From fedecc79db200593ede980a2b054c5782abd985c Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Tue, 25 May 2021 13:50:58 -0700
Subject: [PATCH 1/5] Use empty string for template file variables for interpolation

fix vainkop/terraform-aws-wireguard#4
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index fec5461..62e4e40 100644
--- a/main.tf
+++ b/main.tf
@@ -57,7 +57,7 @@ resource "aws_launch_configuration" "wireguard_launch_config" {
 iam_instance_profile = (var.use_eip ? aws_iam_instance_profile.wireguard_profile[0].name : null)
 user_data = templatefile("${path.module}/templates/user-data.txt", {
 wg_server_private_key = var.use_ssm ? "AWS_SSM_PARAMETER" : var.wg_server_private_key,
- wg_server_private_key_aws_ssm_name = var.use_ssm ? aws_ssm_parameter.wireguard_server_private_key[0].name : null,
+ wg_server_private_key_aws_ssm_name = var.use_ssm ? aws_ssm_parameter.wireguard_server_private_key[0].name : "",
 wg_server_net = var.wg_server_net,
 wg_server_port = var.wg_server_port,
 peers = join("\n", data.template_file.wg_client_data_json.*.rendered),
From e893c14cebb9cedc1caf59b0caf15e5ab0198dc7 Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Tue, 25 May 2021 12:24:11 -0700
Subject: [PATCH 2/5] Don't create eip if var.use_eip = false

Also make sure that var.use_eip is true when creating DNS record
---
 main.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 62e4e40..c53508d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,6 @@
 resource "aws_eip" "wireguard" {
+ count = var.use_eip ? 1 : 0
+
 vpc = true
 tags = {
 Name = "wireguard"
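Review bot: The `wg_server_private_key` argument two lines above the change still hands the raw private key to `templatefile` whenever `use_ssm` is false, so the key is persisted in the launch configuration and exposed through instance metadata to every process on the host; the `""` fallback on the changed line fixes the `null` interpolation error but leaves that path as the default. Consider declaring `variable "wg_server_private_key"` with `sensitive = true` (if the module's required Terraform version supports it) so plan and state output redact it, and documenting `use_ssm = true` as the recommended configuration. The enclosing `aws_launch_configuration` resource starts and ends outside the hunk.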
@@ -6,14 +8,14 @@ resource "aws_eip" "wireguard" {
 }
 
 resource "aws_route53_record" "wireguard" {
- count = var.use_route53 ? 1 : 0
+ count = var.use_route53 && var.use_eip ? 1 : 0
 allow_overwrite = true
 set_identifier = "wireguard-${var.region}"
 zone_id = var.route53_hosted_zone_id
 name = var.route53_record_name
 type = "A"
 ttl = "60"
- records = [aws_eip.wireguard.public_ip]
+ records = [aws_eip.wireguard[0].public_ip]
 
 dynamic "geolocation_routing_policy" {
 for_each = try(length(var.route53_geo.policy) > 0 ? var.route53_geo.policy : tomap(false), {})
@@ -62,7 +64,7 @@ resource "aws_launch_configuration" "wireguard_launch_config" {
 wg_server_port = var.wg_server_port,
 peers = join("\n", data.template_file.wg_client_data_json.*.rendered),
 use_eip = var.use_eip ? "enabled" : "disabled",
- eip_id = aws_eip.wireguard.id,
+ eip_id = var.use_eip ? aws_eip.wireguard[0].id : "",
 use_ssm = var.use_ssm ? "true" : "false",
 wg_server_interface = var.wg_server_interface
 })
From 0c5b3195b97867168167c7330e400e03ddf24fa5 Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Tue, 25 May 2021 14:07:27 -0700
Subject: [PATCH 3/5] When use_eip is false skip creating the elastic IP resource

Also add the EIP id to module outputs in case `use_route53` is `false` and user needs access to elastic IP details.
---
 README.md | 17 ++++++++---------
 outputs.tf | 4 ++++
 variables.tf | 2 +-
 3 files changed, 13 insertions(+), 10 deletions(-)
 create mode 100644 outputs.tf

diff --git a/README.md b/README.md
index b45cb76..c78ebe3 100644
--- a/README.md
+++ b/README.md
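Review bot: With `count = var.use_route53 && var.use_eip ? 1 : 0`, a caller who sets `use_route53 = true` but leaves `use_eip` at its default gets no record and no error, so the misconfiguration only surfaces when the DNS name fails to resolve. A `validation` block on `use_route53` cannot reference `var.use_eip` in older Terraform releases, so either spell out the dependency in the variable's description (`description = "Create a Route53 record for the server; requires use_eip = true."`) or, if the module's required Terraform version permits it, add a `precondition` on the record that checks `var.use_eip`. The `aws_route53_record` resource continues past the hunk.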
@@ -1,8 +1,8 @@
 # terraform-aws-wireguard
 
-A Terraform module to deploy a WireGuard VPN server on AWS. It can also be used to run one or more servers behind a loadbalancer, for redundancy.
+A Terraform module to deploy a WireGuard VPN server on AWS. It can also be used to run one or more servers behind a loadbalancer, for redundancy.
 
-The module is "Terragrunt ready" & supports multi region deployment & values in yaml format. Please see example here: [example/](example/)
+The module is "Terragrunt ready" & supports multi region deployment & values in yaml format. Please see example here: [example/](example/)
 
 ## Prerequisites
 Before using this module, you'll need to generate a key pair for your server and client, which cloud-init will source and add to WireGuard's configuration.
@@ -21,9 +21,8 @@ Before using this module, you'll need to generate a key pair for your server and
 |`ssh_key_id`|`string`|Yes|A SSH public key ID to add to the VPN instance.|
 |`vpc_id`|`string`|Yes|The VPC ID in which Terraform will launch the resources.|
 |`env`|`string`|Optional - defaults to `prod`|The name of environment for WireGuard. Used to differentiate multiple deployments.|
-|`use_eip`|`bool`|Optional|Whether to attach an [Elastic IP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) address to the VPN server. Useful for avoiding changing IPs.|
-|`eip_id`|`string`|Optional|When `use_eip` is enabled, specify the ID of the Elastic IP to which the VPN server will attach.|
-|`use_ssm`|`bool`|Optional|Use SSM Parameter Store for the VPN server Private Key.|
+|`use_eip`|`bool`|Optional - defaults to `false`|Whether to create and attach an [Elastic IP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) address to the VPN server. Useful for avoiding changing IPs.|
+|`use_ssm`|`bool`|Optional - defaults to `false`|Use SSM Parameter Store for the VPN server Private Key.|
 |`wg_server_private_key`|`string`|Yes - defaults to static value in `/etc/wireguard/wg0.conf`| Static value or The Parameter Store key to use for the VPN server Private Key.|
 |`target_group_arns`|`string`|Optional|The Loadbalancer Target Group to which the vpn server ASG will attach.|
 |`additional_security_group_ids`|`list`|Optional|Used to allow added access to reach the WG servers or allow loadbalancer health checks.|
@@ -37,10 +36,10 @@ Before using this module, you'll need to generate a key pair for your server and
 |`wg_persistent_keepalive`|`integer`|Optional - defaults to `25`|Regularity of Keepalives, useful for NAT stability.|
 |`ami_id`|`string`|Optional - defaults to the newest Ubuntu 20.04 AMI|AMI to use for the VPN server.|
 |`wg_server_interface`|`string`|Optional - defaults to eth0|Server interface to route traffic to for installations forwarding traffic to private networks.|
-|`use_route53`|`bool`|Optional|Create Route53 record for Wireguard server.|
-|`route53_hosted_zone_id`|`string`|Optional - if use_route53 is not used.|Route53 Hosted zone ID for Wireguard server Route53 record.|
-|`route53_record_name`|`string`|Optional - if use_route53 is not used.|Route53 Record Name for Wireguard server.|
-
+|`use_route53`|`bool`|Optional - default to `false`|Create Route53 record for Wireguard server (requires `use_eip` to be `true`).|
+|`route53_hosted_zone_id`|`string`|Optional - if `use_route53` is not used.|Route53 Hosted zone ID for Wireguard server Route53 record.|
+|`route53_record_name`|`string`|Optional - if `use_route53` is not used.|Route53 Record Name for Wireguard server.|
+
 If the `wg_server_private_key` contains certain characters like slashes & etc then it needs additional pre-processing before entering it into `values.yaml`. Example:
 ```
 export ESCAPED_WG_SERVER_PRIVATE_KEY=$(printf '%s\n' "$WG_SERVER_PRIVATE_KEY" | sed -e 's/[\/&]/\\&/g')
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..a4a67fa
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,4 @@
+output "eip_id" {
+ value = var.use_eip ? aws_eip.wireguard[0].id : null
+ description = "The elastic IP id (if `use_eip` is enabled)"
+}
diff --git a/variables.tf b/variables.tf
index 3d5f4ab..1dd0202 100644
--- a/variables.tf
+++ b/variables.tf
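Review bot: The new `outputs.tf` exports only the allocation id, yet the commit message motivates it by callers who skip Route53 and need the Elastic IP details; the value such a caller actually needs to connect is the address, which is not exported. Add `output "eip_public_ip" { value = var.use_eip ? aws_eip.wireguard[0].public_ip : null }` next to `eip_id`, with a matching description.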
@@ -58,7 +58,7 @@ variable "wg_persistent_keepalive" {
 variable "use_eip" {
 type = bool
 default = false
- description = "Whether to enable Elastic IP switching code in user-data on wg server startup. If true, eip_id must also be set to the ID of the Elastic IP."
+ description = "Create and use an Elastic IP in user-data on wg server startup."
 }
 
 variable "use_ssm" {
From 40d9df94fcc9af181beea2f70a236bab13dd063e Mon Sep 17 00:00:00 2001
From: Marc Meszaros
Date: Mon, 24 May 2021 09:38:03 -0700
Subject: [PATCH 4/5] Make prometheus optional and omit all related resources and packages installed via the user data script

---
 README.md | 2 +
 example/eu-central-1/values.yaml | 1 +
 example/us-east-1/values.yaml | 1 +
 main.tf | 1 +
 sg.tf | 21 ++++-----
 templates/user-data.txt | 77 +++++++++++++++++---------------
 variables.tf | 10 ++++-
 7 files changed, 63 insertions(+), 50 deletions(-)

diff --git a/README.md b/README.md
index c78ebe3..c0d677d 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,8 @@ Before using this module, you'll need to generate a key pair for your server and
 |`use_route53`|`bool`|Optional - default to `false`|Create Route53 record for Wireguard server (requires `use_eip` to be `true`).|
 |`route53_hosted_zone_id`|`string`|Optional - if `use_route53` is not used.|Route53 Hosted zone ID for Wireguard server Route53 record.|
 |`route53_record_name`|`string`|Optional - if `use_route53` is not used.|Route53 Record Name for Wireguard server.|
+|`use_prometheus`|`bool`|Optional - defaults to `false`.|Install and use the promethus node exporting tools.|
+|`prometheus_server_ip`|`string`|Optional - defaults to `0.0.0.0/0`.|The CIDR block of the prometheus server.|
 
 If the `wg_server_private_key` contains certain characters like slashes & etc then it needs additional pre-processing before entering it into `values.yaml`. Example:
 ```
diff --git a/example/eu-central-1/values.yaml b/example/eu-central-1/values.yaml
index 8b25f61..455cfd6 100644
--- a/example/eu-central-1/values.yaml
+++ b/example/eu-central-1/values.yaml
@@ -12,6 +12,7 @@ route53_record_name: vpn.example.com
 route53_geo:
 policy:
 - continent: EU
+use_prometheus: true
 prometheus_server_ip: 0.0.0.0/0
 wg_server_net: 10.8.0.1/24
 wg_server_private_key: YOUR_SERVER_PRIVATE_KEY_HERE
diff --git a/example/us-east-1/values.yaml b/example/us-east-1/values.yaml
index dc5456d..1f05712 100644
--- a/example/us-east-1/values.yaml
+++ b/example/us-east-1/values.yaml
@@ -12,6 +12,7 @@ route53_record_name: vpn.example.com
 route53_geo:
 policy:
 - continent: NA
+use_prometheus: true
 prometheus_server_ip: 0.0.0.0/0
 wg_server_net: 10.8.0.1/24
 wg_server_private_key: YOUR_SERVER_PRIVATE_KEY_HERE
diff --git a/main.tf b/main.tf
index c53508d..0527e7d 100644
--- a/main.tf
+++ b/main.tf
@@ -66,6 +66,7 @@ resource "aws_launch_configuration" "wireguard_launch_config" {
 use_eip = var.use_eip ? "enabled" : "disabled",
 eip_id = var.use_eip ? aws_eip.wireguard[0].id : "",
 use_ssm = var.use_ssm ? "true" : "false",
+ use_prometheus = var.use_prometheus ? "true" : "false",
 wg_server_interface = var.wg_server_interface
 })
 security_groups = [aws_security_group.sg_wireguard.id]
diff --git a/sg.tf b/sg.tf
index 1efcf2a..3d07f2e 100644
--- a/sg.tf
+++ b/sg.tf
@@ -24,18 +24,15 @@ resource "aws_security_group" "sg_wireguard" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
- ingress {
- from_port = 9586
- to_port = 9586
- protocol = "tcp"
- cidr_blocks = [var.prometheus_server_ip]
- }
+ dynamic "ingress" {
+ for_each = var.use_prometheus ? [9586, 9100] : []
 
- ingress {
- from_port = 9100
- to_port = 9100
- protocol = "tcp"
- cidr_blocks = [var.prometheus_server_ip]
+ content {
+ from_port = ingress.value
+ to_port = ingress.value
+ protocol = "tcp"
+ cidr_blocks = [var.prometheus_server_ip]
+ }
 }
 
 egress {
@@ -44,4 +41,4 @@ resource "aws_security_group" "sg_wireguard" {
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
 }
-}
\ No newline at end of file
+}
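Review bot: Both example files (`example/eu-central-1/values.yaml` here and `example/us-east-1/values.yaml` in the next hunk) add `use_prometheus: true` while keeping `prometheus_server_ip: 0.0.0.0/0`, so anyone copying the example opens the node exporter and WireGuard exporter ports to the whole internet; exporter metrics disclose host details and, for the WireGuard exporter, typically peer public keys and endpoints. The examples should show a narrow scrape-source CIDR placeholder instead, in the same style as the `YOUR_SERVER_PRIVATE_KEY_HERE` line three lines below, for instance `prometheus_server_ip: YOUR_PROMETHEUS_SERVER_CIDR_HERE` (constructed placeholder).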
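Review bot: The `dynamic "ingress"` block opens 9586 and 9100 to `var.prometheus_server_ip`, and the README hunk in this same patch documents that variable's default as `0.0.0.0/0`, so setting `use_prometheus = true` alone yields exporter ports reachable from anywhere. Now that the ports are opt-in, the CIDR should be too: drop the permissive default so callers must set it, or add a `validation` block on `prometheus_server_ip` that rejects `0.0.0.0/0`; the `variables.tf` hunk of this patch is not shown here, so I cannot tell which default it actually sets. The `aws_security_group` resource begins above the hunk.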
diff --git a/templates/user-data.txt b/templates/user-data.txt
index d5a3343..0bf03da 100644
--- a/templates/user-data.txt
+++ b/templates/user-data.txt
@@ -74,14 +74,15 @@ do
 sleep 1
 done
 
-# Install prometheus_wireguard_exporter
-wget https://github.com/vainkop/terraform-aws-wireguard/releases/download/v1.3.0/prometheus_wireguard_exporter_v3.4.2.tar.gz && \
-tar -zxvf prometheus_wireguard_exporter_v3.4.2.tar.gz prometheus_wireguard_exporter && \
-rm -fv prometheus_wireguard_exporter_v3.4.2.tar.gz && \
-mv prometheus_wireguard_exporter /usr/local/bin/prometheus_wireguard_exporter && \
-chmod +x /usr/local/bin/prometheus_wireguard_exporter
-
-cat <
Date: Wed, 29 Dec 2021 16:11:44 -0800
Subject: [PATCH 5/5] Remove explicit provider region as variable and use inherited provider

---
 versions.tf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/versions.tf b/versions.tf
index e747eb8..d1d856a 100644
--- a/versions.tf
+++ b/versions.tf
@@ -10,7 +10,3 @@ terraform {
 }
 }
 }
-
-provider "aws" {
- region = var.region
-}
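Review bot: Removing `provider "aws" { region = var.region }` leaves `var.region` in use only by `set_identifier = "wireguard-${var.region}"` in main.tf (visible in the second patch of this series), so the value a caller passes can now differ silently from the region of the inherited provider. Consider deriving it from the provider instead, `data "aws_region" "current" {}` and `set_identifier = "wireguard-${data.aws_region.current.name}"`, and deprecating the variable in its description. The `terraform {}` block that the context lines close starts above the hunk.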