v271 (#17)

README.md

@@ -130,23 +130,12 @@ resource "aws_security_group_rule" "sftp_banks" {
 
 ## Automated System Health Reporting
 
-10 minutes after boot and then at 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.
+10 minutes after boot, at 0200 UTC every day and once at shutdown, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.
 
 Access to this information is immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.
 
-We understand if certain environments within your deployment would rather not have this turned on. **To disable it,** a file at the path `/etc/chaser/disable_automated-system-health-reporting` should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:
+We understand if certain environments within your deployment would rather not have this turned on. **To disable it,** a file at the path `/etc/chaser/disable_automated-system-health-reporting` should exist. From our Terraform module v2.7.1 onwards, this can be accomplished by setting the variable `ashr` to `false`:
 
 ```
-user_data_base64 = "I2Nsb3VkLWNvbmZpZwp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2NoYXNlci9kaXNhYmxlX2F1dG9tYXRlZC1zeXN0ZW0taGVhbHRoLXJlcG9ydGluZwo="
+ashr = false
 ```
-
-The _base64_ value above decodes to:
-
-```
-#cloud-config
-write_files:
-- path: /etc/chaser/disable_automated-system-health-reporting
-```
-
-Which is a [cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/examples.html) way of creating that file in the instance.
-

discriminat.tf

@@ -45,6 +45,19 @@ variable "ami_name" {
   default     = null
 }
 
+variable "byol" {
+  type        = string
+  sensitive   = true
+  default     = null
+  description = "If using the BYOL version from the marketplace, supply the licence key as supplied by Chaser Systems here."
+}
+
+variable "ashr" {
+  type        = bool
+  default     = true
+  description = "Automated System Health Reporting. See note in README to learn more. Set to false to disable. Default is true and hence enabled."
+}
+
 ##
 
 ## Lookups
@@ -70,7 +83,7 @@ data "aws_ami" "discriminat" {
 
   filter {
     name   = var.ami_owner == null ? "product-code" : "owner-id"
-    values = [var.ami_owner == null ? "bz1yq0sc5ta99w5j7jjwzym8g" : var.ami_owner]
+    values = [var.ami_owner == null ? var.byol == null ? "bz1yq0sc5ta99w5j7jjwzym8g" : "a7z5gi2mkpzvo93r2e8csl2ld" : var.ami_owner]
   }
 
   filter {
@@ -164,7 +177,7 @@ resource "aws_launch_template" "discriminat" {
   }
 
   key_name  = var.key_pair_name
-  user_data = var.user_data_base64
+  user_data = var.user_data_base64 != null ? var.user_data_base64 : local.cloud_config == "" ? null : base64encode(local.cloud_config)
 
   tags = local.tags
 }
@@ -323,6 +336,19 @@ locals {
   zones = [for z in data.aws_subnet.public_subnet : substr(z.availability_zone, -1, 1)]
 }
 
+locals {
+  cc_byol = var.byol == null ? "" : "- encoding: base64\n  path: /etc/chaser/licence-key.der\n  permissions: 0404\n  content: ${var.byol}\n"
+  cc_ashr = var.ashr == true ? "" : "- path: /etc/chaser/disable_automated-system-health-reporting\n  permissions: 0404\n"
+}
+
+locals {
+  cc_write_files = "${local.cc_byol}${local.cc_ashr}"
+}
+
+locals {
+  cloud_config = local.cc_write_files == "" ? "" : "#cloud-config\nwrite_files:\n${local.cc_write_files}"
+}
+
 ##
 
 ## Constraints