/terraform-aws-ecs-wireguard


ECS Wireguard

Description

Install a Wireguard service on ECS backed by EC2 autoscaling

Usage

module "wireguard" {
  source = "../../modules/wireguard"

  # FQDN that clients connect to; point it at the module's load balancer (output elb_dns_name)
  server_url      = "wireguard.example.com"
  # Number of peer configurations to generate; leave at 0 when using wireguard-ui
  wireguard_peers = 2
}

Interacting with the server

The module attaches an ECS Exec policy (aws_iam_policy.exec_command_policy) to the task's IAM role, so you can open a shell in the running container with ECS Exec instead of SSH. See the AWS announcement for the client-side setup:

https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/
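As an added example (not part of the module), the script below uses ECS Exec to pull `wg show wg0 dump` from the running task and lists peers whose latest handshake is older than a threshold, which is a quick way to spot stale or never-connected peers. It assumes the ECS service and container are both named after the module's `name` input (default "wireguard"), that the interface is `wg0`, and that the image ships the `wg` tool; the cluster name comes from the module output `ecs_cluster_name`.

```shell
#!/bin/sh
# Added example, not the module's own code. Assumptions: service and container
# are named "wireguard", the tunnel interface is wg0, `wg` exists in the image.
CONTAINER="${CONTAINER:-wireguard}"
SERVICE="${SERVICE:-wireguard}"
MAX_AGE="${MAX_AGE:-300}"   # seconds since last handshake before a peer is "stale"

# fetch_dump CLUSTER: run `wg show wg0 dump` in the task via ECS Exec.
# The session-manager-plugin banner lines are harmless: they have no tabs and
# are ignored by stale_peers below.
fetch_dump() {
  task=$(aws ecs list-tasks --cluster "$1" --service-name "$SERVICE" \
           --query 'taskArns[0]' --output text)
  aws ecs execute-command --cluster "$1" --task "$task" \
    --container "$CONTAINER" --interactive --command "wg show wg0 dump"
}

# stale_peers DUMP NOW MAX_AGE: print "<public-key> <age>" for each peer whose
# latest handshake is older than MAX_AGE seconds. Peer lines in dump format have
# 8 tab-separated fields (pubkey psk endpoint allowed-ips handshake rx tx keepalive);
# the 4-field interface line and any banner lines are skipped. A handshake
# timestamp of 0 means the peer never connected and is reported as "never".
stale_peers() {
  printf '%s\n' "$1" | awk -v now="$2" -v max="$3" -F'\t' '
    NF == 8 {
      if ($5 == 0) { print $1, "never"; next }
      age = now - $5
      if (age > max) print $1, age
    }'
}

# Constructed sample dump (placeholder keys, not real ones) so the parser can be
# exercised offline: one interface line and three peers.
SAMPLE=$(printf 'PRIVKEY\tSERVERPUB\t51820\toff\nPEER1PUB\t(none)\t203.0.113.5:40000\t10.13.13.2/32\t1700000000\t1024\t2048\t25\nPEER2PUB\t(none)\t(none)\t10.13.13.3/32\t0\t0\t0\t25\nPEER3PUB\t(none)\t198.51.100.7:51000\t10.13.13.4/32\t1700000500\t10\t20\t25\n')

# With CLUSTER set (e.g. CLUSTER=$(terraform output -raw ecs_cluster_name))
# the live task is queried; otherwise the constructed sample is analysed.
if [ -n "${CLUSTER:-}" ]; then
  stale_peers "$(fetch_dump "$CLUSTER")" "$(date +%s)" "$MAX_AGE"
else
  stale_peers "$SAMPLE" 1700000600 "$MAX_AGE"
fi
```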

Testing

No tests currently exist for this module.

Terraform Version

Terraform 1.0. Pin the module version to ~> 1.0.0. Submit pull requests to the master branch.

Terraform versions prior to 1.0 are not supported.

License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.

Developer Setup

This template is configured to use aws-vault, direnv, pre-commit, terraform-docs, and tfenv. If using Homebrew on macOS, you can install the dependencies with the following commands.

brew install aws-vault direnv pre-commit terraform-docs tfenv
pre-commit install --install-hooks

If using direnv, add a .envrc.local that sets the default AWS region, e.g., export AWS_DEFAULT_REGION=us-west-2.

If using tfenv, then add a .terraform-version to the project root dir, with the version you would like to use.

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws  | n/a     |

Modules

| Name | Source | Version |
|------|--------|---------|
| cloudwatch_kms_key | dod-iac/cloudwatch-kms-key/aws | ~> 1.0.0 |
| ecs_cluster | dod-iac/ecs-cluster/aws | ~> 1.3 |
| ecs_instance_role | dod-iac/ec2-instance-role/aws | ~> 1.0 |
| ecs_task_execution_role | dod-iac/ecs-task-execution-role/aws | ~> 1.0 |
| ecs_task_role | dod-iac/ecs-task-role/aws | ~> 1.0 |
| efs_key | dod-iac/efs-kms-key/aws | ~> 1.0 |
| vpc | terraform-aws-modules/vpc/aws | ~> 3.1 |
| vpc_endpoints | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 3.1 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.logs | resource |
| aws_ecs_service.wireguard | resource |
| aws_ecs_task_definition.wireguard | resource |
| aws_efs_access_point.config | resource |
| aws_efs_backup_policy.policy | resource |
| aws_efs_file_system.fs | resource |
| aws_efs_file_system_policy.policy | resource |
| aws_efs_mount_target.fs | resource |
| aws_eip.nat | resource |
| aws_eip.nlb | resource |
| aws_iam_instance_profile.ecs_instance_role | resource |
| aws_iam_policy.efs_policy | resource |
| aws_iam_policy.exec_command_policy | resource |
| aws_iam_role_policy_attachment.exec_command_task | resource |
| aws_iam_role_policy_attachment.task | resource |
| aws_key_pair.main | resource |
| aws_lb.main | resource |
| aws_lb_listener.main_wireguard | resource |
| aws_lb_target_group.main_wireguard | resource |
| aws_security_group.endpoints | resource |
| aws_security_group.nfs | resource |
| aws_security_group.ssh | resource |
| aws_security_group.wireguard | resource |
| aws_ami.vpn | data source |
| aws_iam_policy_document.efs | data source |
| aws_iam_policy_document.exec_command | data source |
| aws_iam_policy_document.fs | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cloudwatch_log_retention_in_days | The CloudWatch log retention in days | number | 90 | no |
| ec2_instance_type | The EC2 instance type to launch for the cluster | string | "t2.small" | no |
| key_name | The AWS Key Pair key name | string | "wireguard" | no |
| name | A unique name for the module | string | "wireguard" | no |
| server_tz | The time zone for the server | string | "America/Los_Angeles" | no |
| server_url | The FQDN serving WireGuard (ex: www.example.com) | string | n/a | yes |
| ssh_public_key | The public key to use for an AWS key pair. This will enable SSH access to the ECS cluster EC2 instance. Leaving this blank will disable access. | string | "" | no |
| tags | Tags to apply to created resources | map(string) | {} | no |
| wireguard_peers | The number of WireGuard peers to configure. When using wireguard-ui, set to 0 or leave as default. | number | 0 | no |

Outputs

| Name | Description |
|------|-------------|
| ecs_cluster_name | n/a |
| efs_ap_id_config | n/a |
| efs_fs | n/a |
| elb_dns_name | n/a |
| public_subnets | n/a |
| vpc_id | n/a |