Refactoring VPN to use AWS private certificate authority #1522
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| } | ||
| } | ||
|
|
||
| resource "aws_acmpca_certificate_authority_certificate" "client_vpn" { |
There was a problem hiding this comment.
The resource aws_acmpca_certificate_authority_certificate is not necessary. The aws_acm_certificate resource already handles the certificate issuance and management. Consider removing this resource to avoid redundancy.
There was a problem hiding this comment.
Not according to all documentation!
| private_key = tls_private_key.client_vpn.private_key_pem | ||
| certificate_body = tls_self_signed_cert.client_vpn.cert_pem | ||
| resource "aws_acmpca_certificate" "client_vpn" { | ||
| certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn |
There was a problem hiding this comment.
The aws_acmpca_certificate resource is redundant. The aws_acm_certificate resource should be sufficient for managing the certificate. Consider removing this resource to simplify the configuration.
| lifecycle { | ||
| create_before_destroy = true | ||
| resource "aws_acmpca_certificate_authority" "client_vpn" { | ||
| type = "ROOT" |
There was a problem hiding this comment.
The aws_acmpca_certificate_authority resource should have a permanent_deletion_time_in_days attribute to specify the retention period before permanent deletion. Consider adding this attribute for better resource management.
P0NDER0SA
approved these changes
Sep 10, 2024
| @@ -51,45 +51,53 @@ module "gha_vpn" { | |||
| billing_tag_value = "notification-canada-ca-${var.env}" | |||
| } | |||
|
|
|||
| resource "aws_acm_certificate" "client_vpn" { | |||
| certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn | |||
There was a problem hiding this comment.
The alignment of the equal signs for the certificate_authority_arn and domain_name properties is inconsistent. Please ensure proper alignment for better readability.
Staging: eks✅ Terraform Init: Plan: 4 to add, 3 to change, 3 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
+/- create replacement and then destroy
Terraform will perform the following actions:
# aws_acm_certificate.client_vpn must be replaced
+/- resource "aws_acm_certificate" "client_vpn" {
~ arn = "arn:aws:acm:ca-central-1:239043911459:certificate/4a2d1268-b54e-4643-9fac-cc6a241d963b" -> (known after apply)
+ certificate_authority_arn = (known after apply) # forces replacement
- certificate_body = <<-EOT
-----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIRAPNJVVYqgxJFRPxWO/PRza0wDQYJKoZIhvcNAQELBQAw
LTErMCkGA1UEAxMidnBuLnN0YWdpbmcubm90aWZpY2F0aW9uLmNhbmFkYS5jYTAe
Fw0yNDAxMTAxNDE1NTZaFw0yOTAxMDgxNDE1NTZaMC0xKzApBgNVBAMTInZwbi5z
dGFnaW5nLm5vdGlmaWNhdGlvbi5jYW5hZGEuY2EwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDR9rB9AqpWHh5qc8gLYzi5wqLqANfSsvF+ldYMqm4pj01U
1XDgq9yZXLmJTY/U4bJ8bPyg5GOtsK78YlpgvGlQ44pGDIV+1zKhQ7KwiBun2uPm
pTDYba9N/4l5jmk51ZZHzDJKwJAUz5N4fNTOt8OlQd4keTPzbScOtJzCp6JRiIr0
0ZZHcmBXVIRaQUjEwl+lUxkIK6Pvsq6COxhAsNf9LhXoN3pSbfwm5+kGsKfSnytx
WNLYVzXhJGAZlOgmpGDKGjdIfpf1mH8UnANINn9BUKgSMZ2gjqbdcBL219jH5raY
iy4AnzGQmvpd3QyS6jobSNafsaJoCwyVl2BenTt5AgMBAAGjTzBNMA4GA1UdDwEB
/wQEAwICpDAtBgNVHSUEJjAkBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMG
BgRVHSUAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAFbZAlivYFin
FzcrTHX9G7GXzNqXQdoI4iOAsAtYrxnZh/oLUnl7fhuAsph1C74ZBRoNiVNfjpWO
/jQcvg4MPHus2H9Of/oz2HwL0frXQ24Rh1RUnH201qS4LOPhCoA2dHrPsrplDV7H
Z5gjyGnxsRxTIaWb9Pv/VYnnZd88TWj5Ds3cH1vInv8Y4nq8d5CY7xR1txGyASf5
lpDm+JfugwDRPlJQEJ9ST2xIAAP+GCOJk+59PefylI2dH3EGwgRh7831Bsine64l
blDP2vMM4oA+ocAR422QE2xv22NpZDss1ZJmEunm946Jw/YpKihXFunID4r4sdWg
TFrv5DzvP7w=
-----END CERTIFICATE-----
EOT -> null
~ domain_name = "vpn.staging.notification.canada.ca" -> "staging.notification.canada.ca" # forces replacement
~ domain_validation_options = [] -> (known after apply)
~ id = "arn:aws:acm:ca-central-1:239043911459:certificate/4a2d1268-b54e-4643-9fac-cc6a241d963b" -> (known after apply)
~ key_algorithm = "RSA_2048" -> (known after apply)
~ not_after = "2029-01-08T14:15:56Z" -> (known after apply)
~ not_before = "2024-01-10T14:15:56Z" -> (known after apply)
~ pending_renewal = false -> (known after apply)
- private_key = (sensitive value) -> null
~ renewal_eligibility = "INELIGIBLE" -> (known after apply)
~ renewal_summary = [] -> (known after apply)
~ status = "ISSUED" -> (known after apply)
~ subject_alternative_names = [ # forces replacement
- "vpn.staging.notification.canada.ca",
+ "staging.notification.canada.ca",
]
~ tags = {
- "CostCenter" = "notification-canada-ca-staging" -> null
+ "Environment" = "staging"
- "Name" = "notification-canada-ca" -> null
}
~ tags_all = {
- "CostCenter" = "notification-canada-ca-staging" -> null
+ "Environment" = "staging"
- "Name" = "notification-canada-ca" -> null
}
~ type = "IMPORTED" -> (known after apply)
~ validation_emails = [] -> (known after apply)
~ validation_method = "NONE" -> (known after apply)
- options {
- certificate_transparency_logging_preference = "DISABLED" -> null
}
}
# aws_acmpca_certificate.client_vpn will be created
+ resource "aws_acmpca_certificate" "client_vpn" {
+ arn = (known after apply)
+ certificate = (known after apply)
+ certificate_authority_arn = (known after apply)
+ certificate_chain = (known after apply)
+ certificate_signing_request = (known after apply)
+ id = (known after apply)
+ signing_algorithm = "SHA512WITHRSA"
+ template_arn = "arn:aws:acm-pca:::template/RootCACertificate/V1"
+ validity {
+ type = "YEARS"
+ value = "5"
}
}
# aws_acmpca_certificate_authority.client_vpn will be created
+ resource "aws_acmpca_certificate_authority" "client_vpn" {
+ arn = (known after apply)
+ certificate = (known after apply)
+ certificate_chain = (known after apply)
+ certificate_signing_request = (known after apply)
+ enabled = true
+ id = (known after apply)
+ key_storage_security_standard = (known after apply)
+ not_after = (known after apply)
+ not_before = (known after apply)
+ permanent_deletion_time_in_days = 7
+ serial = (known after apply)
+ tags_all = (known after apply)
+ type = "ROOT"
+ usage_mode = (known after apply)
+ certificate_authority_configuration {
+ key_algorithm = "RSA_4096"
+ signing_algorithm = "SHA512WITHRSA"
+ subject {
+ common_name = "notification.canada.ca"
}
}
}
# aws_acmpca_certificate_authority_certificate.client_vpn will be created
+ resource "aws_acmpca_certificate_authority_certificate" "client_vpn" {
+ certificate = (known after apply)
+ certificate_authority_arn = (known after apply)
+ certificate_chain = (known after apply)
+ id = (known after apply)
}
# aws_cloudwatch_metric_alarm.service-callback-too-many-failures-warning[0] will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "service-callback-too-many-failures-warning" {
~ alarm_actions = [
- "arn:aws:sns:ca-central-1:239043911459:alert-critical",
+ "arn:aws:sns:ca-central-1:239043911459:alert-warning",
]
~ alarm_description = "Service reached the max number of callback retries 100 times in 10 minutes" -> "Service reached the max number of callback retries 25 times in 5 minutes"
id = "service-callback-too-many-failures-warning"
~ period = 600 -> 300
tags = {}
~ threshold = 100 -> 25
# (14 unchanged attributes hidden)
}
# tls_private_key.client_vpn will be destroyed
# (because tls_private_key.client_vpn is not in configuration)
- resource "tls_private_key" "client_vpn" {
- algorithm = "RSA" -> null
- ecdsa_curve = "P224" -> null
- id = "38efaed91d8861d9881ea9199f77a26dc796fa96" -> null
- private_key_openssh = (sensitive value) -> null
- private_key_pem = (sensitive value) -> null
- private_key_pem_pkcs8 = (sensitive value) -> null
- public_key_fingerprint_md5 = "0c:93:bf:d6:23:e6:15:43:ae:d8:72:26:6a:7b:92:91" -> null
- public_key_fingerprint_sha256 = "SHA256:oV0t0wNoWdcCWBJBsOMYlZ+yGyTF1Zw+hZLgQou6Fto" -> null
- public_key_openssh = <<-EOT
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR9rB9AqpWHh5qc8gLYzi5wqLqANfSsvF+ldYMqm4pj01U1XDgq9yZXLmJTY/U4bJ8bPyg5GOtsK78YlpgvGlQ44pGDIV+1zKhQ7KwiBun2uPmpTDYba9N/4l5jmk51ZZHzDJKwJAUz5N4fNTOt8OlQd4keTPzbScOtJzCp6JRiIr00ZZHcmBXVIRaQUjEwl+lUxkIK6Pvsq6COxhAsNf9LhXoN3pSbfwm5+kGsKfSnytxWNLYVzXhJGAZlOgmpGDKGjdIfpf1mH8UnANINn9BUKgSMZ2gjqbdcBL219jH5raYiy4AnzGQmvpd3QyS6jobSNafsaJoCwyVl2BenTt5
EOT -> null
- public_key_pem = <<-EOT
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0fawfQKqVh4eanPIC2M4
ucKi6gDX0rLxfpXWDKpuKY9NVNVw4KvcmVy5iU2P1OGyfGz8oORjrbCu/GJaYLxp
UOOKRgyFftcyoUOysIgbp9rj5qUw2G2vTf+JeY5pOdWWR8wySsCQFM+TeHzUzrfD
pUHeJHkz820nDrScwqeiUYiK9NGWR3JgV1SEWkFIxMJfpVMZCCuj77KugjsYQLDX
/S4V6Dd6Um38JufpBrCn0p8rcVjS2Fc14SRgGZToJqRgyho3SH6X9Zh/FJwDSDZ/
QVCoEjGdoI6m3XAS9tfYx+a2mIsuAJ8xkJr6Xd0Mkuo6G0jWn7GiaAsMlZdgXp07
eQIDAQAB
-----END PUBLIC KEY-----
EOT -> null
- rsa_bits = 2048 -> null
}
# tls_self_signed_cert.client_vpn will be destroyed
# (because tls_self_signed_cert.client_vpn is not in configuration)
- resource "tls_self_signed_cert" "client_vpn" {
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "server_auth",
- "ipsec_end_system",
- "ipsec_tunnel",
- "any_extended",
- "cert_signing",
] -> null
- cert_pem = <<-EOT
-----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIRAPNJVVYqgxJFRPxWO/PRza0wDQYJKoZIhvcNAQELBQAw
LTErMCkGA1UEAxMidnBuLnN0YWdpbmcubm90aWZpY2F0aW9uLmNhbmFkYS5jYTAe
Fw0yNDAxMTAxNDE1NTZaFw0yOTAxMDgxNDE1NTZaMC0xKzApBgNVBAMTInZwbi5z
dGFnaW5nLm5vdGlmaWNhdGlvbi5jYW5hZGEuY2EwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDR9rB9AqpWHh5qc8gLYzi5wqLqANfSsvF+ldYMqm4pj01U
1XDgq9yZXLmJTY/U4bJ8bPyg5GOtsK78YlpgvGlQ44pGDIV+1zKhQ7KwiBun2uPm
pTDYba9N/4l5jmk51ZZHzDJKwJAUz5N4fNTOt8OlQd4keTPzbScOtJzCp6JRiIr0
0ZZHcmBXVIRaQUjEwl+lUxkIK6Pvsq6COxhAsNf9LhXoN3pSbfwm5+kGsKfSnytx
WNLYVzXhJGAZlOgmpGDKGjdIfpf1mH8UnANINn9BUKgSMZ2gjqbdcBL219jH5raY
iy4AnzGQmvpd3QyS6jobSNafsaJoCwyVl2BenTt5AgMBAAGjTzBNMA4GA1UdDwEB
/wQEAwICpDAtBgNVHSUEJjAkBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMG
BgRVHSUAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAFbZAlivYFin
FzcrTHX9G7GXzNqXQdoI4iOAsAtYrxnZh/oLUnl7fhuAsph1C74ZBRoNiVNfjpWO
/jQcvg4MPHus2H9Of/oz2HwL0frXQ24Rh1RUnH201qS4LOPhCoA2dHrPsrplDV7H
Z5gjyGnxsRxTIaWb9Pv/VYnnZd88TWj5Ds3cH1vInv8Y4nq8d5CY7xR1txGyASf5
lpDm+JfugwDRPlJQEJ9ST2xIAAP+GCOJk+59PefylI2dH3EGwgRh7831Bsine64l
blDP2vMM4oA+ocAR422QE2xv22NpZDss1ZJmEunm946Jw/YpKihXFunID4r4sdWg
TFrv5DzvP7w=
-----END CERTIFICATE-----
EOT -> null
- early_renewal_hours = 672 -> null
- id = "323383171478002712126485895393399917997" -> null
- is_ca_certificate = false -> null
- key_algorithm = "RSA" -> null
- private_key_pem = (sensitive value) -> null
- ready_for_renewal = false -> null
- set_authority_key_id = false -> null
- set_subject_key_id = false -> null
- validity_end_time = "2029-01-08T14:15:56.516415877Z" -> null
- validity_period_hours = 43800 -> null
- validity_start_time = "2024-01-10T14:15:56.516415877Z" -> null
- subject {
- common_name = "vpn.staging.notification.canada.ca" -> null
}
}
# module.gha_vpn.aws_ec2_client_vpn_endpoint.this will be updated in-place
~ resource "aws_ec2_client_vpn_endpoint" "this" {
id = "cvpn-endpoint-00372575183626903"
~ server_certificate_arn = "arn:aws:acm:ca-central-1:239043911459:certificate/4a2d1268-b54e-4643-9fac-cc6a241d963b" -> (known after apply)
tags = {
"CostCentre" = "notification-canada-ca-staging"
"Source" = "cds-snc/terraform-modules/client_vpn"
"Terraform" = "true"
}
# (13 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# module.vpn.aws_ec2_client_vpn_endpoint.this will be updated in-place
~ resource "aws_ec2_client_vpn_endpoint" "this" {
id = "cvpn-endpoint-09a79e8845a82dbf3"
~ server_certificate_arn = "arn:aws:acm:ca-central-1:239043911459:certificate/4a2d1268-b54e-4643-9fac-cc6a241d963b" -> (known after apply)
tags = {
"CostCentre" = "notification-canada-ca-staging"
"Source" = "cds-snc/terraform-modules/client_vpn"
"Terraform" = "true"
}
# (13 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
Plan: 4 to add, 3 to change, 3 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.celery-error[0]"]
WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.scanfiles-timeout[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.client_vpn"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.notification-canada-ca-alt[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_acmpca_certificate_authority.client_vpn"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener.internal_alb_tls"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.internal_nginx_http"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-admin"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-document"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-document-api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-documentation"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-application-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-cluster-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-prometheus-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.admin-evicted-pods[0]"]
WARN - plan.json - main - Missing Common... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary | Résumé
AWS is making changes to the VPN configuration that requires us to regenerate the VPN certificates using a private certificate authority instead of a self signed one. This will apply those changes.
NOTE:
We will have to redownload the VPN config once these changes are done.
In addition to redownloading the SAML provided VPN, we will also have to update the following secrets in 1Password:
Staging Github Actions VPN
Production Github Actions VPN
Related Issues | Cartes liées
Test instructions | Instructions pour tester la modification
TF Apply works
Connect to AWS VPN in staging and prod
Release Instructions | Instructions pour le déploiement
None.
Reviewer checklist | Liste de vérification du réviseur