PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License

Web server access improvements on VM-Series examples #47

Closed seanyoungberg closed 2 months ago

seanyoungberg commented 3 months ago

Is your feature request related to a problem?

When running the examples for POC, there is no obvious way to access the example spoke webserver instances to test traffic.

We must install the SSM agent and permissions on the instances, or otherwise set up a jump host.

Describe the solution you'd like

Use an AMI that has SSM agent pre-installed and instance profile with SSM permissions. Similar to what is done in the cloudngfw_isolated_design example.

One improvement from the cloudngfw example is to set the web server install script userdata to retry, as it won't have outbound connectivity until the FW setup is complete.

Example:

locals {
  # cloud-init runs this as root. Every step loops until it succeeds because
  # the spoke has no outbound path until the firewall is bootstrapped and
  # routing is in place, so a one-shot install would fail.
  web_user_data = <<EOF
#!/bin/bash
sleep 120;
until sudo yum update -y; do echo "Retrying"; sleep 5; done
until sudo yum install -y php; do echo "Retrying"; sleep 5; done
until sudo yum install -y httpd; do echo "Retrying"; sleep 5; done
until sudo rm -f /var/www/html/index.html; do echo "Retrying"; sleep 5; done
# showheaders.php echoes the request headers, which makes it easy to see whether traffic passed through the firewall
until sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke_common/scripts/showheaders.php; do echo "Retrying"; sleep 2; done
until sudo systemctl start httpd; do echo "Retrying"; sleep 5; done
until sudo systemctl enable httpd; do echo "Retrying"; sleep 5; done
EOF
}

It would also be nice to describe in the example how to access the machines and validate traffic flows, etc.

Describe alternatives you've considered.

Manually installing ssm agent

Additional context

No response
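The request above (SSM-capable AMI, an instance profile with SSM permissions, and retrying user data) put together as one Terraform fragment. This is an added example for this page, not code from the swfw-modules repository or from the issue author; the resource names, `var.spoke_subnet_id` and `var.web_sg_id` are assumptions, and the web server script is a condensed variant of the one posted in the issue.

```hcl
# Added example: a spoke web server reachable through SSM Session Manager
# with no public IP, no SSH key and no jump host.

# Amazon Linux 2 ships with the SSM agent pre-installed; resolve the current
# AMI through the public SSM parameter instead of hard-coding an AMI ID.
data "aws_ssm_parameter" "al2" {
  name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
}

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Least privilege: the instance role carries only the managed policy that
# Session Manager needs (AmazonSSMManagedInstanceCore), nothing broader.
resource "aws_iam_role" "spoke_web_ssm" {
  name               = "spoke-web-ssm" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.spoke_web_ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "spoke_web" {
  name = "spoke-web-ssm" # assumed name
  role = aws_iam_role.spoke_web_ssm.name
}

locals {
  # Every network-dependent step retries: the spoke has no outbound path
  # until the firewall is bootstrapped, so a one-shot script would fail.
  web_user_data = <<-EOF
    #!/bin/bash
    until yum install -y httpd php; do echo "Retrying"; sleep 5; done
    rm -f /var/www/html/index.html
    until curl -fsSL -o /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke_common/scripts/showheaders.php; do echo "Retrying"; sleep 5; done
    systemctl enable --now httpd
  EOF
}

resource "aws_instance" "spoke_web" {
  ami                         = data.aws_ssm_parameter.al2.value
  instance_type               = "t3.micro"
  subnet_id                   = var.spoke_subnet_id # assumed variable
  vpc_security_group_ids      = [var.web_sg_id]     # assumed variable
  iam_instance_profile        = aws_iam_instance_profile.spoke_web.name
  associate_public_ip_address = false
  user_data                   = local.web_user_data
  user_data_replace_on_change = true

  # Require IMDSv2 so the instance role credentials cannot be pulled
  # through a plain GET (e.g. via an SSRF in the test web app).
  metadata_options {
    http_tokens = "required"
  }

  tags = { Name = "spoke-web" }
}

output "spoke_web_instance_id" {
  value = aws_instance.spoke_web.id
}
```

Once the firewall passes the instance's outbound traffic to the SSM, ssmmessages and ec2messages endpoints (or the VPC has interface endpoints for them), the instance registers and `aws ssm start-session --target $(terraform output -raw spoke_web_instance_id)` opens a shell on it; until then it simply does not appear in Session Manager, which is itself a useful check that the firewall path is up. From that shell, `curl http://<other-spoke-ip>/` against the second spoke returns the showheaders page, and the returned headers plus the firewall's traffic log confirm the flow went through the VM-Series rather than a direct VPC route.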

sebastianczech commented 3 months ago

This feature request in some parts covers #34, in which the spoke VM needs to be improved with the SSM agent.

lstadnik commented 2 months ago

Duplicate - PR #57 was merged.