Add support for CloudHSM codesigning machine
hellais committed Apr 23, 2024
1 parent 2d1a8c6 commit 8bd74da
Showing 7 changed files with 141 additions and 3 deletions.
13 changes: 13 additions & 0 deletions tf/environments/prod/main.tf
Expand Up @@ -122,6 +122,8 @@ module "network" {

aws_availability_zones_available = data.aws_availability_zones.available

enable_codesign_network = true

depends_on = [module.adm_iam_roles]
}

Expand Down Expand Up @@ -563,3 +565,14 @@ module "oonith_oohelperd" {
{ Name = "ooni-tier0-oohelperd" }
)
}

## Code signing setup

module "codesigning" {
source = "../../modules/cloudhsm"

vpc_id = module.network.vpc_id
subnet_id = module.network.vpc_subnet_cloudhsm[0].id
subnet_cidr_block = module.network.vpc_subnet_cloudhsm[0].cidr_block
key_name = module.adm_iam_roles.oonidevops_key_name
}
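--- a/tf/modules/cloudhsm/main.tf
+++ b/tf/modules/cloudhsm/main.tf
@@ -0,0 +1,64 @@
+resource "aws_cloudhsm_v2_cluster" "hsm" {
+hsm_type = "hsm1.medium"
+subnet_ids = [var.subnet_id]
+
+tags = var.tags
+}
+
+resource "aws_security_group" "hsm" {
+vpc_id = var.vpc_id
+
+ingress {
+from_port = 22
+to_port = 22
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+ingress {
+from_port = 2223 # Port for CloudHSM
+to_port = 2225
+protocol = "tcp"
+cidr_blocks = [var.subnet_cidr_block]
+}
+
+egress {
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+}
+
+data "aws_ami" "amazon_linux" {
+most_recent = true
+
+filter {
+name = "name"
+values = ["debian-12-amd64-*"]
+}
+
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+
+owners = ["136693071363"] # Debian's official AWS account ID
+}
+
+resource "aws_instance" "codesign_box" {
+ami = data.aws_ami.amazon_linux.id
+
+instance_type = "t3.micro"
+subnet_id = var.subnet_id
+security_groups = [aws_security_group.hsm.name]
+
+user_data = <<-EOF
+#!/bin/bash
+sudo yum update -y
+sudo yum install -y amazon-cloudhsm-cli
+sudo amazon-linux-extras install -y epel
+sudo yum install -y openssl
+sudo yum install -y engine_pkcs11 opensc
+EOF
+}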
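Review bot: The first `ingress` block of `aws_security_group.hsm` opens 22/tcp to `0.0.0.0/0` on the host that is meant to drive the code-signing HSM; scope it to the operator or bastion range, e.g. `cidr_blocks = [var.ssh_allowed_cidr]` (new variable, placeholder name), or drop the rule entirely and reach the box through Session Manager. `aws_instance.codesign_box` also uses `security_groups = [aws_security_group.hsm.name]`, which for an instance placed in a VPC subnet should be `vpc_security_group_ids = [aws_security_group.hsm.id]`, and it never sets `key_name`, so the `var.key_name` that `module "codesigning"` passes in is silently unused. The `user_data` script runs `yum` and `amazon-linux-extras`, but `data.aws_ami.amazon_linux` filters on `debian-12-amd64-*` owned by the Debian account, so none of those commands exist on the image that will actually boot; either the AMI filter or the bootstrap script has to change, and naming the data source after the distribution it selects would avoid the mismatch going unnoticed again. Consider also requiring IMDSv2 on this instance, since any credentials later attached to it would otherwise be readable through token-less metadata requests. Rewritten resource below.

```hcl
resource "aws_instance" "codesign_box" {
  ami                    = data.aws_ami.amazon_linux.id
  instance_type          = "t3.micro"
  subnet_id              = var.subnet_id
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.hsm.id]

  # Require IMDSv2 (session-token metadata access) on the signing host.
  metadata_options {
    http_tokens = "required"
  }

  # … unchanged: user_data — must be rewritten for the Debian 12 AMI selected above (apt, not yum/amazon-linux-extras)
}
```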
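--- a/tf/modules/cloudhsm/outputs.tf
+++ b/tf/modules/cloudhsm/outputs.tf
@@ -0,0 +1,3 @@
+output "cloudhsm_cluster_id" {
+value = aws_cloudhsm_v2_cluster.hsm.id
+}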
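--- a/tf/modules/cloudhsm/variables.tf
+++ b/tf/modules/cloudhsm/variables.tf
@@ -0,0 +1,28 @@
+variable "aws_region" {
+description = "The AWS region to create things in."
+default = "eu-central-1"
+}
+
+variable "key_name" {
+description = "Name of AWS key pair"
+}
+
+variable "vpc_id" {
+description = "the id of the VPC to deploy the instance into"
+}
+
+variable "subnet_id" {
+description = "the id of the subnet for the HSM"
+type = string
+}
+
+variable "subnet_cidr_block" {
+description = "the ids of the subnet of the subnets to deploy the instance into"
+type = string
+}
+
+variable "tags" {
+description = "tags to apply to the resources"
+default = {}
+type = map(string)
+}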
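Review bot: The description of `subnet_cidr_block` reads `the ids of the subnet of the subnets to deploy the instance into`, which is a copy of the `subnet_id` wording and does not say what the value controls; in the module's `main.tf` it is the source range of the 2223-2225/tcp ingress rule, so `description = "CIDR block of the HSM subnet; the only source range allowed to reach the CloudHSM client ports (2223-2225)"` would document the actual security boundary. `aws_region` is declared with a default but none of the three module files added in this commit read it, so it can be removed or should be documented as reserved for a future provider block. `key_name` and `vpc_id` have no `type`; adding `type = string` to both keeps them consistent with `subnet_id` and `subnet_cidr_block`.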
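--- a/tf/modules/network/main.tf
+++ b/tf/modules/network/main.tf
@@ -1,5 +1,6 @@
 locals {
-private_net_offset = 100
+private_net_offset = 100
+cloudhsm_net_offset = 200
 }
 
 resource "aws_vpc" "main" {
@@ -58,6 +59,25 @@ resource "aws_subnet" "private" {
 }
 }
 
+resource "aws_subnet" "cloudhsm" {
+count = var.enable_codesign_network ? 1 : 0
+cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.cloudhsm_net_offset)
+
+availability_zone = var.aws_availability_zones_available.names[0]
+vpc_id = aws_vpc.main.id
+map_public_ip_on_launch = false
+
+depends_on = [aws_internet_gateway.gw]
+
+lifecycle {
+create_before_destroy = true
+}
+
+tags = {
+Name = "ooni-cloudhsm-subnet-0"
+}
+}
+
 resource "aws_eip" "nat" {
 count = var.az_count
 domain = "vpc"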
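Review bot: `aws_subnet.cloudhsm` carries `depends_on = [aws_internet_gateway.gw]` together with `map_public_ip_on_launch = false`, and its route-table association is not part of this change, so a reader of the module cannot tell whether the HSM subnet is routed through the NAT gateway or directly through the internet gateway. That choice matters here because the codesign instance placed in this subnet (via `module.network.vpc_subnet_cloudhsm[0]` in prod `main.tf`) is given a security group with 22/tcp open to `0.0.0.0/0`, and only the routing decides whether that rule is reachable from outside. A comment on the resource stating the intended routing, e.g. `# Isolated subnet for the HSM cluster and codesign host: no public IPs, egress via NAT only` (adjusted to match the actual association), would make the intent reviewable and explain why the IGW dependency is present.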
9 changes: 7 additions & 2 deletions tf/modules/network/outputs.tf
Expand Up @@ -4,11 +4,16 @@ output "vpc_id" {
}

output "vpc_subnet_public" {
description = "The value of the subnet associated to the VPC"
description = "The value of the public subnet associated to the VPC"
value = aws_subnet.public
}

output "vpc_subnet_private" {
description = "The value of the subnet associated to the VPC"
description = "The value of the private subnet associated to the VPC"
value = aws_subnet.private
}

output "vpc_subnet_cloudhsm" {
description = "The value of the cloudhsm subnet associated to the VPC"
value = aws_subnet.cloudhsm
}
5 changes: 5 additions & 0 deletions tf/modules/network/variables.tf
Expand Up @@ -19,3 +19,8 @@ variable "tags" {
type = map(string)
}

variable "enable_codesign_network" {
description = "Enable codesign network"
default = false
type = bool
}
