

Remove useless variables and add Goggle IAP (EXPERIMENTAL)
Francois Laupretre committed Jul 21, 2023
1 parent fb78001 commit 9da504a
Showing 7 changed files with 286 additions and 206 deletions.
239 changes: 144 additions & 95 deletions README.md

Large diffs are not rendered by default.

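--- a/gateways/iap.sh
+++ b/gateways/iap.sh
@@ -0,0 +1,22 @@
+# Google IAP Gateway
+#
+#------WARNING--WARNING--WARNING--WARNING--WARNING--WARNING--WARNING--
+#
+# The code below is purely EXPERIMENTAL. I wrote it
+# from information I got on the Internet and I could not
+# test it as I don't have access to a GCP platform.
+#
+# If you have access to a GCP platform and can test this, your return will be
+# warmly appreciated.
+#----------------------------------------------------------------------------
+
+gw="$GATEWAY_HOST"
+[ "X$GATEWAY_USER" = X ] || gw="$GATEWAY_USER@$GATEWAY_HOST"
+
+$GCLOUD_CMD compute ssh \
+--tunnel-through-iap \
+--ssh-key-expire-after $TIMEOUT \
+--ssh-flag="-N -L $LOCAL_HOST:$LOCAL_PORT:$TARGET_HOST:$TARGET_PORT -p $GATEWAY_PORT" \
+$gw &
+
+CPID=$!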
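Review bot: `$GCLOUD_CMD` on the `compute ssh` line has no default and does not appear among the variables the tunnel.sh hunk in this commit exports from the query, nor in the main.tf query block, so unless a caller injects it through the eval'd `ENV` string the line expands to `compute ssh …` and fails before any tunnel is attempted; a guard such as `: "${GCLOUD_CMD:=gcloud}"` before the call would make the documented default explicit. `$TIMEOUT`, `$GATEWAY_PORT` and `$gw` are expanded unquoted, unlike the `--ssh-flag` value on the same command, so any whitespace in them splits into extra arguments. Whether a `-p $GATEWAY_PORT` inside `--ssh-flag` is honoured once gcloud supplies its own IAP ProxyCommand is something I cannot confirm from here; since the header already marks the file experimental, that open question belongs in it too, e.g. `# TODO: confirm -p is honoured under --tunnel-through-iap`.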
9 changes: 4 additions & 5 deletions gateways/kubectl.sh
Expand Up @@ -5,13 +5,12 @@
# KUBECTL_CMD: Alternate command to run kubectl (default: 'kubectl')
# KUBECTL_CONTEXT: Context name (as defined in kubectl config file, default: current context)
# KUBECTL_NAMESPACE: Kubernetes namespace (default: current namespace)
# KUBECTL_OPTIONS: Other options (default: empty)
#----------------------------------------------------------------------------

opts="$KUBECTL_OPTIONS"
[ -n "$KUBECTL_CONTEXT" ] && opts="$opts --context=$KUBECTL_CONTEXT"
[ -n "$KUBECTL_NAMESPACE" ] && opts="$opts --namespace=$KUBECTL_NAMESPACE"
cmd="$KUBECTL_CMD"
[ -n "$KUBECTL_CONTEXT" ] && cmd="$cmd --context=$KUBECTL_CONTEXT"
[ -n "$KUBECTL_NAMESPACE" ] && cmd="$cmd --namespace=$KUBECTL_NAMESPACE"

$KUBECTL_CMD port-forward $opts "$GATEWAY_HOST" $LOCAL_PORT:$TARGET_PORT &
$cmd port-forward "$GATEWAY_HOST" $LOCAL_PORT:$TARGET_PORT &

CPID=$!
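Review bot: The header comment still documents `KUBECTL_CMD` as defaulting to 'kubectl', but the new `cmd="$KUBECTL_CMD"` applies no default, so an empty value makes the last line run `port-forward …` and fail with "command not found" rather than falling back; `cmd="${KUBECTL_CMD:-kubectl}"` would match the comment (unless the default is guaranteed upstream by the Terraform variable, which is not visible here). `$cmd` is expanded unquoted on purpose so the appended `--context=`/`--namespace=` options become separate arguments, which also means whitespace inside `KUBECTL_CONTEXT` or `KUBECTL_NAMESPACE` is split at that point; a one-line comment above the assignment, e.g. `# cmd is word-split on purpose: binary plus options; context/namespace must not contain whitespace`, would stop the next reader from "fixing" the quoting. `$LOCAL_PORT:$TARGET_PORT` is unquoted as well while `"$GATEWAY_HOST"` beside it is quoted.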
2 changes: 1 addition & 1 deletion gateways/ssm.sh
Expand Up @@ -11,7 +11,7 @@ gw="$GATEWAY_HOST"
[ "X$GATEWAY_USER" = X ] || gw="$GATEWAY_USER@$GATEWAY_HOST"

$SSH_CMD \
-o ProxyCommand "aws ssm start-session --target %h --document-name $SSM_DOCUMENT_NAME --parameters 'portNumber=%p'" \
-o ProxyCommand "aws ssm start-session $SSM_OPTIONS --target %h --document-name $SSM_DOCUMENT_NAME --parameters 'portNumber=%p'" \
-N \
-L $LOCAL_HOST:$LOCAL_PORT:$TARGET_HOST:$TARGET_PORT \
-p $GATEWAY_PORT \
Expand Down
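Review bot: `$SSM_OPTIONS` is interpolated into the ProxyCommand string, which ssh hands to the user's shell for re-parsing, so the value is not passed as arguments to `aws` but interpreted as shell text — the same already holds for `$SSM_DOCUMENT_NAME` on that line. That is acceptable for operator-controlled Terraform variables, but the contract deserves a comment above the `$SSH_CMD` call, e.g. `# SSM_OPTIONS and SSM_DOCUMENT_NAME are re-parsed by the shell ssh spawns for ProxyCommand; plain option tokens only`. The `-L` and `-p` arguments on the following lines are unquoted, in contrast to the quoted ProxyCommand value. The `$SSH_CMD` invocation continues past the end of the hunk.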
31 changes: 16 additions & 15 deletions main.tf
Expand Up @@ -11,26 +11,27 @@ data external ssh_tunnel {
"${path.module}/tunnel.sh"
]
query = {
type = var.type
timeout = var.timeout
ssh_cmd = var.ssh_cmd
local_host = var.local_host
local_port = data.external.free_port.result.port
target_host = var.target_host
target_port = var.target_port
aws_profile = var.aws_profile
create = ((var.create && var.putin_khuylo) ? "y" : "")
env = join("\n", [ for n,v in var.env : "export ${n}=\"${replace("\"", "\\\"", v)}\""])
external_script = var.external_script
gateway_host = var.gateway_host
gateway_port = var.gateway_port
gateway_user = var.gateway_user
shell_cmd = var.shell_cmd
ssh_tunnel_check_sleep = var.ssh_tunnel_check_sleep
ssh_parent_wait_sleep = var.ssh_parent_wait_sleep
create = ((var.create && var.putin_khuylo) ? "y" : "")
env = var.env
ssm_document_name = var.ssm_document_name
external_script = var.external_script
kubectl_cmd = var.kubectl_cmd
kubectl_context = var.kubectl_context
kubectl_namespace = var.kubectl_namespace
kubectl_options = var.kubectl_options
local_host = var.local_host
local_port = data.external.free_port.result.port
parent_wait_sleep = var.parent_wait_sleep
shell_cmd = var.shell_cmd
ssh_cmd = var.ssh_cmd
ssm_document_name = var.ssm_document_name
ssm_options = var.ssm_options
target_host = var.target_host
target_port = var.target_port
timeout = var.timeout
tunnel_check_sleep = var.tunnel_check_sleep
type = var.type
}
}
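Review bot: `env = var.env` passes the variable to tunnel.sh unchanged, where the tunnel.sh hunk below shows it being executed with `eval $ENV` under `set -a`; the `join(...)` line it replaces used to build the `export N="…"` statements and escape the values, so that responsibility now falls on whoever sets `var.env`. A comment on the line, e.g. `# eval'd verbatim by tunnel.sh: must be valid shell assignments, values are not escaped here`, would record that contract in the one place the query is assembled. If the variable's type changed with it (map to string), the variables file and README should say so; only main.tf is visible here. The `data external ssh_tunnel` block starts before this hunk.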
50 changes: 26 additions & 24 deletions tunnel.sh
Expand Up @@ -6,7 +6,7 @@ ret=0

if [ -z "$MPID" ] ; then
if [ -n "$TUNNEL_DEBUG" ] ; then
exec 2>/tmp/t1
exec 2>/tmp/t1.$$
set -x
env >&2
fi
Expand All @@ -16,27 +16,31 @@ if [ -z "$MPID" ] ; then
query="`dd 2>/dev/null`"
[ -n "$TUNNEL_DEBUG" ] && echo "query: <$query>" >&2

export TYPE="`echo $query | sed -e 's/^.*\"type\": *\"//' -e 's/\".*$//g'`"
export TIMEOUT="`echo $query | sed -e 's/^.*\"timeout\": *\"//' -e 's/\".*$//g'`"
export SSH_CMD="`echo $query | sed -e 's/^.*\"ssh_cmd\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export LOCAL_HOST="`echo $query | sed -e 's/^.*\"local_host\": *\"//' -e 's/\".*$//g'`"
export LOCAL_PORT="`echo $query | sed -e 's/^.*\"local_port\": *\"//' -e 's/\".*$//g'`"
export TARGET_HOST="`echo $query | sed -e 's/^.*\"target_host\": *\"//' -e 's/\".*$//g'`"
export TARGET_PORT="`echo $query | sed -e 's/^.*\"target_port\": *\"//' -e 's/\".*$//g'`"
export GATEWAY_HOST="`echo $query | sed -e 's/^.*\"gateway_host\": *\"//' -e 's/\".*$//g'`"
export GATEWAY_PORT="`echo $query | sed -e 's/^.*\"gateway_port\": *\"//' -e 's/\".*$//g'`"
export GATEWAY_USER="`echo $query | sed -e 's/^.*\"gateway_user\": *\"//' -e 's/\".*$//g'`"
export SHELL_CMD="`echo $query | sed -e 's/^.*\"shell_cmd\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SSH_TUNNEL_CHECK_SLEEP="`echo $query | sed -e 's/^.*\"ssh_tunnel_check_sleep\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SSH_PARENT_WAIT_SLEEP="`echo $query | sed -e 's/^.*\"ssh_parent_wait_sleep\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export CREATE="`echo $query | sed -e 's/^.*\"create\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export ENV="`echo $query | sed -e 's/^.*\"env\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SSM_DOCUMENT_NAME="`echo $query | sed -e 's/^.*\"ssm_document_name\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export EXTERNAL_SCRIPT="`echo $query | sed -e 's/^.*\"external_script\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export GATEWAY_HOST="`echo $query | sed -e 's/^.*\"gateway_host\": *\"//' -e 's/\".*$//g'`"
export GATEWAY_PORT="`echo $query | sed -e 's/^.*\"gateway_port\": *\"//' -e 's/\".*$//g'`"
export GATEWAY_USER="`echo $query | sed -e 's/^.*\"gateway_user\": *\"//' -e 's/\".*$//g'`"
export KUBECTL_CMD="`echo $query | sed -e 's/^.*\"kubectl_cmd\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export KUBECTL_CONTEXT="`echo $query | sed -e 's/^.*\"kubectl_context\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export KUBECTL_NAMESPACE="`echo $query | sed -e 's/^.*\"kubectl_namespace\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export KUBECTL_OPTIONS="`echo $query | sed -e 's/^.*\"kubectl_options\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export LOCAL_HOST="`echo $query | sed -e 's/^.*\"local_host\": *\"//' -e 's/\".*$//g'`"
export LOCAL_PORT="`echo $query | sed -e 's/^.*\"local_port\": *\"//' -e 's/\".*$//g'`"
export PARENT_WAIT_SLEEP="`echo $query | sed -e 's/^.*\"parent_wait_sleep\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SHELL_CMD="`echo $query | sed -e 's/^.*\"shell_cmd\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SSH_CMD="`echo $query | sed -e 's/^.*\"ssh_cmd\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SSM_DOCUMENT_NAME="`echo $query | sed -e 's/^.*\"ssm_document_name\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export SSM_OPTIONS="`echo $query | sed -e 's/^.*\"ssm_options\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export TARGET_HOST="`echo $query | sed -e 's/^.*\"target_host\": *\"//' -e 's/\".*$//g'`"
export TARGET_PORT="`echo $query | sed -e 's/^.*\"target_port\": *\"//' -e 's/\".*$//g'`"
export TIMEOUT="`echo $query | sed -e 's/^.*\"timeout\": *\"//' -e 's/\".*$//g'`"
export TUNNEL_CHECK_SLEEP="`echo $query | sed -e 's/^.*\"tunnel_check_sleep\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
export TYPE="`echo $query | sed -e 's/^.*\"type\": *\"//' -e 's/\".*$//g'`"

# Set AWS_PROFILE only if var is not empty
profile="`echo $query | sed -e 's/^.*\"aws_profile\": *\"//' -e 's/\",.*$//g' -e 's/\\\"/\"/g'`"
[ -n "$profile" ] && export AWS_PROFILE="$profile"

if [ "X$CREATE" = X -o "X$GATEWAY_HOST" = X ] ; then
# No tunnel - connect directly to target host
Expand All @@ -57,7 +61,7 @@ if [ -z "$MPID" ] ; then
nohup timeout $TIMEOUT $SHELL_CMD "$ABSPATH/tunnel.sh" $p <&- >&- 2>$clog &
CPID=$!
# A little time for the SSH tunnel process to start or fail
sleep $SSH_PARENT_WAIT_SLEEP
sleep $PARENT_WAIT_SLEEP
# If the child process does not exist anymore after this delay, report failure
if ! ps -p $CPID >/dev/null 2>&1 ; then
echo "Child process ($CPID) failure - Aborting" >&2
Expand All @@ -71,42 +75,40 @@ if [ -z "$MPID" ] ; then
else
#------ Child
if [ -n "$TUNNEL_DEBUG" ] ; then
exec 2>/tmp/t2
exec 2>/tmp/t2.$$
set -x
env >&2
fi

CPID=""
TMPFILE=""
TODELETE=""

script="$ABSPATH/gateways/$TYPE.sh"
if [ ! -f "$script" ]; then
echo "$script: file not found"
fi

if [ -n "$ENV" ]; then
set -a
eval $ENV
set +a
fi

# Script must set $CPID
source "$script"

sleep $SSH_TUNNEL_CHECK_SLEEP
sleep $TUNNEL_CHECK_SLEEP

while true ; do
if ! ps -p $CPID >/dev/null 2>&1 ; then
echo "SSH process ($CPID) failure - Aborting" >&2
[ -n "$TMPFILE" ] && /bin/rm -rf $TMPFILE
[ -n "$TODELETE" ] && /bin/rm -rf $TODELETE
exit 1
fi
ps -p $MPID >/dev/null 2>&1 || break
sleep 1
done

kill $CPID
[ -n "$TMPFILE" ] && /bin/rm -rf $TMPFILE
[ -n "$TODELETE" ] && /bin/rm -rf $TODELETE
fi

exit $ret
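Review bot: The debug redirections `exec 2>/tmp/t1.$$` (parent, first hunk) and `exec 2>/tmp/t2.$$` (child, last hunk) now keep concurrent runs from clobbering each other, but the names stay predictable in a shared directory and the `env >&2` that follows each one writes the entire exported environment into that file — including everything injected through `ENV` and any credential-bearing variables the caller happens to have exported. Creating the file privately, e.g. `dbg=$(mktemp "${TMPDIR:-/tmp}/tunnel-parent.XXXXXX") && exec 2>"$dbg"` in the parent and the same pattern in the child, removes both the collision and the readability concern at once; `mktemp` is not strictly POSIX, so note the dependency in the header if portability to minimal `/bin/sh` matters. The opt-in nature of `TUNNEL_DEBUG` limits the exposure but does not remove it, and the header comment should say what the debug files contain so operators know to delete them.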

0 comments on commit 9da504a
