27 changes: 12 additions & 15 deletions terraform2.0/examples/basic/main.tf.example
Expand Up @@ -36,9 +36,9 @@ locals {
# are using HTTP to access the Defguard Core web UI.
core_cookie_insecure = false

# The deb package version of the Defguard Core that will be installed on the instance.
# Must be a valid, released 2.x version of Defguard Core.
core_package_version = "2.0.1"
# Pin the Defguard Core deb package version (e.g. "2.0.1"). Leave empty ("") to install the
# latest version available in the Defguard APT repository.
core_package_version = ""

# The architecture of the Defguard Core server instance.
# Supported values: "x86_64", "aarch64"
Expand All @@ -58,9 +58,9 @@ locals {
# The HTTPS port the Defguard Edge listens on (used after Core provisions TLS).
edge_https_port = 443

# The deb package version of the edge that will be installed on the instance.
# Must be a valid, released 2.x version of Defguard Proxy (edge).
edge_package_version = "2.0.1"
# Pin the edge deb package version (e.g. "2.0.1"). Leave empty ("") to install the
# latest version available in the Defguard APT repository.
edge_package_version = ""

# The architecture of the Defguard Edge server instance.
# Supported values: "x86_64", "aarch64"
Expand All @@ -83,9 +83,9 @@ locals {
# internet and other resources through the gateway.
gateway_nat = true

# The gateway deb package version that will be installed on the instance.
# Must be a valid, released 2.x version of Defguard Gateway.
gateway_package_version = "2.0.1"
# Pin the gateway deb package version (e.g. "2.0.1"). Leave empty ("") to install the
# latest version available in the Defguard APT repository.
gateway_package_version = ""

# The architecture of the Defguard Gateway server instance.
# Supported values: "x86_64", "aarch64"
Expand Down Expand Up @@ -158,7 +158,7 @@ terraform {
}

# Maps the deb package architecture (x86_64/aarch64) to the Ubuntu AMI name token
# (amd64/arm64), so the AMI a component boots matches the package its setup.sh downloads.
# (amd64/arm64), so the AMI a component boots matches the package apt installs.
locals {
ubuntu_ami_arch = {
x86_64 = "amd64"
Expand Down Expand Up @@ -193,10 +193,9 @@ provider "aws" {

module "defguard_core" {
# source = "../../modules/core"
source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main"
source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main"
instance_type = local.core_instance_type
package_version = local.core_package_version
arch = local.core_arch
ami = data.aws_ami.ubuntu[local.core_arch].id

grpc_port = local.core_grpc_port
Expand Down Expand Up @@ -227,7 +226,6 @@ module "defguard_edge" {

instance_type = local.edge_instance_type
package_version = local.edge_package_version
arch = local.edge_arch
grpc_port = local.edge_grpc_port
http_port = local.edge_http_port
https_port = local.edge_https_port
Expand All @@ -245,7 +243,6 @@ module "defguard_gateway" {
ami = data.aws_ami.ubuntu[local.gateway_arch].id
instance_type = local.gateway_instance_type
package_version = local.gateway_package_version
arch = local.gateway_arch

grpc_port = local.gateway_grpc_port
nat = local.gateway_nat
Expand All @@ -266,7 +263,7 @@ module "vpc" {

enable_dns_hostnames = true

# Private Core needs NAT for outbound (deb download at boot, license checks). Gateway/Edge
# Private Core needs NAT for outbound (apt package install at boot, license checks). Gateway/Edge
# are public and egress via their own EIPs.
enable_nat_gateway = true
single_nat_gateway = true
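Review bot: The three example locals now default to `""` (core at the new line after "# latest version available", edge and gateway likewise), which means each instance resolves "latest" on its own boot; an instance created later than the others (for example after a replacement) can end up on a different Defguard version than its peers, and the example no longer reproduces the same deployment twice. Whether Core, Edge and Gateway must be version-matched is not visible here, but an example is where a reader copies defaults from, so I would keep a pinned value and share it, e.g. `defguard_version = "2.0.1"` as one local and `core_package_version = local.defguard_version` (and the same for edge/gateway), leaving the "" = latest behaviour documented as the opt-in. The same applies to terraform2.0/examples/existing-vpc/main.tf.example.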
18 changes: 8 additions & 10 deletions terraform2.0/examples/existing-vpc/main.tf.example
Expand Up @@ -7,8 +7,8 @@
#
# Your network must satisfy these requirements:
# - core_subnet_id : a PRIVATE subnet with outbound internet (a NAT gateway/instance).
# Core has no public IP and must download its deb + reach the license
# server on first boot.
# Core has no public IP and must reach the Defguard APT repo +
# the license server on first boot.
# - public_subnet_id : a PUBLIC subnet (internet gateway route) so the Gateway and Edge
# EIPs work. Gateway needs inbound UDP; Edge needs inbound HTTPS. To put
# them in separate subnets, also set gateway_subnet_id / edge_subnet_id.
Expand All @@ -20,23 +20,24 @@ locals {
core_grpc_port = 50055
core_http_port = 8000
core_cookie_insecure = false
core_package_version = "2.0.1"
# Pin a version (e.g. "2.0.1") or leave empty ("") to install the latest from the APT repo.
core_package_version = ""
core_arch = "x86_64"
core_instance_type = "t3.micro"

############################ Edge configuration ###########################
edge_grpc_port = 50051
edge_http_port = 8080
edge_https_port = 443
edge_package_version = "2.0.1"
edge_package_version = ""
edge_arch = "x86_64"
edge_instance_type = "t3.micro"

###################### VPN and Gateway configuration ######################
gateway_grpc_port = 50066
wireguard_port = 51820
gateway_nat = true
gateway_package_version = "2.0.1"
gateway_package_version = ""
gateway_arch = "x86_64"
gateway_instance_type = "t3.micro"

Expand Down Expand Up @@ -123,7 +124,7 @@ data "aws_vpc" "selected" {
}

# Maps the deb package architecture (x86_64/aarch64) to the Ubuntu AMI name token
# (amd64/arm64), so the AMI a component boots matches the package its setup.sh downloads.
# (amd64/arm64), so the AMI a component boots matches the package apt installs.
locals {
ubuntu_ami_arch = {
x86_64 = "amd64"
Expand Down Expand Up @@ -184,10 +185,9 @@ module "network" {

module "defguard_core" {
# source = "../../modules/core"
source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main"
source = "github.com/DefGuard/deployment//terraform2.0/modules/core?ref=main"
instance_type = local.core_instance_type
package_version = local.core_package_version
arch = local.core_arch
ami = data.aws_ami.ubuntu[local.core_arch].id

grpc_port = local.core_grpc_port
Expand Down Expand Up @@ -216,7 +216,6 @@ module "defguard_edge" {

instance_type = local.edge_instance_type
package_version = local.edge_package_version
arch = local.edge_arch
grpc_port = local.edge_grpc_port
http_port = local.edge_http_port
https_port = local.edge_https_port
Expand All @@ -233,7 +232,6 @@ module "defguard_gateway" {
ami = data.aws_ami.ubuntu[local.gateway_arch].id
instance_type = local.gateway_instance_type
package_version = local.gateway_package_version
arch = local.gateway_arch

grpc_port = local.gateway_grpc_port
nat = local.gateway_nat
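Review bot: Only `core_package_version` received the explanatory comment ("Pin a version ... or leave empty") in the locals hunk; `edge_package_version = ""` and `gateway_package_version = ""` changed to the same empty default with no comment, so a reader of the Edge or Gateway section does not learn that "" means latest. Either repeat the one-line comment above each, or generalise the core comment to `# For all *_package_version locals: pin a version (e.g. "2.0.1") or leave empty ("") to install the latest from the APT repo.` so it plainly covers all three.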
1 change: 0 additions & 1 deletion terraform2.0/modules/core/main.tf
Expand Up @@ -16,7 +16,6 @@ resource "aws_instance" "defguard_core" {
edge_address = var.edge_address
edge_grpc_port = var.edge_grpc_port
package_version = var.package_version
arch = var.arch
cookie_insecure = var.cookie_insecure
log_level = var.log_level
})
34 changes: 22 additions & 12 deletions terraform2.0/modules/core/setup.sh
Expand Up @@ -28,18 +28,31 @@ wait_for_port() {
}

(
log "Updating apt repositories..."
log "Installing prerequisites..."
apt update
apt install -y ca-certificates curl

log "Adding the Defguard APT repository..."
# The repo serves two suites: trixie (glibc >= 2.39, e.g. Ubuntu 24.04 / Debian 13) and
# bookworm (older glibc, e.g. Ubuntu 22.04 / Debian 12). Pick the one matching this host to
# avoid the known GLIBC_2.39 incompatibility.
. /etc/os-release
case "$VERSION_CODENAME" in
noble | trixie) apt_dist="trixie" ;;
*) apt_dist="bookworm" ;;
esac
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc
chmod a+r /etc/apt/keyrings/defguard.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ $apt_dist release-2.0" >/etc/apt/sources.list.d/defguard.list
apt update

log "Installing curl..."
apt install -y curl

log "Downloading defguard-core package..."
curl -fsSL -o /tmp/defguard-core.deb https://github.com/DefGuard/defguard/releases/download/v${package_version}/defguard-${package_version}-${arch}-unknown-linux-gnu.deb

log "Installing defguard-core package..."
# apt-get resolves the deb's dependencies (dpkg -i would not).
apt-get install -y /tmp/defguard-core.deb
%{ if package_version != "" ~}
apt install -y defguard=${package_version}
%{ else ~}
apt install -y defguard
%{ endif ~}

log "Writing Core configuration to /etc/defguard/core.conf..."
tee /etc/defguard/core.conf <<EOF
Expand Down Expand Up @@ -78,8 +91,5 @@ systemctl enable defguard
log "Starting Defguard service..."
systemctl start defguard

log "Cleaning up after installing Defguard Core..."
rm -f /tmp/defguard-core.deb

log "Setup completed."
) 2>&1 | tee -a "$LOG_FILE"
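Review bot: The signing key written to /etc/apt/keyrings/defguard.asc by the new `curl -fsSL https://apt.defguard.net/defguard.asc` line is trusted as-is, so the host trusts whatever key the repository endpoint serves at provisioning time; `signed-by=` then only proves packages match that just-downloaded key, which is weaker than pinning the key this script was written against. I would compare the key's fingerprint to an expected value before the `chmod` and fail closed on mismatch (the `exit 1` only leaves the subshell opened at the `(` line, whose end is inside this hunk but whose caller's status handling is not visible, so check that a failed subshell is noticed). This needs `gnupg` added to the prerequisites line if the AMI does not already ship it. The identical block appears in terraform2.0/modules/edge/setup.sh and terraform2.0/modules/gateway/setup.sh.
```shell
apt install -y ca-certificates curl gnupg
# … unchanged: os-release suite selection, keyring dir …
curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc
# Fail closed if the served key is not the one this script was written against.
expected_fpr="<DEFGUARD_APT_KEY_FINGERPRINT placeholder - fill in from the published key>"
actual_fpr=$(gpg --show-keys --with-colons /etc/apt/keyrings/defguard.asc | awk -F: '$1 == "fpr" { print $10; exit }')
if [ "$actual_fpr" != "$expected_fpr" ]; then
    log "Defguard APT key fingerprint mismatch (got '$actual_fpr'); aborting setup."
    exit 1
fi
chmod a+r /etc/apt/keyrings/defguard.asc
# … unchanged: sources.list entry, apt update, package install …
```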
8 changes: 2 additions & 6 deletions terraform2.0/modules/core/variables.tf
Expand Up @@ -61,13 +61,9 @@ variable "network_interface_id" {
}

variable "package_version" {
description = "Version of the Defguard Core package to be installed"
type = string
}

variable "arch" {
description = "Architecture of the Defguard Core package to be installed"
description = "Version of the Defguard Core package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository."
type = string
default = ""
}

variable "cookie_insecure" {
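Review bot: `package_version` now accepts any string (`default = ""`) and setup.sh splices it unquoted into `apt install -y defguard=${package_version}`, so a stray space or shell metacharacter in an operator-supplied value yields a malformed or surprising apt invocation rather than a plan-time error. A `validation` block restricting the value to an empty string or Debian version characters catches that before any instance is created. The same applies to the `package_version` variables in terraform2.0/modules/edge/variables.tf and terraform2.0/modules/gateway/variables.tf.
```hcl
variable "package_version" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.package_version == "" || can(regex("^[A-Za-z0-9.+~:-]+$", var.package_version))
    error_message = "package_version must be empty or a Debian package version such as \"2.0.1\" (no whitespace or shell metacharacters)."
  }
}
```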
3 changes: 1 addition & 2 deletions terraform2.0/modules/edge/main.tf
Expand Up @@ -5,10 +5,9 @@ resource "aws_instance" "defguard_edge" {

user_data = templatefile("${path.module}/setup.sh", {
grpc_port = var.grpc_port
arch = var.arch
package_version = var.package_version
http_port = var.http_port
https_port = var.https_port
package_version = var.package_version
log_level = var.log_level
})
user_data_replace_on_change = true
32 changes: 21 additions & 11 deletions terraform2.0/modules/edge/setup.sh
Expand Up @@ -8,18 +8,31 @@ log() {
}

(
log "Updating apt repositories..."
log "Installing prerequisites..."
apt update
apt install -y ca-certificates curl

log "Installing curl..."
apt install -y curl

log "Downloading defguard-proxy package..."
curl -fsSL -o /tmp/defguard-proxy.deb https://github.com/DefGuard/proxy/releases/download/v${package_version}/defguard-proxy-${package_version}-${arch}-unknown-linux-gnu.deb
log "Adding the Defguard APT repository..."
# The repo serves two suites: trixie (glibc >= 2.39, e.g. Ubuntu 24.04 / Debian 13) and
# bookworm (older glibc, e.g. Ubuntu 22.04 / Debian 12). Pick the one matching this host to
# avoid the known GLIBC_2.39 incompatibility.
. /etc/os-release
case "$VERSION_CODENAME" in
noble | trixie) apt_dist="trixie" ;;
*) apt_dist="bookworm" ;;
esac
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc
chmod a+r /etc/apt/keyrings/defguard.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ $apt_dist release-2.0" >/etc/apt/sources.list.d/defguard.list
apt update

log "Installing defguard-proxy package..."
# apt-get resolves the deb's dependencies (dpkg -i would not).
apt-get install -y /tmp/defguard-proxy.deb
%{ if package_version != "" ~}
apt install -y defguard-proxy=${package_version}
%{ else ~}
apt install -y defguard-proxy
%{ endif ~}

# The edge runs as the 'defguard' user, so the cert dir must be writable by it.
log "Ensuring certificate directory exists..."
Expand Down Expand Up @@ -53,8 +66,5 @@ systemctl enable defguard-proxy
log "Starting defguard-proxy service..."
systemctl start defguard-proxy

log "Cleaning up after installing Defguard Edge..."
rm -f /tmp/defguard-proxy.deb

log "Setup completed."
) 2>&1 | tee -a "$LOG_FILE"
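Review bot: The pin in `apt install -y defguard-proxy=${package_version}` holds only for that install; once the Defguard repository is configured, any later `apt upgrade` or unattended-upgrades run on the host can move the package off the version the operator chose, which defeats the point of passing a version through Terraform. When a version is given, mark the package held in the same branch, `apt-mark hold defguard-proxy`, so drift requires an explicit unhold. The old code's comment preferred `apt-get` for scripts and the new code switches to `apt`; keeping `apt-get` here is the more stable CLI for non-interactive use. The same applies to the core and gateway setup.sh hunks.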
8 changes: 2 additions & 6 deletions terraform2.0/modules/edge/variables.tf
Expand Up @@ -32,14 +32,10 @@ variable "network_interface_id" {
type = string
}

variable "arch" {
description = "Architecture of the Defguard Edge package to be installed"
type = string
}

variable "package_version" {
description = "Version of the Defguard Edge package to be installed"
description = "Version of the Defguard Edge package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository."
type = string
default = ""
}

variable "log_level" {
3 changes: 1 addition & 2 deletions terraform2.0/modules/gateway/main.tf
Expand Up @@ -5,9 +5,8 @@ resource "aws_instance" "defguard_gateway" {

user_data = templatefile("${path.module}/setup.sh", {
grpc_port = var.grpc_port
package_version = var.package_version
nat = var.nat
arch = var.arch
package_version = var.package_version
log_level = var.log_level
})
user_data_replace_on_change = true
34 changes: 22 additions & 12 deletions terraform2.0/modules/gateway/setup.sh
Expand Up @@ -8,18 +8,31 @@ log() {
}

(
log "Updating apt repositories..."
log "Installing prerequisites..."
apt update
apt install -y ca-certificates curl

log "Adding the Defguard APT repository..."
# The repo serves two suites: trixie (glibc >= 2.39, e.g. Ubuntu 24.04 / Debian 13) and
# bookworm (older glibc, e.g. Ubuntu 22.04 / Debian 12). Pick the one matching this host to
# avoid the known GLIBC_2.39 incompatibility.
. /etc/os-release
case "$VERSION_CODENAME" in
noble | trixie) apt_dist="trixie" ;;
*) apt_dist="bookworm" ;;
esac
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc
chmod a+r /etc/apt/keyrings/defguard.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ $apt_dist release-2.0" >/etc/apt/sources.list.d/defguard.list
apt update

log "Installing curl..."
apt install -y curl

log "Downloading defguard-gateway package..."
curl -fsSL -o /tmp/defguard-gateway.deb https://github.com/DefGuard/gateway/releases/download/v${package_version}/defguard-gateway-${package_version}-${arch}-unknown-linux-gnu.deb

log "Installing defguard-gateway package..."
# apt-get resolves the deb's dependencies (dpkg -i would not).
apt-get install -y /tmp/defguard-gateway.deb
%{ if package_version != "" ~}
apt install -y defguard-gateway=${package_version}
%{ else ~}
apt install -y defguard-gateway
%{ endif ~}

log "Ensuring certificate directory exists..."
mkdir -p /etc/defguard/certs
Expand Down Expand Up @@ -65,8 +78,5 @@ systemctl enable defguard-gateway
log "Starting defguard-gateway service..."
systemctl start defguard-gateway

log "Cleaning up after installing Defguard Gateway..."
rm -f /tmp/defguard-gateway.deb

log "Setup completed."
) 2>&1 | tee -a "$LOG_FILE"
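Review bot: The `case "$VERSION_CODENAME"` only recognises `noble` and `trixie`; every other codename, including Ubuntu releases newer than 24.04 and a host where /etc/os-release lacks the field, silently lands on `bookworm`, so the comment's "pick the one matching this host" overstates what the match does. Since the suite choice determines which glibc build is installed, it is worth making the decision visible in the log and narrowing the comment; add after `esac` the line `log "Using Defguard APT suite '$apt_dist' for $PRETTY_NAME"` and change the comment to say that anything other than noble/trixie falls back to the bookworm suite. Whether the bookworm build is acceptable on newer hosts is not something this hunk shows. The same applies to the core and edge setup.sh hunks.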
8 changes: 2 additions & 6 deletions terraform2.0/modules/gateway/variables.tf
Expand Up @@ -21,13 +21,9 @@ variable "network_interface_id" {
}

variable "package_version" {
description = "Version of the Defguard Gateway package to be installed"
type = string
}

variable "arch" {
description = "Architecture of the Defguard Gateway package to be installed"
description = "Version of the Defguard Gateway package to install (e.g. \"2.0.1\"). Leave empty to install the latest version available in the APT repository."
type = string
default = ""
}

variable "nat" {