feat: add terraform module code with ci for versioning

Author: sgtoj

.editorconfig

@@ -0,0 +1,26 @@
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+[{Dockerfile,Dockerfile.*}]
+indent_size = 4
+tab_width = 4
+
+[{Makefile,makefile,GNUmakefile}]
+indent_style = tab
+indent_size = 4
+
+[Makefile.*]
+indent_style = tab
+indent_size = 4
+
+[**/*.{go,mod,sum}]
+indent_style = tab
+indent_size = unset
+
+[**/*.py]
+indent_size = 4

.github/.dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/release.yml

@@ -0,0 +1,29 @@
+name: release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Bump Version
+        id: tag_version
+        uses: mathieudutour/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          default_bump: minor
+          custom_release_rules: bug:patch:Fixes,chore:patch:Chores,docs:patch:Documentation,feat:minor:Features,refactor:minor:Refactors,test:patch:Tests,ci:patch:Development,dev:patch:Development
+      - name: Create Release
+        uses: ncipollo/[email protected]
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}

.github/workflows/semantic-check.yml

@@ -0,0 +1,26 @@
+name: semantic-check
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  main:
+    name: Semantic Commit Message Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - uses: amannn/[email protected]
+        name: Check PR for Semantic Commit Message
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          requireScope: false
+          validateSingleCommit: true

.github/workflows/test.yml

@@ -0,0 +1,21 @@
+name: test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Terraform Setup
+        run: |
+          terraform init
+      - name: Lint Terraform
+        uses: reviewdog/action-tflint@master
+        with:
+          github_token: ${{ secrets.github_token }}
+          filter_mode: "nofilter"

README.md

@@ -1 +1,73 @@
-# terraform-aws-network-protocol-proxy
+# terraform-aws-network-protocol-proxy
+
+This terraform module provisions a simple, scalable tcp proxy based on haproxy.
+It deploys an EC2 autoscaling group behind a network load balancer (NLB), sets
+up cloudwatch logging, optionally configures a vpc endpoint service, and
+provides a configurable way to forward tcp traffic to any specified backend
+target.
+
+## how it works
+
+- an ec2 autoscaling group is created, each instance running haproxy
+- a network load balancer routes incoming traffic on tcp ports you define
+- haproxy listens on the same ports and forwards traffic to your backend
+  target(s)
+- security group rules are created to allow ingress on the listener port from
+  allowed cidrs
+- optional vpc endpoint service can be created if you need a private service endpoint
+
+## usage
+
+```hcl
+module "network_protocol_proxy" {
+  source  = "cruxstack/network-protocol-proxy/aws"
+  version = "x.x.x"
+
+  name                   = "database-proxy"
+  vpc_id                 = "vpc-1234567890abcdef"
+  vpc_public_subnet_ids  = ["subnet-1234abcd", "subnet-5678efgh"]
+  vpc_private_subnet_ids = ["subnet-1234abcd", "subnet-5678efgh"]
+  vpc_pr
+
+  proxies = {
+    default = {
+      target                 = "10.0.1.10:5432"
+      listener_port          = 10432
+      listener_allowed_cidrs = [
+        {
+          cidr        = "0.0.0.0/0"
+          description = "allow all inbound for testing"
+        }
+      ]
+    }
+  }
+}
+```
+
+## inputs
+
+| name                     | type         | default | description                                                  |
+|--------------------------|--------------|---------|--------------------------------------------------------------|
+| `enabled`                | bool         | `true`  | enable or disable the module                                 |
+| `proxies`                | object(...)  | n/a     | configuration for one or more haproxy proxies                |
+| `capacity`               | object(...)  | `{}`    | autoscaling desired, min, max settings                       |
+| `logs_bucket_name`       | string       | `""`    | s3 bucket name for logs                                      |
+| `ssm_sessions`           | object(...)  | `{}`    | enable session manager logging                               |
+| `public_accessible`      | bool         | `false` | set to true to place the nlb in public subnets               |
+| `eip_allocation_ids`     | list(string) | `[]`    | list of eip allocation ids for the nlb                       |
+| `vpc_id`                 | string       | n/a     | id of the vpc                                                |
+| `vpc_private_subnet_ids` | list(string) | `[]`    | list of private subnet ids                                   |
+| `vpc_public_subnet_ids`  | list(string) | `[]`    | list of public subnet ids                                    |
+| `vpc_security_group_ids` | list(string) | `[]`    | additional security group ids to attach to the instances     |
+| `vpc_endpoint_service`   | object(...)  | `{}`    | configuration for optionally creating a vpc endpoint service |
+| `aws_account_id`         | string       | n/a     | your aws account id                                          |
+| `aws_kv_namespace`       | string       | n/a     | your aws k/v namespace                                       |
+| `aws_region_name`        | string       | n/a     | the aws region                                               |
+| `experimental_mode`      | bool         | n/a     | toggles extra debug or development settings                  |
+
+## outputs
+
+| name            | description                          |
+|-----------------|--------------------------------------|
+| `nlb_dns_name`  | the dns name of the network lb (nlb) |
+

assets/cloud-config.yaml

@@ -0,0 +1,15 @@
+#cloud-config
+packages:
+  - amazon-cloudwatch-agent
+package_update: true
+package_upgrade: true
+write_files:
+  - path: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/user.json
+    content: ${cloudwatch_agent_config_encoded}
+    encoding: base64
+    permissions: "0644"
+power_state:
+  delay: now
+  mode: reboot
+  timeout: 10
+

assets/cloudwatch-agent-config.json

@@ -0,0 +1,45 @@
+{
+  "agent": {
+    "run_as_user": "cwagent"
+  },
+  "logs": {
+    "logs_collected": {
+      "files": {
+        "collect_list": [
+          {
+            "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/amazon-cloudwatch-agent.log",
+            "timestamp_format": "%Y-%m-%dT%H:%M:%SZ"
+          },
+          {
+            "file_path": "/var/log/dmesg",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/dmesg"
+          },
+          {
+            "file_path": "/var/log/messages",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/messages",
+            "timestamp_format": "%b %d %H:%M:%S"
+          },
+          {
+            "file_path": "/var/log/cloud-init.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/cloud-init.log",
+            "multi_line_start_pattern": "\\w+ \\d{2} \\d{2}:\\d{2}:\\d{2} cloud-init\\[[\\w]+]:",
+            "timestamp_format": "%B %d %H:%M:%S",
+            "timezone": "UTC"
+          },
+          {
+            "file_path": "/var/log/cloud-init-output.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/cloud-init-output.log",
+            "multi_line_start_pattern": "Cloud-init v. \\d+.\\d+-\\d+"
+          }
+        ]
+      }
+    }
+  }
+}
+

assets/haproxy.cfg.tmplt

@@ -0,0 +1,34 @@
+global
+  log stdout format raw local0
+
+defaults
+  log global
+  mode tcp
+  option tcplog
+  timeout connect 5s
+  timeout client 1m
+  timeout server 1m
+
+resolvers vpcdns
+ nameserver dns2 ${resolver}:53
+ hold valid 10s
+
+%{ for proxy in proxies ~}
+
+frontend proxy_fe_${proxy.name}
+  bind *:${proxy.listener_port}
+  default_backend proxy_be_${proxy.name}
+
+backend proxy_be_${proxy.name}
+  server target ${proxy.target} check resolvers vpcdns resolve-prefer ipv4
+
+%{ endfor ~}
+
+frontend healthcheck_fe
+  bind *:8080
+  mode http
+  default_backend healthcheck_be
+
+backend healthcheck_be
+  mode http
+  http-request return status 200 content-type text/plain lf-string "ok"

assets/provision.sh

@@ -0,0 +1,18 @@
+#!/bin/bash -xe
+
+# ---------------------------------------------------------------------- fns ---
+
+function cwagent_ctl {
+  /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl "$@"
+}
+export -f cwagent_ctl
+
+# ------------------------------------------------------------------- script ---
+
+yum update -y
+
+chmod 644 /var/log/cloud-init-output.log
+chmod 644 /var/log/messages
+
+cwagent_ctl -a fetch-config -s -m ec2 \
+  -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/user.json

assets/userdata.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# shellcheck disable=SC2034,2154
+
+# --------------------------------------------------------- terraform inputs ---
+
+HAPROXY_CONFIG_ENCODED=${haproxy_config_encoded}
+
+# ------------------------------------------------------------------- script ---
+#
+yum install -y haproxy
+echo "$HAPROXY_CONFIG_ENCODED" | base64 -d >/etc/haproxy/haproxy.cfg
+systemctl enable --now haproxy