wireguard-manager icon indicating copy to clipboard operation
wireguard-manager copied to clipboard
verified publisher icon complexorganizations

Add Terraform Module to Deploy WireGuard VPN with Cloud Provider Selection and Key Configuration

Open Strong-Foundation opened this issue 1 year ago • 0 comments

Certainly! Here's a more detailed and comprehensive version of the GitHub issue, including more technical details, context, and expanded explanations for each section:

Feature Request: Add Terraform Module to Deploy WireGuard VPN with Cloud Provider Selection and Key Configuration

Description:

We would like to enhance the existing Terraform module for WireGuard VPN deployment by allowing users to choose between different cloud providers (AWS, GCP, and Azure) and pass in their WireGuard private and public keys as input. This would automate the deployment of WireGuard VPN servers to the selected cloud platform, making it easier for users to provision, configure, and manage WireGuard VPNs across various cloud environments using Terraform.

Currently, users may need to manually configure VPN servers or use ad-hoc methods to configure WireGuard across cloud providers. By providing a Terraform-based solution, we can simplify the process, enabling reproducible and automated deployments.

Goals:

  • Enable users to select their cloud provider (AWS, GCP, Azure) using boolean flags.
  • Allow users to pass in their WireGuard private_key and public_key for server configuration.
  • Automatically deploy a .sh script to configure WireGuard with the provided keys.
  • Handle cloud-specific provisioning such as VM creation, firewall rules, and network configuration.

Features and Requirements:

  1. Cloud Provider Selection:

    • Users should be able to specify the target cloud provider using boolean flags (aws, gcp, azure). The selected cloud provider's infrastructure (e.g., EC2 for AWS, Compute Engine for GCP, and Azure VM for Azure) will be created and configured automatically.

  2. WireGuard Key Configuration:

    • Users must provide the WireGuard private_key and public_key as input variables.
    • The private and public keys will be passed into the .sh installation script, which will configure the WireGuard server with the provided keys.

  3. Automatic Script Deployment:

    • The module should deploy a custom .sh script to the selected cloud provider's instance to install and configure WireGuard. This script should configure the VPN interface, set up peer configurations, and ensure firewall rules are applied for UDP 51820.

  4. Conditional Cloud Provider Support:

    • The Terraform configuration should use the provided aws, gcp, and azure flags to determine which cloud provider's resources should be provisioned.

  5. Security:

    • Ensure that sensitive information like keys is handled securely, including using Terraform's sensitive = true flag for key variables.

  6. Cross-cloud Compatibility:

    • The module should be flexible and allow for future expansion to support additional cloud providers if needed.

Proposed Implementation:

  1. Cloud Provider Flags:

    • Use boolean flags (aws, gcp, azure) for selecting the target cloud provider.
    • Based on the selected provider, the Terraform configuration should conditionally create resources for that provider.

  2. WireGuard Key Inputs:

    • Users will provide their WireGuard private_key and public_key as input variables for Terraform. These keys will be passed into the .sh script deployed to the cloud instances.

  3. Cloud-Specific Resource Blocks:

    • Use count and conditional logic (count = var.aws ? 1 : 0) to ensure that only the selected cloud provider's resources are created.

  4. Script Deployment:

    • The .sh script will be uploaded and executed as part of the instance's startup process. This script will install WireGuard and configure it using the provided keys and other variables.

  5. Terraform Example Usage:

variable "aws" {
  description = "Set to true to deploy to AWS."
  type        = bool
  default     = true
}

variable "gcp" {
  description = "Set to true to deploy to GCP."
  type        = bool
  default     = false
}

variable "azure" {
  description = "Set to true to deploy to Azure."
  type        = bool
  default     = false
}

variable "private_key" {
  description = "WireGuard private key for the server."
  type        = string
}

variable "public_key" {
  description = "WireGuard public key for the server."
  type        = string
}

resource "aws_instance" "wireguard_vpn" {
  count         = var.aws ? 1 : 0
  ami           = "ami-xxxxxxxxxxxxx"
  instance_type = "t2.micro"

  user_data = templatefile("wireguard-install.sh", {
    private_key = var.private_key
    public_key  = var.public_key
  })

  tags = {
    Name = "WireGuard VPN Server"
  }
}

resource "google_compute_instance" "wireguard_vpn" {
  count         = var.gcp ? 1 : 0
  name          = "wireguard-vpn-server"
  machine_type  = "f1-micro"
  zone          = "us-central1-a"
  image         = "projects/debian-cloud/global/images/debian-10-buster-v20210916"

  metadata_startup_script = templatefile("wireguard-install.sh", {
    private_key = var.private_key
    public_key  = var.public_key
  })

  tags = ["wireguard-vpn"]
}

resource "azurerm_linux_virtual_machine" "wireguard_vpn" {
  count                = var.azure ? 1 : 0
  name                 = "wireguard-vpn-server"
  resource_group_name  = "my-resource-group"
  location             = "East US"
  size                 = "Standard_B1ls"
  admin_username       = "adminuser"
  admin_password       = "Password1234!"

  network_interface_ids = [azurerm_network_interface.wireguard_vpn.id]

  custom_data = templatefile("wireguard-install.sh", {
    private_key = var.private_key
    public_key  = var.public_key
  })
}

resource "azurerm_network_interface" "wireguard_vpn" {
  count                = var.azure ? 1 : 0
  name                 = "wireguard-vpn-nic"
  location             = "East US"
  resource_group_name  = "my-resource-group"
  ip_configuration {
    name                                   = "internal"
    subnet_id                              = azurerm_subnet.main.id
    private_ip_address_allocation          = "Dynamic"
  }
}

Key Implementation Details:

  • user_data and metadata_startup_script: The templatefile function is used to pass the private_key and public_key as arguments to the .sh script. This ensures that the script can dynamically configure the WireGuard server based on the keys provided by the user.

  • Conditional Resource Creation (count): The count parameter is used to conditionally create the resources based on the selected cloud provider flag (aws, gcp, azure). Only the resources for the selected cloud provider will be created, avoiding unnecessary infrastructure provisioning.

  • Script Logic: The .sh script should:

    • Install WireGuard on the selected cloud instance.
    • Configure the VPN server using the passed private_key and public_key.
    • Configure firewall rules to allow UDP traffic on port 51820 for WireGuard.
    • Optionally, set up automatic start for the WireGuard service on boot.

  • Security: Ensure that sensitive data such as the private_key is handled securely. You can mark these variables as sensitive in Terraform (sensitive = true) to prevent their display in output logs.

Why This Feature?

  • Simplified Cross-Cloud Deployment: Terraform already provides a unified approach to managing infrastructure. By adding support for WireGuard VPN deployment across multiple cloud providers, this feature allows users to easily deploy a consistent VPN service regardless of the underlying cloud infrastructure.

  • Security and Key Management: Providing users the ability to specify their own WireGuard keys ensures that they maintain control over their VPN security. This approach also allows for easier integration into existing workflows where keys are managed securely (e.g., using Vault, encrypted files, etc.).

  • Reproducibility and Automation: With the ability to specify cloud providers and configuration settings, this module will enable organizations to easily reproduce WireGuard VPN setups in different environments or regions without manual intervention.

Additional Considerations:

  • Cross-Cloud Compatibility: The script must be tested on all three cloud platforms to ensure that the WireGuard configuration works as expected. Minor adjustments may be needed for platform-specific networking or VM configuration.
  • Firewall Rules: Each cloud provider will need firewall rules or security groups to ensure proper VPN traffic is allowed. These rules should be added as part of the Terraform provisioning process.

Next Steps:

  • Implementation: Once this request is accepted, the module can be implemented with the outlined features. The .sh script should also be developed to handle key configuration and installation tasks for WireGuard.
  • Testing: The module should be tested for all supported cloud providers to ensure proper deployment and WireGuard configuration.

Let me know if you'd like further details or modifications to the request! This version is now much more comprehensive and should clearly convey the full scope of the feature request.

Strong-Foundation avatar Dec 25 '24 17:12 Strong-Foundation