From 9b87c6f243635cf930c8fd02adcad672c2ce2e3f Mon Sep 17 00:00:00 2001 From: Aleksander <170264518+t-aleksander@users.noreply.github.com> Date: Tue, 30 Jun 2026 11:31:58 +0200 Subject: [PATCH] use apt for terraform --- terraform2.0/examples/basic/main.tf.example | 27 +++++++-------- .../examples/existing-vpc/main.tf.example | 18 +++++----- terraform2.0/modules/core/main.tf | 1 - terraform2.0/modules/core/setup.sh | 34 ++++++++++++------- terraform2.0/modules/core/variables.tf | 8 ++--- terraform2.0/modules/edge/main.tf | 3 +- terraform2.0/modules/edge/setup.sh | 32 +++++++++++------ terraform2.0/modules/edge/variables.tf | 8 ++--- terraform2.0/modules/gateway/main.tf | 3 +- terraform2.0/modules/gateway/setup.sh | 34 ++++++++++++------- terraform2.0/modules/gateway/variables.tf | 8 ++--- 11 files changed, 93 insertions(+), 83 deletions(-) diff --git a/terraform2.0/examples/basic/main.tf.example b/terraform2.0/examples/basic/main.tf.example index c9f03b0..985deea 100644 --- a/terraform2.0/examples/basic/main.tf.example +++ b/terraform2.0/examples/basic/main.tf.example @@ -36,9 +36,9 @@ locals { # are using HTTP to access the Defguard Core web UI. core_cookie_insecure = false - # The deb package version of the Defguard Core that will be installed on the instance. - # Must be a valid, released 2.x version of Defguard Core. - core_package_version = "2.0.1" + # Pin the Defguard Core deb package version (e.g. "2.0.1"). Leave empty ("") to install the + # latest version available in the Defguard APT repository. + core_package_version = "" # The architecture of the Defguard Core server instance. # Supported values: "x86_64", "aarch64" 
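Review bot: Shipping the example with `core_package_version = ""` means a fresh deploy gets whatever is newest in the APT repo at boot time, and because each component is pinned independently, Core, Edge and Gateway can come up on different releases; presumably they are meant to run matching versions. I would keep the example pinned — `core_package_version = "2.0.1"`, or better a single `defguard_version` local that the three component locals reference — and leave the empty string as a documented opt-in for "latest" rather than the default. The same applies to the edge and gateway locals in the later hunks and to the existing-vpc example.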
@@ -58,9 +58,9 @@ locals { # The HTTPS port the Defguard Edge listens on (used after Core provisions TLS). edge_https_port = 443 - # The deb package version of the edge that will be installed on the instance. - # Must be a valid, released 2.x version of Defguard Proxy (edge). - edge_package_version = "2.0.1" + # Pin the edge deb package version (e.g. "2.0.1"). Leave empty ("") to install the + # latest version available in the Defguard APT repository. + edge_package_version = "" # The architecture of the Defguard Edge server instance. # Supported values: "x86_64", "aarch64" @@ -83,9 +83,9 @@ locals { # internet and other resources through the gateway. gateway_nat = true - # The gateway deb package version that will be installed on the instance. - # Must be a valid, released 2.x version of Defguard Gateway. - gateway_package_version = "2.0.1" + # Pin the gateway deb package version (e.g. "2.0.1"). Leave empty ("") to install the + # latest version available in the Defguard APT repository. + gateway_package_version = "" # The architecture of the Defguard Gateway server instance. # Supported values: "x86_64", "aarch64" @@ -158,7 +158,7 @@ terraform { } # Maps the deb package architecture (x86_64/aarch64) to the Ubuntu AMI name token -# (amd64/arm64), so the AMI a component boots matches the package its setup.sh downloads. +# (amd64/arm64), so the AMI a component boots matches the package apt installs. locals { ubuntu_ami_arch = { x86_64 = "amd64" @@ -193,10 +193,9 @@ provider "aws" { module "defguard_core" { # source = "../../modules/core" - source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main" + source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main" instance_type = local.core_instance_type package_version = local.core_package_version - arch = local.core_arch ami = data.aws_ami.ubuntu[local.core_arch].id grpc_port = local.core_grpc_port 
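Review bot: `source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main"` pins the module to a mutable branch, so the instance bootstrap (setup.sh is module content) can change under an existing workspace on the next `terraform init -upgrade`; combined with the now-empty package pin in this example, nothing fixes what a deploy actually installs. Pin the module to a release tag or commit SHA, e.g. `?ref=<tag-or-sha>`, and note in the comment that the module pin and the package pin are meant to be bumped together. If the edge and gateway module blocks use the same source form, pin those too.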
@@ -227,7 +226,6 @@ module "defguard_edge" { instance_type = local.edge_instance_type package_version = local.edge_package_version - arch = local.edge_arch grpc_port = local.edge_grpc_port http_port = local.edge_http_port https_port = local.edge_https_port @@ -245,7 +243,6 @@ module "defguard_gateway" { ami = data.aws_ami.ubuntu[local.gateway_arch].id instance_type = local.gateway_instance_type package_version = local.gateway_package_version - arch = local.gateway_arch grpc_port = local.gateway_grpc_port nat = local.gateway_nat @@ -266,7 +263,7 @@ module "vpc" { enable_dns_hostnames = true - # Private Core needs NAT for outbound (deb download at boot, license checks). Gateway/Edge + # Private Core needs NAT for outbound (apt package install at boot, license checks). Gateway/Edge # are public and egress via their own EIPs. enable_nat_gateway = true single_nat_gateway = true diff --git a/terraform2.0/examples/existing-vpc/main.tf.example b/terraform2.0/examples/existing-vpc/main.tf.example index 23acd4a..5970a18 100644 --- a/terraform2.0/examples/existing-vpc/main.tf.example +++ b/terraform2.0/examples/existing-vpc/main.tf.example @@ -7,8 +7,8 @@ # # Your network must satisfy these requirements: # - core_subnet_id : a PRIVATE subnet with outbound internet (a NAT gateway/instance). -# Core has no public IP and must download its deb + reach the license -# server on first boot. +# Core has no public IP and must reach the Defguard APT repo + +# the license server on first boot. # - public_subnet_id : a PUBLIC subnet (internet gateway route) so the Gateway and Edge # EIPs work. Gateway needs inbound UDP; Edge needs inbound HTTPS. To put # them in separate subnets, also set gateway_subnet_id / edge_subnet_id. 
@@ -20,7 +20,8 @@ locals { core_grpc_port = 50055 core_http_port = 8000 core_cookie_insecure = false - core_package_version = "2.0.1" + # Pin a version (e.g. "2.0.1") or leave empty ("") to install the latest from the APT repo. + core_package_version = "" core_arch = "x86_64" core_instance_type = "t3.micro" @@ -28,7 +29,7 @@ locals { edge_grpc_port = 50051 edge_http_port = 8080 edge_https_port = 443 - edge_package_version = "2.0.1" + edge_package_version = "" edge_arch = "x86_64" edge_instance_type = "t3.micro" @@ -36,7 +37,7 @@ locals { gateway_grpc_port = 50066 wireguard_port = 51820 gateway_nat = true - gateway_package_version = "2.0.1" + gateway_package_version = "" gateway_arch = "x86_64" gateway_instance_type = "t3.micro" @@ -123,7 +124,7 @@ data "aws_vpc" "selected" { } # Maps the deb package architecture (x86_64/aarch64) to the Ubuntu AMI name token -# (amd64/arm64), so the AMI a component boots matches the package its setup.sh downloads. +# (amd64/arm64), so the AMI a component boots matches the package apt installs. locals { ubuntu_ami_arch = { x86_64 = "amd64" @@ -184,10 +185,9 @@ module "network" { module "defguard_core" { # source = "../../modules/core" - source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main" + source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main" instance_type = local.core_instance_type package_version = local.core_package_version - arch = local.core_arch ami = data.aws_ami.ubuntu[local.core_arch].id grpc_port = local.core_grpc_port @@ -216,7 +216,6 @@ module "defguard_edge" { instance_type = local.edge_instance_type package_version = local.edge_package_version - arch = local.edge_arch grpc_port = local.edge_grpc_port http_port = local.edge_http_port https_port = local.edge_https_port 
@@ -233,7 +232,6 @@ module "defguard_gateway" { ami = data.aws_ami.ubuntu[local.gateway_arch].id instance_type = local.gateway_instance_type package_version = local.gateway_package_version - arch = local.gateway_arch grpc_port = local.gateway_grpc_port nat = local.gateway_nat diff --git a/terraform2.0/modules/core/main.tf b/terraform2.0/modules/core/main.tf index 1f407d6..1fa52a7 100644 --- a/terraform2.0/modules/core/main.tf +++ b/terraform2.0/modules/core/main.tf @@ -16,7 +16,6 @@ resource "aws_instance" "defguard_core" { edge_address = var.edge_address edge_grpc_port = var.edge_grpc_port package_version = var.package_version - arch = var.arch cookie_insecure = var.cookie_insecure log_level = var.log_level }) diff --git a/terraform2.0/modules/core/setup.sh b/terraform2.0/modules/core/setup.sh index b7996df..a39b0bc 100755 --- a/terraform2.0/modules/core/setup.sh +++ b/terraform2.0/modules/core/setup.sh 
@@ -28,18 +28,31 @@ wait_for_port() { } ( -log "Updating apt repositories..." +log "Installing prerequisites..." +apt update +apt install -y ca-certificates curl + +log "Adding the Defguard APT repository..." +# The repo serves two suites: trixie (glibc >= 2.39, e.g. Ubuntu 24.04 / Debian 13) and +# bookworm (older glibc, e.g. Ubuntu 22.04 / Debian 12). Pick the one matching this host to +# avoid the known GLIBC_2.39 incompatibility. +. /etc/os-release +case "$VERSION_CODENAME" in + noble | trixie) apt_dist="trixie" ;; + *) apt_dist="bookworm" ;; +esac +install -m 0755 -d /etc/apt/keyrings +curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc +chmod a+r /etc/apt/keyrings/defguard.asc +echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ $apt_dist release-2.0" >/etc/apt/sources.list.d/defguard.list apt update - -log "Installing curl..." -apt install -y curl - -log "Downloading defguard-core package..." -curl -fsSL -o /tmp/defguard-core.deb https://github.com/DefGuard/defguard/releases/download/v${package_version}/defguard-${package_version}-${arch}-unknown-linux-gnu.deb log "Installing defguard-core package..." -# apt-get resolves the deb's dependencies (dpkg -i would not). -apt-get install -y /tmp/defguard-core.deb +%{ if package_version != "" ~} +apt install -y defguard=${package_version} +%{ else ~} +apt install -y defguard +%{ endif ~} log "Writing Core configuration to /etc/defguard/core.conf..." tee /etc/defguard/core.conf <&1 | tee -a "$LOG_FILE" diff --git a/terraform2.0/modules/core/variables.tf b/terraform2.0/modules/core/variables.tf index 9dd2139..58397e7 100644 --- a/terraform2.0/modules/core/variables.tf +++ b/terraform2.0/modules/core/variables.tf 
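Review bot: The signing key fetched by `curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc` is trusted on first use — the `signed-by=` check that follows only proves the packages were signed by whatever key that URL served — and a failed download is not fatal here: even if the script sets `-e` above this hunk, bash does not apply errexit inside a compound command that is a non-final pipeline element, which this `( … ) | tee` subshell is, so the sources entry is still written and `apt install` still runs. Verify the key against a fingerprint taken from Defguard's documentation and abort the subshell on download failure or mismatch, as below; `gpg` ships on stock Ubuntu cloud images, otherwise add `gnupg` to the prerequisites line. The same bootstrap is duplicated verbatim in edge/setup.sh and gateway/setup.sh and needs the same treatment. The subshell wrapping these commands closes outside the hunk.
```shell
curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc \
  || { log "Failed to download the Defguard APT signing key"; exit 1; }
# Pin the signing key: TLS only proves we talked to apt.defguard.net, not that this
# is the key Defguard publishes. Take the fingerprint from Defguard's documentation.
expected_fpr="<FINGERPRINT FROM DEFGUARD DOCS>"
actual_fpr=$(gpg --show-keys --with-colons --with-fingerprint /etc/apt/keyrings/defguard.asc | awk -F: '/^fpr:/ { print $10; exit }')
[ "$actual_fpr" = "$expected_fpr" ] \
  || { log "Unexpected Defguard APT key fingerprint: $actual_fpr"; exit 1; }
chmod a+r /etc/apt/keyrings/defguard.asc
# … unchanged: sources.list.d entry, apt update, package install …
```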
@@ -61,13 +61,9 @@ variable "network_interface_id" { } variable "package_version" { - description = "Version of the Defguard Core package to be installed" - type = string -} - -variable "arch" { - description = "Architecture of the Defguard Core package to be installed" + description = "Version of the Defguard Core package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository." type = string + default = "" } variable "cookie_insecure" { diff --git a/terraform2.0/modules/edge/main.tf b/terraform2.0/modules/edge/main.tf index 763a4bf..202ad12 100644 --- a/terraform2.0/modules/edge/main.tf +++ b/terraform2.0/modules/edge/main.tf @@ -5,10 +5,9 @@ resource "aws_instance" "defguard_edge" { user_data = templatefile("${path.module}/setup.sh", { grpc_port = var.grpc_port - arch = var.arch - package_version = var.package_version http_port = var.http_port https_port = var.https_port + package_version = var.package_version log_level = var.log_level }) user_data_replace_on_change = true diff --git a/terraform2.0/modules/edge/setup.sh b/terraform2.0/modules/edge/setup.sh index 53f2bde..e3ea2b1 100644 --- a/terraform2.0/modules/edge/setup.sh +++ b/terraform2.0/modules/edge/setup.sh 
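Review bot: `package_version` is spliced unquoted into setup.sh by templatefile() (`apt install -y defguard=${package_version}`), so any value that is not a plain version string — a stray space, `;` or `$(` — alters the shell that runs as root at first boot; now that the variable defaults to "" and accepts any string, add a `validation` block so Terraform rejects such values at plan time, as below. The same variable exists in edge/variables.tf and gateway/variables.tf and should get the same check. It is also worth saying in the description that the pin must match the version string as the APT repository publishes it (`apt-cache madison defguard` shows it); if the repo adds a Debian revision, `defguard=2.0.1` will not match.
```hcl
variable "package_version" {
  description = "Version of the Defguard Core package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository."
  type        = string
  default     = ""

  validation {
    # The value is spliced unquoted into setup.sh by templatefile(), so only allow
    # a Debian-style version string (or empty for "latest").
    condition     = var.package_version == "" || can(regex("^[0-9][0-9A-Za-z.+~:-]*$", var.package_version))
    error_message = "package_version must be empty or a Debian package version such as \"2.0.1\"."
  }
}
```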
@@ -8,18 +8,31 @@ log() { } ( -log "Updating apt repositories..." +log "Installing prerequisites..." apt update +apt install -y ca-certificates curl -log "Installing curl..." -apt install -y curl - -log "Downloading defguard-proxy package..." -curl -fsSL -o /tmp/defguard-proxy.deb https://github.com/DefGuard/proxy/releases/download/v${package_version}/defguard-proxy-${package_version}-${arch}-unknown-linux-gnu.deb +log "Adding the Defguard APT repository..." +# The repo serves two suites: trixie (glibc >= 2.39, e.g. Ubuntu 24.04 / Debian 13) and +# bookworm (older glibc, e.g. Ubuntu 22.04 / Debian 12). Pick the one matching this host to +# avoid the known GLIBC_2.39 incompatibility. +. /etc/os-release +case "$VERSION_CODENAME" in + noble | trixie) apt_dist="trixie" ;; + *) apt_dist="bookworm" ;; +esac +install -m 0755 -d /etc/apt/keyrings +curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc +chmod a+r /etc/apt/keyrings/defguard.asc +echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ $apt_dist release-2.0" >/etc/apt/sources.list.d/defguard.list +apt update log "Installing defguard-proxy package..." -# apt-get resolves the deb's dependencies (dpkg -i would not). -apt-get install -y /tmp/defguard-proxy.deb +%{ if package_version != "" ~} +apt install -y defguard-proxy=${package_version} +%{ else ~} +apt install -y defguard-proxy +%{ endif ~} # The edge runs as the 'defguard' user, so the cert dir must be writable by it. log "Ensuring certificate directory exists..." @@ -53,8 +66,5 @@ systemctl enable defguard-proxy log "Starting defguard-proxy service..." systemctl start defguard-proxy -log "Cleaning up after installing Defguard Edge..." -rm -f /tmp/defguard-proxy.deb - log "Setup completed." ) 2>&1 | tee -a "$LOG_FILE" diff --git a/terraform2.0/modules/edge/variables.tf b/terraform2.0/modules/edge/variables.tf index 5185163..c3107e2 100644 
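Review bot: When `package_version` is empty, `apt install -y defguard-proxy` installs whatever is newest in the chosen suite at boot, and nothing in the hunk records which version that was, so two edge instances created weeks apart (user_data_replace_on_change re-runs this on any change) can silently run different builds. Log the resolved version right after the install, e.g. `log "Installed $(dpkg-query -W -f='$${Package} $${Version}' defguard-proxy)"` — note the doubled `$$`, because this file goes through templatefile() and a bare `${Version}` would be parsed as a Terraform interpolation. Also consider failing explicitly, `|| { log "defguard-proxy install failed"; exit 1; }`, since a failed `apt install` inside this `( … ) | tee` subshell does not stop the script before it writes the config and starts the service. The subshell wrapping these commands closes in the later hunk of this file.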
--- a/terraform2.0/modules/edge/variables.tf +++ b/terraform2.0/modules/edge/variables.tf @@ -32,14 +32,10 @@ variable "network_interface_id" { type = string } -variable "arch" { - description = "Architecture of the Defguard Edge package to be installed" - type = string -} - variable "package_version" { - description = "Version of the Defguard Edge package to be installed" + description = "Version of the Defguard Edge package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository." type = string + default = "" } variable "log_level" { diff --git a/terraform2.0/modules/gateway/main.tf b/terraform2.0/modules/gateway/main.tf index 418394c..51aae80 100644 --- a/terraform2.0/modules/gateway/main.tf +++ b/terraform2.0/modules/gateway/main.tf @@ -5,9 +5,8 @@ resource "aws_instance" "defguard_gateway" { user_data = templatefile("${path.module}/setup.sh", { grpc_port = var.grpc_port - package_version = var.package_version nat = var.nat - arch = var.arch + package_version = var.package_version log_level = var.log_level }) user_data_replace_on_change = true diff --git a/terraform2.0/modules/gateway/setup.sh b/terraform2.0/modules/gateway/setup.sh index 1dce883..9b28de0 100644 --- a/terraform2.0/modules/gateway/setup.sh +++ b/terraform2.0/modules/gateway/setup.sh 
@@ -8,18 +8,31 @@ log() { } ( -log "Updating apt repositories..." +log "Installing prerequisites..." +apt update +apt install -y ca-certificates curl + +log "Adding the Defguard APT repository..." +# The repo serves two suites: trixie (glibc >= 2.39, e.g. Ubuntu 24.04 / Debian 13) and +# bookworm (older glibc, e.g. Ubuntu 22.04 / Debian 12). Pick the one matching this host to +# avoid the known GLIBC_2.39 incompatibility. +. /etc/os-release +case "$VERSION_CODENAME" in + noble | trixie) apt_dist="trixie" ;; + *) apt_dist="bookworm" ;; +esac +install -m 0755 -d /etc/apt/keyrings +curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc +chmod a+r /etc/apt/keyrings/defguard.asc +echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ $apt_dist release-2.0" >/etc/apt/sources.list.d/defguard.list apt update - -log "Installing curl..." -apt install -y curl - -log "Downloading defguard-gateway package..." -curl -fsSL -o /tmp/defguard-gateway.deb https://github.com/DefGuard/gateway/releases/download/v${package_version}/defguard-gateway-${package_version}-${arch}-unknown-linux-gnu.deb log "Installing defguard-gateway package..." -# apt-get resolves the deb's dependencies (dpkg -i would not). -apt-get install -y /tmp/defguard-gateway.deb +%{ if package_version != "" ~} +apt install -y defguard-gateway=${package_version} +%{ else ~} +apt install -y defguard-gateway +%{ endif ~} log "Ensuring certificate directory exists..." mkdir -p /etc/defguard/certs @@ -65,8 +78,5 @@ systemctl enable defguard-gateway log "Starting defguard-gateway service..." systemctl start defguard-gateway -log "Cleaning up after installing Defguard Gateway..." -rm -f /tmp/defguard-gateway.deb - log "Setup completed." ) 2>&1 | tee -a "$LOG_FILE" diff --git a/terraform2.0/modules/gateway/variables.tf b/terraform2.0/modules/gateway/variables.tf index ac8fb8d..3333ff8 100644 --- a/terraform2.0/modules/gateway/variables.tf 
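Review bot: `apt update` / `apt install -y …` are the interactive front end; in a non-interactive user-data run `apt` emits its "does not have a stable CLI interface" warning into $LOG_FILE and does not select the noninteractive debconf frontend, which is why the removed code used `apt-get install`. Keep that form here and in the core/edge copies, e.g. `DEBIAN_FRONTEND=noninteractive apt-get install -y defguard-gateway=${package_version}` with `apt-get update` to match. A one-line comment on the `*)` arm would also help: any codename not listed — including releases newer than noble — gets the bookworm build, which is the safe direction since a binary built against an older glibc still runs on a newer one, but that is not obvious from the case statement. The subshell wrapping these commands closes in the later hunk of this file.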
+++ b/terraform2.0/modules/gateway/variables.tf @@ -21,13 +21,9 @@ variable "network_interface_id" { } variable "package_version" { - description = "Version of the Defguard Gateway package to be installed" - type = string -} - -variable "arch" { - description = "Architecture of the Defguard Gateway package to be installed" + description = "Version of the Defguard Gateway package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository." type = string + default = "" } variable "nat" {