feat: init commit

Author: sgtoj

.github/.dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/release.yml

@@ -0,0 +1,29 @@
+name: release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Bump Version
+        id: tag_version
+        uses: mathieudutour/github-tag-action@v6.1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          default_bump: minor
+          custom_release_rules: bug:patch:Fixes,chore:patch:Chores,docs:patch:Documentation,feat:minor:Features,refactor:minor:Refactors,test:patch:Tests,ci:patch:Development,dev:patch:Development
+      - name: Create Release
+        uses: ncipollo/release-action@v1.12.0
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}

.github/workflows/semantic-check.yml

@@ -0,0 +1,26 @@
+name: semantic-check
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  main:
+    name: Semantic Commit Message Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - uses: amannn/action-semantic-pull-request@v5.2.0
+        name: Check PR for Semantic Commit Message
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          requireScope: false
+          validateSingleCommit: true

.github/workflows/test.yml

@@ -0,0 +1,21 @@
+name: test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Terraform Setup
+        run: |
+          terraform init
+      - name: Lint Terraform
+        uses: reviewdog/action-tflint@master
+        with:
+          github_token: ${{ secrets.github_token }}
+          filter_mode: "nofilter"

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 CruxStack LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,79 @@
+# terraform-aws-teleport-node
+
+Provision a small, self-healing fleet of EC2 instances that automatically join
+an **existing Teleport Cloud** cluster. The nodes can run the Teleport **Node,
+App, or Database** services and implements AWS EC2 best practices.
+
+---
+
+## Features
+
+* **One-Command Deploy** – Launches an Auto Scaling Group behind the scenes;
+  nodes bootstrap themselves via cloud-init and join Teleport Cloud
+  automatically.
+* **Always-latest Build** – Each instance queries the Teleport download
+  endpoint and installs the newest stable Cloud release at boot.
+* **Spot-friendly** – Supports mixed-instance/spot policies for cost savings.
+* **Integrated Observability** – System, cloud-init and Teleport logs are
+  streamed to a dedicated CloudWatch Log Group; optional SSM session
+  transcripts to S3.
+* **Database Service Ready** – IAM & RDS/Redshift permissions wired in when
+  `tp_config.db_service.enabled = true`, enabling discovery and IAM auth.
+* **Hygienic Networking & IAM** – No public IPs, IMDSv2 enforced, least-priv
+  policies, single inbound rule limited to the SG itself for Teleport gossip.
+
+---
+
+## Usage
+
+```hcl
+module "teleport_nodes" {
+  source  = "github.com/cruxstack/terraform-aws-teleport-node"
+  version = "x.x.x"
+
+  tp_domain = "acme.teleport.sh"
+  tp_join_config = {
+    token_name = "iam-role"
+  }
+
+  vpc_id              = "vpc-1234567890abcdef"
+  vpc_subnet_ids      = ["subnet-1234abcd", "subnet-5678efgh"]
+}
+```
+
+---
+
+## Inputs
+In addition to the variables documented below, this module includes several
+other optional variables (e.g., `name`, `tags`, etc.) provided by the
+`cloudposse/label/null` module. Please refer to its [documentation](https://registry.terraform.io/modules/cloudposse/label/null/latest)
+for more details on these variables.
+
+| Name                                     | Description                                                                             |          Type         |         Default        | Required |
+| ---------------------------------------- | --------------------------------------------------------------------------------------- | :-------------------: | :--------------------: | :------: |
+| `tp_domain`                              | Teleport Cloud cluster FQDN (e.g. `example.teleport.sh`).                               |        `string`       |            —           |  **yes** |
+| `tp_join_config`                         | Join token config.<br>`token_name` (required) and optional `method` (`iam` \| `token`). |    `object({...})`    |            —           |  **yes** |
+| `tp_edition`                             | Teleport edition (`cloud`, `ent`, …).                                                   |        `string`       |        `"cloud"`       |    no    |
+| `tp_config`                              | Extra Teleport service configuration (enable DB/App/SSH, label rules, etc.).            |    `object({...})`    |          `{}`          |    no    |
+| `instance_capacity`                      | ASG desired/min/max.                                                                    |    `object({...})`    | `{ min = 1, max = 3 }` |    no    |
+| `instance_types`                         | List of allowed instance types & weights.                                               | `list(object({...}))` |   see `variables.tf`   |    no    |
+| `instance_key_name`                      | Existing EC2 key-pair name (ssh access).                                                |        `string`       |          `""`          |    no    |
+| `instance_spot`                          | Spot settings (`enabled`, `allocation_strategy`).                                       |    `object({...})`    |  `{ enabled = true }`  |    no    |
+| `logs_bucket_name`                       | S3 bucket for generic logs (unused by SSM).                                             |        `string`       |          `""`          |    no    |
+| `ssm_sessions`                           | Toggle SSM logging and target bucket.                                                   |    `object({...})`    |  `{ enabled = false }` |    no    |
+| `vpc_id`                                 | Target VPC ID.                                                                          |        `string`       |            —           |  **yes** |
+| `vpc_subnet_ids`                         | Subnet IDs for the ASG.                                                                 |     `list(string)`    |          `[]`          |  **yes** |
+| `vpc_security_group_ids`                 | Extra SGs to attach.                                                                    |     `list(string)`    |          `[]`          |    no    |
+| `experimental_mode`                      | Shorter CW log retention & zero-health refresh for dev.                                 |         `bool`        |         `false`        |    no    |
+
+---
+
+## Outputs
+
+| Name                  | Description                                     |
+| --------------------- | ----------------------------------------------- |
+| `teleport_version`    | The Teleport version installed on the nodes.    |
+| `teleport_config`     | Fully-rendered Teleport YAML that was injected. |
+| `security_group_id`   | ID of the generated node SG.                    |
+| `security_group_name` | Name of the generated node SG.                  |
+

assets/cloud-config.yaml

@@ -0,0 +1,10 @@
+#cloud-config
+packages:
+  - amazon-cloudwatch-agent
+package_update: true
+package_upgrade: true
+write_files:
+  - path: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/user.json
+    content: ${cloudwatch_agent_config_encoded}
+    encoding: base64
+    permissions: "0644"

assets/cloudwatch-agent-config.json

@@ -0,0 +1,52 @@
+{
+  "agent": {
+    "run_as_user": "cwagent"
+  },
+  "logs": {
+    "logs_collected": {
+      "files": {
+        "collect_list": [
+          {
+            "file_path": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/amazon-cloudwatch-agent.log",
+            "timestamp_format": "%Y-%m-%dT%H:%M:%SZ"
+          },
+          {
+            "file_path": "/var/log/dmesg",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/dmesg"
+          },
+          {
+            "file_path": "/var/log/messages",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/messages",
+            "timestamp_format": "%b %d %H:%M:%S"
+          },
+          {
+            "file_path": "/var/log/cloud-init.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/cloud-init.log",
+            "multi_line_start_pattern": "\\w+ \\d{2} \\d{2}:\\d{2}:\\d{2} cloud-init\\[[\\w]+]:",
+            "timestamp_format": "%B %d %H:%M:%S",
+            "timezone": "UTC"
+          },
+          {
+            "file_path": "/var/log/cloud-init-output.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/cloud-init-output.log",
+            "multi_line_start_pattern": "Cloud-init v. \\d+.\\d+-\\d+"
+          },
+          {
+            "file_path": "/var/lib/teleport/teleport.log",
+            "log_group_name": "${log_group_name}",
+            "log_stream_name": "/ec2/instance/{instance_id}/teleport",
+            "timestamp_format": "%Y-%m-%dT%H:%M:%S.%fZ",
+            "multi_line_start_pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T"
+          }
+        ]
+      }
+    }
+  }
+}
+

assets/provision.sh

@@ -0,0 +1,18 @@
+#!/bin/bash -xe
+
+# ---------------------------------------------------------------------- fns ---
+
+function cwagent_ctl {
+  /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl "$@"
+}
+export -f cwagent_ctl
+
+# ------------------------------------------------------------------- script ---
+
+yum update -y
+
+chmod 644 /var/log/cloud-init-output.log
+chmod 644 /var/log/messages
+
+cwagent_ctl -a fetch-config -s -m ec2 \
+  -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/user.json

assets/userdata.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# shellcheck disable=SC2034,2154
+
+# --------------------------------------------------------- terraform inputs ---
+
+TELEPORT_EDITION=${tp_edition}
+TELEPORT_DOMAIN=${tp_domain}
+TELEPORT_CONFIG_ENCODED=${tp_config_encoded}
+
+# ------------------------------------------------------------------- script ---
+
+echo "AWS_DEFAULT_REGION=us-east-1" >>/etc/default/teleport
+
+TELEPORT_VERSION="$(curl "https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/stable/cloud/version" | sed 's/v//')"
+
+echo "$TELEPORT_CONFIG_ENCODED" | base64 -d >/etc/teleport.yaml
+curl https://cdn.teleport.dev/install.sh | bash -s $TELEPORT_VERSION $TELEPORT_EDITION
+
+sudo systemctl enable teleport
+sudo systemctl start teleport