From 1b9d95ac845f69f02383dc337190a09339bda8de Mon Sep 17 00:00:00 2001 
From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 16:01:03 +0300 Subject: [PATCH 01/20] Add deployment configuration for Stun server (#87) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add deployment configuration for Stun server * Update stun_server/main.tf Co-authored-by: Joakim Sørensen * Migrate to using service module, support multiple regions * PR review fixes * Add required Terraform version * Started using AWS region variable, fixed missing AWS provider issue * Fix image URL, make subdomain be constructed from region * TF config fixes * Add region tag to resources * Code improvements based on PR suggestions * Change stun server IP output key * More PR improvements * Upgrade AWS provider version * Add dependencies between ECS service, network interface filter and Cloudflare DNS --------- Co-authored-by: Joakim Sørensen --- stun_server/main.tf | 37 +++++++++++++++++++++++++++++ stun_server/outputs.tf | 8 +++++++ stun_server/region/dns.tf | 12 ++++++++++ stun_server/region/ecs.tf | 32 +++++++++++++++++++++++++ stun_server/region/module.tf | 41 +++++++++++++++++++++++++++++++++ stun_server/region/network.tf | 30 ++++++++++++++++++++++++ stun_server/region/outputs.tf | 4 ++++ stun_server/region/variables.tf | 14 +++++++++++ stun_server/region/versions.tf | 19 +++++++++++++++ stun_server/variables.tf | 9 ++++++++ stun_server/versions.tf | 10 ++++++++ 11 files changed, 216 insertions(+) create mode 100644 stun_server/main.tf create mode 100644 stun_server/outputs.tf create mode 100644 stun_server/region/dns.tf create mode 100644 stun_server/region/ecs.tf create mode 100644 stun_server/region/module.tf create mode 100644 stun_server/region/network.tf create mode 100644 stun_server/region/outputs.tf create mode 100644 stun_server/region/variables.tf create mode 100644 stun_server/region/versions.tf create mode 100644 stun_server/variables.tf create mode 100644 stun_server/versions.tf 
diff --git a/stun_server/main.tf b/stun_server/main.tf
new file mode 100644
index 0000000..f524393
--- /dev/null
+++ b/stun_server/main.tf
@@ -0,0 +1,37 @@
+terraform {
+ cloud {
+ organization = "home_assistant"
+
+ workspaces {
+ name = "stun_server"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+module "us_east_1" {
+ source = "./region"
+
+ region = "us-east-1"
+ domain_name = var.domain_name
+ image_tag = var.image_tag
+}
+
+module "eu_central_1" {
+ source = "./region"
+
+ region = "eu-central-1"
+ domain_name = var.domain_name
+ image_tag = var.image_tag
+}
+
+module "ap_southeast_1" {
+ source = "./region"
+
+ region = "ap-southeast-1"
+ domain_name = var.domain_name
+ image_tag = var.image_tag
+}
diff --git a/stun_server/outputs.tf b/stun_server/outputs.tf
new file mode 100644
index 0000000..916ea9a
--- /dev/null
+++ b/stun_server/outputs.tf
@@ -0,0 +1,8 @@
+output "ip" {
+ description = "The public IP address of the stun server"
+ value = {
+ "us-east-1" = module.us_east_1.stun_server_ip
+ "eu-central-1" = module.eu_central_1.stun_server_ip
+ "ap-southeast-1" = module.ap_southeast_1.stun_server_ip
+ }
+}
diff --git a/stun_server/region/dns.tf b/stun_server/region/dns.tf
new file mode 100644
index 0000000..e832e2d
--- /dev/null
+++ b/stun_server/region/dns.tf
@@ -0,0 +1,12 @@
+data "cloudflare_zone" "dns_zone" {
+ name = var.domain_name
+}
+
+resource "cloudflare_record" "instance_dns" {
+ zone_id = data.cloudflare_zone.dns_zone.id
+ name = join("-", ["stun", data.aws_region.current.name])
+ content = data.aws_network_interface.stun_server_interface.association[0].public_ip
+ type = "A"
+ proxied = true
+ depends_on = [data.aws_network_interface.stun_server_interface]
+}
diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf
new file mode 100644
index 0000000..760a9ff
--- /dev/null
+++ b/stun_server/region/ecs.tf
@@ -0,0 +1,32 @@
+resource "aws_ecs_service" "stun-server" {
+ name = local.service_name
+ cluster = local.infrastructure_region_outputs.ecs_cluster
+ task_definition = module.stun_server.task_definition
+ desired_count = 1
+ deployment_minimum_healthy_percent = 100
+ deployment_maximum_percent = 200
+ health_check_grace_period_seconds = 90
+ launch_type = "FARGATE"
+
+ # Required to fetch the public IP address of the ECS service
+ enable_ecs_managed_tags = true
+ wait_for_steady_state = true
+
+ network_configuration {
+ assign_public_ip = true
+ security_groups = [aws_security_group.stun_sg.id]
+ subnets = local.infrastructure_region_outputs.public_subnets
+ }
+
+ tags = {
+ region = data.aws_region.current.name
+ }
+}
+
+data "aws_network_interface" "stun_server_interface" {
+ filter {
+ name = "tag:aws:ecs:serviceName"
+ values = [aws_ecs_service.stun-server.name]
+ }
+ depends_on = [aws_ecs_service.stun-server]
+}
diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf
new file mode 100644
index 0000000..c6e56f1
--- /dev/null
+++ b/stun_server/region/module.tf
@@ -0,0 +1,41 @@
+locals {
+ service_name = "stun-server"
+ infrastructure_region_outputs = data.tfe_outputs.infrastructure.values[data.aws_region.current.name]
+}
+
+provider "aws" {
+ region = var.region
+}
+
+data "tfe_outputs" "infrastructure" {
+ organization = "home_assistant"
+ workspace = "infrastructure"
+}
+
+data "aws_region" "current" {}
+
+module "stun_server" {
+ source = "../../.modules/service"
+
+ service_name = local.service_name
+ container_image = "ghcr.io/home-assistant/stun"
+ container_version = var.image_tag
+ region = data.aws_region.current.name
+ ecs_cpu = 512
+ ecs_memory = 1024
+ container_definitions = {
+ portMappings = [
+ {
+ containerPort = 3478
+ hostPort = 3478
+ protocol = "tcp"
+ },
+ {
+ containerPort = 3478
+ hostPort = 3478
+ protocol = "udp"
+ }
+ ],
+ }
+ webservice = true
+}
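Review bot: `data "aws_network_interface" "stun_server_interface"` is a singular data source filtered only on `tag:aws:ecs:serviceName`, and it fails the plan as soon as more than one ENI carries that tag; with `deployment_maximum_percent = 200` a rolling deployment runs two tasks at once, and `wait_for_steady_state = true` only narrows that window for applies that drive the deployment themselves. The value it reads is also the ENI of one Fargate task, which is replaced (new ENI, new public IP) whenever ECS restarts the task, so `association[0].public_ip` goes stale between applies. Treat this output as a snapshot rather than a stable endpoint; a DNS-published STUN address needs an EIP or a load balancer in front of the task, not the task's own interface.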
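Review bot: `provider "aws" { region = var.region }` inside the `./region` child module is the legacy pattern Terraform warns against: a module that carries its own provider block cannot be called with `count`/`for_each`, and removing a module call later leaves its resources undeletable because the provider disappears with the configuration. Declare aliased providers in the root (`provider "aws" { alias = "eu_central_1" region = "eu-central-1" }`) and pass them with `providers = { aws = aws.eu_central_1 }` on each module block. Separately, `container_image = "ghcr.io/home-assistant/stun"` is pulled by the mutable tag in `var.image_tag`, so the image that actually runs can change without any Terraform diff; pinning a digest (`ghcr.io/home-assistant/stun@sha256:…`) or validating that `image_tag` is a digest closes that supply-chain gap.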
diff --git a/stun_server/region/network.tf b/stun_server/region/network.tf
new file mode 100644
index 0000000..2caa5c5
--- /dev/null
+++ b/stun_server/region/network.tf
@@ -0,0 +1,30 @@
+resource "aws_security_group" "stun_sg" {
+ vpc_id = local.infrastructure_region_outputs.network_id
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "Allow STUN traffic TCP"
+ from_port = 3478
+ to_port = 3478
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "Allow STUN traffic UDF"
+ from_port = 3478
+ to_port = 3478
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ region = data.aws_region.current.name
+ }
+}
diff --git a/stun_server/region/outputs.tf b/stun_server/region/outputs.tf
new file mode 100644
index 0000000..e32a571
--- /dev/null
+++ b/stun_server/region/outputs.tf
@@ -0,0 +1,4 @@
+output "stun_server_ip" {
+ description = "The public IP address of the stun server"
+ value = data.aws_network_interface.stun_server_interface.association[0].public_ip
+}
diff --git a/stun_server/region/variables.tf b/stun_server/region/variables.tf
new file mode 100644
index 0000000..ec10294
--- /dev/null
+++ b/stun_server/region/variables.tf
@@ -0,0 +1,14 @@
+variable "region" {
+ description = "The region to deploy the STUN server to"
+ type = string
+}
+
+variable "domain_name" {
+ description = "The base domain name"
+ type = string
+}
+
+variable "image_tag" {
+ description = "Version of the Stun server to deploy"
+ type = string
+}
diff --git a/stun_server/region/versions.tf b/stun_server/region/versions.tf
new file mode 100644
index 0000000..d704bc8
--- /dev/null
+++ b/stun_server/region/versions.tf
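Review bot: the egress rule permits every protocol to `0.0.0.0/0`, which is wider than this task needs; security groups are stateful so STUN replies are already covered by the ingress rules, and the remaining outbound need is the image pull and log shipping over TCP 443 (plus VPC DNS, if the image resolves names — confirm against the container), so the rule can be `from_port = 443 to_port = 443 protocol = "tcp"`. The `0.0.0.0/0` ingress on 3478 is correct for a public STUN service and deserves a comment saying so. The description `"Allow STUN traffic UDF"` should read `"Allow STUN traffic UDP"`.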
@@ -0,0 +1,19 @@ +terraform { + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + + tfe = { + source = "hashicorp/tfe" + version = "~> 0.58.0" + } + + cloudflare = { + source = "cloudflare/cloudflare" + version = "~> 4.0" + } + } +} diff --git a/stun_server/variables.tf b/stun_server/variables.tf new file mode 100644 index 0000000..9f49cbe --- /dev/null +++ b/stun_server/variables.tf @@ -0,0 +1,9 @@ +variable "domain_name" { + description = "The base domain name" + type = string +} + +variable "image_tag" { + description = "Version of the Stun server to deploy" + type = string +} diff --git a/stun_server/versions.tf b/stun_server/versions.tf new file mode 100644 index 0000000..a1b2c49 --- /dev/null +++ b/stun_server/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "= 1.9.6" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} From 23f5a8c93a918e19ce365c7e5d77aa82cdaa2519 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 27 Sep 2024 17:43:58 +0300 Subject: [PATCH 02/20] Update os_builds versions (#101) --- os-builds/main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/os-builds/main.tf b/os-builds/main.tf index 88c48a7..b928965 100644 --- a/os-builds/main.tf +++ b/os-builds/main.tf @@ -7,11 +7,12 @@ terraform { } } + required_version = "= 1.9.6" required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 4" + version = "~> 4.0" } } } From 144a93bd2ccf2fe32dc72b1c40cc97b66591a650 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 08:39:28 +0200 Subject: [PATCH 03/20] Bump actions/checkout from 4.1.7 to 4.2.0 (#107) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0b8690c..9ed1aa3 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4.1.7 + uses: actions/checkout@v4.2.0 - name: Setup Terraform uses: hashicorp/setup-terraform@v3.1.2 From 3fb6b0f41cd5a00bac59eb3dd2ab77a3791cf4c7 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Mon, 30 Sep 2024 10:57:05 +0300 Subject: [PATCH 04/20] Update static_dns versions (#104) --- static_dns/main.tf | 4 +++- static_dns/record._checkdns.tf | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/static_dns/main.tf b/static_dns/main.tf index a0d8d20..0d0a340 100644 --- a/static_dns/main.tf +++ b/static_dns/main.tf @@ -7,10 +7,12 @@ terraform { } } + required_version = "= 1.9.6" + required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.0" + version = "~> 4.0" } } } diff --git a/static_dns/record._checkdns.tf b/static_dns/record._checkdns.tf index ddb4823..555fd13 100644 --- a/static_dns/record._checkdns.tf +++ b/static_dns/record._checkdns.tf @@ -2,7 +2,7 @@ resource "cloudflare_record" "_checkdns" { zone_id = data.cloudflare_zone.dns_zone.id name = "_checkdns" - value = "1.1.1.1" + content = "1.1.1.1" type = "A" ttl = 1 proxied = false From 6ba5554c6b0d9ca4ea8d72d54599d86aa7042b72 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Tue, 1 Oct 2024 14:10:12 +0300 Subject: [PATCH 05/20] Create service module policies based on regions they are used in (#108) --- .modules/service/module.tf | 4 +++- .modules/service/policy.tf | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.modules/service/module.tf b/.modules/service/module.tf index 6759f5e..98a4f36 100644 --- a/.modules/service/module.tf +++ b/.modules/service/module.tf 
@@ -1,4 +1,6 @@ data "tfe_outputs" "infrastructure" { organization = "home_assistant" workspace = "infrastructure" -} \ No newline at end of file +} + +data "aws_region" "current" {} diff --git a/.modules/service/policy.tf b/.modules/service/policy.tf index cdbf186..4728dc0 100644 --- a/.modules/service/policy.tf +++ b/.modules/service/policy.tf @@ -10,7 +10,7 @@ data "aws_iam_policy_document" "ecs-role-policy" { } resource "aws_iam_role" "ecs-execution" { - name = "${var.service_name}-ExecutionRole-role" + name = "${var.service_name}-${data.aws_region.current.name}-ExecutionRole-role" assume_role_policy = data.aws_iam_policy_document.ecs-role-policy.json } @@ -46,11 +46,11 @@ data "aws_iam_policy_document" "task-assume-role" { } resource "aws_iam_role" "task-execution" { - name = "${var.service_name}-TaskRole-role" + name = "${var.service_name}-${data.aws_region.current.name}-TaskRole-role" assume_role_policy = data.aws_iam_policy_document.task-assume-role.json } resource "aws_iam_role_policy" "task-role" { policy = data.aws_iam_policy_document.task-policy.json role = aws_iam_role.task-execution.id -} \ No newline at end of file +} From 35fa3c0d5728a8fd0ec43a9c9f13c2e4e0d45441 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Tue, 1 Oct 2024 14:34:35 +0300 Subject: [PATCH 06/20] Remove health check grace period from Stun server ECS config (#109) --- stun_server/region/ecs.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf index 760a9ff..36b382c 100644 --- a/stun_server/region/ecs.tf +++ b/stun_server/region/ecs.tf @@ -5,7 +5,6 @@ resource "aws_ecs_service" "stun-server" { desired_count = 1 deployment_minimum_healthy_percent = 100 deployment_maximum_percent = 200 - health_check_grace_period_seconds = 90 launch_type = "FARGATE" # Required to fetch the public IP address of the ECS service From 712da65b09591c0ba566c0969e5d041408b99542 Mon Sep 17 00:00:00 2001 
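Review bot: changing `name` on `aws_iam_role.ecs-execution` and `aws_iam_role.task-execution` forces both roles to be destroyed and recreated, taking the inline `aws_iam_role_policy` resources with them; tasks already running under the old role are likely to fail their next credential refresh once it is gone, so this should be rolled together with a new task definition rather than applied on its own. The region suffix is the right fix for the cross-region name collision, since IAM names are account-global. The trust policy documents `ecs-role-policy` and `task-assume-role` are outside the hunk.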
From: Krisjanis Lejejs Date: Tue, 1 Oct 2024 16:55:08 +0300 Subject: [PATCH 07/20] Disable Cloudflare proxy for Stun server (#110) * Disable Cloudflare proxy for Stun server * Change Stun TTL to 300 --- stun_server/region/dns.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/stun_server/region/dns.tf b/stun_server/region/dns.tf index e832e2d..b2204c2 100644 --- a/stun_server/region/dns.tf +++ b/stun_server/region/dns.tf @@ -7,6 +7,7 @@ resource "cloudflare_record" "instance_dns" { name = join("-", ["stun", data.aws_region.current.name]) content = data.aws_network_interface.stun_server_interface.association[0].public_ip type = "A" - proxied = true + ttl = 300 + proxied = false depends_on = [data.aws_network_interface.stun_server_interface] } From 168955b7ec66190a5c966f2cf3e0bda335fbfe90 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Tue, 1 Oct 2024 16:55:27 +0300 Subject: [PATCH 08/20] Remove CAS Validator (#105) --- cas_validator/main.tf | 37 ------------------------------------- cas_validator/variables.tf | 4 ---- 2 files changed, 41 deletions(-) delete mode 100644 cas_validator/variables.tf diff --git a/cas_validator/main.tf b/cas_validator/main.tf index adb6e0d..718eb08 100644 --- a/cas_validator/main.tf +++ b/cas_validator/main.tf 
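Review bot: with `proxied = false` the record now exposes the task's own public IP, which `data.aws_network_interface` captured at apply time; a Fargate task receives a fresh ENI and IP whenever ECS replaces it, so the record silently points at nothing until the next `terraform apply`, and `ttl = 300` only bounds how long resolvers cache the stale answer. Unproxying is unavoidable here (Cloudflare's proxy does not carry UDP/3478), so the endpoint needs a stable address — an EIP or a load balancer in front of the task — or at minimum a scheduled apply or drift check on `cloudflare_record.instance_dns` so the breakage is noticed.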
@@ -6,41 +6,4 @@ terraform { name = "cas_validator" } } - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 4.0" - } - - cloudflare = { - source = "cloudflare/cloudflare" - version = "~> 3.0" - } - } -} - -provider "aws" { - region = "us-east-1" -} - -module "webservice_cas_validator" { - source = "../.modules/webservice" - - service_name = "CAS-Validator" - subdomain = "cas-validator" - container_image = "codenotary/immuproof" - container_version = "v0.0.11" - port = 8091 - - container_definitions = { - environment : [ - { name : "IMMUPROOF_HOST", value : "cas.codenotary.com" }, - { name : "IMMUPROOF_PORT", value : "443" }, - { name : "IMMUPROOF_API_KEY", value : var.cas_api_key }, - { name : "IMMUPROOF_WEB_TITLE_TEXT", value : "Home Assistant service validator" }, - { name : "IMMUPROOF_WEB_HOSTED_BY_TEXT", value : "Home Assistant Community" }, - { name : "IMMUPROOF_WEB_HOSTED_BY_LOGO_URL", value : "https://www.home-assistant.io/images/home-assistant-logo.svg" } - ] - } } diff --git a/cas_validator/variables.tf b/cas_validator/variables.tf deleted file mode 100644 index 879e5e2..0000000 --- a/cas_validator/variables.tf +++ /dev/null @@ -1,4 +0,0 @@ -variable "cas_api_key" { - description = "CAS Key for monitoring the immodb" - type = string -} From 02713bc75b69009687e281b7268cbbda87aef1a0 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Wed, 2 Oct 2024 16:51:27 +0300 Subject: [PATCH 09/20] Delete CAS Validator entirely (#111) --- cas_validator/main.tf | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 cas_validator/main.tf diff --git a/cas_validator/main.tf b/cas_validator/main.tf deleted file mode 100644 index 718eb08..0000000 --- a/cas_validator/main.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - cloud { - organization = "home_assistant" - - workspaces { - name = "cas_validator" - } - } -} From 0a99298af4e2d071fd5c4d70e6b3f973a0446d82 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 08:44:02 +0200 Subject: [PATCH 10/20] Bump actions/checkout from 4.2.0 to 4.2.1 (#114) --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 9ed1aa3..f9b3937 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4.2.0 + uses: actions/checkout@v4.2.1 - name: Setup Terraform uses: hashicorp/setup-terraform@v3.1.2 From 9755d08b7bd5e0f37add79a1b6822cad53a5691c Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Mon, 14 Oct 2024 16:51:05 +0300 Subject: [PATCH 11/20] Migrate to using a network load balancer in front of Stun ECS service (#112) * Migrate to using a network load balancer in front of Stun ECS service * Removed separate LB config for UDP and merged it to TCP * Use separate services for TCP and UDP requests --- stun_server/main.tf | 15 +++--- stun_server/outputs.tf | 10 ++-- stun_server/region/dns.tf | 13 ----- stun_server/region/ecs.tf | 50 +++++++++++++------ stun_server/region/module.tf | 22 +++++++-- stun_server/region/network.tf | 88 ++++++++++++++++++++++++++------- stun_server/region/outputs.tf | 6 +-- stun_server/region/variables.tf | 5 -- stun_server/variables.tf | 5 -- 9 files changed, 138 insertions(+), 76 deletions(-) delete mode 100644 stun_server/region/dns.tf diff --git a/stun_server/main.tf b/stun_server/main.tf index f524393..d96ff0e 100644 --- a/stun_server/main.tf +++ b/stun_server/main.tf 
@@ -15,23 +15,20 @@ provider "aws" { module "us_east_1" { source = "./region" - region = "us-east-1" - domain_name = var.domain_name - image_tag = var.image_tag + region = "us-east-1" + image_tag = var.image_tag } module "eu_central_1" { source = "./region" - region = "eu-central-1" - domain_name = var.domain_name - image_tag = var.image_tag + region = "eu-central-1" + image_tag = var.image_tag } module "ap_southeast_1" { source = "./region" - region = "ap-southeast-1" - domain_name = var.domain_name - image_tag = var.image_tag + region = "ap-southeast-1" + image_tag = var.image_tag } diff --git a/stun_server/outputs.tf b/stun_server/outputs.tf index 916ea9a..89e85a6 100644 --- a/stun_server/outputs.tf +++ b/stun_server/outputs.tf @@ -1,8 +1,8 @@ -output "ip" { - description = "The public IP address of the stun server" +output "endpoints" { + description = "Endpoints of the Stun server" value = { - "us-east-1" = module.us_east_1.stun_server_ip - "eu-central-1" = module.eu_central_1.stun_server_ip - "ap-southeast-1" = module.ap_southeast_1.stun_server_ip + "us-east-1" = module.us_east_1.stun_server_endpoint + "eu-central-1" = module.eu_central_1.stun_server_endpoint + "ap-southeast-1" = module.ap_southeast_1.stun_server_endpoint } } diff --git a/stun_server/region/dns.tf b/stun_server/region/dns.tf deleted file mode 100644 index b2204c2..0000000 --- a/stun_server/region/dns.tf +++ /dev/null @@ -1,13 +0,0 @@ -data "cloudflare_zone" "dns_zone" { - name = var.domain_name -} - -resource "cloudflare_record" "instance_dns" { - zone_id = data.cloudflare_zone.dns_zone.id - name = join("-", ["stun", data.aws_region.current.name]) - content = data.aws_network_interface.stun_server_interface.association[0].public_ip - type = "A" - ttl = 300 - proxied = false - depends_on = [data.aws_network_interface.stun_server_interface] -} diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf index 36b382c..ad1546d 100644 --- a/stun_server/region/ecs.tf 
+++ b/stun_server/region/ecs.tf @@ -1,20 +1,22 @@ -resource "aws_ecs_service" "stun-server" { - name = local.service_name +resource "aws_ecs_service" "stun-server-tcp" { + name = "${local.service_name}-tcp" cluster = local.infrastructure_region_outputs.ecs_cluster - task_definition = module.stun_server.task_definition + task_definition = module.stun_server_tcp.task_definition desired_count = 1 deployment_minimum_healthy_percent = 100 deployment_maximum_percent = 200 launch_type = "FARGATE" - - # Required to fetch the public IP address of the ECS service - enable_ecs_managed_tags = true - wait_for_steady_state = true + depends_on = [aws_lb_listener.stun] network_configuration { - assign_public_ip = true - security_groups = [aws_security_group.stun_sg.id] - subnets = local.infrastructure_region_outputs.public_subnets + security_groups = [aws_security_group.stun_sg.id] + subnets = local.infrastructure_region_outputs.private_subnets + } + + load_balancer { + container_name = "${local.service_name}-tcp" + container_port = "3478" + target_group_arn = aws_lb_target_group.stun.arn } tags = { 
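Review bot: `desired_count = 1` with `deployment_minimum_healthy_percent = 100` and no `deployment_circuit_breaker` means a task definition that never passes the target group health check leaves ECS retrying indefinitely while the old task keeps serving, with no rollback and nothing in the plan output to show it; add a `deployment_circuit_breaker` block with `enable = true` and `rollback = true` to this service. The `depends_on = [aws_lb_listener.stun]` is needed because ECS rejects a `load_balancer` registration before a listener exists, and is worth a one-line comment saying so. `aws_ecs_service.stun-server-tcp` continues past the hunk.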
@@ -22,10 +24,28 @@ resource "aws_ecs_service" "stun-server" { } } -data "aws_network_interface" "stun_server_interface" { - filter { - name = "tag:aws:ecs:serviceName" - values = [aws_ecs_service.stun-server.name] +resource "aws_ecs_service" "stun-server-udp" { + name = "${local.service_name}-udp" + cluster = local.infrastructure_region_outputs.ecs_cluster + task_definition = module.stun_server_udp.task_definition + desired_count = 1 + deployment_minimum_healthy_percent = 100 + deployment_maximum_percent = 200 + launch_type = "FARGATE" + depends_on = [aws_lb_listener.stun] + + network_configuration { + security_groups = [aws_security_group.stun_sg.id] + subnets = local.infrastructure_region_outputs.private_subnets + } + + load_balancer { + container_name = "${local.service_name}-udp" + container_port = "3478" + target_group_arn = aws_lb_target_group.stun.arn + } + + tags = { + region = data.aws_region.current.name } - depends_on = [aws_ecs_service.stun-server] } diff --git a/stun_server/region/module.tf b/stun_server/region/module.tf index c6e56f1..dcf42bd 100644 --- a/stun_server/region/module.tf +++ b/stun_server/region/module.tf @@ -14,10 +14,10 @@ data "tfe_outputs" "infrastructure" { data "aws_region" "current" {} -module "stun_server" { +module "stun_server_tcp" { source = "../../.modules/service" - service_name = local.service_name + service_name = "${local.service_name}-tcp" container_image = "ghcr.io/home-assistant/stun" container_version = var.image_tag region = data.aws_region.current.name 
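Review bot: `aws_ecs_service.stun-server-udp` registers into the same `aws_lb_target_group.stun` as the TCP service, and that target group is `TCP_UDP`, so the NLB spreads both TCP and UDP requests across both services' tasks — the split into `-tcp` and `-udp` services does not separate traffic by protocol, and the `TCP` health check is sent to the UDP task as well, which only works if the image listens on TCP regardless of its port mapping. If isolation is the goal, give each service its own target group behind a `TCP` and a `UDP` listener on the same port (an NLB allows one of each per port); if it is not, one service with two tasks is simpler and gives the same capacity.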
@@ -29,7 +29,23 @@ module "stun_server" { containerPort = 3478 hostPort = 3478 protocol = "tcp" - }, + } + ], + } + webservice = true +} + +module "stun_server_udp" { + source = "../../.modules/service" + + service_name = "${local.service_name}-udp" + container_image = "ghcr.io/home-assistant/stun" + container_version = var.image_tag + region = data.aws_region.current.name + ecs_cpu = 512 + ecs_memory = 1024 + container_definitions = { + portMappings = [ { containerPort = 3478 hostPort = 3478 diff --git a/stun_server/region/network.tf b/stun_server/region/network.tf index 2caa5c5..24ca700 100644 --- a/stun_server/region/network.tf +++ b/stun_server/region/network.tf 
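Review bot: `module.stun_server_udp` repeats `module.stun_server_tcp` line for line except for the port mapping `protocol`; a single module call with `for_each = { tcp = "tcp", udp = "udp" }` and `protocol = each.value` would keep the two from drifting apart — provided `.modules/service` declares no provider block of its own, which is not visible here. Both still pull `ghcr.io/home-assistant/stun` by the mutable `var.image_tag`; a digest pin would make the deployed image reproducible. The UDP port mapping continues past the hunk.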
@@ -1,30 +1,82 @@ resource "aws_security_group" "stun_sg" { vpc_id = local.infrastructure_region_outputs.network_id - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + tags = { + Region = data.aws_region.current.name + Zone = "public" } +} + +resource "aws_vpc_security_group_egress_rule" "stun_sg_egress" { + security_group_id = aws_security_group.stun_sg.id + + ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" +} + +resource "aws_vpc_security_group_ingress_rule" "stun_sg_ingress_tcp" { + security_group_id = aws_security_group.stun_sg.id + + from_port = 3478 + to_port = 3478 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" +} + +resource "aws_vpc_security_group_ingress_rule" "stun_sg_ingress_udp" { + security_group_id = aws_security_group.stun_sg.id + + from_port = 3478 + to_port = 3478 + ip_protocol = "udp" + cidr_ipv4 = "0.0.0.0/0" +} - ingress { - description = "Allow STUN traffic TCP" - from_port = 3478 - to_port = 3478 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] +resource "aws_lb" "main" { + name = local.service_name + internal = false + load_balancer_type = "network" + + subnets = local.infrastructure_region_outputs.public_subnets + + tags = { + Region = data.aws_region.current.name + Zone = "public" + } +} + +resource "aws_lb_listener" "stun" { + load_balancer_arn = aws_lb.main.arn + port = 3478 + protocol = "TCP_UDP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.stun.arn } - ingress { - description = "Allow STUN traffic UDF" - from_port = 3478 - to_port = 3478 - protocol = "udp" - cidr_blocks = ["0.0.0.0/0"] + depends_on = [ + aws_lb_target_group.stun, + aws_lb.main, + ] +} + +resource "aws_lb_target_group" "stun" { + port = 3478 + protocol = "TCP_UDP" + vpc_id = local.infrastructure_region_outputs.network_id + target_type = "ip" + deregistration_delay = 60 + + health_check { + protocol = "TCP" + interval = 10 + unhealthy_threshold = 2 + healthy_threshold = 2 } tags = { - region = 
data.aws_region.current.name + Region = data.aws_region.current.name + Zone = "public" } } diff --git a/stun_server/region/outputs.tf b/stun_server/region/outputs.tf index e32a571..4b8a672 100644 --- a/stun_server/region/outputs.tf +++ b/stun_server/region/outputs.tf @@ -1,4 +1,4 @@ -output "stun_server_ip" { - description = "The public IP address of the stun server" - value = data.aws_network_interface.stun_server_interface.association[0].public_ip +output "stun_server_endpoint" { + description = "Endpoint of the Stun server" + value = aws_lb.main.dns_name } diff --git a/stun_server/region/variables.tf b/stun_server/region/variables.tf index ec10294..fe4d51d 100644 --- a/stun_server/region/variables.tf +++ b/stun_server/region/variables.tf @@ -3,11 +3,6 @@ variable "region" { type = string } -variable "domain_name" { - description = "The base domain name" - type = string -} - variable "image_tag" { description = "Version of the Stun server to deploy" type = string diff --git a/stun_server/variables.tf b/stun_server/variables.tf index 9f49cbe..f229e66 100644 --- a/stun_server/variables.tf +++ b/stun_server/variables.tf @@ -1,8 +1,3 @@ -variable "domain_name" { - description = "The base domain name" - type = string -} - variable "image_tag" { description = "Version of the Stun server to deploy" type = string From 3025b195b440171fda859df0346c56ae32238b2c Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Mon, 21 Oct 2024 16:16:59 +0300 Subject: [PATCH 12/20] Change Stun load balancer port to 80 (#115) --- stun_server/region/network.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stun_server/region/network.tf b/stun_server/region/network.tf index 24ca700..14f7566 100644 --- a/stun_server/region/network.tf +++ b/stun_server/region/network.tf @@ -47,7 +47,7 @@ resource "aws_lb" "main" { resource "aws_lb_listener" "stun" { load_balancer_arn = aws_lb.main.arn - port = 3478 + port = 80 protocol = "TCP_UDP" default_action { 
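Review bot: `aws_lb.main` is now the public entrypoint but has no `enable_deletion_protection = true`, so a stray `terraform destroy` or a forced replacement changes the DNS name that `stun_server_endpoint` hands out. The `0.0.0.0/0` ingress on 3478 remains necessary even though the tasks moved to private subnets — client IP preservation cannot be disabled for `TCP_UDP` target groups, so the task security group sees real client addresses — and a short comment on `stun_sg_ingress_tcp`/`stun_sg_ingress_udp` saying so would stop a later reviewer from "tightening" it to the VPC CIDR and breaking the service. The egress rule is still `ip_protocol = "-1"` to `0.0.0.0/0` and could be narrowed to TCP 443 for the registry and log endpoints, if the image needs nothing else.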
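Review bot: repointing the only listener from 3478 to `port = 80` leaves the NLB with no listener on the registered STUN port, so any client configured for `stun:<host>:3478` — the default in most STUN libraries — stops working as soon as this applies. If port 80 is wanted for networks that filter 3478, add it as a second `aws_lb_listener` rather than replacing this one; both can forward to the same target group.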
From 3a3173b2f4a8e90967ba20734054a87a4db3c00f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joakim=20S=C3=B8rensen?= Date: Wed, 23 Oct 2024 13:25:49 +0200 Subject: [PATCH 13/20] Add TLS listener for STUN on port 443 (#116) --- stun_server/region/network.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/stun_server/region/network.tf b/stun_server/region/network.tf index 14f7566..099e3df 100644 --- a/stun_server/region/network.tf +++ b/stun_server/region/network.tf @@ -61,6 +61,23 @@ resource "aws_lb_listener" "stun" { ] } +resource "aws_lb_listener" "stun_tls" { + load_balancer_arn = aws_lb.main.arn + port = 443 + protocol = "TLS" + certificate_arn = data.tfe_outputs.infrastructure.values.certification_arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.stun.arn + } + + depends_on = [ + aws_lb_target_group.stun, + aws_lb.main, + ] +} + resource "aws_lb_target_group" "stun" { port = 3478 protocol = "TCP_UDP" From 10f266f7f56f64bd950248a0565f1b6293b9ddd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joakim=20S=C3=B8rensen?= Date: Fri, 25 Oct 2024 09:46:16 +0200 Subject: [PATCH 14/20] Revert "Add TLS listener for STUN on port 443 (#116)" (#117) This reverts commit 3a3173b2f4a8e90967ba20734054a87a4db3c00f. --- stun_server/region/network.tf | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/stun_server/region/network.tf b/stun_server/region/network.tf index 099e3df..14f7566 100644 --- a/stun_server/region/network.tf +++ b/stun_server/region/network.tf 
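Review bot: `aws_lb_listener.stun_tls` uses `protocol = "TLS"` but forwards to `aws_lb_target_group.stun`, whose protocol is `TCP_UDP`; as far as I recall an NLB TLS listener only accepts `TCP` or `TLS` target groups, so this is likely rejected at apply and needs its own `TCP` target group on 3478. It also sets no `ssl_policy`, so whatever the provider defaults to is what clients get; pin it explicitly, e.g. `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`. The certificate comes from `data.tfe_outputs.infrastructure.values.certification_arn`, whose coverage of the hostname clients will use is not visible here and is worth confirming.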
@@ -61,23 +61,6 @@ resource "aws_lb_listener" "stun" { ] } -resource "aws_lb_listener" "stun_tls" { - load_balancer_arn = aws_lb.main.arn - port = 443 - protocol = "TLS" - certificate_arn = data.tfe_outputs.infrastructure.values.certification_arn - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.stun.arn - } - - depends_on = [ - aws_lb_target_group.stun, - aws_lb.main, - ] -} - resource "aws_lb_target_group" "stun" { port = 3478 protocol = "TCP_UDP" From c274d13d359edc16a536e59aa791788546dcaaa5 Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Wed, 30 Oct 2024 16:15:08 +0200 Subject: [PATCH 15/20] Add port 3478 listener for Stun server (#119) * Add port 3478 listener for Stun server * Fix ECS dependencies --- stun_server/region/ecs.tf | 4 ++-- stun_server/region/network.tf | 18 +++++++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/stun_server/region/ecs.tf b/stun_server/region/ecs.tf index ad1546d..ac771ff 100644 --- a/stun_server/region/ecs.tf +++ b/stun_server/region/ecs.tf @@ -6,7 +6,7 @@ resource "aws_ecs_service" "stun-server-tcp" { deployment_minimum_healthy_percent = 100 deployment_maximum_percent = 200 launch_type = "FARGATE" - depends_on = [aws_lb_listener.stun] + depends_on = [aws_lb_listener.stun_80, aws_lb_listener.stun_3478] network_configuration { security_groups = [aws_security_group.stun_sg.id] @@ -32,7 +32,7 @@ resource "aws_ecs_service" "stun-server-udp" { deployment_minimum_healthy_percent = 100 deployment_maximum_percent = 200 launch_type = "FARGATE" - depends_on = [aws_lb_listener.stun] + depends_on = [aws_lb_listener.stun_80, aws_lb_listener.stun_3478] network_configuration { security_groups = [aws_security_group.stun_sg.id] diff --git a/stun_server/region/network.tf b/stun_server/region/network.tf index 14f7566..5e76d4b 100644 --- a/stun_server/region/network.tf +++ b/stun_server/region/network.tf 
@@ -45,7 +45,7 @@ resource "aws_lb" "main" { } } -resource "aws_lb_listener" "stun" { +resource "aws_lb_listener" "stun_80" { load_balancer_arn = aws_lb.main.arn port = 80 protocol = "TCP_UDP" @@ -61,6 +61,22 @@ resource "aws_lb_listener" "stun" { ] } +resource "aws_lb_listener" "stun_3478" { + load_balancer_arn = aws_lb.main.arn + port = 3478 + protocol = "TCP_UDP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.stun.arn + } + + depends_on = [ + aws_lb_target_group.stun, + aws_lb.main, + ] +} + resource "aws_lb_target_group" "stun" { port = 3478 protocol = "TCP_UDP" From f96e76bd4180c0ea573ccfe513d2f917122dca5e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 2 Nov 2024 17:19:56 +0100 Subject: [PATCH 16/20] Bump actions/checkout from 4.2.1 to 4.2.2 (#118) --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index f9b3937..13779cf 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.2.2 - name: Setup Terraform uses: hashicorp/setup-terraform@v3.1.2 From b77a2a03dd1ee92c9bae30d51d5e2c963ba8797a Mon Sep 17 00:00:00 2001 From: Krisjanis Lejejs Date: Fri, 15 Nov 2024 10:45:44 +0200 Subject: [PATCH 17/20] Update infrastructure versions (#99) --- infrastructure/certificate.tf | 2 +- infrastructure/region/network.tf | 2 +- infrastructure/versions.tf | 7 ++++--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/infrastructure/certificate.tf b/infrastructure/certificate.tf index c77cb2e..e616c2f 100644 --- a/infrastructure/certificate.tf +++ b/infrastructure/certificate.tf 
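Review bot: the `depends_on = [aws_lb_target_group.stun, aws_lb.main]` on both listeners is redundant — `load_balancer_arn` and `target_group_arn` already reference those resources, so Terraform orders them correctly without it — and an explicit `depends_on` that duplicates expression references is the kind of thing linters flag; drop it from `stun_80` and `stun_3478`. Since the two listeners differ only in port, a single resource with `for_each = toset([80, 3478])` and `port = each.value` would also keep the ECS services' `depends_on` list from growing each time a port is added.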
@@ -22,7 +22,7 @@ resource "cloudflare_record" "dns_instance_validation" {
 zone_id = data.cloudflare_zone.dns_zone.id
 name = each.value.name
- value = trimsuffix(each.value.record, ".")
+ content = trimsuffix(each.value.record, ".")
 type = each.value.type
 ttl = 1
 proxied = false
diff --git a/infrastructure/region/network.tf b/infrastructure/region/network.tf
index 0508b39..a4a97cc 100644
--- a/infrastructure/region/network.tf
+++ b/infrastructure/region/network.tf
@@ -32,7 +32,7 @@ resource "aws_route_table" "public" {
 resource "aws_eip" "nat" {
 count = 2
- vpc = true
+ domain = "vpc"
 tags = {
 Region = data.aws_region.current.name
diff --git a/infrastructure/versions.tf b/infrastructure/versions.tf
index c238c02..5337068 100644
--- a/infrastructure/versions.tf
+++ b/infrastructure/versions.tf
@@ -1,14 +1,15 @@
 terraform {
- required_version = "= 1.7.5"
+ required_version = "= 1.9.8"
+
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.0"
+ version = "~> 4.0"
 }
 }
 }
From 01334370ea7db5983185bedb51ad90b670245bb2 Mon Sep 17 00:00:00 2001
From: Krisjanis Lejejs
Date: Fri, 15 Nov 2024 10:54:05 +0200
Subject: [PATCH 18/20] Update community versions (#98)
---
 community/dns.tf | 2 +-
 community/ec2.tf | 2 +-
 community/main.tf | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/community/dns.tf b/community/dns.tf
index 137e53b..1f45d03 100644
--- a/community/dns.tf
+++ b/community/dns.tf
@@ -5,7 +5,7 @@ data "cloudflare_zone" "dns_zone" {
 resource "cloudflare_record" "community" {
 zone_id = data.cloudflare_zone.dns_zone.id
 name = "community"
- value = aws_eip.discourse.public_ip
+ content = aws_eip.discourse.public_ip
 type = "A"
 proxied = true
 }
diff --git a/community/ec2.tf b/community/ec2.tf
index 622f618..fd7a805 100644
--- a/community/ec2.tf
+++ b/community/ec2.tf
@@ -9,5 +9,5 @@ resource "aws_instance" "discourse" {
 resource "aws_eip" "discourse" {
 instance = aws_instance.discourse.id
- vpc = true
+ domain = "vpc"
 }
diff --git a/community/main.tf b/community/main.tf
index 2b8e605..270242e 100644
--- a/community/main.tf
+++ b/community/main.tf
@@ -7,15 +7,17 @@ terraform {
 }
 }
+ required_version = "= 1.9.8"
+
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.0"
+ version = "~> 4.0"
 }
 }
 }
From 865782ad81c6934f84754ef42a8686edac7d2396 Mon Sep 17 00:00:00 2001
From: Krisjanis Lejejs
Date: Fri, 15 Nov 2024 11:19:58 +0200
Subject: [PATCH 19/20] Update assist versions (#96)
---
 assist/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/assist/main.tf b/assist/main.tf
index 226618b..b6a380e 100644
--- a/assist/main.tf
+++ b/assist/main.tf
@@ -7,11 +7,12 @@ terraform {
 }
 }
+ required_version = "= 1.9.8"
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 4"
+ version = "~> 4.0"
 }
 }
 }
From abf6980db81652150bc138dc40909c71034b1372 Mon Sep 17 00:00:00 2001
From: Pierre <397503+bemble@users.noreply.github.com>
Date: Tue, 3 Dec 2024 16:28:09 +0100
Subject: [PATCH 20/20] OHF public assets (#120)
* feat: add ohf-public-assets bucket
* fix resource name
* bump TF and typo
---
 ohf-public-assets/bucket.tf | 5 +++++
 ohf-public-assets/main.tf | 18 ++++++++++++++++++
 ohf-public-assets/variables.tf | 4 ++++
 3 files changed, 27 insertions(+)
 create mode 100644 ohf-public-assets/bucket.tf
 create mode 100644 ohf-public-assets/main.tf
 create mode 100644 ohf-public-assets/variables.tf
diff --git a/ohf-public-assets/bucket.tf b/ohf-public-assets/bucket.tf
new file mode 100644
index 0000000..ba506bc
--- /dev/null
+++ b/ohf-public-assets/bucket.tf
@@ -0,0 +1,5 @@
+resource "cloudflare_r2_bucket" "ohf_public_assets" {
+ account_id = var.CLOUDFLARE_ACCOUNT_ID
+ name = "ohf-public-assets"
+ location = "ENAM"
+}
diff --git a/ohf-public-assets/main.tf b/ohf-public-assets/main.tf
new file mode 100644
index 0000000..d39edc6
--- /dev/null
+++ b/ohf-public-assets/main.tf
@@ -0,0 +1,18 @@
+terraform {
+ cloud {
+ organization = "home_assistant"
+
+ workspaces {
+ name = "ohf-public-assets"
+ }
+ }
+
+ required_version = "= 1.10.0"
+
+ required_providers {
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/ohf-public-assets/variables.tf b/ohf-public-assets/variables.tf
new file mode 100644
index 0000000..29eee8e
--- /dev/null
+++ b/ohf-public-assets/variables.tf
@@ -0,0 +1,4 @@
+variable "CLOUDFLARE_ACCOUNT_ID" {
+ description = "Cloudflare Account Id"
+ type = string
+}
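Review bot: Nothing in the `cloudflare_r2_bucket` resource makes `ohf-public-assets` publicly readable — R2 buckets are private by default, and there is no custom-domain or r2.dev public-access resource and no CORS rule alongside it — so either the "public" part is being configured by hand in the dashboard, which is exactly the kind of access-control change that should live in Terraform where it is reviewed and drift-detected, or the bucket is intentionally private for now. Either way the file should say which: `# Public read access (custom domain / r2.dev) is not managed here yet — add it via Terraform before publishing assets.` Since the commit message mentions a resource rename and a bucket holding published assets is costly to lose, a `lifecycle { prevent_destroy = true }` block on this resource would stop a future rename or refactor from planning a destroy/recreate.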
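Review bot: `required_version = "= 1.10.0"` diverges from the `= 1.9.8` pin that the `infrastructure`, `community` and `assist` workspaces were just moved to earlier in this series, so the lint workflow and anyone applying locally now has to juggle two Terraform binaries for one repository. Unless 1.10 is needed for something in this workspace, pin it to the same version, `required_version = "= 1.9.8"`, or bump all workspaces together; whichever is chosen, a short comment explaining the choice would prevent the next dependabot-style bump from drifting them apart again. The exact Terraform pin paired with the floating `~> 4.0` provider constraint only gives reproducible applies if `.terraform.lock.hcl` for this new workspace is committed, which I cannot see from this diff.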