nginx on windows

Author: LamSut

.terraform.lock.hcl

@@ -26,7 +26,7 @@ resource "aws_instance" "amazon" {
   }
 
   provisioner "local-exec" {
-    command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ec2-user --key-file ${var.private_key_path} -T 300 -i '${self.public_ip},' playbooks/nginx.yaml"
+    command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ec2-user --key-file ${var.private_key_path} -T 300 -i '${self.public_ip},' playbooks/nginx/nginx-linux.yaml"
   }
 
   tags = {
@@ -61,7 +61,7 @@ resource "aws_instance" "ubuntu" {
   }
 
   provisioner "local-exec" {
-    command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --key-file ${var.private_key_path} -T 300 -i '${self.public_ip},' playbooks/nginx.yaml"
+    command = "ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u ubuntu --key-file ${var.private_key_path} -T 300 -i '${self.public_ip},' playbooks/nginx/nginx-linux.yaml"
   }
 
   tags = {
@@ -74,13 +74,70 @@ resource "aws_instance" "windows" {
 
   ami           = var.ami_free_windows
   instance_type = var.instance_type_free
+  key_name      = var.private_key_name
 
-  key_name = var.private_key_name
-
-  subnet_id              = var.public_subnet[2]
+  subnet_id              = var.public_subnet[0]
   vpc_security_group_ids = [var.security_group["sg_windows"]]
 
+  user_data = <<EOF
+  <powershell>
+  New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986
+  New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80
+  New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443
+  winrm quickconfig -q
+  winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+  winrm set winrm/config/service/auth '@{Basic="true"}'
+  winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
+  $cert = New-SelfSignedCertificate -DnsName (hostname) -CertStoreLocation Cert:\LocalMachine\My
+  winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$(hostname)`"; CertificateThumbprint=`"$($cert.Thumbprint)`"}"
+  net localgroup "Remote Management Users" Administrator /add
+  Restart-Service winrm
+  </powershell>
+  EOF
+
   tags = {
     Name = "B2111933 Windows"
   }
 }
+
+resource "null_resource" "wait_for_windows" {
+  count      = length(aws_instance.windows)
+  depends_on = [aws_instance.windows]
+
+  provisioner "local-exec" {
+    command = <<EOT
+      echo "Waiting for Windows startup (60s)..."
+      sleep 60
+      while ! nc -z ${aws_instance.windows[count.index].public_ip} 5986; do
+        echo "Waiting for Windows to be ready..."
+        sleep 10
+      done
+      echo "Windows is ready!"
+    EOT
+  }
+}
+
+resource "null_resource" "get_windows_password" {
+  count      = length(aws_instance.windows)
+  depends_on = [null_resource.wait_for_windows]
+
+  provisioner "local-exec" {
+    command = "aws ec2 get-password-data --instance-id ${aws_instance.windows[count.index].id} --priv-launch-key ${var.private_key_path} --output text | tr -d '\r\n' > ./keys/${aws_instance.windows[count.index].id}.txt"
+  }
+}
+
+resource "null_resource" "ansible_windows" {
+  count      = length(aws_instance.windows)
+  depends_on = [null_resource.get_windows_password]
+
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOT
+    echo "Running Ansible with password: $(awk '{print $2}' ./keys/${aws_instance.windows[count.index].id}.txt | tr -d '\r')"
+    ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook \
+      -u Administrator --connection=winrm \
+      --extra-vars "ansible_winrm_server_cert_validation=ignore ansible_winrm_password=$(awk '{print $2}' ./keys/${aws_instance.windows[count.index].id}.txt | tr -d '\r')" \
+      -T 600 -i '${aws_instance.windows[count.index].public_ip},' playbooks/nginx/nginx-windows.yaml
+  EOT
+  }
+}

ec2/main.tf

@@ -2,13 +2,13 @@
 <html>
 <style>
     body {
-        background-color: black;
+        background-color: darkblue;
         color: white;
     }
 </style>
 
 <body>
-    <h1>Ansible</h1>
+    <h1>B2111933</h1>
 </body>
 
 </html>

playbooks/index.html playbooks/nginx/index.html

@@ -55,4 +55,4 @@
       service:
         name: nginx
         state: started
-        enabled: true
+        enabled: true

playbooks/nginx.yaml playbooks/nginx/nginx-linux.yaml

@@ -0,0 +1,26 @@
+- name: Install Nginx on Windows
+  hosts: all
+  gather_facts: yes
+  vars:
+    nginx_version: "1.27.4"
+  tasks:
+    - name: Install Nginx via Chocolatey
+      win_chocolatey:
+        name: nginx
+        state: present
+
+    - name: Ensure the document root directory exists
+      win_file:
+        path: C:\tools\nginx-{{ nginx_version }}\html
+        state: directory
+
+    - name: Copy index.html to the document root
+      win_template:
+        src: index.html
+        dest: C:\tools\nginx-{{ nginx_version }}\html\index.html
+
+    - name: Start the Nginx service and set it to auto start
+      win_service:
+        name: nginx
+        state: started
+        start_mode: auto

playbooks/nginx/nginx-windows.yaml

@@ -106,26 +106,54 @@ resource "aws_security_group" "security_groups" {
   name        = each.key
   description = each.value.description
   vpc_id      = aws_vpc.b2111933_vpc.id
+}
 
-  dynamic "ingress" {
-    for_each = each.value.ingress
-    content {
-      from_port   = ingress.value.from_port
-      to_port     = ingress.value.to_port
-      protocol    = ingress.value.protocol
-      cidr_blocks = ingress.value.cidr_blocks
-    }
-  }
+locals {
+  sg_ingress = flatten([
+    for sg_name, sg in var.security_groups_config : [
+      for rule in sg.ingress : {
+        sg_name     = sg_name
+        from_port   = rule.from_port
+        to_port     = rule.to_port
+        protocol    = rule.protocol
+        cidr_blocks = rule.cidr_blocks
+      }
+    ]
+  ])
+
+  sg_egress = flatten([
+    for sg_name, sg in var.security_groups_config : [
+      for rule in sg.egress : {
+        sg_name     = sg_name
+        from_port   = rule.from_port
+        to_port     = rule.to_port
+        protocol    = rule.protocol
+        cidr_blocks = rule.cidr_blocks
+      }
+    ]
+  ])
+}
 
-  dynamic "egress" {
-    for_each = each.value.egress
-    content {
-      from_port   = egress.value.from_port
-      to_port     = egress.value.to_port
-      protocol    = egress.value.protocol
-      cidr_blocks = egress.value.cidr_blocks
-    }
-  }
+resource "aws_security_group_rule" "ingress_rules" {
+  for_each = { for idx, rule in local.sg_ingress : "${rule.sg_name}-ingress-${idx}" => rule }
+
+  type              = "ingress"
+  security_group_id = aws_security_group.security_groups[each.value.sg_name].id
+  from_port         = each.value.from_port
+  to_port           = each.value.to_port
+  protocol          = each.value.protocol
+  cidr_blocks       = each.value.cidr_blocks
+}
+
+resource "aws_security_group_rule" "egress_rules" {
+  for_each = { for idx, rule in local.sg_egress : "${rule.sg_name}-egress-${idx}" => rule }
+
+  type              = "egress"
+  security_group_id = aws_security_group.security_groups[each.value.sg_name].id
+  from_port         = each.value.from_port
+  to_port           = each.value.to_port
+  protocol          = each.value.protocol
+  cidr_blocks       = each.value.cidr_blocks
 }
 
 resource "aws_security_group_rule" "sg_icmp" {

vpc/main.tf

@@ -22,14 +22,14 @@ variable "subnets" {
       cidr_block        = "10.0.2.0/24"
       availability_zone = "us-east-1a"
     },
-    {
-      cidr_block        = "10.0.3.0/24"
-      availability_zone = "us-east-1a"
-    },
-    {
-      cidr_block        = "10.0.4.0/24"
-      availability_zone = "us-east-1a"
-    }
+    # {
+    #   cidr_block        = "10.0.3.0/24"
+    #   availability_zone = "us-east-1a"
+    # },
+    # {
+    #   cidr_block        = "10.0.4.0/24"
+    #   availability_zone = "us-east-1a"
+    # }
   ]
 }
 
@@ -47,14 +47,14 @@ variable "private_subnets" {
       cidr_block        = "10.0.102.0/24"
       availability_zone = "us-east-1a"
     },
-    {
-      cidr_block        = "10.0.103.0/24"
-      availability_zone = "us-east-1a"
-    },
-    {
-      cidr_block        = "10.0.104.0/24"
-      availability_zone = "us-east-1a"
-    }
+    # {
+    #   cidr_block        = "10.0.103.0/24"
+    #   availability_zone = "us-east-1a"
+    # },
+    # {
+    #   cidr_block        = "10.0.104.0/24"
+    #   availability_zone = "us-east-1a"
+    # }
   ]
 }
 
@@ -75,7 +75,7 @@ variable "security_groups_config" {
     }))
   }))
   default = {
-    "sg_linux" = {
+    sg_linux = {
       description = "Security Group for Linux"
       ingress = [
         {
@@ -95,6 +95,12 @@ variable "security_groups_config" {
           to_port     = 443
           protocol    = "tcp"
           cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          from_port   = -1
+          to_port     = -1
+          protocol    = "icmp"
+          cidr_blocks = ["0.0.0.0/0"]
         }
       ]
       egress = [
@@ -106,7 +112,7 @@ variable "security_groups_config" {
         }
       ]
     },
-    "sg_windows" = {
+    sg_windows = {
       description = "Security Group for Windows"
       ingress = [
         {
@@ -126,6 +132,18 @@ variable "security_groups_config" {
           to_port     = 3389
           protocol    = "tcp"
           cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          from_port   = 5986
+          to_port     = 5986
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          from_port   = -1
+          to_port     = -1
+          protocol    = "icmp"
+          cidr_blocks = ["0.0.0.0/0"]
         }
       ]
       egress = [