* fix: Add IPv6 support for WireGuard endpoint addresses
Fixes issue where IPv6 addresses in WireGuard configuration files were
not properly formatted with square brackets when used with port numbers.
The WireGuard client configuration template now detects IPv6 addresses
using the ansible.utils.ipv6 filter and wraps them in brackets as required
by the WireGuard configuration format.
Example outputs:
- IPv4: 192.168.1.1:51820
- IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820
- Hostname: vpn.example.com:51820
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Correct Azure requirements file path to fix deployment failures
The previous fix in commit 7acdca0
updated to Azure collection v3.7.0 but
referenced the incorrect requirements file name. The file is now called
requirements.txt instead of requirements-azure.txt in v3.7.0.
This fixes the Azure deployment failure where pip cannot find the
requirements file, preventing users from deploying VPN servers on Azure.
Also added no_log: true to prevent potential credential leakage during
the pip installation process.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: resolve AWS CloudFormation linter warnings (#14294)
This commit addresses all the CloudFormation linting issues identified in issue #14294:
- Remove unused PublicSSHKeyParameter from CloudFormation template and task parameters
The SSH public key is now injected directly via cloud-init template instead of
being passed as a CloudFormation parameter
- Update ImageIdParameter type from String to AWS::EC2::Image::Id for better type safety
- Remove obsolete DependsOn attributes that are automatically enforced by CloudFormation
through Ref and GetAtt functions
All changes verified with cfn-lint which now passes without warnings.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Replace ansible.utils.ipv6 filter with simple colon detection
The ansible.utils.ipv6 filter is not available in the test environment,
causing the Smart Test Selection workflow to fail. This change replaces
it with a simple string check for colons (':') which reliably detects
IPv6 addresses since they contain colons while IPv4 addresses do not.
The fix maintains the same functionality:
- IPv6 addresses: [2600:3c01::f03c:91ff:fedf:3b2a]:51820
- IPv4 addresses: 192.168.1.1:51820
This resolves the failing workflow tests in PR #14782.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
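---
# CloudFormation stack for a single Algo VPN server: one VPC with a public
# dual-stack (IPv4 + IPv6) subnet, one EC2 instance reachable on SSH, IPsec
# and WireGuard, and an Elastic IP that is either newly allocated or taken
# from the UseThisElasticIP parameter.
#
# Style: short-form intrinsics (!Ref, !Join, !GetAtt) and single-quoted
# strings are used throughout; string-typed CloudFormation properties that
# look numeric (ports, template version) are quoted so no YAML parser
# retypes them.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Algo VPN stack'

Parameters:
  InstanceTypeParameter:
    Type: String
    Default: t2.micro
  ImageIdParameter:
    # Typed as an AMI id so CloudFormation validates the value before any
    # resource is created.
    Type: AWS::EC2::Image::Id
  WireGuardPort:
    Type: String
  UseThisElasticIP:
    # Allocation id of an existing EIP; the empty default means "allocate
    # a new one" (see the Conditions section).
    Type: String
    Default: ''
  EbsEncrypted:
    Type: String
  UserData:
    # Passed through unchanged to the instance; the caller supplies the
    # cloud-init payload.
    Type: String
  SshPort:
    Type: String
  InstanceMarketTypeParameter:
    Description: Launch a Spot instance or standard on-demand instance
    Type: String
    Default: on-demand
    AllowedValues:
      - spot
      - on-demand

Conditions:
  AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
  AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
  InstanceIsSpot: !Equals [spot, !Ref InstanceMarketTypeParameter]

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  VPCIPv6:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      AmazonProvidedIpv6CidrBlock: true
      VpcId: !Ref VPC

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 172.16.254.0/23
      # The instance gets an Elastic IP below, so no auto-assigned public
      # IPv4 address is needed at launch.
      MapPublicIpOnLaunch: false
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  Route:
    Type: AWS::EC2::Route
    # A route through an internet gateway can only be created once the
    # gateway is attached to the VPC; !Ref InternetGateway alone does not
    # express that ordering.
    DependsOn:
      - VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  RouteIPv6:
    Type: AWS::EC2::Route
    # Same ordering requirement as Route above.
    DependsOn:
      - VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationIpv6CidrBlock: '::/0'
      GatewayId: !Ref InternetGateway

  SubnetIPv6:
    Type: AWS::EC2::SubnetCidrBlock
    DependsOn:
      - VPCIPv6
    Properties:
      # Derive the subnet's /64 from the first IPv6 block AWS assigned to
      # the VPC: keep the part before the first '::' and append a fixed
      # subnet id and prefix length.
      Ipv6CidrBlock: !Join
        - ''
        - - !Select [0, !Split ['::', !Select [0, !GetAtt VPC.Ipv6CidrBlocks]]]
          - '::dead:beef/64'
      SubnetId: !Ref Subnet

  RouteSubnet:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref Subnet

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    DependsOn:
      - Subnet
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Enable SSH and IPsec
      # The VPN and SSH ports are reachable from any IPv4 source by design
      # (this is a public VPN endpoint); host-level access control comes
      # from whatever the UserData payload configures. Every rule uses
      # CidrIp only, so no inbound IPv6 is permitted by this group even
      # though the instance is given an IPv6 address below. No
      # SecurityGroupEgress is declared, which leaves the default
      # allow-all egress in place.
      SecurityGroupIngress:
        - IpProtocol: tcp  # SSH
          FromPort: !Ref SshPort
          ToPort: !Ref SshPort
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp  # IKE (IPsec)
          FromPort: '500'
          ToPort: '500'
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp  # IPsec NAT-T
          FromPort: '4500'
          ToPort: '4500'
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp  # WireGuard
          FromPort: !Ref WireGuardPort
          ToPort: !Ref WireGuardPort
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  EC2LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    # Only created when a spot instance_market_type is requested in
    # config.cfg; it exists solely to carry the spot market option.
    Condition: InstanceIsSpot
    Properties:
      LaunchTemplateName: !Ref AWS::StackName
      LaunchTemplateData:
        InstanceMarketOptions:
          MarketType: spot

  EC2Instance:
    Type: AWS::EC2::Instance
    # Ipv6AddressCount needs the subnet's IPv6 block to exist first.
    DependsOn:
      - SubnetIPv6
    Properties:
      InstanceType: !Ref InstanceTypeParameter
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            DeleteOnTermination: true
            VolumeSize: 8
            # No KmsKeyId is given, so when encryption is enabled the
            # account's default EBS key is used.
            Encrypted: !Ref EbsEncrypted
      # Together with DeleteOnTermination above, an OS-level shutdown
      # terminates the instance and discards its root volume.
      InstanceInitiatedShutdownBehavior: terminate
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
      ImageId: !Ref ImageIdParameter
      SubnetId: !Ref Subnet
      Ipv6AddressCount: 1
      UserData: !Ref UserData
      # NOTE(review): MetadataOptions is not set, so IMDS behaviour follows
      # the AWS defaults; `MetadataOptions: {HttpTokens: required}` would
      # enforce IMDSv2 — confirm whether that is wanted here.
      LaunchTemplate: !If
        - InstanceIsSpot
        - LaunchTemplateId: !Ref EC2LaunchTemplate
          Version: '1'
        - !Ref AWS::NoValue  # on-demand: no launch template at all
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  ElasticIP:
    Type: AWS::EC2::EIP
    Condition: AllocateNewEIP
    # An EIP cannot be attached to an instance in a VPC until the internet
    # gateway attachment exists.
    DependsOn:
      - VPCGatewayAttachment
    Properties:
      Domain: vpc
      InstanceId: !Ref EC2Instance

  ElasticIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Condition: AssociateExistingEIP
    Properties:
      AllocationId: !Ref UseThisElasticIP
      InstanceId: !Ref EC2Instance

Outputs:
  ElasticIP:
    # NOTE(review): this reads the instance's PublicIp attribute rather
    # than the ElasticIP/ElasticIPAssociation resources; confirm it reports
    # the address that was actually associated.
    Value: !GetAtt EC2Instance.PublicIp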