Merge pull request #2 from timoa/develop

Author: timoa

.terraform.lock.hcl

@@ -18,11 +18,13 @@ Terraform project that deploys VSCode Server on Oracle Cloud Infrastructure usin
 - [x] Create the instance on free tier (4 vCPU, 24GB memory)
 - [x] Configure the instance and install VSCode Server with Cloud Init
 - [x] Create automatically the SSH key pair
-- [ ] Mount and format the block volume on `/data` (WIP)
+- [x] Mount and format the block volume on `/data`
+- [x] Restrict SSH and VS Code port access
 - [ ] Encrypt the block volume with a KMS key
 - [ ] Configure backups of the block volume only (WIP)
 - [ ] Configure Cloudflare Zero Trust to secure the instance access
-- [ ] Write the documentation for the manual steps (Oracle Cloud Infrastructure, Cloudflare, etc.)
+- [ ] Write the documentation for the manual steps (Oracle Cloud Infrastructure & Cloudflare accounts, etc.)
+- [ ] Explain how to avoid the "Out of Host capacity" error
 
 [github-badge]: https://github.com/timoa/terraform-oci-vscode-server/workflows/Terraform/badge.svg
 [github-url]: https://github.com/timoa/terraform-oci-vscode-server/actions?query=workflow%3ATerraform

README.md

@@ -4,10 +4,10 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | 2.2.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | 2.2.2 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | 3.1.1 |
 | <a name="requirement_oci"></a> [oci](#requirement\_oci) | 4.72.0 |
-| <a name="requirement_template"></a> [template](#requirement\_template) | 2.2.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | 3.4.0 |
 
 ## Modules
@@ -22,20 +22,22 @@ No modules.
 | [local_file.public_key_openssh](https://registry.terraform.io/providers/hashicorp/local/2.2.2/docs/resources/file) | resource |
 | [null_resource.private_key_chmod](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource |
 | [null_resource.public_key_chmod](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource |
+| [null_resource.remote_exec](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource |
 | [oci_core_default_route_table.default_rt](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_default_route_table) | resource |
 | [oci_core_instance.instance](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_instance) | resource |
 | [oci_core_internet_gateway.igw](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_internet_gateway) | resource |
+| [oci_core_security_list.security_list_ssh](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_security_list) | resource |
+| [oci_core_security_list.security_list_vscode](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_security_list) | resource |
 | [oci_core_subnet.subnet](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_subnet) | resource |
 | [oci_core_vcn.vcn](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_vcn) | resource |
 | [oci_core_volume.volume](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume) | resource |
-| [oci_core_volume_attachment.volume_attach](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume_attachment) | resource |
+| [oci_core_volume_attachment.volume_attachment](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume_attachment) | resource |
 | [oci_core_volume_backup_policy_assignment.policy](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume_backup_policy_assignment) | resource |
 | [tls_private_key.default](https://registry.terraform.io/providers/hashicorp/tls/3.4.0/docs/resources/private_key) | resource |
+| [cloudinit_config.cloudinit](https://registry.terraform.io/providers/hashicorp/cloudinit/2.2.0/docs/data-sources/config) | data source |
 | [oci_core_images.ubuntu_20_04_aarch64](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/core_images) | data source |
 | [oci_core_volume_backup_policies.predefined_volume_backup_policies](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/core_volume_backup_policies) | data source |
-| [oci_identity_availability_domain.ad](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/identity_availability_domain) | data source |
-| [template_cloudinit_config.cloudinit](https://registry.terraform.io/providers/hashicorp/template/2.2.0/docs/data-sources/cloudinit_config) | data source |
-| [template_file.template](https://registry.terraform.io/providers/hashicorp/template/2.2.0/docs/data-sources/file) | data source |
+| [oci_identity_availability_domains.ads](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/identity_availability_domains) | data source |
 
 ## Inputs
 
@@ -49,12 +51,18 @@ No modules.
 | <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | Fingerprint | `string` | `null` | no |
 | <a name="input_private_key"></a> [private\_key](#input\_private\_key) | Private Key content | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default Region | `string` | `"uk-london-1"` | no |
+| <a name="input_allowed_ingress_ssh"></a> [allowed\_ingress\_ssh](#input\_allowed\_ingress\_ssh) | List of IPs allowed to SSH on the instance | `list(string)` | `[]` | no |
+| <a name="input_allowed_egress_ssh"></a> [allowed\_egress\_ssh](#input\_allowed\_egress\_ssh) | List of IPs the instance is allowed to connect | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_allowed_ingress_vscode"></a> [allowed\_ingress\_vscode](#input\_allowed\_ingress\_vscode) | List of IPs allowed to access to VS Code Server | `list(string)` | `[]` | no |
+| <a name="input_allowed_egress_vscode"></a> [allowed\_egress\_vscode](#input\_allowed\_egress\_vscode) | List of IPs the instance is allowed to connect | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_instance_shape"></a> [instance\_shape](#input\_instance\_shape) | Instance Shape | `string` | `"VM.Standard.A1.Flex"` | no |
 | <a name="input_instance_ocpus"></a> [instance\_ocpus](#input\_instance\_ocpus) | Number of OCPUS (CPU cores) | `string` | `4` | no |
 | <a name="input_instance_shape_config_memory_in_gbs"></a> [instance\_shape\_config\_memory\_in\_gbs](#input\_instance\_shape\_config\_memory\_in\_gbs) | Memory in GBs | `string` | `24` | no |
-| <a name="input_block_volume_size"></a> [block\_volume\_size](#input\_block\_volume\_size) | Block Volume size in GBs | `string` | `150` | no |
 | <a name="input_instance_os"></a> [instance\_os](#input\_instance\_os) | Instance OS | `string` | `"Canonical Ubuntu"` | no |
 | <a name="input_instance_os_version"></a> [instance\_os\_version](#input\_instance\_os\_version) | Instance OS Version | `string` | `"20.04"` | no |
+| <a name="input_instance_os_user"></a> [instance\_os\_user](#input\_instance\_os\_user) | Instance User | `string` | `"ubuntu"` | no |
+| <a name="input_block_volume_size"></a> [block\_volume\_size](#input\_block\_volume\_size) | Block Volume size in GBs (/data) | `string` | `100` | no |
+| <a name="input_block_volume_device_name"></a> [block\_volume\_device\_name](#input\_block\_volume\_device\_name) | Block Volume device name (/dev/oracleoci/oraclevdb) | `string` | `"/dev/oracleoci/oraclevdb"` | no |
 | <a name="input_vscode_version"></a> [vscode\_version](#input\_vscode\_version) | VS Code Server Version | `string` | `"4.4.0"` | no |
 | <a name="input_keypair_name"></a> [keypair\_name](#input\_keypair\_name) | Name of the Key Pair (instance or service for ex.) | `string` | `null` | no |
 | <a name="input_keypair_public_key"></a> [keypair\_public\_key](#input\_keypair\_public\_key) | A pregenerated OpenSSH-formatted public key. Changing this creates a new keypair. If a public key is not specified, then a public/private key pair will be automatically generated. If a pair is created, then destroying this resource means you will lose access to that keypair forever. | `string` | `null` | no |

USAGE.md

@@ -1,21 +1,17 @@
-# Update the Cloud Init template
-data "template_file" "template" {
-  template = file("./cloudinit/template.yml")
-
-  vars = {
+locals {
+  cloudinit = templatefile("${path.root}/cloudinit/template.tftpl", {
+    user           = var.instance_os_user
     vscode_version = var.vscode_version
-  }
+  })
 }
 
 # Generate the Cloud Init config file
-data "template_cloudinit_config" "cloudinit" {
-  gzip          = false
-  base64_encode = false
+data "cloudinit_config" "cloudinit" {
 
-  # Configure the instance & Instance VSCode Server
+  # Configure the instance + install VSCode Server
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.template.rendered
+    content      = local.cloudinit
   }
 }

cloudinit.tf

@@ -10,15 +10,10 @@ package_upgrade: true
 # timezone: set the timezone
 timezone: UTC
 
-# Test if Block volume is attached & format it if needed
-bootcmd:
-  - mkdir -p /data
-
 runcmd:
-  - chown opc:opc /data
-  - curl -fOL https://github.com/coder/code-server/releases/download/v${vscode_version}/code-server_${vscode_version}_arm64.deb
-  - dpkg -i code-server_${vscode_version}_arm64.deb
-  - systemctl enable --now code-server@opc
+  - curl -fOL https://github.com/coder/code-server/releases/download/v${vscode_version}/code-server_${vscode_version}_arm64.deb # Download the code-server package
+  - dpkg -i code-server_${vscode_version}_arm64.deb # Install the code-server package
+  - systemctl enable --now code-server@${user}
 
 final_message: "System boot (via cloud-init) is COMPLETE, after $UPTIME seconds. Finished at $TIMESTAMP"
 

cloudinit/template.yml renamed to cloudinit/template.tftpl

@@ -0,0 +1,76 @@
+locals {
+  security_list_ssh    = "${var.namespace}-seclist-ssh-${var.stage}"
+  security_list_vscode = "${var.namespace}-seclist-vscode-${var.stage}"
+}
+
+# Security List | SSH
+resource "oci_core_security_list" "security_list_ssh" {
+
+  # Global
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+  display_name   = local.security_list_ssh
+
+  # Ingress
+  dynamic "ingress_security_rules" {
+    for_each = var.allowed_ingress_ssh
+
+    content {
+      description = "Allow traffic only from the SSH allowed IPs"
+      source      = ingress_security_rules.value
+      protocol    = "6" # TCP
+
+      tcp_options {
+        min = 22 # SSH
+        max = 22 # SSH
+      }
+    }
+  }
+
+  # Egress
+  dynamic "egress_security_rules" {
+    for_each = var.allowed_egress_ssh
+
+    content {
+      description = "Allow all outbound traffic from the SSH allowed IPs"
+      destination = egress_security_rules.value
+      protocol    = "all"
+    }
+  }
+}
+
+# Security List | VSCode
+resource "oci_core_security_list" "security_list_vscode" {
+
+  # Global
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+  display_name   = local.security_list_vscode
+
+  # Ingress
+  dynamic "ingress_security_rules" {
+    for_each = var.allowed_ingress_vscode
+
+    content {
+      description = "Allow traffic only from the VSCode allowed IPs"
+      source      = ingress_security_rules.value
+      protocol    = "6" # TCP
+
+      tcp_options {
+        min = 443 # HTTPS
+        max = 443 # HTTPS
+      }
+    }
+  }
+
+  # Egress
+  dynamic "egress_security_rules" {
+    for_each = var.allowed_egress_vscode
+
+    content {
+      description = "Allow all outbound traffic from the VSCode allowed IPs"
+      destination = egress_security_rules.value
+      protocol    = "all"
+    }
+  }
+}

firewall.tf

@@ -26,7 +26,7 @@ resource "oci_core_instance" "instance" {
 
   # Global
   compartment_id      = var.compartment_ocid
-  availability_domain = data.oci_identity_availability_domain.ad.name
+  availability_domain = local.availability_domain
   display_name        = local.instance_name
 
   # Instance
@@ -54,7 +54,9 @@ resource "oci_core_instance" "instance" {
 
   # Launch Options
   launch_options {
-    is_pv_encryption_in_transit_enabled = true
+    #checkov:skip=CKV_OCI_4: Can't apply encryption in transit on preemptible instances
+    # is_pv_encryption_in_transit_enabled = true
+    network_type = "PARAVIRTUALIZED"
   }
 
   # Instance Options
@@ -64,7 +66,7 @@ resource "oci_core_instance" "instance" {
 
   metadata = {
     ssh_authorized_keys = tls_private_key.default[0].public_key_openssh
-    user_data           = base64encode(data.template_cloudinit_config.cloudinit.rendered)
+    user_data           = data.cloudinit_config.cloudinit.rendered
   }
 
   preemptible_instance_config {
@@ -81,37 +83,3 @@ resource "oci_core_instance" "instance" {
   # Labels
   freeform_tags = local.common_labels
 }
-
-# Block Volume
-resource "oci_core_volume" "volume" {
-
-  #checkov:skip=CKV_OCI_2: The 'backup_policy_id' field has been deprecated.
-
-  # Global
-  compartment_id      = var.compartment_ocid
-  availability_domain = data.oci_identity_availability_domain.ad.name
-  display_name        = local.block_volume_name
-
-  # Volume
-  size_in_gbs = var.block_volume_size
-
-  # Encryption
-  #checkov:skip=CKV_OCI_3: Volume Encryption with KMS will come in the next release
-
-  # Labels
-  freeform_tags = local.common_labels
-}
-
-# Volume attachment
-resource "oci_core_volume_attachment" "volume_attach" {
-
-  # Global
-  attachment_type = "iscsi"
-  instance_id     = oci_core_instance.instance.id
-  volume_id       = oci_core_volume.volume.id
-  device          = "/dev/oracleoci/oraclevdb"
-
-  # Set this to enable CHAP authentication for an ISCSI volume attachment. The oci_core_volume_attachment resource will
-  # contain the CHAP authentication details via the "chap_secret" and "chap_username" attributes.
-  use_chap = true
-}

instance.tf

@@ -0,0 +1,72 @@
+# Create the Block Volume
+resource "oci_core_volume" "volume" {
+
+  #checkov:skip=CKV_OCI_2: The 'backup_policy_id' field has been deprecated.
+
+  # Global
+  compartment_id      = var.compartment_ocid
+  availability_domain = local.availability_domain
+  display_name        = local.block_volume_name
+
+  # Volume
+  size_in_gbs = var.block_volume_size
+
+  # Encryption
+  #checkov:skip=CKV_OCI_3: Volume Encryption with KMS will come in the next release
+  # is_pv_encryption_in_transit_enabled = true
+
+  # Labels
+  freeform_tags = local.common_labels
+}
+
+# Volume attachment
+resource "oci_core_volume_attachment" "volume_attachment" {
+
+  # Global
+  attachment_type = "iscsi"
+  instance_id     = oci_core_instance.instance.id
+  volume_id       = oci_core_volume.volume.id
+  device          = var.block_volume_device_name
+
+  # Security
+  use_chap = true
+}
+
+# Mount the Block Volume
+resource "null_resource" "remote_exec" {
+  depends_on = [
+    oci_core_instance.instance,
+    oci_core_volume_attachment.volume_attachment,
+  ]
+
+  triggers = {
+    volume_attachment_id = oci_core_volume_attachment.volume_attachment.id # Trigger on volume attachment changes
+  }
+
+  provisioner "remote-exec" {
+    connection {
+      agent       = false
+      timeout     = "30m"
+      host        = oci_core_instance.instance.public_ip
+      user        = var.instance_os_user
+      private_key = tls_private_key.default[0].private_key_openssh
+    }
+
+    inline = [
+      "sudo mkdir -p /data",
+      "sudo chown ${var.instance_os_user}:${var.instance_os_user} /data", # Add user permission to /data
+      "sudo iscsiadm -m node -o new -T ${oci_core_volume_attachment.volume_attachment.iqn} -p ${oci_core_volume_attachment.volume_attachment.ipv4}:${oci_core_volume_attachment.volume_attachment.port}",
+      "sudo iscsiadm -m node -o update -T ${oci_core_volume_attachment.volume_attachment.iqn} -n node.startup -v automatic",
+      "sudo iscsiadm -m node -T ${oci_core_volume_attachment.volume_attachment.iqn} -p ${oci_core_volume_attachment.volume_attachment.ipv4}:${oci_core_volume_attachment.volume_attachment.port} -o update -n node.session.auth.authmethod -v CHAP",
+      "sudo iscsiadm -m node -T ${oci_core_volume_attachment.volume_attachment.iqn} -p ${oci_core_volume_attachment.volume_attachment.ipv4}:${oci_core_volume_attachment.volume_attachment.port} -o update -n node.session.auth.username -v ${oci_core_volume_attachment.volume_attachment.chap_username}",
+      "sudo iscsiadm -m node -T ${oci_core_volume_attachment.volume_attachment.iqn} -p ${oci_core_volume_attachment.volume_attachment.ipv4}:${oci_core_volume_attachment.volume_attachment.port} -o update -n node.session.auth.password -v ${oci_core_volume_attachment.volume_attachment.chap_secret}",
+      "sudo iscsiadm -m node -T ${oci_core_volume_attachment.volume_attachment.iqn} -p ${oci_core_volume_attachment.volume_attachment.ipv4}:${oci_core_volume_attachment.volume_attachment.port} -l",
+      "sleep 5",                                                                                                                            # Wait for the volume to be mounted
+      "sudo blkid $(readlink -f ${var.block_volume_device_name}) || sudo mkfs -t ext4 $(readlink -f ${var.block_volume_device_name})",      # Format the volume if needed
+      "sudo e2label $(readlink -f ${var.block_volume_device_name}) instance-data",                                                          # Set the label
+      "sudo sed  -i -e '/^[\\/][^ \t]*[ \t]*\\/data[ \t]/d' /etc/fstab",                                                                    # Remove the old entry
+      "sudo grep -q ^LABEL=instance-data /etc/fstab || echo 'LABEL=instance-data /data ext4 defaults' | sudo tee -a /etc/fstab >/dev/null", # Add the new entry
+      "sudo grep -q \"^$(readlink -f ${var.block_volume_device_name}) /data \" /proc/mounts || sudo mount /data",                           # Mount the volume
+    ]
+  }
+}