Make prometheus optional and omit all related resources and

packages installed via the user data script
vainkop · May 25, 2021 · 696efc9 · 696efc9
1 parent 97b6198
commit 696efc9
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 50 deletions.
diff --git a/README.md b/README.md
@@ -39,6 +39,8 @@ Before using this module, you'll need to generate a key pair for your server and
 |`use_route53`|`bool`|Optional - default to `false`|Create Route53 record for Wireguard server (requires `use_eip` to be `true`).|
 |`route53_hosted_zone_id`|`string`|Optional - if `use_route53` is not used.|Route53 Hosted zone ID for Wireguard server Route53 record.|
 |`route53_record_name`|`string`|Optional - if `use_route53` is not used.|Route53 Record Name for Wireguard server.|
+|`use_prometheus`|`bool`|Optional - defaults to `false`.|Install and use the promethus node exporting tools.|
+|`prometheus_server_ip`|`string`|Optional - defaults to `0.0.0.0/0`.|The CIDR block of the prometheus server.|
 
 If the `wg_server_private_key` contains certain characters like slashes & etc then it needs additional pre-processing before entering it into `values.yaml`. Example:
 ```

diff --git a/example/eu-central-1/values.yaml b/example/eu-central-1/values.yaml
@@ -12,6 +12,7 @@ route53_record_name: vpn.example.com
 route53_geo:
   policy:
   - continent: EU
+use_prometheus: true
 prometheus_server_ip: 0.0.0.0/0
 wg_server_net: 10.8.0.1/24
 wg_server_private_key: YOUR_SERVER_PRIVATE_KEY_HERE

diff --git a/example/us-east-1/values.yaml b/example/us-east-1/values.yaml
@@ -12,6 +12,7 @@ route53_record_name: vpn.example.com
 route53_geo:
   policy:
   - continent: NA
+use_prometheus: true
 prometheus_server_ip: 0.0.0.0/0
 wg_server_net: 10.8.0.1/24
 wg_server_private_key: YOUR_SERVER_PRIVATE_KEY_HERE

diff --git a/main.tf b/main.tf
@@ -66,6 +66,7 @@ resource "aws_launch_configuration" "wireguard_launch_config" {
     use_eip                            = var.use_eip ? "enabled" : "disabled",
     eip_id                             = var.use_eip ? aws_eip.wireguard[0].id : "",
     use_ssm                            = var.use_ssm ? "true" : "false",
+    use_prometheus                     = var.use_prometheus ? "true" : "false",
     wg_server_interface                = var.wg_server_interface
   })
   security_groups             = [aws_security_group.sg_wireguard.id]

diff --git a/sg.tf b/sg.tf
@@ -24,18 +24,15 @@ resource "aws_security_group" "sg_wireguard" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
-  ingress {
-    from_port   = 9586
-    to_port     = 9586
-    protocol    = "tcp"
-    cidr_blocks = [var.prometheus_server_ip]
-  }
+  dynamic "ingress" {
+    for_each = var.use_prometheus ? [9586, 9100] : []
 
-  ingress {
-    from_port   = 9100
-    to_port     = 9100
-    protocol    = "tcp"
-    cidr_blocks = [var.prometheus_server_ip]
+    content {
+      from_port   = ingress.value
+      to_port     = ingress.value
+      protocol    = "tcp"
+      cidr_blocks = [var.prometheus_server_ip]
+    }
   }
 
   egress {
@@ -44,4 +41,4 @@ resource "aws_security_group" "sg_wireguard" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
-}
+}
diff --git a/templates/user-data.txt b/templates/user-data.txt
@@ -74,14 +74,15 @@ do
   sleep 1
 done
 
-# Install prometheus_wireguard_exporter
-wget https://github.com/vainkop/terraform-aws-wireguard/releases/download/v1.3.0/prometheus_wireguard_exporter_v3.4.2.tar.gz && \
-tar -zxvf prometheus_wireguard_exporter_v3.4.2.tar.gz prometheus_wireguard_exporter && \
-rm -fv prometheus_wireguard_exporter_v3.4.2.tar.gz && \
-mv prometheus_wireguard_exporter /usr/local/bin/prometheus_wireguard_exporter && \
-chmod +x /usr/local/bin/prometheus_wireguard_exporter
-
-cat <<EOF | tee /etc/systemd/system/prometheus_wireguard_exporter.service
+if [[ "${use_prometheus}" == "true" ]]; then
+  # Install prometheus_wireguard_exporter
+  wget https://github.com/vainkop/terraform-aws-wireguard/releases/download/v1.3.0/prometheus_wireguard_exporter_v3.4.2.tar.gz && \
+  tar -zxvf prometheus_wireguard_exporter_v3.4.2.tar.gz prometheus_wireguard_exporter && \
+  rm -fv prometheus_wireguard_exporter_v3.4.2.tar.gz && \
+  mv prometheus_wireguard_exporter /usr/local/bin/prometheus_wireguard_exporter && \
+  chmod +x /usr/local/bin/prometheus_wireguard_exporter
+
+  cat <<EOF | tee /etc/systemd/system/prometheus_wireguard_exporter.service
 [Unit]
 Description=Prometheus WireGuard Exporter
 Wants=network-online.target
@@ -96,25 +97,26 @@ ExecStart=/usr/local/bin/prometheus_wireguard_exporter -a -n /etc/wireguard/wg0.
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl daemon-reload && \
-systemctl start prometheus_wireguard_exporter.service && \
-systemctl enable prometheus_wireguard_exporter.service
 
-until systemctl is-active --quiet prometheus_wireguard_exporter.service
-do
-  sleep 1
-done
-
-# Install node_exporter
-useradd -rs /bin/false node_exporter && \
-wget https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-amd64.tar.gz && \
-tar -zxvf node_exporter-1.1.2.linux-amd64.tar.gz node_exporter-1.1.2.linux-amd64/node_exporter && \
-rm -fv node_exporter-1.1.2.linux-amd64.tar.gz && \
-mv node_exporter-1.1.2.linux-amd64/node_exporter /usr/local/bin/node_exporter && \
-chmod +x /usr/local/bin/node_exporter && \
-chown node_exporter:node_exporter /usr/local/bin/node_exporter
-
-cat <<EOF | tee /etc/systemd/system/node_exporter.service
+  systemctl daemon-reload && \
+  systemctl start prometheus_wireguard_exporter.service && \
+  systemctl enable prometheus_wireguard_exporter.service
+
+  until systemctl is-active --quiet prometheus_wireguard_exporter.service
+  do
+    sleep 1
+  done
+
+  # Install node_exporter
+  useradd -rs /bin/false node_exporter && \
+  wget https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-amd64.tar.gz && \
+  tar -zxvf node_exporter-1.1.2.linux-amd64.tar.gz node_exporter-1.1.2.linux-amd64/node_exporter && \
+  rm -fv node_exporter-1.1.2.linux-amd64.tar.gz && \
+  mv node_exporter-1.1.2.linux-amd64/node_exporter /usr/local/bin/node_exporter && \
+  chmod +x /usr/local/bin/node_exporter && \
+  chown node_exporter:node_exporter /usr/local/bin/node_exporter
+
+  cat <<EOF | tee /etc/systemd/system/node_exporter.service
 [Unit]
 Description=Node Exporter
 Wants=network-online.target
@@ -130,17 +132,20 @@ ExecStart=/usr/local/bin/node_exporter --web.listen-address=":9100"
 WantedBy=multi-user.target
 EOF
 
-systemctl daemon-reload && \
-systemctl start node_exporter && \
-systemctl enable node_exporter
+  systemctl daemon-reload && \
+  systemctl start node_exporter && \
+  systemctl enable node_exporter
 
-until systemctl is-active --quiet node_exporter.service
-do
-  sleep 1
-done
+  until systemctl is-active --quiet node_exporter.service
+  do
+    sleep 1
+  done
+
+  # allow exporter through firewall
+  ufw allow 9586
+  ufw allow 9100
+fi
 
 ufw allow ssh
 ufw allow ${wg_server_port}/udp
-ufw allow 9586
-ufw allow 9100
-ufw --force enable
+ufw --force enable
diff --git a/variables.tf b/variables.tf
@@ -94,10 +94,16 @@ variable "wg_server_interface" {
   description = "The default interface to forward network traffic to."
 }
 
+variable "use_prometheus" {
+  type        = bool
+  default     = false
+  description = "Whether to setup and use prometheus node metrics export or not."
+}
+
 variable "prometheus_server_ip" {
   type        = string
-  default     = null
-  description = "Prometheus server IP."
+  default     = "0.0.0.0/0"
+  description = "Prometheus server CIDR block."
 }
 
 variable "use_route53" {