From a8887edb74304158778965bf47c3b7aafe390908 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20M=C3=A4rkle?=
Date: Sat, 9 Jan 2021 18:28:58 +0100
Subject: [PATCH] create vpc/subnet/route/... and switch to community module for ec2_instance reboot server to enable wireguard kernel modules ...

---
 roles/aws_graviton_nano_spot/tasks/main.yml | 54 +++++++++++++++++----
 roles/wireguard_server/tasks/main.yml       |  3 ++
 2 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/roles/aws_graviton_nano_spot/tasks/main.yml b/roles/aws_graviton_nano_spot/tasks/main.yml
index a7ea098..83bd650 100644
--- a/roles/aws_graviton_nano_spot/tasks/main.yml
+++ b/roles/aws_graviton_nano_spot/tasks/main.yml
@@ -4,11 +4,47 @@
     key_material: "{{ lookup('file', '{{ ssh_pub_key_file }}') }}"
     region: "{{ aws_region }}"
 
+- name: create a VPC and request an IPv6 CIDR
+  amazon.aws.ec2_vpc_net:
+    name: wg-aws-net
+    cidr_block: 10.10.0.0/16
+    ipv6_cidr: True
+    region: "{{ aws_region }}"
+  register: vpc_net
+
+- name: Create subnet with IPv6 block assigned
+  amazon.aws.ec2_vpc_subnet:
+    state: present
+    assign_instances_ipv6: true
+    map_public: true
+    vpc_id: "{{ vpc_net.vpc.id }}"
+    cidr: 10.10.0.0/24
+    ipv6_cidr: "{{ vpc_net.vpc.ipv6_cidr_block_association_set[0].ipv6_cidr_block | replace('/56','/64') }}"
+  register: vpc_subnet
+
+- name: create an internet gateway for vpc
+  ec2_vpc_igw:
+    vpc_id: "{{ vpc_net.vpc.id }}"
+    state: present
+  register: igw
+
+- name: Set up public subnet route table
+  ec2_vpc_route_table:
+    vpc_id: "{{ vpc_net.vpc.id }}"
+    region: "{{ aws_region }}"
+    subnets:
+      - "{{ vpc_subnet.subnet.id }}"
+    routes:
+      - dest: 0.0.0.0/0
+        gateway_id: "{{ igw.gateway_id }}"
+  register: route
+
 - name: network security policy that allows all traffic incoming and outgoing
   amazon.aws.ec2_group:
     region: "{{ aws_region }}"
     name: "vpn allow all"
     description: allow all traffic/protocol/ports
+    vpc_id: "{{ vpc_net.vpc.id }}"
     rules:
       - proto: all
         cidr_ip: 0.0.0.0/0
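Review bot: The route table created in the "Set up public subnet route table" task only carries an IPv4 default route, while the subnet is created with `assign_instances_ipv6: true`, so instances get a global IPv6 address but no IPv6 path through the internet gateway; add a second entry `- dest: ::/0` with `gateway_id: "{{ igw.gateway_id }}"` next to the existing route. The VPC task writes `ipv6_cidr: True` whereas the subnet task uses `true`; use lowercase `true` throughout. The `ec2_vpc_subnet` and `ec2_vpc_igw` tasks pass no `region` although every other task in the hunk sets `region: "{{ aws_region }}"`, so they presumably fall back to whatever default region the environment provides — confirm, and give `ec2_vpc_igw`/`ec2_vpc_route_table` their fully-qualified collection names as the other tasks have. Note that `map_public: true` plus the existing allow-all security group, now pinned to this VPC by the added `vpc_id`, exposes every port of the instance to both address families; from a hardening standpoint the inbound rules should be limited to the WireGuard UDP port and management access.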
@@ -18,20 +54,20 @@
       - proto: all
         cidr_ip: 0.0.0.0/0
   register: security_group
-
+
 - name: create graviton spot instance
-  amazon.aws.ec2:
+  community.aws.ec2_instance:
     region: "{{ aws_region }}"
-    spot_type: persistent
-    spot_wait_timeout: 120
     key_name: vpn_key
-    group_id: "{{ security_group.group_id }}"
+    security_group: "{{ security_group.group_id }}"
     instance_type: "{{ aws_type }}"
-    image: "{{ aws_ami }}"
+    image_id: "{{ aws_ami }}"
+    vpc_subnet_id: "{{ vpc_subnet.subnet.id }}"
+    network:
+      assign_public_ip: yes
     wait: yes
-    instance_initiated_shutdown_behavior: terminate
-    vpc_subnet_id: "subnet-3df70f5a"
-    assign_public_ip: yes
+    tags:
+      Environment: Testing
   register: graviton
 
 - name: generate route53 dns entry for the instance
diff --git a/roles/wireguard_server/tasks/main.yml b/roles/wireguard_server/tasks/main.yml
index 932cef2..02fdc29 100644
--- a/roles/wireguard_server/tasks/main.yml
+++ b/roles/wireguard_server/tasks/main.yml
@@ -20,6 +20,9 @@
     name: "qrencode"
     state: present
 
+- name: Reboot to make shure wireguard kernel module is loadable
+  reboot:
+
 - name: ensure wireguard services are stopped
   command: "systemctl stop wg-quick@wg0"
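Review bot: The task is still named "create graviton spot instance", but the new `community.aws.ec2_instance` call carries none of the removed spot parameters (`spot_type`, `spot_wait_timeout`), so as written it launches an on-demand instance; either pass the module's spot market options, if the installed collection version supports them, or rename the task. Dropping `instance_initiated_shutdown_behavior: terminate` also changes the lifecycle: an instance that shuts itself down will now stop rather than terminate and keep its EBS volume billed — confirm this is intended. The added `assign_public_ip: yes` under `network:` should be `assign_public_ip: true`, matching the lowercase booleans elsewhere in the role. With neither `name` nor `filters` given, re-running the play may launch an additional instance instead of matching the existing one — verify against the module's idempotency behaviour.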