├── .gitignore
├── LICENSE
├── README.md
├── cloudinit.yml
├── main.tf
├── netbox.sh
├── outputs.tf
├── security_groups.tf
└── variables.tf


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # Terraform lock file
 5 | .terraform.lock.hcl
 6 | # .tfstate files
 7 | *.tfstate
 8 | *.tfstate.*
 9 | 
10 | # Crash log files
11 | crash.log
12 | 
13 | # Exclude all .tfvars files, which are likely to contain sentitive data, such as
14 | # password, private keys, and other secrets. These should not be part of version 
15 | # control as they are data points which are potentially sensitive and subject 
16 | # to change depending on the environment.
17 | #
18 | *.tfvars
19 | 
20 | # Ignore override files as they are usually used to override resources locally and so
21 | # are not checked in
22 | override.tf
23 | override.tf.json
24 | *_override.tf
25 | *_override.tf.json
26 | 
27 | # Include override files you do wish to add to version control using negated pattern
28 | #
29 | # !example_override.tf
30 | 
31 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
32 | # example: *tfplan*
33 | 
34 | # Ignore CLI configuration files
35 | .terraformrc
36 | terraform.rc
37 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 Phillip Andrew Hocking
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # netbox-aws
 2 | ## This repository is intended to facilitate installation of the popular NetBox DCIM/IPAM on an AWS EC2 instance using Terraform. 
 3 | 
 4 | 
 5 | This repo is pinned to Ubuntu 18.04-amd64-server-20201211.1 and verified to work with Terraform 0.14.6. The [netbox-docker](https://github.com/netbox-community/netbox-docker) image is pinned to [1.0.2](https://github.com/netbox-community/netbox-docker/releases/tag/1.0.2) which was the latest release as of this writing. 
 6 | 
 7 | To summarize, this instantiates the Ubuntu EC2 instance, installs all the Docker dependencies (which all are pinned), pulls the [netbox-docker](https://github.com/netbox-community/netbox-docker) release via git, creates a `docker-compose.override.yml` file which exposes the Docker internal port `8080` on the worker container to port `80` to the internet, and then execute `docker-compose` resulting in a functioning NetBox IPAM  after several minutes of fetching the depends and setting up the various images called by `docker-compose`.
 8 | 
 9 | 
10 | Variables to define in your Terraform workspace are: 
11 | 
12 | ```hcl 
13 | variable "access_key" {}
14 | variable "secret_key" {}
15 | variable "management_cidr_block" {}
16 | variable "key_name" {
17 |   default = "terraform"
18 | }
19 | 
20 | variable "aws_region" {
21 |   default = "us-west-2"
22 | }
23 | ```
24 | The `management_cidr_block` is just an IP address range to allow SSH connections from either your premise location, bastion host, VPC subnet, etc. Obviously you would want to be utilizing SSL and have a Security Group and/or NACL and probably have it behind an ALB or CloudFront deployment to provide more limited access, however, that is beyond the scope of this project.
25 | 
26 | The default login is `admin/admin`, and the default API key is:
27 | 
28 | `0123456789abcdef0123456789abcdef01234567`
29 | 
30 | Please, dear God, don't just run this public on the internet without SSL/firewall and change these defaults!
31 | 
32 | Pull requests are welcome, shoot me a message with any questions, complaints, or thanks! 


--------------------------------------------------------------------------------
/cloudinit.yml:
--------------------------------------------------------------------------------
 1 | #cloud-config
 2 | packages:
 3 |   - apt-transport-https
 4 |   - ca-certificates
 5 |   - curl
 6 |   - gnupg-agent
 7 |   - software-properties-common
 8 |   - git
 9 | 
10 | # create the docker group
11 | groups:
12 |   - docker
13 | 
14 | # Install Docker, for production, consider pinning to stable versions
15 | runcmd:
16 |   - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
17 |   - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
18 |   - apt-get update -y
19 |   - apt-get install -y docker-ce=5:20.10.1~3-0~ubuntu-bionic docker-ce-cli=5:20.10.1~3-0~ubuntu-bionic containerd.io=1.4.3-1 docker-compose=1.17.1-2
20 |   - systemctl start docker
21 |   - systemctl enable docker
22 |   - chown -R ubuntu:ubuntu /home/ubuntu
23 |   - bash /home/ubuntu/netbox.sh
24 |   
25 | # Add default auto created user to docker group
26 | system_info:
27 |   default_user:
28 |     name: ubuntu
29 |     groups: [docker]
30 | 
31 | # Enable ipv4 forwarding, required on CIS hardened machines
32 | # Install netbox-docker and render docker-compose.override.yml
33 | write_files:
34 |   - path: /etc/sysctl.d/enabled_ipv4_forwarding.conf
35 |     content: |
36 |       net.ipv4.conf.all.forwarding=1
37 |   - path: /home/ubuntu/netbox.sh
38 |     permissions: '0755'
39 |     owner: ubuntu:ubuntu
40 |     content: |
41 |       #!/bin/bash
42 | 
43 |       git clone -b release https://github.com/netbox-community/netbox-docker.git
44 |       cd netbox-docker
45 |       git checkout tags/1.0.2 -b 1.0.2-branch
46 |       tee docker-compose.override.yml <<EOF
47 |       version: '3.4'
48 |       services:
49 |         netbox:
50 |           ports:
51 |             - 80:8080
52 |       EOF
53 |       docker-compose pull
54 |       docker-compose up -d


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region     = var.aws_region
 3 |   access_key = var.access_key
 4 |   secret_key = var.secret_key
 5 | }
 6 | 
 7 | data "aws_ami" "ubuntu" {
 8 |   most_recent = true
 9 | 
10 |   filter {
11 |     name   = "name"
12 |     values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20201211.1"]
13 |   }
14 | 
15 |   filter {
16 |     name   = "virtualization-type"
17 |     values = ["hvm"]
18 |   }
19 | 
20 |   owners = ["099720109477"] # Canonical
21 | }
22 | 
23 | data "template_file" "deploy" {
24 |   template = file("cloudinit.yml")
25 | 
26 | }
27 | 
28 | resource "aws_instance" "netbox_prod" {
29 |   ami                    = data.aws_ami.ubuntu.id
30 |   instance_type          = "t2.micro"
31 |   key_name               = var.key_name
32 |   vpc_security_group_ids = [aws_security_group.netbox_prod.id]
33 |   user_data              = data.template_file.deploy.rendered
34 |   tags = {
35 |     Name = "netbox-prod"
36 |   }  
37 | }


--------------------------------------------------------------------------------
/netbox.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # This shell script is just for reference to ensure it works outside of the cloud-init process and so it can be formatted into the cloudinit.yml
 3 | sudo apt update
 4 | sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y
 5 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 6 | sudo add-apt-repository \
 7 |    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
 8 |    $(lsb_release -cs) \
 9 |    stable"
10 | sudo apt update && sudo apt install docker-ce docker-ce-cli containerd.io docker-compose -y
11 | git clone -b release https://github.com/netbox-community/netbox-docker.git
12 | cd netbox-docker
13 | tee docker-compose.override.yml <<EOF
14 | version: '3.4'
15 | services:
16 |   netbox:
17 |     ports:
18 |       - 80:8080
19 | EOF
20 | sudo docker-compose pull
21 | sudo docker-compose up -d


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | output "public_ip" {
2 |   description = "List of public IP addresses assigned to the instances, if applicable"
3 |   value       = aws_instance.netbox_prod.public_ip
4 | }


--------------------------------------------------------------------------------
/security_groups.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "netbox_prod" {
 2 |   name        = "netbox-prod"
 3 |   description = "Allow SSH inbound , all HTTP inbound, and all outbound traffic"
 4 | 
 5 |   ingress {
 6 |     from_port   = 22
 7 |     to_port     = 22
 8 |     protocol    = "tcp"
 9 |     cidr_blocks = [var.management_cidr_block]
10 |   }
11 | 
12 |   # These hardcoded values come from the Terraform Cloud API described at https://www.terraform.io/docs/cloud/api/ip-ranges.html so the provisioner blocks can run
13 |   # These may be subject to change
14 | 
15 |   ingress {
16 |     from_port   = 80
17 |     to_port     = 80
18 |     protocol    = "tcp"
19 |     cidr_blocks = ["0.0.0.0/0"]
20 |   }
21 | 
22 |   egress {
23 |     from_port   = 0
24 |     to_port     = 0
25 |     protocol    = "-1"
26 |     cidr_blocks = ["0.0.0.0/0"]
27 |   }
28 | }


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "access_key" {}
 2 | variable "secret_key" {}
 3 | variable "management_cidr_block" {}
 4 | variable "key_name" {
 5 |   default = "terraform"
 6 | }
 7 | 
 8 | variable "aws_region" {
 9 |   default = "us-west-2"
10 | }
11 | 


--------------------------------------------------------------------------------