support local ~.ssh/config update

simonrho · Sep 10, 2023 · 9fcba17 · 9fcba17
1 parent 3ab67a8
commit 9fcba17
Show file tree

Hide file tree

Showing 11 changed files with 97 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ This repository provides Terraform scripts and configuration files to set up a d
  - EBS CSI driver for Kubernetes.
  - DPDK environment setup DaemonSet in the worker node.
  - Kube config updated to incorporate the newly created EKS cluster.
+ - Local `~/.ssh/config` updated for direct SSH access to EC2 instances running a CE workload.
 
 ## Directory Structure
 
@@ -441,10 +442,12 @@ kubectl get pods -n contrail
  Ensuring consistency across these configurations guarantees that the DPDK environment setup and JCNR installation target the intended EKS worker nodes. Inconsistencies can lead to deployment errors or undesired behavior.
 
 
-## Cleanup or Teardown
-To safely remove all AWS resources and the JCNR deployment:
+## Resource Cleanup
+To securely dismantle all AWS components and the JCNR deployment, follow these steps:
 
 ```bash
 cd tf-aws/
 terraform destroy
-```
+```
+
+Should you encounter the Error: context deadline exceeded while removing AWS resources, simply execute `terraform destroy` once more to ensure complete resource removal.
diff --git a/config-east/config/jcnr.conf b/config-east/config/jcnr.conf
@@ -20,3 +20,4 @@ set routing-options dynamic-tunnels dyn-tunnels destination-networks 172.16.255.
 
 set policy-options policy-statement udp-export then community add udp
 set policy-options community udp members encapsulation:0L:13
+
diff --git a/config-east/config/red2.conf b/config-east/config/red2.conf
@@ -2,4 +2,5 @@ set interfaces eth3 unit 0 family inet address 10.1.0.100/24
 set routing-instances red2 instance-type vrf
 set routing-instances red2 routing-options static route 10.1.0.200/32 qualified-next-hop 10.1.0.200 interface eth3
 set routing-instances red2 interface eth3
-set routing-instances red2 vrf-target target:65000:200
+set routing-instances red2 vrf-target target:65000:200
+
diff --git a/config-east/config/red3.conf b/config-east/config/red3.conf
@@ -3,3 +3,4 @@ set routing-instances red3 instance-type vrf
 set routing-instances red3 routing-options static route 10.1.1.200/32 qualified-next-hop 10.1.1.200 interface eth3
 set routing-instances red3 interface eth4
 set routing-instances red3 vrf-target target:65000:300
+
diff --git a/config-west/config/blue2.conf b/config-west/config/blue2.conf
@@ -2,4 +2,5 @@ set interfaces eth3 unit 0 family inet address 172.17.0.100/24
 set routing-instances blue2 instance-type vrf
 set routing-instances blue2 routing-options static route 172.17.0.200/32 qualified-next-hop 172.17.0.200 interface eth3
 set routing-instances blue2 interface eth3
-set routing-instances blue2 vrf-target target:65000:200
+set routing-instances blue2 vrf-target target:65000:200
+
diff --git a/tf-aws/eks-node-group.tf b/tf-aws/eks-node-group.tf
@@ -1,7 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-#
+# 
 # EKS Worker Nodes Resources
 #  * IAM role allowing Kubernetes actions to access other AWS services
 #  * EKS Node Group to launch worker nodes
@@ -58,7 +55,7 @@ resource "aws_eks_node_group" "demo1" {
   scaling_config {
     desired_size = 1
     max_size     = 1
-    min_size     = 1
+    min_size     = 0
   }
 
   remote_access {

diff --git a/tf-aws/outputs.tf b/tf-aws/outputs.tf
@@ -6,8 +6,7 @@ output "cluster_name" {
   value = var.cluster_name
 }
 
-output "ce_instance_public_ips" {
-  value       = aws_instance.ce_instance[*].public_ip
-  description = "The public IPs of the CE instances"
+output "ces" {
+  value       = aws_instance.ce_instance[*].public_dns
+  description = "The public DNS of the CE instances"
 }
-
diff --git a/tf-aws/providers.tf b/tf-aws/providers.tf
@@ -1,8 +1,6 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
 terraform {
   required_version = ">= 0.12"
+  region           = var.aws_region
 }
 
 
@@ -11,7 +9,7 @@ provider "aws" {
 }
 
 provider "aws" {
-  alias = "peer"
+  alias  = "peer"
   region = var.peer_region
 }
 

diff --git a/tf-aws/ssh_config_update.sh b/tf-aws/ssh_config_update.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+LOCK_FILE="/tmp/update_ssh_config.lock"
+
+while [ -e $LOCK_FILE ]; do
+    sleep 1
+done
+
+touch $LOCK_FILE
+
+SSH_DIR="$HOME/.ssh"
+SSH_CONFIG="$SSH_DIR/config"
+ALIAS=$1
+HOSTNAME=$2
+SSH_KEY_PATH=$3
+
+# Check if the .ssh directory exists
+if [ ! -d "$SSH_DIR" ]; then
+    mkdir -p $SSH_DIR
+    chmod 700 $SSH_DIR
+fi
+
+# Create the .ssh/config file if it doesn't exist
+touch $SSH_CONFIG
+chmod 600 $SSH_CONFIG
+
+# Prepare the updated entry with sub-parameters
+ENTRY="Host $ALIAS
+  HostName $HOSTNAME
+  HostKeyAlgorithms=+ssh-rsa
+  StrictHostKeyChecking no
+  UserKnownHostsFile=/dev/null
+  Port 22
+  User ec2-user
+  ServerAliveInterval 300
+  ServerAliveCountMax 2
+  IdentityFile $SSH_KEY_PATH"
+
+# If the entry exists, delete the full entry and its sub-parameters
+if grep -q "Host $ALIAS" $SSH_CONFIG; then
+    awk -v alias="$ALIAS" '
+        $1 == "Host" && $2 == alias { skip = 1; next }
+        $1 == "Host" && $2 != alias { skip = 0 }
+        skip { next }
+        1' $SSH_CONFIG > ${SSH_CONFIG}.tmp && mv ${SSH_CONFIG}.tmp $SSH_CONFIG
+fi
+
+# Append the new (or updated) entry with an additional newline for separation
+echo -e "\n$ENTRY\n" >> $SSH_CONFIG
+
+rm -f $LOCK_FILE
+
diff --git a/tf-aws/ssh_config_update.tf b/tf-aws/ssh_config_update.tf
@@ -0,0 +1,25 @@
+resource "null_resource" "update_ssh_config" {
+  count = length(var.vpc_secondary_subnets)
+
+  # This ensures that the provisioner will run again if the instance or key path changes
+  triggers = {
+    # always_run = "${timestamp()}"
+    instance_public_dns = aws_instance.ce_instance[count.index].public_dns
+    ssh_key_path        = local_sensitive_file.my_private_key_file.filename
+    hostname_alias      = var.vpc_secondary_subnets[count.index].hostname
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      ./ssh_config_update.sh \
+      ${var.vpc_secondary_subnets[count.index].hostname} \
+      ${aws_instance.ce_instance[count.index].public_dns} \
+      ${local_sensitive_file.my_private_key_file.filename}
+    EOT
+    on_failure = continue
+  }
+
+  # Ensure this runs after the EC2 instance is fully created.
+  depends_on = [aws_instance.ce_instance]
+}
+
diff --git a/tf-aws/variables.tf b/tf-aws/variables.tf
@@ -65,8 +65,7 @@ variable "vpc_secondary_cidr_block" {
 
 variable "vpc_secondary_subnets" {
   default = [
-    { name = "subnet1", cidr = "172.17.0.0/24", peer_cidr = "10.1.0.0/24", hostname = "Sunnyvale" },
-    { name = "subnet2", cidr = "172.17.1.0/24", peer_cidr = "10.1.1.0/24", hostname = "SFO" }
+    { name = "subnet1", cidr = "172.17.0.0/24", peer_cidr = "10.1.0.0/24", hostname = "blue2" }
   ]
   type = list(object({
     name = string