
  6 |   tags = {
  7 |     Name = "cw-kmscmk-s3-${random_string.cw-random.result}"
  8 |   }
  9 |   policy = <<EOF
 10 | {
 11 |   "Id": "cw-kmskeypolicy-s3",
 12 |   "Version": "2012-10-17",
 13 |   "Statement": [
 14 |     {
 15 |       "Sid": "Enable IAM User Permissions",
 16 |       "Effect": "Allow",
 17 |       "Principal": {
 18 |         "AWS": "${data.aws_iam_user.cw-kmsmanager.arn}"
 19 |       },
 20 |       "Action": "kms:*",
 21 |       "Resource": "*"
 22 |     },
 23 |     {
 24 |       "Sid": "Allow EC2 Encrypt",
 25 |       "Effect": "Allow",
 26 |       "Principal": {
 27 |         "AWS": "${aws_iam_role.cw-instance-iam-role.arn}"
 28 |       },
 29 |       "Action": [
 30 |         "kms:Encrypt",
 31 |         "kms:ReEncrypt*",
 32 |         "kms:GenerateDataKey*",
 33 |         "kms:DescribeKey"
 34 |       ],
 35 |       "Resource": "*",
 36 |       "Condition": {
 37 |         "StringEquals": {
 38 |           "kms:CallerAccount": "${data.aws_caller_identity.cw-aws-account.account_id}",
 39 |           "kms:ViaService": "ec2.${var.aws_region}.amazonaws.com"
 40 |         }
 41 |       }
 42 |     },
 43 |     {
 44 |       "Sid": "Allow access through S3",
 45 |       "Effect": "Allow",
 46 |       "Principal": {
 47 |         "AWS": "${aws_iam_role.cw-instance-iam-role.arn}"
 48 |       },
 49 |       "Action": [
 50 |         "kms:Encrypt",
 51 |         "kms:Decrypt",
 52 |         "kms:ReEncrypt*",
 53 |         "kms:GenerateDataKey*",
 54 |         "kms:DescribeKey"
 55 |       ],
 56 |       "Resource": "*",
 57 |       "Condition": {
 58 |         "StringEquals": {
 59 |           "kms:CallerAccount": "${data.aws_caller_identity.cw-aws-account.account_id}",
 60 |           "kms:ViaService": "s3.${var.aws_region}.amazonaws.com"
 61 |         }
 62 |       }
 63 |     }
 64 |   ]
 65 | }
 66 | EOF
 67 | }
 68 | 
 69 | resource "aws_kms_alias" "cw-kmscmk-s3-alias" {
 70 |   name          = "alias/${var.name_prefix}-kmscmk-s3-${random_string.cw-random.result}"
 71 |   target_key_id = aws_kms_key.cw-kmscmk-s3.key_id
 72 | }
 73 | 
 74 | resource "aws_kms_key" "cw-kmscmk-ec2" {
 75 |   description              = "Key for cw ec2/ebs"
 76 |   key_usage                = "ENCRYPT_DECRYPT"
 77 |   customer_master_key_spec = "SYMMETRIC_DEFAULT"
 78 |   enable_key_rotation      = "true"
 79 |   tags = {
 80 |     Name = "cw-kmscmk-ec2-${random_string.cw-random.result}"
 81 |   }
 82 |   policy = <<EOF
 83 | {
 84 |   "Id": "cw-kmskeypolicy-ec2",
 85 |   "Version": "2012-10-17",
 86 |   "Statement": [
 87 |     {
 88 |       "Sid": "Enable IAM User Permissions",
 89 |       "Effect": "Allow",
 90 |       "Principal": {
 91 |         "AWS": "${data.aws_iam_user.cw-kmsmanager.arn}"
 92 |       },
 93 |       "Action": "kms:*",
 94 |       "Resource": "*"
 95 |     },
 96 |     {
 97 |       "Sid": "Allow attachment of persistent resources",
 98 |       "Effect": "Allow",
 99 |       "Principal": {
100 |         "AWS": "${aws_iam_role.cw-instance-iam-role.arn}"
101 |       },
102 |       "Action": [
103 |         "kms:CreateGrant",
104 |         "kms:ListGrants",
105 |         "kms:RevokeGrant"
106 |       ],
107 |       "Resource": "*",
108 |       "Condition": {
109 |         "Bool": {
110 |           "kms:GrantIsForAWSResource": "true"
111 |         }
112 |       }
113 |     },
114 |     {
115 |       "Sid": "Allow access through EC2",
116 |       "Effect": "Allow",
117 |       "Principal": {
118 |         "AWS": "${aws_iam_role.cw-instance-iam-role.arn}"
119 |       },
120 |       "Action": [
121 |         "kms:Encrypt",
122 |         "kms:Decrypt",
123 |         "kms:ReEncrypt*",
124 |         "kms:GenerateDataKey*",
125 |         "kms:DescribeKey"
126 |       ],
127 |       "Resource": "*",
128 |       "Condition": {
129 |         "StringEquals": {
130 |           "kms:CallerAccount": "${data.aws_caller_identity.cw-aws-account.account_id}",
131 |           "kms:ViaService": "ec2.${var.aws_region}.amazonaws.com"
132 |         }
133 |       }
134 |     }
135 |   ]
136 | }
137 | EOF
138 | }
139 | 
140 | resource "aws_kms_alias" "cw-kmscmk-ec2-alias" {
141 |   name          = "alias/${var.name_prefix}-kmscmk-ec2-${random_string.cw-random.result}"
142 |   target_key_id = aws_kms_key.cw-kmscmk-ec2.key_id
143 | }
144 | 
145 | resource "aws_kms_key" "cw-kmscmk-ssm" {
146 |   description              = "Key for cw ssm/ebs"
147 |   key_usage                = "ENCRYPT_DECRYPT"
148 |   customer_master_key_spec = "SYMMETRIC_DEFAULT"
149 |   enable_key_rotation      = "true"
150 |   tags = {
151 |     Name = "cw-kmscmk-ssm-${random_string.cw-random.result}"
152 |   }
153 |   policy = <<EOF
154 | {
155 |   "Id": "cw-kmskeypolicy-ssm",
156 |   "Version": "2012-10-17",
157 |   "Statement": [
158 |     {
159 |       "Sid": "Enable IAM User Permissions",
160 |       "Effect": "Allow",
161 |       "Principal": {
162 |         "AWS": "${data.aws_iam_user.cw-kmsmanager.arn}"
163 |       },
164 |       "Action": "kms:*",
165 |       "Resource": "*"
166 |     },
167 |     {
168 |       "Sid": "Allow access through EC2",
169 |       "Effect": "Allow",
170 |       "Principal": {
171 |         "AWS": "${aws_iam_role.cw-instance-iam-role.arn}"
172 |       },
173 |       "Action": "kms:Decrypt",
174 |       "Resource": "*",
175 |       "Condition": {
176 |         "StringEquals": {
177 |           "kms:CallerAccount": "${data.aws_caller_identity.cw-aws-account.account_id}",
178 |           "kms:ViaService": "ssm.${var.aws_region}.amazonaws.com"
179 |         }
180 |       }
181 |     }
182 |   ]
183 | }
184 | EOF
185 | }
186 | 
187 | resource "aws_kms_alias" "cw-kmscmk-ssm-alias" {
188 |   name          = "alias/${var.name_prefix}-kmscmk-ssm-${random_string.cw-random.result}"
189 |   target_key_id = aws_kms_key.cw-kmscmk-ssm.key_id
190 | }
191 | 


--------------------------------------------------------------------------------
/aws/README.md:
--------------------------------------------------------------------------------
  1 | # Reference
  2 | The AWS deployment for cloud_workstation.
  3 | 
  4 | # Requirements
  5 | - An AWS account
  6 | - Follow Step-by-Step (compatible with Windows and Ubuntu)
  7 | 
  8 | # Step-by-Step 
  9 | Windows Users install WSL (Windows Subsystem Linux)
 10 | ```
 11 | #############################
 12 | ## Windows Subsystem Linux ##
 13 | #############################
 14 | # Launch an ELEVATED Powershell prompt (right click -> Run as Administrator)
 15 | 
 16 | # Enable Windows Subsystem Linux
 17 | dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
 18 | 
 19 | # Reboot your Windows PC
 20 | shutdown /r /t 5
 21 | 
 22 | # After reboot, launch a REGULAR Powershell prompt (left click).
 23 | # Do NOT proceed with an ELEVATED Powershell prompt.
 24 | 
 25 | # Download the Ubuntu 1804 package from Microsoft
 26 | curl.exe -L -o ubuntu-1804.appx https://aka.ms/wsl-ubuntu-1804
 27 |  
 28 | # Rename the package
 29 | Rename-Item ubuntu-1804.appx ubuntu-1804.zip
 30 |  
 31 | # Expand the zip
 32 | Expand-Archive ubuntu-1804.zip ubuntu-1804
 33 |  
 34 | # Change to the zip directory
 35 | cd ubuntu-1804
 36 |  
 37 | # Execute the ubuntu 1804 installer
 38 | .\ubuntu1804.exe
 39 |  
 40 | # Create a username and password when prompted
 41 | ```
 42 | Install Terraform, Git, and create an SSH key pair
 43 | ```
 44 | #############################
 45 | ##  Terraform + Git + SSH  ##
 46 | #############################
 47 | # Add terraform's apt key (enter previously created password at prompt)
 48 | curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
 49 |  
 50 | # Add terraform's apt repository
 51 | sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
 52 |  
 53 | # Install terraform and git
 54 | sudo apt-get update && sudo apt-get -y install terraform git
 55 |  
 56 | # Clone the cloud_workstation project
 57 | git clone https://github.com/chadgeary/cloud_workstation
 58 | 
 59 | # Create SSH key pair (RETURN for defaults)
 60 | ssh-keygen
 61 | ```
 62 | 
 63 | Install the AWS cli and create non-root AWS user
 64 | ```
 65 | #############################
 66 | ##          AWS            ##
 67 | #############################
 68 | # Open powershell and start WSL
 69 | wsl
 70 | 
 71 | # Change to home directory
 72 | cd ~
 73 | 
 74 | # Install python3 pip
 75 | sudo apt update && sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y install python3-pip
 76 | 
 77 | # Install awscli via pip
 78 | pip3 install --user --upgrade awscli
 79 | 
 80 | # Create a non-root AWS user in the AWS web console with admin permissions
 81 | # This user must be the same user running terraform apply
 82 | # Create the user at the AWS Web Console under IAM -> Users -> Add user -> Check programmatic access and AWS Management console -> Attach existing policies -> AdministratorAccess -> copy Access key ID and Secret Access key
 83 | # See for more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html#getting-started_create-admin-group-console
 84 | 
 85 | # Set admin user credentials
 86 | ~/.local/bin/aws configure
 87 | 
 88 | # Validate configuration
 89 | ~/.local/bin/aws sts get-caller-identity 
 90 | ```
 91 | 
 92 | Customize the deployment - See variables section below
 93 | ```
 94 | # Change to the project's aws directory in powershell
 95 | cd ~/cloud_workstation/aws/
 96 | 
 97 | # Open File Explorer in a separate window
 98 | # Navigate to aws project directory - change \chad\ to your WSL username
 99 | %HOMEPATH%\ubuntu-1804\rootfs\home\chad\cloud_workstation\aws
100 | 
101 | # Edit the cw.tfvars file using notepad and save
102 | ```
103 | 
104 | Deploy
105 | ```
106 | # In powershell's WSL window, change to the project's aws directory
107 | cd ~/cloud_workstation/aws/
108 | 
109 | # Initialize terraform and apply the terraform state
110 | terraform init
111 | terraform apply -var-file="cw.tfvars"
112 | 
113 | # Note the outputs from terraform after the apply completes
114 | 
115 | # Wait for the virtual machine to become ready (Ansible will setup the services for us)
116 | ```
117 | 
118 | Want to watch Ansible setup the virtual machine? SSH to the cloud instance - see the terraform output.
119 | ```
120 | # Connect to the virtual machine via ssh
121 | ssh ubuntu@<some ip address terraform told us about>
122 | 
123 | # Check the Ansible output (from AWS SSM)
124 | export ASSOC_ID=$(sudo bash -c 'ls -t /var/lib/amazon/ssm/*/document/orchestration/' | awk 'NR==1 { print $1 }') && sudo bash -c 'cat /var/lib/amazon/ssm/i-*/document/orchestration/'"$ASSOC_ID"'/awsrunShellScript/runShellScript/stdout'
125 | ```
126 | 
127 | Alternatively, check [AWS State Manager](https://console.aws.amazon.com/systems-manager/state-manager) though you'll need to be logged into AWS as the user created in the previous AWS steps. 
128 | 
129 | # Variables
130 | Edit the vars file (cw.tfvars) to customize the deployment, especially:
131 | ```
132 | # instance_key
133 | # a public SSH key for SSH access to the instance via user `ubuntu`.
134 | # cat ~/.ssh/id_rsa.pub
135 | 
136 | # mgmt_cidr
137 | # an IP range granted webUI, SSH access.
138 | # deploying from home? This should be your public IP address with a /32 suffix.
139 | 
140 | # kms_manager
141 | # The AWS username (not root) granted access to various resources (including SSM logs in S3, SSM parameter store).
142 | 
143 | # cw_password
144 | # password for guacadmin webUI account and ubuntu user
145 | 
146 | # aws_region
147 | # region to build the services in
148 | 
149 | # And as of July 2021, please use duckdns.org to generate a domain and token and set the appropriate variabels in aws.tfvars
150 | ```
151 | 
152 | # Post-Deployment
153 | - Wait for Ansible Playbook, watch [AWS State Manager](https://console.aws.amazon.com/systems-manager/state-manager)
154 | - See terraform output for WebUI link. Username: `guacadmin`
155 | 
156 | # FAQs
157 | - Using an ISP with a dynamic IP (DHCP) and the IP address changed? Pihole webUI and SSH access will be blocked until the mgmt_cidr is updated.
158 |   - Follow the steps below to quickly update the cloud firewall using terraform.
159 | 
160 | ```
161 | # Open Powershell and start WSL
162 | wsl
163 | 
164 | # Change to the project directory
165 | cd ~/cloud_workstation/aws/
166 | 
167 | # Update the mgmt_cidr variable - be sure to replace change_me with your public IP address
168 | sed -i -e "s#^mgmt_cidr = .*#mgmt_cidr = \"change_me/32\"#" cw.tfvars
169 | 
170 | # Rerun terraform apply, terraform will update the cloud firewall rules
171 | terraform apply -var-file="cw.tfvars"
172 | ```
173 | 
174 | - How do I update docker containers?
175 |   - Containers must be removed manually first:
176 |   - SSH to the cloud_workstation instance.
177 |   - Remove the container(s) (local data is kept), e.g.:
178 | ```
179 | sudo docker rm -f guacd
180 | ```
181 |   - Re-apply the AWS SSM association to re-run the Ansible playbook. Ansible will re-install the container(s). 
182 |   - Newer versions of cloud_workstation display an AWS CLI command to re-apply the AWS SSM association.
183 | 


--------------------------------------------------------------------------------
/playbooks/cloud_workstation_aws.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | - name: workstation.yml
  3 |   hosts: localhost
  4 |   become: True
  5 |   become_user: root
  6 |   tasks:
  7 | 
  8 |     - name: if not defined, set duckdns_domain to blank value
  9 |       set_fact:
 10 |         duckdns_domain: "{% if duckdns_domain is not defined %}{% else %}{{ duckdns_domain }}{% endif %}"
 11 | 
 12 |     - name: if not defined, set duckdns_token to blank value
 13 |       set_fact:
 14 |         duckdns_token: "{% if duckdns_token is not defined %}{% else %}{{ duckdns_token }}{% endif %}"
 15 | 
 16 |     - name: if not defined, set letsencrypt_email to blank value
 17 |       set_fact:
 18 |         letsencrypt_email: "{% if letsencrypt_email is not defined %}{% else %}{{ letsencrypt_email }}{% endif %}"
 19 | 
 20 |     - name: if not defined, set docker_duckdnsupdater to blank value
 21 |       set_fact:
 22 |         guacnet_duckdnsupdater: "{% if guacnet_duckdnsupdater is not defined %}{% else %}{{ guacnet_duckdnsupdater }}{% endif %}"
 23 | 
 24 |     - name: docker pip3 ssl xfce and xrdp
 25 |       apt:
 26 |         pkg:
 27 |           - docker.io
 28 |           - python3-pip
 29 |           - ssl-cert
 30 |           - xfce4
 31 |           - xfce4-terminal
 32 |           - xrdp
 33 |         state: latest
 34 |         update_cache: yes
 35 |       retries: 3
 36 |       delay: 30
 37 |       register: packages_install
 38 |       until: packages_install is not failed
 39 |       when: desktop == "xfce"
 40 | 
 41 |     - name: docker gnome pip3 ssl and xrdp
 42 |       apt:
 43 |         pkg:
 44 |           - docker.io
 45 |           - gdm3
 46 |           - gnome-session
 47 |           - gnome-terminal
 48 |           - python3-pip
 49 |           - ssl-cert
 50 |           - xrdp
 51 |         state: latest
 52 |         update_cache: yes
 53 |       retries: 3
 54 |       delay: 30
 55 |       register: packages_install
 56 |       until: packages_install is not failed
 57 |       when: desktop == "gnome"
 58 | 
 59 |     - name: install boto3 botocore and docker python package for ansible
 60 |       pip:
 61 |         executable: /usr/bin/pip3
 62 |         name:
 63 |           - boto3
 64 |           - botocore
 65 |           - docker
 66 | 
 67 |     - name: add xrdp user to ssl-cert group
 68 |       user:
 69 |         name: xrdp
 70 |         groups: ssl-cert
 71 |         append: yes
 72 | 
 73 |     - name: set xrdp listen local (docker) only
 74 |       lineinfile:
 75 |         path: /etc/xrdp/xrdp.ini
 76 |         insertbefore: '^; tcp port to listen'
 77 |         line: address=172.17.0.1
 78 |       register: xrdp_ini
 79 | 
 80 |     - name: disable permit root rdp
 81 |       lineinfile:
 82 |         path: /etc/xrdp/sesman.ini
 83 |         regexp: '^AllowRootLogin='
 84 |         line: 'AllowRootLogin=False'
 85 |       register: sesman_ini
 86 | 
 87 |     - name: xsession for ubuntu user
 88 |       blockinfile:
 89 |         path: /home/ubuntu/.xsession
 90 |         create: yes
 91 |         owner: xrdp
 92 |         group: xrdp
 93 |         mode: '0544'
 94 |         block: |
 95 |           # Enables the session for ubuntu user 
 96 |           export LOGNAME=$USER
 97 |           export LIBGL_ALWAYS_INDIRECT=0
 98 |           unset SESSION_MANAGER
 99 |           unset DBUS_SESSION_BUS_ADDRESS
100 |           {% if desktop == 'xfce' %}xfce4-session{% elif desktop == 'gnome' %}gnome-session{% endif %}
101 | 
102 |     - name: colord for gnome
103 |       blockinfile:
104 |         path: /etc/polkit-1/localauthority/50-local.d/allow-colord.pkla
105 |         create: yes
106 |         owner: root
107 |         group: root
108 |         mode: '0444'
109 |         block: |
110 |           [Allow colord for all users]
111 |           Identity=unix-user:*
112 |           Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile 
113 |           ResultAny=yes
114 |           ResualtInactive=auth_admin
115 |           ResultActive=yes
116 |       when: desktop == 'gnome'
117 | 
118 |     - name: set xrdp sesman systemd unit to wait for docker
119 |       lineinfile:
120 |         path: /lib/systemd/system/xrdp-sesman.service
121 |         regexp: '^After=network.target'
122 |         line: 'After=network.target docker.service'
123 | 
124 |     - name: enable / start docker and xrdp
125 |       systemd:
126 |         name: "{{ item }}"
127 |         state: started
128 |         enabled: yes
129 |         daemon_reload: yes
130 |       with_items:
131 |         - docker
132 |         - xrdp
133 | 
134 |     - name: restart xrdp if inis changed
135 |       systemd:
136 |         name: xrdp
137 |         state: restarted
138 |       when: xrdp_ini.changed or sesman_ini.changed
139 | 
140 |     - name: Container dirs
141 |       file:
142 |         path: "/opt/{{ item }}"
143 |         state: directory
144 |         owner: root
145 |         group: root
146 |         mode: '0750'
147 |       with_items:
148 |         - guacamole
149 |         - webproxy
150 |         - webproxy/nginx
151 |         - webproxy/nginx/proxy-confs
152 | 
153 |     - name: secure web proxy confs
154 |       template:
155 |         src: "{{ item }}"
156 |         dest: "/opt/webproxy/{{ item }}"
157 |         owner: root
158 |         group: root
159 |         mode: 0444
160 |       with_items:
161 |         - httpd-ssl.conf
162 |         - httpd.conf
163 |         - nginx/nginx.conf
164 |         - nginx/proxy-confs/cloudworkstation.conf
165 |       register: proxy_conf_files
166 | 
167 |     - name: Determine db passwords set (root)
168 |       stat:
169 |         path: /opt/guacamole/guacdb_root_file
170 |       register: guacdb_root_file
171 | 
172 |     - name: Determine db passwords set (guacamole)
173 |       stat:
174 |         path: /opt/guacamole/guacdb_guacamole_file
175 |       register: guacdb_guacamole_file
176 | 
177 |     - name: Create db passwords when not set (root)
178 |       shell: |
179 |         head /dev/urandom | tr -dc A-Za-z0-9 | head -c 20 > /opt/guacamole/guacdb_root_file
180 |       when: guacdb_root_file.stat.exists|bool == False
181 | 
182 |     - name: Create db passwords when not set (guacamole)
183 |       shell: |
184 |         head /dev/urandom | tr -dc A-Za-z0-9 | head -c 20 > /opt/guacamole/guacdb_guacamole_file
185 |       when: guacdb_guacamole_file.stat.exists|bool == False
186 | 
187 |     - name: Register db passwords
188 |       shell: |
189 |         cat /opt/guacamole/guacdb_root_file
190 |       register: guacdb_root_pass
191 | 
192 |     - name: Register db pass (guacamole)
193 |       shell: |
194 |         cat /opt/guacamole/guacdb_guacamole_file
195 |       register: guacdb_guacamole_pass
196 | 
197 |     - name: Docker Volume (db)
198 |       docker_volume:
199 |         name: guacdb
200 | 
201 |     - name: Docker Network
202 |       docker_network:
203 |         name: guacnet
204 |         ipam_config:
205 |           - subnet: "{{ guacnet_cidr }}"
206 | 
207 |     - name: Docker Container - guacd
208 |       docker_container:
209 |         name: guacd
210 |         image: guacamole/guacd:1.4.0
211 |         networks:
212 |           - name: guacnet
213 |             ipv4_address: "{{ guacnet_guacd }}"
214 |         restart_policy: "always"
215 | 
216 |     - name: Docker Container - guacdb
217 |       docker_container:
218 |         name: guacdb
219 |         env:
220 |           MYSQL_ROOT_PASSWORD: "{{ guacdb_root_pass.stdout }}"
221 |         image: mysql/mysql-server
222 |         networks:
223 |           - name: guacnet
224 |             ipv4_address: "{{ guacnet_guacdb }}"
225 |         purge_networks: yes
226 |         restart_policy: "always"
227 |         volumes:
228 |           - guacdb:/var/lib/mysql
229 | 
230 |     - name: Docker Container - guacamole
231 |       docker_container:
232 |         name: guacamole
233 |         env:
234 |           MYSQL_HOSTNAME: "{{ guacnet_guacdb }}"
235 |           MYSQL_PORT: "3306"
236 |           MYSQL_DATABASE: "guacamole_db"
237 |           MYSQL_USER: "guacamole_user"
238 |           MYSQL_PASSWORD: "{{ guacdb_guacamole_pass.stdout }}"
239 |           GUACD_HOSTNAME: "{{ guacnet_guacd }}"
240 |           GUACD_PORT: "4822"
241 |           GUACD_LOG_LEVEL: "debug"
242 |         image: guacamole/guacamole:1.4.0
243 |         links:
244 |           - "guacd:guacd"
245 |           - "guacdb:mysql"
246 |         networks:
247 |           - name: guacnet
248 |             ipv4_address: "{{ guacnet_guacamole }}"
249 |         purge_networks: yes
250 |         restart_policy: "always"
251 | 
252 |     - name: web proxy container
253 |       docker_container:
254 |         name: web_proxy
255 |         image: httpd:2.4
256 |         networks:
257 |           - name: guacnet
258 |             ipv4_address: "{{ guacnet_webproxy }}"
259 |         ports:
260 |           - "443:443"
261 |         volumes:
262 |           - /opt/webproxy/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf:ro
263 |           - /opt/webproxy/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
264 |           - /etc/ssl/certs/ssl-cert-snakeoil.pem:/usr/local/apache2/conf/server.crt:ro
265 |           - /etc/ssl/private/ssl-cert-snakeoil.key:/usr/local/apache2/conf/server.key:ro
266 |         purge_networks: yes
267 |         restart_policy: "always"
268 |         restart: "{% if proxy_conf_files.changed %}yes{% else %}no{% endif %}"
269 |       when: duckdns_domain == ""
270 | 
271 |     - name: duckdnsupdater container
272 |       docker_container:
273 |         name: duckdnsupdater
274 |         hostname: duckdnsupdater
275 |         image: ghcr.io/linuxserver/duckdns
276 |         networks:
277 |           - name: guacnet
278 |             ipv4_address: "{{ guacnet_duckdnsupdater }}"
279 |         env:
280 |           PUID: "1000"
281 |           PGID: "1000"
282 |           TZ: "UTC"
283 |           SUBDOMAINS: "{{ duckdns_domain.split('.')[0] }}"
284 |           TOKEN: "{{ duckdns_token }}"
285 |         pull: yes
286 |         purge_networks: yes
287 |         restart_policy: "always"
288 |         container_default_behavior: "compatibility"
289 |       when: duckdns_domain != ""
290 | 
291 |     - name: duckdns web proxy container
292 |       docker_container:
293 |         name: web_proxy
294 |         hostname: webproxy
295 |         image: ghcr.io/linuxserver/swag
296 |         networks:
297 |           - name: guacnet
298 |             ipv4_address: "{{ guacnet_webproxy }}"
299 |         env:
300 |           PUID: "1000"
301 |           PGID: "1000"
302 |           TZ: "UTC"
303 |           URL: "{{ duckdns_domain }}"
304 |           DUCKDNSTOKEN: "{{ duckdns_token }}"
305 |           EMAIL: "{{ letsencrypt_email }}"
306 |           VALIDATION: "duckdns"
307 |         ports:
308 |           - "443:443"
309 |         volumes: "/opt/webproxy:/config"
310 |         pull: yes
311 |         purge_networks: yes
312 |         restart_policy: "always"
313 |         container_default_behavior: "compatibility"
314 |         restart: "{% if proxy_conf_files.changed %}yes{% else %}no{% endif %}"
315 |       when: duckdns_domain != ""
316 | 
317 |     - name: Determine if (One Time) was done
318 |       stat:
319 |         path: /opt/guacamole/db_conf_done
320 |       register: guacdb_one_time_done
321 | 
322 |     - name: Set my.cnf and dbpass.sql
323 |       template:
324 |         src: "{{ item }}"
325 |         dest: "/opt/guacamole/{{ item }}"
326 |         owner: root
327 |         group: root
328 |         mode: '0400'
329 |       with_items:
330 |         - my.cnf
331 |         - dbpass.sql
332 |       when: guacdb_one_time_done.stat.exists|bool == False
333 | 
334 |     - name: Wait for mysqld on 3306
335 |       shell: |
336 |         docker logs guacdb 2>&1 | grep --quiet 'port: 3306'
337 |       register: wait_for_mysqld
338 |       until: wait_for_mysqld.rc == 0
339 |       retries: 15
340 |       delay: 15
341 |       when: guacdb_one_time_done.stat.exists|bool == False
342 | 
343 |     - name: Configure DB (One Time)
344 |       shell: |
345 |         # credentials
346 |         docker cp /opt/guacamole/my.cnf guacdb:/root/.my.cnf
347 |         docker cp /opt/guacamole/dbpass.sql guacdb:dbpass.sql
348 |         docker exec -i guacdb /bin/bash -c "mysql < dbpass.sql"
349 |         touch /opt/guacamole/one_time_done
350 |         # schema
351 |         docker exec -i guacamole /bin/bash -c 'cat /opt/guacamole/mysql/schema/*.sql' > /opt/guacamole/dbschema.sql
352 |         docker cp /opt/guacamole/dbschema.sql guacdb:dbschema.sql
353 |         docker exec -i guacdb /bin/bash -c "mysql guacamole_db < dbschema.sql"
354 |       when: guacdb_one_time_done.stat.exists|bool == False
355 | 
356 |     - name: Set One Time
357 |       file:
358 |         path: /opt/guacamole/db_conf_done
359 |         state: touch
360 | 
361 | # The following sets the default AMI user (ubuntu)'s password from a random string,
362 | # guacadmin's password to cw_password from AWS Parameter secret
363 | # and creates a default RDP connection for the Ubuntu user in Guacamole
364 |     - name: Determine User and Session one-time setup complete
365 |       stat:
366 |         path: /opt/guacamole/user_session_done
367 |       register: usersession_one_time_done
368 | 
369 |     - name: Get SSM parameter cw_password (One Time)
370 |       set_fact:
371 |         cw_password: "{{ lookup('aws_ssm', name_prefix + '-cw-web-password-' + name_suffix, decrypt=True, region=aws_region) }}"
372 |       when: usersession_one_time_done.stat.exists|bool == False
373 |       no_log: True
374 | 
375 |     - name: Set Ubuntu password (One Time)
376 |       user:
377 |         name: ubuntu
378 |         password: "{{ cw_password | password_hash('sha512') }}"
379 |       when: usersession_one_time_done.stat.exists|bool == False
380 | 
381 |     - name: Get Auth Token from Guacamole with Default Credentials (One Time)
382 |       uri:
383 |         url: "https://{% if duckdns_domain != '' %}{{ duckdns_domain }}{% else %}127.0.0.1{% endif %}:443/guacamole/api/tokens"
384 |         method: POST
385 |         body: "username=guacadmin&password=guacadmin"
386 |         validate_certs: "{% if duckdns_domain == '' %}no{% else %}yes{% endif %}"
387 |       register: GUAC_AUTH_RESPONSE
388 |       retries: 60
389 |       delay: 1
390 |       until: "'authToken' in GUAC_AUTH_RESPONSE.json"
391 |       when: usersession_one_time_done.stat.exists|bool == False
392 | 
393 |     - name: Add RDP Connection to Cloud Workstation (One Time)
394 |       uri:
395 |         url: https://{% if duckdns_domain != "" %}{{ duckdns_domain }}{% else %}127.0.0.1{% endif %}:443/guacamole/api/session/data/mysql/connections?token={{ GUAC_AUTH_RESPONSE.json.authToken }}
396 | #        url: https://{% if duckdns_domain != "" %}{{ duckdns_domain }}{% else %}127.0.0.1{% endif %}:443/guacamole/api/session/data/mysql/connections?token=cheese
397 |         method: POST
398 |         body_format: json
399 |         body: '{"parentIdentifier":"ROOT","name":"cloud_workstation","protocol":"rdp","parameters":{"port":"3389","read-only":"","swap-red-blue":"","cursor":"","color-depth":"","clipboard-encoding":"","disable-copy":"","disable-paste":"","dest-port":"","recording-exclude-output":"","recording-exclude-mouse":"","recording-include-keys":"","create-recording-path":"","enable-sftp":"","sftp-port":"","sftp-server-alive-interval":"","sftp-disable-download":"","sftp-disable-upload":"","enable-audio":"","wol-send-packet":"","wol-wait-time":"","security":"","disable-auth":"","ignore-cert":"true","gateway-port":"","server-layout":"","timezone":null,"console":"","width":"","height":"","dpi":"","resize-method":"","console-audio":"","disable-audio":"","enable-audio-input":"","enable-printing":"","enable-drive":"","disable-download":"","disable-upload":"","create-drive-path":"","enable-wallpaper":"","enable-theming":"","enable-font-smoothing":"","enable-full-window-drag":"","enable-desktop-composition":"","enable-menu-animations":"","disable-bitmap-caching":"","disable-offscreen-caching":"","disable-glyph-caching":"","preconnection-id":"","hostname":"172.17.0.1","username":"ubuntu","password":"{{ cw_password }}"},"attributes":{"max-connections":"5","max-connections-per-user":"5","weight":"","failover-only":"","guacd-port":"4822","guacd-encryption":"","guacd-hostname":"{{ guacnet_guacd }}"}}'
400 |         validate_certs: "{% if duckdns_domain == '' %}no{% else %}yes{% endif %}"
401 |       register: GUAC_ADD_RDP_RESPONSE
402 |       failed_when: "'url' not in GUAC_ADD_RDP_RESPONSE"
403 |       when: usersession_one_time_done.stat.exists|bool == False
404 | 
405 |     - name: Set guacadmin Password to cw_password (One Time)
406 |       uri:
407 |         url: https://{% if duckdns_domain != "" %}{{ duckdns_domain }}{% else %}127.0.0.1{% endif %}:443/guacamole/api/session/data/mysql/users/guacadmin/password?token={{ GUAC_AUTH_RESPONSE.json.authToken }}
408 |         method: PUT
409 |         body_format: json
410 |         body: '{"oldPassword":"guacadmin","newPassword":"{{ cw_password }}"}'
411 |         validate_certs: "{% if duckdns_domain == '' %}no{% else %}yes{% endif %}"
412 |       register: GUAC_GUACADMIN_CHANGE_PASS
413 |       failed_when: GUAC_GUACADMIN_CHANGE_PASS.status != 204
414 |       when: usersession_one_time_done.stat.exists|bool == False
415 | 
416 |     - name: Set User and Session one-time setup complete
417 |       file:
418 |         path: /opt/guacamole/user_session_done
419 |         state: touch
420 | 


--------------------------------------------------------------------------------