Merge pull request #15 from yurymkomarov/master

[IaC] Terraform

Author: dan-v

.circleci/config.yml

@@ -9,4 +9,4 @@ jobs:
       - run: go get -u github.com/go-bindata/go-bindata/...
       - run: make
       - store_artifacts:
-          path: artifacts
+          path: artifacts

.gitignore

@@ -83,6 +83,39 @@ fabric.properties
 # .idea/misc.xml 
 # *.ipr
 
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore backend.tf files with Terraform backend configuration
+backend.tf
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+*tfplan*
+
+.awslambdaproxy
 bindata.go
 .DS_Store
 vendor/

Dockerfile

@@ -10,13 +10,17 @@ COPY --from=build-env /src/artifacts/server/linux/awslambdaproxy /app/
 
 ENV AWS_ACCESS_KEY_ID=
 ENV AWS_SECRET_ACCESS_KEY=
+ENV LAMBDA_NAME=
+ENV LAMBDA_IAM_ROLE_NAME=
 ENV REGIONS=
 ENV FREQUENCY=
 ENV MEMORY=
 ENV SSH_USER=
 ENV SSH_PORT=2222
 ENV LISTENERS=
+ENV DEBUG=
 ENV DEBUG_PROXY=
+ENV BYPASS=
 
 WORKDIR /app
 

Makefile

@@ -90,4 +90,4 @@ docker:
 
 docker-release:
 	docker push vdan/awslambdaproxy:$(VERSION)
-	docker push vdan/awslambdaproxy:latest
+	docker push vdan/awslambdaproxy:latest

README.md

@@ -18,54 +18,58 @@ At a high level, awslambdaproxy proxies TCP/UDP traffic through AWS Lambda regio
 ![](/assets/images/how-it-works.png?raw=true)
 
 ## Installation
+- [Terraform](#terraform)
+- [Manual](#manual)
 
-The easiest way is to download a pre-built binary from the [GitHub Releases](https://github.com/dan-v/awslambdaproxy/releases) page.
+## Terraform
 
-## Usage
+1. Clone repository and go to Terraform component folder:
+```sh
+git clone git@github.com:dan-v/awslambdaproxy.git && cd awslambdaproxy/deployment/terraform
+```
+
+2. Configure your Terrafom backend. Read more about Terraform backend [here](https://www.terraform.io/docs/backends/index.html).
+
+3. Create and fill variable defenitions file ([read more here](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files)) if you don't want to use default variables values.
+
+4. Run those commands to init and apply configuration:
+```sh
+terraform init && terraform apply -auto-approve
+```
+
+It will create all dependent resources and run awslambdaproxy inside Docker container. EC2 instance SSH key can be found in AWS Secret Manager in your [AWS Management Console](https://console.aws.amazon.com/).
 
-1. Copy `awslambdaproxy` binary to a <b>publicly accessible</b> linux host (e.g. EC2 instance, VPS instance, etc). You will need to <b>open the following ports</b> on this host:
+NOTE: Some AWS regions have a big list of IP CIDR blocks and they can overhead default limits of security group ([read more](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups)). Need to make limit increase request through the AWS Support Center by choosing Create Case and then choosing Service Limit Increase to prevent deployment issues.
+
+## Manual
+
+1. Download a pre-built binary from the [GitHub Releases](https://github.com/dan-v/awslambdaproxy/releases) page.
+
+2. Copy `awslambdaproxy` binary to a <b>publicly accessible</b> linux host (e.g. EC2 instance, VPS instance, etc). You will need to <b>open the following ports</b> on this host:
     * <b>Port 22</b> - functions executing in AWS Lambda will open SSH connections back to the host running `awslambdaproxy`, so this port needs to be open to the world. The SSH key used here is dynamically generated at startup and added to the running users authorized_keys file.
     * <b>Port 8080</b> - the default configuration will start a HTTP/SOCKS proxy listener on this port with default user/password authentication. If you don't want to publicly expose the proxy server, one option is to setup your own VPN server (e.g. [dosxvpn](https://github.com/dan-v/dosxvpn) or [algo](https://github.com/trailofbits/algo)), connect to it, and just run awslambdaproxy with the proxy listener only on localhost (-l localhost:8080).
 
-2. Optional, but I'd highly recommend taking a look at the Minimal IAM Policies section below. This will allow you to setup minimal permissions required to setup and run the project. Otherwise, if you don't care about security you can always use an access key with full administrator privileges. 
+3. Optional, but I'd highly recommend taking a look at the Minimal IAM Policies section below. This will allow you to setup minimal permissions required to setup and run the project. Otherwise, if you don't care about security you can always use an access key with full administrator privileges. 
 
-3. `awslambdaproxy` will need access to credentials for AWS in some form. This can be either through exporting environment variables (as shown below), shared credential file, or an IAM role if assigned to the instance you are running it on. See [this](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) for more details.
+4. `awslambdaproxy` will need access to credentials for AWS in some form. This can be either through exporting environment variables (as shown below), shared credential file, or an IAM role if assigned to the instance you are running it on. See [this](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) for more details.
 
     ```sh
     export AWS_ACCESS_KEY_ID=XXXXXXXXXX
     export AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYY
     ```
-4. Run `awslambdaproxy setup`. 
+5. Run `awslambdaproxy setup`. 
 
     ```sh
     ./awslambdaproxy setup
     ```
 
-5. Run `awslambdaproxy run`. 
+6. Run `awslambdaproxy run`. 
 
     ```sh
     ./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2
     ```
 
-6. Configure your web browser (or OS) to use the HTTP/SOCKS5 proxy on the publicly accessible host running `awslambdaproxy` on port 8080.
-
-## Examples
-```
-# execute proxy in four different regions with rotation happening every 60 seconds
-./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2 -f 60s
-
-# choose a different port and username/password for proxy and add another listener on localhost with no auth
-./awslambdaproxy run -l "admin:admin@:8888,localhost:9090"
-
-# bypass certain domains from using lambda proxy
-./awslambdaproxy run -b "*.websocket.org,*.youtube.com"
-
-# specify a dns server for the proxy server to use for dns lookups
-./awslambdaproxy run -l "admin:awslambdaproxy@:8080?dns=1.1.1.1"
-
-# increase function memory size for better network performance
-./awslambdaproxy run -m 512
-```
+7. Configure your web browser (or OS) to use the HTTP/SOCKS5 proxy on the publicly accessible host running `awslambdaproxy` on port 8080.
 
 ## Minimal IAM Policies
 * This assumes you have the AWS CLI setup with an admin user
@@ -100,6 +104,24 @@ aws iam create-access-key --user-name awslambdaproxy-run
 }
 ```
 
+## Examples
+```
+# execute proxy in four different regions with rotation happening every 60 seconds
+./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2 -f 60s
+
+# choose a different port and username/password for proxy and add another listener on localhost with no auth
+./awslambdaproxy run -l "admin:admin@:8888,localhost:9090"
+
+# bypass certain domains from using lambda proxy
+./awslambdaproxy run -b "*.websocket.org,*.youtube.com"
+
+# specify a dns server for the proxy server to use for dns lookups
+./awslambdaproxy run -l "admin:awslambdaproxy@:8080?dns=1.1.1.1"
+
+# increase function memory size for better network performance
+./awslambdaproxy run -m 512
+```
+
 ## FAQ
 1. <b>Should I use awslambdaproxy?</b> That's up to you. Use at your own risk.
 2. <b>Why did you use AWS Lambda for this?</b> The primary reason for using AWS Lambda in this project is the vast pool of IP addresses available that automatically rotate.

cmd/awslambdaproxy/run.go

@@ -13,10 +13,10 @@ import (
 )
 
 var (
-	frequency                                    time.Duration
-	memory                                       int
-	debug, debugProxy                            bool
-	sshUser, sshPort, regions, listeners, bypass string
+	frequency                                                               time.Duration
+	memory                                                                  int
+	debug, debugProxy                                                       bool
+	lambdaName, lambdaIamRole, sshUser, sshPort, regions, listeners, bypass string
 )
 
 // runCmd represents the run command
@@ -50,12 +50,16 @@ var runCmd = &cobra.Command{
 		aFrequency := viper.GetDuration("frequency")
 		aListeners := strings.Split(viper.GetString("listeners"), ",")
 		aBypass := viper.GetString("bypass")
+		aLambdaName := viper.GetString("lambda-name")
+		aLambdaIamRoleName := viper.GetString("lambda-iam-role-name")
 
 		if _, err := server.GetSessionAWS(); err != nil {
 			log.Fatal("unable to find valid aws credentials")
 		}
 
 		s, err := server.New(server.Config{
+			LambdaName:               aLambdaName,
+			LambdaIamRoleName:        aLambdaIamRoleName,
 			LambdaRegions:            aRegions,
 			LambdaMemory:             aMemory,
 			LambdaExecutionFrequency: aFrequency,
@@ -84,6 +88,10 @@ func getCurrentUserName() string {
 func init() {
 	RootCmd.AddCommand(runCmd)
 
+	runCmd.Flags().StringVarP(&lambdaName, "lambda-name", "n", "awslambdaproxy",
+		fmt.Sprintf("name of lambda function"))
+	runCmd.Flags().StringVarP(&lambdaIamRole, "lambda-iam-role-name", "i", "awslambdaproxy-role",
+		fmt.Sprintf("name of lambda function"))
 	runCmd.Flags().StringVarP(&regions, "regions", "r", "us-west-2",
 		fmt.Sprintf("comma separted list of regions to run proxy (e.g. us-west-2,us-west-1,us-east-1). "+
 			"valid regions include %v", server.GetValidLambdaRegions()))
@@ -111,6 +119,8 @@ func init() {
 		"comma separated list of domains/ips to bypass lambda proxy (e.g. *.websocket.org,*.youtube.com). "+
 			"note that when using sock5 proxy mode you'll need to be remotely resolving dns for this to work.")
 
+	viper.BindPFlag("lambda-name", runCmd.Flags().Lookup("lambda-name"))
+	viper.BindPFlag("lambda-iam-role-name", runCmd.Flags().Lookup("lambda-iam-role-name"))
 	viper.BindPFlag("regions", runCmd.Flags().Lookup("regions"))
 	viper.BindPFlag("frequency", runCmd.Flags().Lookup("frequency"))
 	viper.BindPFlag("memory", runCmd.Flags().Lookup("memory"))

cmd/awslambdaproxy/setup.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/dan-v/awslambdaproxy/pkg/server"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 )
 
 // setupCmd represents the setup command
@@ -13,11 +14,14 @@ var setupCmd = &cobra.Command{
 	Short: "setup awslambdaproxy aws infrastructure",
 	Long:  `this will setup all required aws infrastructure to run awslambdaproxy.`,
 	Run: func(cmd *cobra.Command, args []string) {
+
+		aLambdaIamRoleName := viper.GetString("lambda-iam-role-name")
+
 		if _, err := server.GetSessionAWS(); err != nil {
 			log.Fatal("unable to find valid aws credentials")
 		}
 
-		err := server.SetupLambdaInfrastructure()
+		err := server.SetupLambdaInfrastructure(aLambdaIamRoleName)
 		if err != nil {
 			log.Fatal("failed to run setup for awslambdaproxy: ", err)
 		}

deployment/terraform/data.tf

@@ -0,0 +1,117 @@
+data "aws_ami" "this" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm*"]
+  }
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnet_ids" "default" {
+  vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_subnet" "default" {
+  id = element(tolist(data.aws_subnet_ids.default.ids), 0)
+}
+
+data "aws_security_group" "default" {
+  vpc_id = data.aws_vpc.default.id
+
+  filter {
+    name   = "group-name"
+    values = ["default"]
+  }
+}
+
+data "aws_iam_policy_document" "role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      identifiers = ["vpc-flow-logs.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "role_policy_cloudwatch" {
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "profile_sts" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ec2.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "lambda_sts" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["lambda.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "lambda" {
+  statement {
+    effect    = "Allow"
+    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+    resources = ["arn:aws:logs:*:*:*"]
+  }
+}
+
+data "aws_iam_policy_document" "user" {
+  statement {
+    effect    = "Allow"
+    actions   = ["lambda:*"]
+    resources = ["arn:aws:lambda:*:*:function:${var.name}-*"]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["iam:GetRole", "iam:PassRole"]
+    resources = ["arn:aws:iam::*:role/${var.name}-*"]
+  }
+}
+
+data "http" "current_ip" {
+  url = "http://ipv4.icanhazip.com"
+}
+
+data "aws_ip_ranges" "lambda" {
+  for_each = toset(var.lambda_regions)
+
+  regions  = [each.value]
+  services = ["ec2"]
+}