feat: prepare aws-client-vpn to EUSC AWS partition, migrate Terragrunt cli usage

matihost · matihost · commit db831199dd81 · 2026-02-08T12:23:30.000+01:00
diff --git a/terraform/aws/aws-client-vpn/Makefile b/terraform/aws/aws-client-vpn/Makefile
@@ -4,41 +4,48 @@ SHELL := /usr/bin/env bash
 DEBUG := false
 ifeq ($(strip $(DEBUG)),true)
 	TF_LOG := DEBUG
-	TG_FLAGS := --terragrunt-debug
+	TG_FLAGS := --inputs-debug
 endif
 
 MODE := apply
 ifeq ($(strip $(MODE)),apply)
-	MODE_STR := apply -auto-approve
+	MODE_STR := --non-interactive -- apply -auto-approve
 else ifeq ($(strip $(MODE)),destroy)
-	MODE_STR := destroy -auto-approve
+	MODE_STR := --non-interactive -- destroy -auto-approve
 else
-	MODE_STR := plan
+	MODE_STR := --non-interactive -- plan
 endif
 
+PARTITION := aws
+
 ENV := dev
 
-init:
-	cd stage/$(ENV) && terragrunt init -upgrade=true --backend-bootstrap --non-interactive
+ifeq ($(strip $(PARTITION)),eusc)
+	DEPLOY_PATH := stage/eusc/$(ENV)
+else
+	DEPLOY_PATH := $(DEPLOY_PATH)
+endif
 
+init:
+	cd $(DEPLOY_PATH) && terragrunt run -- init -upgrade=true
 
 run: init ## setup Client VPN: make run [ENV=dev] [MODE=apply]
-	@cd stage/$(ENV) && terragrunt validate && terragrunt $(MODE_STR) --non-interactive $(TG_FLAGS)
+	@cd $(DEPLOY_PATH) && terragrunt run validate && terragrunt run $(MODE_STR) $(TG_FLAGS)
 
 open-webconsole: ## open ARO web console
-	ARO_CONSOLE_URL="$(shell cd stage/$(ENV) && terragrunt output -raw console_url 2>/dev/null)" && \
+	ARO_CONSOLE_URL="$(shell cd $(DEPLOY_PATH) && terragrunt output -raw console_url 2>/dev/null)" && \
 	xdg-open "$${ARO_CONSOLE_URL}" || sensible-browser "$${ARO_CONSOLE_URL}" || x-www-browser "$${ARO_CONSOLE_URL}" || gnome-open "$${ARO_CONSOLE_URL}"
 
 
 
 get-client-ovpn: ## create target/client.ovpn file needed to connect to VPN
 	mkdir -p target && cd target && \
-	REGION="$(shell cd stage/$(ENV) && terragrunt output -raw region 2>/dev/null)" && \
-	CLIENT_VPN_ENDPOINT_ID="$(shell cd stage/$(ENV) && terragrunt output -raw client_vpn_endpoint_id 2>/dev/null)" && \
+	REGION="$(shell cd $(DEPLOY_PATH) && terragrunt output -raw region 2>/dev/null)" && \
+	CLIENT_VPN_ENDPOINT_ID="$(shell cd $(DEPLOY_PATH) && terragrunt output -raw client_vpn_endpoint_id 2>/dev/null)" && \
 	aws ec2 export-client-vpn-client-configuration --output text \
     --region "$${REGION}" \
     --client-vpn-endpoint-id "$${CLIENT_VPN_ENDPOINT_ID}" > client.ovpn
-	cd stage/$(ENV) && \
+	cd $(DEPLOY_PATH) && \
 		terragrunt output -raw client-ovpn-extension-config 2>/dev/null >> ../../target/client.ovpn
 
 connect-to-vpn: get-client-ovpn ## connect to Open VPN peer
@@ -47,7 +54,7 @@ connect-to-vpn: get-client-ovpn ## connect to Open VPN peer
 
 
 show-state: ## show state
-	cd stage/$(ENV) && terragrunt state list && terragrunt show
+	cd $(DEPLOY_PATH) && terragrunt state list && terragrunt show
 
 clean: ## clean cached plugins and data
 	find . -name ".terra*" -exec rm -rf {} +
diff --git a/terraform/aws/aws-client-vpn/README.md b/terraform/aws/aws-client-vpn/README.md
@@ -36,21 +36,18 @@ sudo apparmor_parser -r /etc/apparmor.d/openvpn
 
 ```bash
 # setup Client Side VPN
-make run ENV=dev MODE=apply
+make run MODE=apply [ENV=dev] [PARTITION=aws]
 
 # create target/client.ovpn file needed to connect to VPN
 # mode is either all (default), aka all trafic goes via VPN
-# or private - when only GCP VPC traffic routed via VPN
+# or private - when only VPC traffic routed via VPN
 make get-client-ovpn ENV=dev
 
 # connect to to VPN, press Ctrl+C to disconnect
 # mode is either all (default), aka all trafic goes via VPN
-# or private - when only GCP VPC traffic routed via VPN
+# or private - when only VPC traffic routed via VPN
 make connect-to-vpn
 
 # show Terraform state
 make show-state
-
-# terminates all AWS resource created with apply task
-make destroy
 ```
diff --git a/terraform/aws/aws-client-vpn/stage/eusc.hcl b/terraform/aws/aws-client-vpn/stage/eusc.hcl
@@ -0,0 +1,60 @@
+locals {
+  bucket  = "${local.account}-terraform-state"
+  account = "${run_cmd("--terragrunt-quiet", "aws", "sts", "get-caller-identity", "--query", "\"Account\"", "--output", "text")}"
+  region  = "eusc-de-east-1"
+  zone    = "eusc-de-east-1a"
+}
+
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "state.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    bucket = local.bucket
+    key    = "${basename(abspath("${get_parent_terragrunt_dir()}/.."))}/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/terraform.tfstate"
+    region = local.region
+    # TODO play with it... maybe not in free tier
+    # encrypt        = true
+    # dynamodb_table = "my-lock-table"
+  }
+}
+
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+variable "aws_tags" {
+   type = map
+}
+
+provider "aws" {
+  region  = var.region
+  default_tags {
+    tags = var.aws_tags
+  }
+}
+
+EOF
+}
+
+terraform {
+  extra_arguments "common_vars" {
+    commands = get_terraform_commands_that_need_vars()
+
+    env_vars = {
+      TF_VAR_terraform_state_bucket = local.bucket
+    }
+  }
+}
+
+inputs = {
+  account = local.account
+  region  = local.region
+  zone    = local.zone
+
+  partition = "aws-eusc"
+
+}
diff --git a/terraform/aws/aws-client-vpn/stage/eusc/dev/terragrunt.hcl b/terraform/aws/aws-client-vpn/stage/eusc/dev/terragrunt.hcl
@@ -0,0 +1,52 @@
+# TODO as of now EUSC does not support Client VPN, so this is just a placeholder for when it will be supported.
+#
+# Error: creating EC2 Client VPN Endpoint: operation error EC2: CreateClientVpnEndpoint,
+# https response error StatusCode: 400, RequestID: ...,
+# api error InvalidAction: The action CreateClientVpnEndpoint is not valid for this web service.
+
+locals {
+  pub_ssh = file("~/.ssh/id_rsa.aws.vm.pub")
+  ssh_key = file("~/.ssh/id_rsa.aws.vm")
+  # current_ip = "${run_cmd("--terragrunt-quiet", "dig", "+short", "myip.opendns.com", "@resolver1.opendns.com")}"
+  region = "eusc-de-east-1"
+  zone   = "eusc-de-east-1a"
+}
+
+include "root" {
+  path = find_in_parent_folders("eusc.hcl")
+}
+
+terraform {
+  # https://github.com/gruntwork-io/terragrunt/issues/1675
+  source = "${find_in_parent_folders("module")}///"
+}
+
+
+inputs = {
+  env    = "dev"
+  region = local.region
+  zone   = local.zone
+  # external_access_range                   = "${local.current_ip}/32"
+  security_group_names = ["dev-${local.region}-ssh-http-from-vpc", "dev-${local.region}-http-from-external-access-range"]
+  vpc                  = "dev-${local.region}"
+  # using internal VPC DNS resolver, TODO use Route53 internal endpoints
+  dns_servers = ["10.16.0.2"]
+  # configuration for Linux/Ubuntu to reconfigure client host DNS resolveconf configuration
+  vpn_additional_config = <<EOL
+script-security 2
+up /etc/openvpn/update-resolv-conf
+up-restart
+down /etc/openvpn/update-resolv-conf
+down-pre
+EOL
+  subnet                = "private"
+  zones = ["${local.region}a", "${local.region}b",
+    # TODO eusc does not have 3 AZs yet
+    # "${local.region}c"
+  ]
+  aws_tags = {
+    Env    = "dev"
+    Region = local.region
+  }
+
+}
