Updated docs formatting and added tf/tofu validation note

Bryan Scarbrough 2024-04-30 14:15:53 +00:00
parent 472d029742
commit 619ff1d420
No known key found for this signature in database
8 changed files with 53 additions and 15 deletions

View file

@ -3,6 +3,7 @@
These projects are intended to be starting examples and for automating Kasm Workspaces deployments via terraform.
Administators should review the projects and add additional customizations and security enhancements as desired.
> ***NOTE:*** All of these deployments have been tested and validated with both [Terraform](https://www.terraform.io/) and [OpenTofu](https://opentofu.org/)
# AWS
- [Multi-Server Single Region](aws/standard/README.md)
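Review bot: The added NOTE says all deployments were "tested and validated with both" Terraform and OpenTofu but names no versions; state the Terraform and OpenTofu versions that were validated so readers can tell whether their toolchain is covered. The context line directly above the note still reads "Administators"; since this is a docs cleanup, correct it to "Administrators" in the same commit.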
@ -13,4 +14,9 @@ Administators should review the projects and add additional customizations and s
- [Multi-Server Single Region](oci/standard/README.md)
# DigitalOcean
- [Single Server](digitalocean/single_server/README.md)
- [Single Server](digitalocean/single_server/README.md)
# GCP
- [GCP Requirements](gcp/README.md)
- [Multi-Server Single Region](gcp/MULTI_SERVER.md)
- [Multi-Region](gcp/MULTI_REGION.md)
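Review bot: The new GCP entries link to `gcp/MULTI_SERVER.md` and `gcp/MULTI_REGION.md`, while the other provider entries visible in this index follow the `<provider>/<layout>/README.md` pattern (`aws/standard/README.md`, `oci/standard/README.md`, `digitalocean/single_server/README.md`). If the GCP layout is intentionally different, a short remark in the index would help; otherwise consider aligning the paths so the index stays predictable.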

View file

@ -1,4 +1,5 @@
# AWS Multi-Region Deploy
This project will deploy Kasm Workspaces within multiple AWS regions of your choice. Multiple [Deployment Zones](https://kasmweb.com/docs/latest/guide/zones/deployment_zones.html) will be configured for the
deployment that correspond to the desired AWS regions.
@ -16,20 +17,21 @@ is deployed.
[Image_Diagram]: https://5856039.fs1.hubspotusercontent-na1.net/hubfs/5856039/terraform/diagrams/aws-multi-region-new.jpg "Diagram"
> ***NOTE:*** This deployment has been tested and validated with both [Terraform](https://www.terraform.io/) and [OpenTofu](https://opentofu.org/)
# Pre-Configuration
Consider creating a special sub account for the Kasm deployment.
### DNS Zone
In your AWS account create a DNS Public zone that matches the desired domain name for the deployment. e.g `kasm.contoso.com`
### SSH Key Pair
In the each AWS region where you will deploy Kasm, create an aws Key pair with the same name. The key name will be value used in the `aws_key_pair` variable and it will be configured as the SSH key for the deployed EC2 machines.
### AWS API Keys
Create a user via the IAM console that will be used for the terraform deployment. Give the user **Programatic Access** and attach the existing policy **AdministratorAccess**. Save the key and key secret.
Create a user via the IAM console that will be used for the terraform deployment. Give the user **Programatic Access** and attach the existing policy **AdministratorAccess**. Save the key and key secret.
# Terraform Configuration
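Review bot: The AWS API Keys sentence rewritten at the end of this hunk still instructs attaching **AdministratorAccess** and ends at "Save the key and key secret." with no guidance on where. Since the line is being touched anyway, say where Terraform expects the key and secret and that they must stay out of version control, and consider documenting a narrower policy, in line with the root README's advice to add security enhancements. "Programatic" should be "Programmatic", and in SSH Key Pair "In the each AWS region" and "will be value used" need fixing.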

View file

@ -1,4 +1,5 @@
# AWS Multi-Server Single Region
This project will deploy Kasm Workspaces in a multi-server deployment in AWS within a single region of your choice.
Each role is placed in a separate subnet and traffic from user sessions on the Agent egresses out of a Nat Gateway.
@ -6,21 +7,21 @@ Each role is placed in a separate subnet and traffic from user sessions on the A
[Image_Diagram]: https://5856039.fs1.hubspotusercontent-na1.net/hubfs/5856039/terraform/diagrams/aws-multi-server-new.jpg "Diagram"
> ***NOTE:*** This deployment has been tested and validated with both [Terraform](https://www.terraform.io/) and [OpenTofu](https://opentofu.org/)
# Pre-Configuration
Consider creating a special sub account for the Kasm deployment.
### DNS Zone
In your AWS account create a DNS Public zone that matches the desired domain name for the deployment. e.g `kasm.contoso.com`
### SSH Key Pair
In the desired AWS region create an aws Key pair. The key name will be value used in the `aws_key_pair` variable and it will be configured as the SSH key for the deployed EC2 machines.
### AWS API Keys
Create a user via the IAM console that will be used for the terraform deployment. Give the user **Programatic Access** and attach the existing policy **AdministratorAccess**. Save the key and key secret
Create a user via the IAM console that will be used for the terraform deployment. Give the user **Programatic Access** and attach the existing policy **AdministratorAccess**. Save the key and key secret
# Terraform Configuration
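Review bot: The rewritten last sentence of AWS API Keys still ends without a period ("Save the key and key secret"), unlike the same sentence in the multi-region README, and still has "Programatic"; fix both while the line is being changed. In SSH Key Pair, "will be value used" is missing "the". The **AdministratorAccess** instruction also deserves a sentence on scoping the policy down.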

View file

@ -1,6 +1,6 @@
# DigitalOcean Single Server
This project will deploy Kasm Workspaces in a single-server deployment on DigitalOcean.
This project will deploy Kasm Workspaces in a single-server deployment on DigitalOcean.
![Diagram][Image_Diagram]
@ -9,12 +9,15 @@ This project will deploy Kasm Workspaces in a single-server deployment on Digita
# Pre-Configuration
### Domain Configuration
If digitalocean is not already managing your domain you will need to have your registrar point to the DigitalOcean nameservers: https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars
### API Tokens
Create a personal access token with read/write permissions at https://cloud.digitalocean.com/account/api/tokens
### SSH Authorized Keys
This project will launch a droplet and allow connections using the ssh keys defined by `ssh_key_fingerprints`. You can copy the fingerprint from the desired ssh keys from https://cloud.digitalocean.com/account/security
# Terraform Configuration
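Review bot: Neither hunk in this README adds the Terraform/OpenTofu validation note that this commit adds to the root and AWS READMEs; if the DigitalOcean project was validated as the root note claims ("All of these deployments"), add the same note here for consistency. In API Tokens, say how the read/write token is passed to Terraform and that it should not be committed. "digitalocean" in Domain Configuration should be capitalised as "DigitalOcean", as it is elsewhere in the file.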

View file

@ -1,6 +1,8 @@
# GCP Multi-Server Single Region
This project will deploy Kasm Workspaces in a multi-server deployment in GCP within multiple regions of your choice. Each Kasm server role is placed in a separate subnet and you can optionally forward traffic from user sessions on the Kasm Agent through a NAT Gateway.
> **NOTE:** Make sure you read and understand the [GCP requirements](./README.md) before continuing!
![Diagram][Image_Diagram]
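Review bot: The heading on the first line of this hunk reads "GCP Multi-Server Single Region", but the paragraph under it describes a deployment "within multiple regions of your choice". It looks copied from the single-region README; rename the heading to match the content (the root index calls this document "Multi-Region").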
@ -8,9 +10,11 @@ This project will deploy Kasm Workspaces in a multi-server deployment in GCP wit
# Pre-Configuration
Consider creating a separate GCP Project for the Kasm deployment.
### DNS Zone
There are a couple of DNS options available with this GCP Terraform. Regardless of method, Terraform will:
- Add a DNS record for the load balancer
- Add a private DNS zone and add records for the private load balancer used by Agents to communicate with the webapps
@ -22,6 +26,7 @@ There are a couple of DNS options available with this GCP Terraform. Regardless
- Using this method, Terraform will create a public DNS zone using the values you provide, and you must manually add the name server (NS) records to the parent DNS zone so queries are forwarded correctly
### Create Terraform service account and generate an API key
Create a GCP Service Account to use with Terraform (https://cloud.google.com/iam/docs/service-accounts-create), and generate an API key. Once the API Key credential file is downloaded, copy it's contents into the `gcp_credentials.json` file in this directory, and Terraform will use these credentials to perform all operations.
Recommended Service Account roles:
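Review bot: The service account paragraph tells the reader to copy the downloaded credential into `gcp_credentials.json` "in this directory", which puts a long-lived secret inside the working tree. Add a sentence that this file must not be committed, and confirm it is covered by `.gitignore`. "it's contents" should be "its contents".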
@ -31,6 +36,7 @@ Recommended Service Account roles:
- Service Account Admin
### GCP APIs to enable before running Terraform
There are several GCP service APIs that must be enabled before this Terraform can build successfully. In your GCP project, navigate to each of these and ensure they are enabled before running the Terraform configuration stage below.
GCP APIs:

View file

@ -1,6 +1,7 @@
# GCP Multi-Server Single Region
This project will deploy Kasm Workspaces in a multi-server deployment in GCP within a single region of your choice. Each Kasm server role is placed in a separate subnet and you can optionally forward traffic from user sessions on the Kasm Agent through a NAT Gateway.
> **NOTE:** Make sure you read and understand the [GCP requirements](./README.md) before continuing!
![Diagram][Image_Diagram]
@ -8,9 +9,11 @@ This project will deploy Kasm Workspaces in a multi-server deployment in GCP wit
# Pre-Configuration
Consider creating a separate GCP Project for the Kasm deployment.
### DNS Zone
There are a couple of DNS options available with this GCP Terraform. Regardless of method, Terraform will:
- Add a DNS record for the load balancer
- Add a private DNS zone and add records for the private load balancer used by Agents to communicate with the webapps
@ -22,6 +25,7 @@ There are a couple of DNS options available with this GCP Terraform. Regardless
- Using this method, Terraform will create a public DNS zone using the values you provide, and you must manually add the name server (NS) records to the parent DNS zone so queries are forwarded correctly
### Create Terraform service account and generate an API key
Create a GCP Service Account to use with Terraform (https://cloud.google.com/iam/docs/service-accounts-create), and generate an API key. Once the API Key credential file is downloaded, copy it's contents into the `gcp_credentials.json` file in this directory, and Terraform will use these credentials to perform all operations.
Recommended Service Account roles:
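Review bot: "generate an API key" in the heading and paragraph of this hunk is misleading: what is downloaded and pasted into `gcp_credentials.json` is a service account key file, and GCP uses "API key" for a different credential type. Reword to "service account key" so readers create the right credential.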
@ -31,6 +35,7 @@ Recommended Service Account roles:
- Service Account Admin
### GCP APIs to enable before running Terraform
There are several GCP service APIs that must be enabled before this Terraform can build successfully. In your GCP project, navigate to each of these and ensure they are enabled before running the Terraform configuration stage below.
GCP APIs:
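Review bot: "Service Account Admin" appears in the recommended roles at the top of this hunk with no explanation. That role lets the Terraform identity manage service accounts in the project, so add a line on which resources in this configuration need it, allowing operators to judge whether to grant it.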

View file

@ -9,26 +9,34 @@ This project will deploy Kasm Workspaces in a single-server deployment in OCI.
# Pre-Configuration
Consider creating a new Compartment for the Kasm Workspaces deployment.
### DNS Zone
In OCI create a public DNS zone that matches the desired domain name for the deployment. e.g `kasm.contoso.com`.
### API Keys
Create an administative user in the OCI console that will be used for the terraform deployment. Add the user to the **Administrators** Group. Generate an API Key for the user. The API Key Fingerprint will be used as a variable in the deployment configuration. Save the private key to the local directory replacing `oci-private-key.pem`.
### SSL Certificate Options
#### Terraform-generated Let's Encrypt Certificate
To use Terraform to generate a Let's Encrypt certificate automatically, set the `letsencrypt_cert_support_email` to a valid email address and set the `letsencrypt_server_type` to either "staging" or "prod" and leave the `kasm_ssl_crt_path` and `kasm_ssl_key_path` variables empty.
***NOTE:***
- Staging generates certificates that a browser will not trust, but are formatted correctly and are designed for testing and validating the system configuraiton and deployment and has a limit of hundreds of certificates per domain per week.
- Prod generates valid Let's Encrypt certificates but is limited to 5 certificates per week per domain.
> ***NOTE:***
> - Staging generates certificates that a browser will not trust, but are formatted correctly and are designed for testing and validating the system configuraiton and deployment and has a limit of hundreds of certificates per domain per week.
> - Prod generates trusted Let's Encrypt certificates but is limited to 5 certificates per week per domain.
#### Bring Your Own Certificates
Create an SSL certificate that matches the desired domain for the deployment. e.g (kasm.contoso.com). Place the pem encoded cert and key in this directory overwriting `kasm_ssl.crt` and `kasm_ssl.key`.
# Terraform Configuration
1. Initialize the project
terraform init
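Review bot: The NOTE that this hunk converts to a blockquote keeps the typo "configuraiton" in the new Staging bullet, and that bullet switches number mid-sentence ("are designed ... and has a limit"). Fix both in the replacement lines, for example by moving the rate limit into its own sentence. "administative" in API Keys is also misspelled.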

View file

@ -9,22 +9,29 @@ This project will deploy Kasm Workspaces in a multi-server deployment in OCI.
# Pre-Configuration
Consider creating a new Compartment for the Kasm Workspaces deployment.
### DNS Zone
In OCI create a public DNS zone that matches the desired domain name for the deployment. e.g `kasm.contoso.com`.
### API Keys
Create an administative user in the OCI console that will be used for the terraform deployment. Add the user to the **Administrators** Group. Generate an API Key for the user. The API Key Fingerprint will be used as a variable in the deployment configuration. Save the private key to the local directory replacing `oci-private-key.pem`.
### SSL Certificate Options
#### Terraform-generated Let's Encrypt Certificate
To use Terraform to generate a Let's Encrypt certificate automatically, set the `letsencrypt_cert_support_email` to a valid email address and set the `letsencrypt_server_type` to either "staging" or "prod" and leave the `kasm_ssl_crt_path` and `kasm_ssl_key_path` variables empty.
***NOTE:***
- Staging generates certificates that a browser will not trust, but are formatted correctly and are designed for testing and validating the system configuraiton and deployment and has a limit of hundreds of certificates per domain per week.
- Prod generates valid Let's Encrypt certificates but is limited to 5 certificates per week per domain.
> ***NOTE:***
> - Staging generates certificates that a browser will not trust, but are formatted correctly and are designed for testing and validating the system configuraiton and deployment and has a limit of hundreds of certificates per domain per week.
> - Prod generates trusted Let's Encrypt certificates but is limited to 5 certificates per week per domain.
#### Bring Your Own Certificates
Create an SSL certificate that matches the desired domain for the deployment. e.g (kasm.contoso.com). Place the pem encoded cert and key in this directory overwriting `kasm_ssl.crt` and `kasm_ssl.key`.
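Review bot: API Keys tells the reader to save the private key into the local directory as `oci-private-key.pem`, and Bring Your Own Certificates does the same for `kasm_ssl.key`. With key material sitting next to the Terraform files, the README should state that these files must not be committed. The new blockquote also carries the typo "configuraiton", and "e.g (kasm.contoso.com)" should use the backticked form used under DNS Zone.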