AlainODea · September 3, 2020 00:45
diff --git a/README.md b/README.md
diff --git a/main.tf b/main.tf
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # CREATE A WEB PROXY SERVICE USING SQUID TO FILTER EXTERNAL WEB ACCESS
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 terraform {
  required_version = ">= 0.12"
  required_providers {
    aws = ">= 2.35.0"
  }
 }

 # ------------------------------------------------------------------------------
 # CREATE A SQUID SERVER
 # ------------------------------------------------------------------------------

 # The proxy instance with interface specified separately to make it easier to
 # associate with a route table

 resource "aws_network_interface" "squid_eni" {
  subnet_id = var.subnet_ids[0]

  # Important to disable this check to allow traffic not addressed to the
  # proxy to be received
  source_dest_check = false
  security_groups = [
    aws_security_group.squid.id,
  ]
 }

 resource "aws_eip" "squid" {
  instance = aws_instance.squid.id
  vpc      = true
 }

 resource "aws_instance" "squid" {
  ami                  = var.ami
  instance_type        = var.instance_type
  iam_instance_profile = aws_iam_instance_profile.squid.name
  key_name             = var.keypair_name
  user_data            = local.user_data

  network_interface {
    network_interface_id = aws_network_interface.squid_eni.id
    device_index         = 0
  }

  root_block_device {
    volume_size = var.volume_size
  }

  tags = {
    Name = var.server_name
  }
 }

 # ------------------------------------------------------------------------------
 # ALLOW ACCESS TO S3
 # ------------------------------------------------------------------------------

 resource "aws_iam_instance_profile" "squid" {
  name = var.server_name
  role = aws_iam_role.squid_instance.name
 }

 resource "aws_iam_role" "squid_instance" {
  name               = var.server_name
  assume_role_policy = data.aws_iam_policy_document.allow_ec2_assume_role.json
 }

 data "aws_iam_policy_document" "allow_ec2_assume_role" {
  version = "2012-10-17"

  statement {
    sid    = "AllowEC2"
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type = "Service"
      identifiers = [
        "ec2.amazonaws.com",
      ]
    }
  }
 }

 resource "aws_iam_role_policy" "allow_letsencrypt" {
  name   = "allow-letsencrypt"
  role   = aws_iam_role.squid_instance.name
  policy = data.aws_iam_policy_document.allow_letsencrypt.json
 }

 data "aws_iam_policy_document" "allow_letsencrypt" {
  statement {
    sid    = "AllowLetsEncryptRoute53Write"
    effect = "Allow"
    actions = [
      "route53:ChangeResourceRecordSets",
    ]
    resources = [
      "arn:aws:route53:::hostedzone/${aws_route53_zone.postfix.zone_id}",
    ]
  }

  statement {
    sid    = "AllowLetsEncryptRoute53Read"
    effect = "Allow"
    actions = [
      "route53:ListHostedZones",
      "route53:GetChange",
    ]
    resources = [
      "*",
    ]
  }
 }

 resource "aws_iam_role_policy" "allow_read_smtp_secret" {
  name   = "allow-read-smtp-secret"
  role   = aws_iam_role.squid_instance.name
  policy = data.aws_iam_policy_document.allow_read_smtp_secret.json
 }

 data "aws_iam_policy_document" "allow_read_smtp_secret" {
  statement {
    sid    = "AllowGetSmtpSecret"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
    ]
    resources = [
      var.smtp_secret_arn
    ]
  }
 }

 resource "aws_iam_role_policy" "allow_config_downloads" {
  name   = "allow-config-downloads"
  role   = aws_iam_role.squid_instance.name
  policy = data.aws_iam_policy_document.allow_config_downloads.json
 }

 data "aws_iam_policy_document" "allow_config_downloads" {
  statement {
    sid    = "AllowListConfigFiles"
    effect = "Allow"
    actions = [
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::${var.squid_bucket_name}",
    ]
  }

  statement {
    sid    = "AllowDownloadConfigFiles"
    effect = "Allow"
    actions = [
      "s3:GetObject",
    ]
    resources = [
      "arn:aws:s3:::${var.squid_bucket_name}/*",
    ]
  }

  statement {
    sid    = "AllowDecryptConfigFiles"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = [
      var.squid_bucket_kms_key_arn,
    ]
  }
 }

 # ------------------------------------------------------------------------------
 # CREATE SUBDOMAIN FOR LETS ENCRYPT VALIDATION
 # ------------------------------------------------------------------------------

 resource "aws_route53_zone" "postfix" {
  name    = var.domain_name
  comment = "Delegated subdomain for Postfix."
 }

 resource "aws_route53_record" "postfix_subdomain" {
  name    = replace(var.domain_name, var.parent_public_domain_name, "")
  type    = "NS"
  zone_id = var.parent_public_hosted_zone_id

  ttl     = "300"
  records = aws_route53_zone.postfix.name_servers
 }

 resource "aws_route53_record" "postfix_internal" {
  name    = replace(var.domain_name, var.parent_public_domain_name, "")
  type    = "A"
  zone_id = var.client_hosted_zone_id

  ttl     = "300"
  records = aws_network_interface.squid_eni.private_ips
 }

 # ------------------------------------------------------------------------------
 # CONFIGURE SECURITY GROUPS FOR SQUID SERVER
 # ------------------------------------------------------------------------------

 locals {
  proxy_ports = {
    http  = 80
    https = 443
    smtps = 465
  }
 }

 resource "aws_security_group" "squid" {
  name   = var.server_name
  vpc_id = var.vpc_id
 }

 resource "aws_security_group_rule" "squid_from_openvpn_server" {
  description              = "Allow SSH from OpenVPN clients"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 22
  to_port                  = 22
  source_security_group_id = var.openvpn_security_group_id
  security_group_id        = aws_security_group.squid.id
 }

 resource "aws_security_group_rule" "inbound_proxy" {
  for_each          = local.proxy_ports
  description       = "Allow ${each.key} from proxy clients"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = each.value
  to_port           = each.value
  security_group_id = aws_security_group.squid.id
  cidr_blocks       = var.client_cidr_blocks
 }

 # ------------------------------------------------------------------------------
 # ALLOW ACCESS TO ENTIRE INTERNET
 # ------------------------------------------------------------------------------

 resource "aws_security_group_rule" "squid_to_entire_internet" {
  description       = "Allow all traffic to the Internet (Squid is the firewall)"
  type              = "egress"
  protocol          = "all"
  from_port         = 0
  to_port           = 0
  security_group_id = aws_security_group.squid.id
  cidr_blocks = [
    "0.0.0.0/0",
  ]
 }

 resource "aws_route" "private_subnet_default_gateway_squid" {
  for_each               = { for route_table_id in var.route_table_ids : route_table_id => route_table_id }
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_network_interface.squid_eni.id
 }

 # ------------------------------------------------------------------------------
 # Get IAM-SSH working
 # ------------------------------------------------------------------------------

 module "iam_policies" {
  source = "git::[email protected]:gruntwork-io/module-security.git//modules/iam-policies?ref=v0.31.0"

  aws_account_id = var.aws_account_id

  # We can't use MFA with ssh-iam, since it's an automated app
  trust_policy_should_require_mfa = false
  iam_policy_should_require_mfa   = false

  # Since our IAM users are defined in a separate AWS account, we need to give ssh-iam permission to make API calls to
  # that account.
  allow_access_to_other_account_arns = {
    group1 = [
      var.external_account_ssh_iam_role_arn,
    ]
  }
 }

 resource "aws_iam_role_policy" "ssh_iam_permissions" {
  name   = "ssh-iam-permissions"
  role   = aws_iam_role.squid_instance.name
  policy = module.iam_policies.allow_access_to_other_accounts["group1"]
 }

 # ------------------------------------------------------------------------------
 # Build user-data
 # ------------------------------------------------------------------------------

 locals {
  user_data = templatefile("${path.module}/user-data/user-data.sh", {
    aws_region                        = var.aws_region
    domain_name                       = var.domain_name
    external_account_ssh_iam_role_arn = var.external_account_ssh_iam_role_arn
    letsencrypt_bucket                = var.letsencrypt_bucket
    letsencrypt_subscriber_email      = var.letsencrypt_subscriber_email
    ses_smtp_address                  = var.ses_smtp_address
    postfix_mydomain                  = var.postfix_mydomain
    postfix_relay_domains             = var.postfix_relay_domains
    smtp_secret_name                  = var.smtp_secret_name
  })
 }
diff --git a/outputs.tf b/outputs.tf
 output "instance_id" {
  value = aws_instance.squid.id
 }

 output "eni_id" {
  value = aws_network_interface.squid_eni.id
 }

 output "iam_role_name" {
  value = aws_iam_role.squid_instance.name
 }

 output "iam_instance_profile_name" {
  value = aws_iam_instance_profile.squid.name
 }
 output "squid_sg" {
  value = aws_security_group.squid.id
 }
diff --git a/squid-server.json b/squid-server.json
 {
  "variables": {
    "aws_region": "ca-central-1",
    "vpc_id": "{{env `PACKER_VPC_ID`}}",
    "subnet_id": "{{env `PACKER_SUBNET_ID`}}",
    "ssh_grunt_iam_role_arn": "{{env `ssh_grunt_iam_role_arn`}}",
    "github_auth_token": "{{env `GITHUB_OAUTH_TOKEN`}}",
    "squid_bucket": "{{env `squid_bucket`}}"
  },
  "builders": [
    {
      "ami_name": "squid-server-{{isotime | clean_resource_name}}",
      "ami_description": "Squid + Postfix server built on Amazon Linux 2 {{isotime}}.",
      "instance_type": "t3.small",
      "region": "{{user `aws_region`}}",
      "vpc_id": "{{user `vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "associate_public_ip_address": "true",
      "type": "amazon-ebs",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "architecture": "x86_64",
          "name": "amzn2-ami-hvm-*-x86_64-ebs",
          "root-device-type": "ebs"
        },
        "owners": [
          "amazon"
        ],
        "most_recent": true
      },
      "ssh_username": "ec2-user",
      "encrypt_boot": true
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "echo 'OS packages... updating'",
        "sudo yum update --assumeyes",
        "echo 'OS packages... updated'"
      ]
    },
    {
      "type": "shell",
      "inline": [
        "echo 'Gruntwork installer... installing'",
        "curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version v0.0.28",
        "echo 'Gruntwork installer... installed'"
      ],
      "environment_vars": [
        "GITHUB_OAUTH_TOKEN={{user `github_auth_token`}}"
      ]
    },
    {
      "type": "shell",
      "inline": [
        "gruntwork-install --module-name 'bash-commons'                                   --repo 'https://github.com/gruntwork-io/bash-commons'          --tag  'v0.1.2'",
        "gruntwork-install --module-name 'logs/cloudwatch-log-aggregation-scripts'        --repo 'https://github.com/gruntwork-io/module-aws-monitoring' --tag 'v0.21.1' --module-param aws-region={{user `aws_region`}}",
        "gruntwork-install --module-name 'metrics/cloudwatch-memory-disk-metrics-scripts' --repo 'https://github.com/gruntwork-io/module-aws-monitoring' --tag 'v0.21.1'",
        "gruntwork-install --module-name 'logs/syslog'                                    --repo 'https://github.com/gruntwork-io/module-aws-monitoring' --tag 'v0.21.1'",
        "gruntwork-install --module-name 'auto-update'                                    --repo 'https://github.com/gruntwork-io/module-security'       --tag 'v0.30.0'",
        "gruntwork-install --binary-name 'ssh-grunt'                                      --repo 'https://github.com/gruntwork-io/module-security'       --tag 'v0.28.7'",
        "gruntwork-install --binary-name 'gruntkms'                                       --repo 'https://github.com/gruntwork-io/gruntkms'              --tag  'v0.0.8'",
        "sudo /usr/local/bin/ssh-grunt iam install --iam-group ssh-iam-users --iam-group-sudo ssh-iam-sudo-users --role-arn '{{user `ssh_grunt_iam_role_arn`}}'"
      ],
      "environment_vars": [
        "GITHUB_OAUTH_TOKEN={{user `github_auth_token`}}"
      ]
    },
    {
      "type": "shell",
      "script": "./squid-server.sh",
      "environment_vars": [
        "squid_bucket={{user `squid_bucket`}}"
      ]
    }
  ]
 }
diff --git a/squid-server.sh b/squid-server.sh
 #!/bin/bash
 set -Eeuxo pipefail

 # Required environment Variables
 declare -r squid_bucket="${squid_bucket}"

 echo ------------------------------------------------------------------------
 echo Installing and configuring the necessary dependencies
 echo ------------------------------------------------------------------------
 sudo yum update -y
 # - policycoreutils-python is needed for certbot
 # - jq is needed to parse JSON-formatted Secrets Manager secrets, to avoid
 #   death by 1,000 $0.40/month paper cuts (that's the fee per secret)
 sudo yum install -y policycoreutils-python jq

 # Install certbot on Amazon Linux 2.
 # Modified to do Route53 challenges since the server is on a private network.
 # SOURCE: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt
 wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
 sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
 sudo yum-config-manager --enable epel*
 sudo yum install -y certbot python2-certbot-dns-route53 python2-pip

 # BUG: certbot will fail due to conflicting boto3 packages, so fix it
 # SOURCE: https://unix.stackexchange.com/a/456362
 sudo pip uninstall --yes botocore boto3 || true
 sudo pip install boto3

 echo ------------------------------------------------------------------------
 echo Installing Squid and Dovecot
 echo ------------------------------------------------------------------------
 sudo yum install --assumeyes squid dovecot

 # Create original allowlist for Squid
 # Note: put a proper allowlist in your squid-config S3 bucket (this is bad)
 cat | sudo tee /etc/squid/allowlist.txt >/dev/null <<EOF
 .*
 EOF

 # Create certificates for SSL peek
 sudo mkdir /etc/squid/ssl && cd /etc/squid/ssl
 sudo openssl genrsa -out squid.key 2048
 sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
 sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
 sudo cat squid.key squid.crt | sudo tee squid.pem >/dev/null

 # Create squid.conf file
 cat | sudo tee /etc/squid/squid.conf >/dev/null <<EOF
 visible_hostname squid

 acl https_logs port 443
 logformat https %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ssl::>sni %[un %Sh/%<a %mt
 access_log stdio:/var/log/squid/access.log  logformat=https https_logs
 access_log daemon:/var/log/squid/access.log all

 http_port 3128

 #Handling HTTP requests
 http_port 3129 intercept
 acl allowed_http_sites dstdom_regex "/etc/squid/allowlist.txt"
 http_access allow allowed_http_sites

 #Handling HTTPS requests
 https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept

 acl SSL_port port 443
 acl allowed_https_sites ssl::server_name_regex "/etc/squid/allowlist.txt"

 acl step1 at_step SslBump1
 acl step2 at_step SslBump2
 acl step3 at_step SslBump3

 # at step 1 we're peeking at client TLS-request in order to find the SNI
 ssl_bump peek step1 all
 # here we're peeking at server certificate
 ssl_bump peek step2 allowed_https_sites
 ssl_bump terminate step2 !allowed_https_sites
 # here we're splicing connections which match the allowlist
 ssl_bump splice step3 allowed_https_sites
 # finally we're terminating all other SSL connections
 ssl_bump terminate

 http_access allow SSL_port
 http_access deny all
 EOF

 # Allow Windows Updates
 # Microsoft uses cert trusted only by Windows for Microsoft reasons
 tmp_cert=$(mktemp)
 curl -L 'http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409' > "$tmp_cert"
 sudo mv "$tmp_cert" '/etc/pki/ca-trust/source/anchors/Microsoft_Root_Certificate_Authority_2011.cer'
 sudo update-ca-trust enable
 sudo update-ca-trust extract

 # Configure NAT port forwarding from HTTP and HTTPS to Squid ports
 sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
 sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
 sudo iptables-save | sudo tee /etc/sysconfig/iptables >/dev/null

 # Set up allowlist updater
 sudo mkdir /etc/squid/old/
 cat | sudo tee /etc/squid/squid-conf-refresh >/dev/null <<EOF
 cp /etc/squid/* /etc/squid/old/
 aws s3 sync s3://"${squid_bucket}" /etc/squid
 /usr/sbin/squid -k parse && /usr/sbin/squid -k reconfigure || (cp /etc/squid/old/* /etc/squid/; exit 1)
 EOF
 sudo chmod +x /etc/squid/squid-conf-refresh

 # On boot: load NAT port forwarding
 # Every minute: Refresh configuration
 # Daily: rotate squid log files
 # Use workaround for appending to cron: https://stackoverflow.com/a/13355743
 set +o pipefail
 (
  sudo crontab -l || true
  echo -n "
 @reboot /etc/squid/nat > /var/log/squid/nat.log 2>&1
 * * * * * /etc/squid/squid-conf-refresh
 0 0 * * * /usr/sbin/squid -k rotate
 "
 ) | sort | uniq | sudo crontab -
 set -o pipefail

 cat | sudo tee /etc/dovecot/conf.d/10-auth.conf >/dev/null <<EOF
 auth_mechanisms = plain login
 !include auth-system.conf.ext
 EOF

 cat | sudo tee /etc/dovecot/conf.d/10-master.conf >/dev/null <<EOF
 service auth {
  unix_listener /var/spool/postfix/private/auth  {
    mode = 0666
    user = postfix
    group = postfix
  }
 }
 EOF

 # Create dummy credentials for SMTP relay client
 # user-data must overwrite /etc/postfix/sasl_passwd with real content
 # and run `sudo postmap hash:/etc/postfix/sasl_passwd`
 cat | sudo tee /etc/postfix/sasl_passwd >/dev/null <<EOF
 [email-smtp.eu-west-1.amazonaws.com]:587 SMTPUSERNAME:SMTPPASSWORD
 EOF
 sudo postmap hash:/etc/postfix/sasl_passwd

 # Configure SMTP server for internal clients
 # user-data will need to set ses-relay-user's password
 # ex: `echo 'dont-use-this-password' | sudo passwd "ses-relay-user" --stdin`
 # user-data will need to set smtpd_tls_cert_file and smtpd_tls_key_file
 # ```
 # sudo postconf 'smtpd_tls_cert_file=/etc/letsencrypt/live/yourhostname.com/fullchain.pem
 # sudo postconf 'smtpd_tls_key_file=/etc/letsencrypt/live/youthostname.com/privkey.pem
 # ```
 sudo postconf \
  'inet_interfaces = all' \
  'smtpd_sender_login_maps = hash:/etc/postfix/sasl_passwd' \
  'smtpd_recipient_restrictions = permit_sasl_authenticated, reject' \
  'smtpd_relay_restrictions = permit_sasl_authenticated, reject' \
  'smtpd_sasl_type = dovecot' \
  'smtpd_sasl_path = private/auth' \
  'smtpd_sasl_auth_enable = yes' \
  'smtpd_sasl_security_options = noanonymous' \
  'smtpd_sasl_local_domain= $myhostname' \
  'smtpd_sasl_authenticated_header = yes' \
  'smtpd_tls_wrappermode=yes' \
  'smtpd_tls_security_level = encrypt' \
  'smtpd_tls_loglevel = 1' \
  'smtpd_tls_received_header=yes' \
  'broken_sasl_auth_clients=yes'

 # Configure SMTP client for relaying
 # user-data must supply **relayhost** parameter
 # ex: `sudo postconf "relayhost = [email-smtp.us-west-2.amazonaws.com]:587"`
 sudo postconf \
  "smtp_sasl_auth_enable = yes" \
  "smtp_sasl_security_options = noanonymous" \
  "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
  "smtp_use_tls = yes" \
  "smtp_tls_security_level = secure" \
  "smtp_tls_note_starttls_offer = yes" \
  'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'

 # Disable plain SMTP and enable Implicit TLS for SMTP Submisssion
 # https://tools.ietf.org/html/rfc8314#section-3.3
 sudo sed -in-place=.bak --regexp-extended \
  's/^smtp /\#smtp / ; s/^\#smtps /smtps /' /etc/postfix/master.cf

 sudo systemctl enable squid.service
 sudo systemctl enable dovecot
diff --git a/user-data.sh b/user-data.sh
 #!/bin/bash
 set -Eeuxo pipefail

 # Template Variables
 declare -r aws_region="${aws_region}"
 declare -r domain_name="${domain_name}"
 declare -r external_account_ssh_iam_role_arn="${external_account_ssh_iam_role_arn}"
 declare -r letsencrypt_bucket="${letsencrypt_bucket}"
 declare -r letsencrypt_subscriber_email="${letsencrypt_subscriber_email}"
 declare -r ses_smtp_address="${ses_smtp_address}"
 declare -r postfix_mydomain="${postfix_mydomain}"
 declare -r postfix_relay_domains="${postfix_relay_domains}"
 declare -r smtp_secret_name="${smtp_secret_name}"

 function main() {
  echo "$(date) - user-data - Started"

  set_hostname
  sync_ssh_iam_users
  update_squid_allowlist
  install_updates_since_ami
  get_signed_tls_certs
  configure_postfix_ses_relay

  echo "$(date) - user-data - Finished"
 }

 function set_hostname() {
  hostnamectl set-hostname "$domain_name"
 }

 function update_squid_allowlist() {
  /etc/squid/squid-conf-refresh
 }

 function install_updates_since_ami() {
  yum update --assumeyes
 }

 function get_signed_tls_certs() {
  # Accept agreement, provide cert email
  certbot certonly --non-interactive -m "$letsencrypt_subscriber_email" \
    --dns-route53 -d "$domain_name" --agree-tos
 }

 function configure_postfix_ses_relay() {
  # Load secret from AWS Secrets Manager
  local -r smtp_secret_json="$(
    aws secretsmanager get-secret-value --region "$aws_region" \
        --secret-id "$smtp_secret_name" --query 'SecretString' --output text
  )"
  # {
  #   "ses_smtp_username": "...",
  #   "ses_smtp_password": "...",
  #   "smtp_relay_username": "...",
  #   "smtp_relay_password": "..."
  # }
  local -r ses_smtp_username="$(
    jq --raw-output '.ses_smtp_username' <<< "$smtp_secret_json"
  )"
  local -r ses_smtp_password="$(
    jq --raw-output '.ses_smtp_password' <<< "$smtp_secret_json"
  )"
  local -r smtp_relay_username="$(
    jq --raw-output '.smtp_relay_username' <<< "$smtp_secret_json"
  )"
  local -r smtp_relay_password="$(
    jq --raw-output '.smtp_relay_password' <<< "$smtp_secret_json"
  )"

  # Set up credentials for relaying to SES
  echo "[$ses_smtp_address]:587 $ses_smtp_username:$ses_smtp_password" > /etc/postfix/sasl_passwd
  postmap hash:/etc/postfix/sasl_passwd

  # Set up user for internal SMTP clients
  useradd "$smtp_relay_username"
  echo "$smtp_relay_password" | passwd "$smtp_relay_username" --stdin

  # Use this domain name as the hostname
  postconf "myhostname = $domain_name"

  # Relay all email through SES
  # NOTE: even though Implicit TLS on TCP/465 is preferred we use
  #       TCP/587 because the Postfix 2.x SMTP client does not support
  #       Implicit TLS for SMTP Submission
  # Once we have Postfix 3.0+ the SMTP client can use Implicit TLS
  # `smtp_tls_wrappermode = yes`
  postconf "relayhost = [$ses_smtp_address]:587"

  # Only MAIL FROM (sender) addresses with this domain
  postconf "mydomain = $postfix_mydomain"

  # Only RCPT-TO (recipient) addresses with this domain
  postconf "relay_domains = $postfix_relay_domains"

  # Set up TLS for SMTP server
  postconf "smtpd_tls_cert_file=/etc/letsencrypt/live/$domain_name/fullchain.pem"
  postconf "smtpd_tls_key_file=/etc/letsencrypt/live/$domain_name/privkey.pem"

  systemctl restart postfix
  systemctl restart dovecot
 }

 function sync_ssh_iam_users() {
  /usr/local/bin/ssh-grunt iam sync-users \
      --iam-group ssh-iam-users \
      --iam-group-sudo ssh-iam-sudo-users \
      --role-arn "${external_account_ssh_iam_role_arn}"
 }

 main
diff --git a/variables.tf b/variables.tf
 # ------------------------------------------------------------------------------
 # REQUIRED PARAMETERS
 # These must be passed in.
 # ------------------------------------------------------------------------------

 variable "squid_bucket_name" {
  description = "Name of the S3 bucket where the Squid domain allow list is stored."
  type        = string
 }

 variable "squid_bucket_kms_key_arn" {
  description = "ARN of the KMS Key ID that encrypts objects in the S3 bucket where the Squid domain allow list is stored."
  type        = string
 }

 variable "vpc_id" {
  description = "ID of the VPC in which the Squid server will be deployed."
  type        = string
 }

 variable "subnet_ids" {
  description = "IDs of the subnets in which the Squid server can be deployed."
  type        = list(string)
 }

 variable "client_cidr_blocks" {
  description = "CIDRs of the proxy clients. (ex: [\"10.0.0.0/8\"])"
  type        = list(string)
 }

 variable "openvpn_security_group_id" {
  description = "Security group ID for the OpenVPN server."
  type        = string
 }

 variable "route_table_ids" {
  description = "IDs of route tables for which Squid will become the default route."
  type        = list(string)
 }

 variable "external_account_ssh_iam_role_arn" {
  description = "Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-iam to retrieve IAM group and public SSH key info from that account."
  type        = string
 }

 variable "ami" {
  description = "The AMI to run on the Squid Server. This should be built from the Packer template under packer/squid-server.json."
  type        = string
 }

 variable "keypair_name" {
  description = "The name of the Key Pair that can be used to SSH to the Data Intake server."
  type        = string
 }

 variable "server_name" {
  description = "The name of the new Squid server."
  type        = string
 }

 variable "domain_name" {
  description = "The domain name of the new Postfix server."
  type        = string
 }

 variable "parent_public_domain_name" {
  description = "The domain name of the parent public DNS zone."
  type        = string
 }

 variable "parent_public_hosted_zone_id" {
  description = "The hosted zone ID of the parent public DNS zone."
  type        = string
 }

 variable "client_hosted_zone_id" {
  description = "The hosted zone ID of the private DNS zone internal clients will use (should be the same zone as parent_public_hosted_zone_id or should be a private hosted zone with the same domain name)."
  type        = string
 }

 variable "letsencrypt_bucket" {
  description = "Name of the bucket that stores Let's Encrypt."
  type        = string
 }

 variable "letsencrypt_subscriber_email" {
  description = "Email address for the Let's Encrypt subscription and notifications."
  type        = string
 }

 variable "ses_smtp_address" {
  description = "Hostname of the SES SMTP endpoint. (ex: email-smtp.eu-west-1.amazonaws.com)"
  type        = string
 }

 variable "postfix_mydomain" {
  description = "Allowed domain name for MAIL FROM sender addresses (ex: example.com)"
  type        = string
 }

 variable "postfix_relay_domains" {
  description = "Allowed domain name for MAIL FROM sender addresses (ex: example.com)"
  type        = string
 }

 variable "smtp_secret_name" {
  description = "Name of the AWS Secrets Manager secret with the SMTP details (ex: ses/dev-smtp)"
  # This AWS Secrets Manager secret referred to here must take this form:
  # {
  #   "ses_smtp_username": "...",
  #   "ses_smtp_password": "...",
  #   "smtp_relay_username": "...",
  #   "smtp_relay_password": "..."
  # }
  type = string
 }

 variable "smtp_secret_arn" {
  description = "ARN of the AWS Secrets Manager secret with the SMTP details (ex: arn:aws:secretsmanager:ca-central-1:446693630893:secret:ses/dev-smtp-PFXzIa)"
  # This AWS Secrets Manager secret referred to here must take this form:
  # {
  #   "ses_smtp_username": "...",
  #   "ses_smtp_password": "...",
  #   "smtp_relay_username": "...",
  #   "smtp_relay_password": "..."
  # }
  type = string
 }

 # ------------------------------------------------------------------------------
 # OPTIONAL PARAMETERS
 # ------------------------------------------------------------------------------

 variable "volume_size" {
  description = "The size of the root volume."
  type        = number
  default     = 300
 }

 variable "instance_type" {
  description = "The instance type used."
  type        = string
  default     = "t2.micro"
 }

 # ------------------------------------------------------------------------------
 # STANDARD MODULE PARAMETERS
 # ------------------------------------------------------------------------------

 variable "aws_region" {
  description = "The AWS region in which all resources will be created."
  type        = string
 }

 variable "aws_account_id" {
  description = "The ID of the AWS Account in which to create resources."
  type        = string
 }
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# CREATE A WEB PROXY SERVICE USING SQUID TO FILTER EXTERNAL WEB ACCESS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	terraform {
	required_version = ">= 0.12"
	required_providers {
	aws = ">= 2.35.0"
	}
	}

	# ------------------------------------------------------------------------------
	# CREATE A SQUID SERVER
	# ------------------------------------------------------------------------------

	# The proxy instance with interface specified separately to make it easier to
	# associate with a route table

	resource "aws_network_interface" "squid_eni" {
	subnet_id = var.subnet_ids[0]

	# Important to disable this check to allow traffic not addressed to the
	# proxy to be received
	source_dest_check = false
	security_groups = [
	aws_security_group.squid.id,
	]
	}

	resource "aws_eip" "squid" {
	instance = aws_instance.squid.id
	vpc = true
	}

	resource "aws_instance" "squid" {
	ami = var.ami
	instance_type = var.instance_type
	iam_instance_profile = aws_iam_instance_profile.squid.name
	key_name = var.keypair_name
	user_data = local.user_data

	network_interface {
	network_interface_id = aws_network_interface.squid_eni.id
	device_index = 0
	}

	root_block_device {
	volume_size = var.volume_size
	}

	tags = {
	Name = var.server_name
	}
	}

	# ------------------------------------------------------------------------------
	# ALLOW ACCESS TO S3
	# ------------------------------------------------------------------------------

	resource "aws_iam_instance_profile" "squid" {
	name = var.server_name
	role = aws_iam_role.squid_instance.name
	}

	resource "aws_iam_role" "squid_instance" {
	name = var.server_name
	assume_role_policy = data.aws_iam_policy_document.allow_ec2_assume_role.json
	}

	data "aws_iam_policy_document" "allow_ec2_assume_role" {
	version = "2012-10-17"

	statement {
	sid = "AllowEC2"
	effect = "Allow"

	actions = [
	"sts:AssumeRole",
	]

	principals {
	type = "Service"
	identifiers = [
	"ec2.amazonaws.com",
	]
	}
	}
	}

	resource "aws_iam_role_policy" "allow_letsencrypt" {
	name = "allow-letsencrypt"
	role = aws_iam_role.squid_instance.name
	policy = data.aws_iam_policy_document.allow_letsencrypt.json
	}

	data "aws_iam_policy_document" "allow_letsencrypt" {
	statement {
	sid = "AllowLetsEncryptRoute53Write"
	effect = "Allow"
	actions = [
	"route53:ChangeResourceRecordSets",
	]
	resources = [
	"arn:aws:route53:::hostedzone/${aws_route53_zone.postfix.zone_id}",
	]
	}

	statement {
	sid = "AllowLetsEncryptRoute53Read"
	effect = "Allow"
	actions = [
	"route53:ListHostedZones",
	"route53:GetChange",
	]
	resources = [
	"*",
	]
	}
	}

	resource "aws_iam_role_policy" "allow_read_smtp_secret" {
	name = "allow-read-smtp-secret"
	role = aws_iam_role.squid_instance.name
	policy = data.aws_iam_policy_document.allow_read_smtp_secret.json
	}

	data "aws_iam_policy_document" "allow_read_smtp_secret" {
	statement {
	sid = "AllowGetSmtpSecret"
	effect = "Allow"
	actions = [
	"secretsmanager:GetSecretValue",
	]
	resources = [
	var.smtp_secret_arn
	]
	}
	}

	resource "aws_iam_role_policy" "allow_config_downloads" {
	name = "allow-config-downloads"
	role = aws_iam_role.squid_instance.name
	policy = data.aws_iam_policy_document.allow_config_downloads.json
	}

	data "aws_iam_policy_document" "allow_config_downloads" {
	statement {
	sid = "AllowListConfigFiles"
	effect = "Allow"
	actions = [
	"s3:ListBucket",
	]
	resources = [
	"arn:aws:s3:::${var.squid_bucket_name}",
	]
	}

	statement {
	sid = "AllowDownloadConfigFiles"
	effect = "Allow"
	actions = [
	"s3:GetObject",
	]
	resources = [
	"arn:aws:s3:::${var.squid_bucket_name}/*",
	]
	}

	statement {
	sid = "AllowDecryptConfigFiles"
	effect = "Allow"
	actions = [
	"kms:Decrypt",
	"kms:ReEncrypt*",
	"kms:GenerateDataKey*",
	"kms:DescribeKey",
	]
	resources = [
	var.squid_bucket_kms_key_arn,
	]
	}
	}

	# ------------------------------------------------------------------------------
	# CREATE SUBDOMAIN FOR LETS ENCRYPT VALIDATION
	# ------------------------------------------------------------------------------

	resource "aws_route53_zone" "postfix" {
	name = var.domain_name
	comment = "Delegated subdomain for Postfix."
	}

	resource "aws_route53_record" "postfix_subdomain" {
	name = replace(var.domain_name, var.parent_public_domain_name, "")
	type = "NS"
	zone_id = var.parent_public_hosted_zone_id

	ttl = "300"
	records = aws_route53_zone.postfix.name_servers
	}

	resource "aws_route53_record" "postfix_internal" {
	name = replace(var.domain_name, var.parent_public_domain_name, "")
	type = "A"
	zone_id = var.client_hosted_zone_id

	ttl = "300"
	records = aws_network_interface.squid_eni.private_ips
	}

	# ------------------------------------------------------------------------------
	# CONFIGURE SECURITY GROUPS FOR SQUID SERVER
	# ------------------------------------------------------------------------------

	locals {
	proxy_ports = {
	http = 80
	https = 443
	smtps = 465
	}
	}

	resource "aws_security_group" "squid" {
	name = var.server_name
	vpc_id = var.vpc_id
	}

	resource "aws_security_group_rule" "squid_from_openvpn_server" {
	description = "Allow SSH from OpenVPN clients"
	type = "ingress"
	protocol = "tcp"
	from_port = 22
	to_port = 22
	source_security_group_id = var.openvpn_security_group_id
	security_group_id = aws_security_group.squid.id
	}

	resource "aws_security_group_rule" "inbound_proxy" {
	for_each = local.proxy_ports
	description = "Allow ${each.key} from proxy clients"
	type = "ingress"
	protocol = "tcp"
	from_port = each.value
	to_port = each.value
	security_group_id = aws_security_group.squid.id
	cidr_blocks = var.client_cidr_blocks
	}

	# ------------------------------------------------------------------------------
	# ALLOW ACCESS TO ENTIRE INTERNET
	# ------------------------------------------------------------------------------

	resource "aws_security_group_rule" "squid_to_entire_internet" {
	description = "Allow all traffic to the Internet (Squid is the firewall)"
	type = "egress"
	protocol = "all"
	from_port = 0
	to_port = 0
	security_group_id = aws_security_group.squid.id
	cidr_blocks = [
	"0.0.0.0/0",
	]
	}

	resource "aws_route" "private_subnet_default_gateway_squid" {
	for_each = { for route_table_id in var.route_table_ids : route_table_id => route_table_id }
	route_table_id = each.value
	destination_cidr_block = "0.0.0.0/0"
	network_interface_id = aws_network_interface.squid_eni.id
	}

	# ------------------------------------------------------------------------------
	# Get IAM-SSH working
	# ------------------------------------------------------------------------------

	module "iam_policies" {
	source = "git::[email protected]:gruntwork-io/module-security.git//modules/iam-policies?ref=v0.31.0"

	aws_account_id = var.aws_account_id

	# We can't use MFA with ssh-iam, since it's an automated app
	trust_policy_should_require_mfa = false
	iam_policy_should_require_mfa = false

	# Since our IAM users are defined in a separate AWS account, we need to give ssh-iam permission to make API calls to
	# that account.
	allow_access_to_other_account_arns = {
	group1 = [
	var.external_account_ssh_iam_role_arn,
	]
	}
	}

	resource "aws_iam_role_policy" "ssh_iam_permissions" {
	name = "ssh-iam-permissions"
	role = aws_iam_role.squid_instance.name
	policy = module.iam_policies.allow_access_to_other_accounts["group1"]
	}

	# ------------------------------------------------------------------------------
	# Build user-data
	# ------------------------------------------------------------------------------

	locals {
	user_data = templatefile("${path.module}/user-data/user-data.sh", {
	aws_region = var.aws_region
	domain_name = var.domain_name
	external_account_ssh_iam_role_arn = var.external_account_ssh_iam_role_arn
	letsencrypt_bucket = var.letsencrypt_bucket
	letsencrypt_subscriber_email = var.letsencrypt_subscriber_email
	ses_smtp_address = var.ses_smtp_address
	postfix_mydomain = var.postfix_mydomain
	postfix_relay_domains = var.postfix_relay_domains
	smtp_secret_name = var.smtp_secret_name
	})
	}
	output "instance_id" {
	value = aws_instance.squid.id
	}

	output "eni_id" {
	value = aws_network_interface.squid_eni.id
	}

	output "iam_role_name" {
	value = aws_iam_role.squid_instance.name
	}

	output "iam_instance_profile_name" {
	value = aws_iam_instance_profile.squid.name
	}
	output "squid_sg" {
	value = aws_security_group.squid.id
	}
	{
	"variables": {
	"aws_region": "ca-central-1",
	"vpc_id": "{{env `PACKER_VPC_ID`}}",
	"subnet_id": "{{env `PACKER_SUBNET_ID`}}",
	"ssh_grunt_iam_role_arn": "{{env `ssh_grunt_iam_role_arn`}}",
	"github_auth_token": "{{env `GITHUB_OAUTH_TOKEN`}}",
	"squid_bucket": "{{env `squid_bucket`}}"
	},
	"builders": [
	{
	"ami_name": "squid-server-{{isotime \| clean_resource_name}}",
	"ami_description": "Squid + Postfix server built on Amazon Linux 2 {{isotime}}.",
	"instance_type": "t3.small",
	"region": "{{user `aws_region`}}",
	"vpc_id": "{{user `vpc_id`}}",
	"subnet_id": "{{user `subnet_id`}}",
	"associate_public_ip_address": "true",
	"type": "amazon-ebs",
	"source_ami_filter": {
	"filters": {
	"virtualization-type": "hvm",
	"architecture": "x86_64",
	"name": "amzn2-ami-hvm-*-x86_64-ebs",
	"root-device-type": "ebs"
	},
	"owners": [
	"amazon"
	],
	"most_recent": true
	},
	"ssh_username": "ec2-user",
	"encrypt_boot": true
	}
	],
	"provisioners": [
	{
	"type": "shell",
	"inline": [
	"echo 'OS packages... updating'",
	"sudo yum update --assumeyes",
	"echo 'OS packages... updated'"
	]
	},
	{
	"type": "shell",
	"inline": [
	"echo 'Gruntwork installer... installing'",
	"curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh \| bash /dev/stdin --version v0.0.28",
	"echo 'Gruntwork installer... installed'"
	],
	"environment_vars": [
	"GITHUB_OAUTH_TOKEN={{user `github_auth_token`}}"
	]
	},
	{
	"type": "shell",
	"inline": [
	"gruntwork-install --module-name 'bash-commons' --repo 'https://github.com/gruntwork-io/bash-commons' --tag 'v0.1.2'",
	"gruntwork-install --module-name 'logs/cloudwatch-log-aggregation-scripts' --repo 'https://github.com/gruntwork-io/module-aws-monitoring' --tag 'v0.21.1' --module-param aws-region={{user `aws_region`}}",
	"gruntwork-install --module-name 'metrics/cloudwatch-memory-disk-metrics-scripts' --repo 'https://github.com/gruntwork-io/module-aws-monitoring' --tag 'v0.21.1'",
	"gruntwork-install --module-name 'logs/syslog' --repo 'https://github.com/gruntwork-io/module-aws-monitoring' --tag 'v0.21.1'",
	"gruntwork-install --module-name 'auto-update' --repo 'https://github.com/gruntwork-io/module-security' --tag 'v0.30.0'",
	"gruntwork-install --binary-name 'ssh-grunt' --repo 'https://github.com/gruntwork-io/module-security' --tag 'v0.28.7'",
	"gruntwork-install --binary-name 'gruntkms' --repo 'https://github.com/gruntwork-io/gruntkms' --tag 'v0.0.8'",
	"sudo /usr/local/bin/ssh-grunt iam install --iam-group ssh-iam-users --iam-group-sudo ssh-iam-sudo-users --role-arn '{{user `ssh_grunt_iam_role_arn`}}'"
	],
	"environment_vars": [
	"GITHUB_OAUTH_TOKEN={{user `github_auth_token`}}"
	]
	},
	{
	"type": "shell",
	"script": "./squid-server.sh",
	"environment_vars": [
	"squid_bucket={{user `squid_bucket`}}"
	]
	}
	]
	}
	#!/bin/bash
	set -Eeuxo pipefail

	# Required environment Variables
	declare -r squid_bucket="${squid_bucket}"

	echo ------------------------------------------------------------------------
	echo Installing and configuring the necessary dependencies
	echo ------------------------------------------------------------------------
	sudo yum update -y
	# - policycoreutils-python is needed for certbot
	# - jq is needed to parse JSON-formatted Secrets Manager secrets, to avoid
	# death by 1,000 $0.40/month paper cuts (that's the fee per secret)
	sudo yum install -y policycoreutils-python jq

	# Install certbot on Amazon Linux 2.
	# Modified to do Route53 challenges since the server is on a private network.
	# SOURCE: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt
	wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
	sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
	sudo yum-config-manager --enable epel*
	sudo yum install -y certbot python2-certbot-dns-route53 python2-pip

	# BUG: certbot will fail due to conflicting boto3 packages, so fix it
	# SOURCE: https://unix.stackexchange.com/a/456362
	sudo pip uninstall --yes botocore boto3 \|\| true
	sudo pip install boto3

	echo ------------------------------------------------------------------------
	echo Installing Squid and Dovecot
	echo ------------------------------------------------------------------------
	sudo yum install --assumeyes squid dovecot

	# Create original allowlist for Squid
	# Note: put a proper allowlist in your squid-config S3 bucket (this is bad)
	cat \| sudo tee /etc/squid/allowlist.txt >/dev/null <<EOF
	.*
	EOF

	# Create certificates for SSL peek
	sudo mkdir /etc/squid/ssl && cd /etc/squid/ssl
	sudo openssl genrsa -out squid.key 2048
	sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
	sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
	sudo cat squid.key squid.crt \| sudo tee squid.pem >/dev/null

	# Create squid.conf file
	cat \| sudo tee /etc/squid/squid.conf >/dev/null <<EOF
	visible_hostname squid

	acl https_logs port 443
	logformat https %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ssl::>sni %[un %Sh/%<a %mt
	access_log stdio:/var/log/squid/access.log logformat=https https_logs
	access_log daemon:/var/log/squid/access.log all

	http_port 3128

	#Handling HTTP requests
	http_port 3129 intercept
	acl allowed_http_sites dstdom_regex "/etc/squid/allowlist.txt"
	http_access allow allowed_http_sites

	#Handling HTTPS requests
	https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept

	acl SSL_port port 443
	acl allowed_https_sites ssl::server_name_regex "/etc/squid/allowlist.txt"

	acl step1 at_step SslBump1
	acl step2 at_step SslBump2
	acl step3 at_step SslBump3

	# at step 1 we're peeking at client TLS-request in order to find the SNI
	ssl_bump peek step1 all
	# here we're peeking at server certificate
	ssl_bump peek step2 allowed_https_sites
	ssl_bump terminate step2 !allowed_https_sites
	# here we're splicing connections which match the allowlist
	ssl_bump splice step3 allowed_https_sites
	# finally we're terminating all other SSL connections
	ssl_bump terminate

	http_access allow SSL_port
	http_access deny all
	EOF

	# Allow Windows Updates
	# Microsoft uses cert trusted only by Windows for Microsoft reasons
	tmp_cert=$(mktemp)
	curl -L 'http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409' > "$tmp_cert"
	sudo mv "$tmp_cert" '/etc/pki/ca-trust/source/anchors/Microsoft_Root_Certificate_Authority_2011.cer'
	sudo update-ca-trust enable
	sudo update-ca-trust extract

	# Configure NAT port forwarding from HTTP and HTTPS to Squid ports
	sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
	sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
	sudo iptables-save \| sudo tee /etc/sysconfig/iptables >/dev/null

	# Set up allowlist updater
	sudo mkdir /etc/squid/old/
	cat \| sudo tee /etc/squid/squid-conf-refresh >/dev/null <<EOF
	cp /etc/squid/* /etc/squid/old/
	aws s3 sync s3://"${squid_bucket}" /etc/squid
	/usr/sbin/squid -k parse && /usr/sbin/squid -k reconfigure \|\| (cp /etc/squid/old/* /etc/squid/; exit 1)
	EOF
	sudo chmod +x /etc/squid/squid-conf-refresh

	# On boot: load NAT port forwarding
	# Every minute: Refresh configuration
	# Daily: rotate squid log files
	# Use workaround for appending to cron: https://stackoverflow.com/a/13355743
	set +o pipefail
	(
	sudo crontab -l \|\| true
	echo -n "
	@reboot /etc/squid/nat > /var/log/squid/nat.log 2>&1
	* * * * * /etc/squid/squid-conf-refresh
	0 0 * * * /usr/sbin/squid -k rotate
	"
	) \| sort \| uniq \| sudo crontab -
	set -o pipefail

	cat \| sudo tee /etc/dovecot/conf.d/10-auth.conf >/dev/null <<EOF
	auth_mechanisms = plain login
	!include auth-system.conf.ext
	EOF

	cat \| sudo tee /etc/dovecot/conf.d/10-master.conf >/dev/null <<EOF
	service auth {
	unix_listener /var/spool/postfix/private/auth {
	mode = 0666
	user = postfix
	group = postfix
	}
	}
	EOF

	# Create dummy credentials for SMTP relay client
	# user-data must overwrite /etc/postfix/sasl_passwd with real content
	# and run `sudo postmap hash:/etc/postfix/sasl_passwd`
	cat \| sudo tee /etc/postfix/sasl_passwd >/dev/null <<EOF
	[email-smtp.eu-west-1.amazonaws.com]:587 SMTPUSERNAME:SMTPPASSWORD
	EOF
	sudo postmap hash:/etc/postfix/sasl_passwd

	# Configure SMTP server for internal clients
	# user-data will need to set ses-relay-user's password
	# ex: `echo 'dont-use-this-password' \| sudo passwd "ses-relay-user" --stdin`
	# user-data will need to set smtpd_tls_cert_file and smtpd_tls_key_file
	# ```
	# sudo postconf 'smtpd_tls_cert_file=/etc/letsencrypt/live/yourhostname.com/fullchain.pem
	# sudo postconf 'smtpd_tls_key_file=/etc/letsencrypt/live/youthostname.com/privkey.pem
	# ```
	sudo postconf \
	'inet_interfaces = all' \
	'smtpd_sender_login_maps = hash:/etc/postfix/sasl_passwd' \
	'smtpd_recipient_restrictions = permit_sasl_authenticated, reject' \
	'smtpd_relay_restrictions = permit_sasl_authenticated, reject' \
	'smtpd_sasl_type = dovecot' \
	'smtpd_sasl_path = private/auth' \
	'smtpd_sasl_auth_enable = yes' \
	'smtpd_sasl_security_options = noanonymous' \
	'smtpd_sasl_local_domain= $myhostname' \
	'smtpd_sasl_authenticated_header = yes' \
	'smtpd_tls_wrappermode=yes' \
	'smtpd_tls_security_level = encrypt' \
	'smtpd_tls_loglevel = 1' \
	'smtpd_tls_received_header=yes' \
	'broken_sasl_auth_clients=yes'

	# Configure SMTP client for relaying
	# user-data must supply relayhost parameter
	# ex: `sudo postconf "relayhost = [email-smtp.us-west-2.amazonaws.com]:587"`
	sudo postconf \
	"smtp_sasl_auth_enable = yes" \
	"smtp_sasl_security_options = noanonymous" \
	"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
	"smtp_use_tls = yes" \
	"smtp_tls_security_level = secure" \
	"smtp_tls_note_starttls_offer = yes" \
	'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'

	# Disable plain SMTP and enable Implicit TLS for SMTP Submisssion
	# https://tools.ietf.org/html/rfc8314#section-3.3
	sudo sed -in-place=.bak --regexp-extended \
	's/^smtp /\#smtp / ; s/^\#smtps /smtps /' /etc/postfix/master.cf

	sudo systemctl enable squid.service
	sudo systemctl enable dovecot
	#!/bin/bash
	set -Eeuxo pipefail

	# Template Variables
	declare -r aws_region="${aws_region}"
	declare -r domain_name="${domain_name}"
	declare -r external_account_ssh_iam_role_arn="${external_account_ssh_iam_role_arn}"
	declare -r letsencrypt_bucket="${letsencrypt_bucket}"
	declare -r letsencrypt_subscriber_email="${letsencrypt_subscriber_email}"
	declare -r ses_smtp_address="${ses_smtp_address}"
	declare -r postfix_mydomain="${postfix_mydomain}"
	declare -r postfix_relay_domains="${postfix_relay_domains}"
	declare -r smtp_secret_name="${smtp_secret_name}"

	function main() {
	echo "$(date) - user-data - Started"

	set_hostname
	sync_ssh_iam_users
	update_squid_allowlist
	install_updates_since_ami
	get_signed_tls_certs
	configure_postfix_ses_relay

	echo "$(date) - user-data - Finished"
	}

	function set_hostname() {
	hostnamectl set-hostname "$domain_name"
	}

	function update_squid_allowlist() {
	/etc/squid/squid-conf-refresh
	}

	function install_updates_since_ami() {
	yum update --assumeyes
	}

	function get_signed_tls_certs() {
	# Accept agreement, provide cert email
	certbot certonly --non-interactive -m "$letsencrypt_subscriber_email" \
	--dns-route53 -d "$domain_name" --agree-tos
	}

	function configure_postfix_ses_relay() {
	# Load secret from AWS Secrets Manager
	local -r smtp_secret_json="$(
	aws secretsmanager get-secret-value --region "$aws_region" \
	--secret-id "$smtp_secret_name" --query 'SecretString' --output text
	)"
	# {
	# "ses_smtp_username": "...",
	# "ses_smtp_password": "...",
	# "smtp_relay_username": "...",
	# "smtp_relay_password": "..."
	# }
	local -r ses_smtp_username="$(
	jq --raw-output '.ses_smtp_username' <<< "$smtp_secret_json"
	)"
	local -r ses_smtp_password="$(
	jq --raw-output '.ses_smtp_password' <<< "$smtp_secret_json"
	)"
	local -r smtp_relay_username="$(
	jq --raw-output '.smtp_relay_username' <<< "$smtp_secret_json"
	)"
	local -r smtp_relay_password="$(
	jq --raw-output '.smtp_relay_password' <<< "$smtp_secret_json"
	)"

	# Set up credentials for relaying to SES
	echo "[$ses_smtp_address]:587 $ses_smtp_username:$ses_smtp_password" > /etc/postfix/sasl_passwd
	postmap hash:/etc/postfix/sasl_passwd

	# Set up user for internal SMTP clients
	useradd "$smtp_relay_username"
	echo "$smtp_relay_password" \| passwd "$smtp_relay_username" --stdin

	# Use this domain name as the hostname
	postconf "myhostname = $domain_name"

	# Relay all email through SES
	# NOTE: even though Implicit TLS on TCP/465 is preferred we use
	# TCP/587 because the Postfix 2.x SMTP client does not support
	# Implicit TLS for SMTP Submission
	# Once we have Postfix 3.0+ the SMTP client can use Implicit TLS
	# `smtp_tls_wrappermode = yes`
	postconf "relayhost = [$ses_smtp_address]:587"

	# Only MAIL FROM (sender) addresses with this domain
	postconf "mydomain = $postfix_mydomain"

	# Only RCPT-TO (recipient) addresses with this domain
	postconf "relay_domains = $postfix_relay_domains"

	# Set up TLS for SMTP server
	postconf "smtpd_tls_cert_file=/etc/letsencrypt/live/$domain_name/fullchain.pem"
	postconf "smtpd_tls_key_file=/etc/letsencrypt/live/$domain_name/privkey.pem"

	systemctl restart postfix
	systemctl restart dovecot
	}

	function sync_ssh_iam_users() {
	/usr/local/bin/ssh-grunt iam sync-users \
	--iam-group ssh-iam-users \
	--iam-group-sudo ssh-iam-sudo-users \
	--role-arn "${external_account_ssh_iam_role_arn}"
	}

	main
	# ------------------------------------------------------------------------------
	# REQUIRED PARAMETERS
	# These must be passed in.
	# ------------------------------------------------------------------------------

	variable "squid_bucket_name" {
	description = "Name of the S3 bucket where the Squid domain allow list is stored."
	type = string
	}

	variable "squid_bucket_kms_key_arn" {
	description = "ARN of the KMS Key ID that encrypts objects in the S3 bucket where the Squid domain allow list is stored."
	type = string
	}

	variable "vpc_id" {
	description = "ID of the VPC in which the Squid server will be deployed."
	type = string
	}

	variable "subnet_ids" {
	description = "IDs of the subnets in which the Squid server can be deployed."
	type = list(string)
	}

	variable "client_cidr_blocks" {
	description = "CIDRs of the proxy clients. (ex: [\"10.0.0.0/8\"])"
	type = list(string)
	}

	variable "openvpn_security_group_id" {
	description = "Security group ID for the OpenVPN server."
	type = string
	}

	variable "route_table_ids" {
	description = "IDs of route tables for which Squid will become the default route."
	type = list(string)
	}

	variable "external_account_ssh_iam_role_arn" {
	description = "Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-iam to retrieve IAM group and public SSH key info from that account."
	type = string
	}

	variable "ami" {
	description = "The AMI to run on the Squid Server. This should be built from the Packer template under packer/squid-server.json."
	type = string
	}

	variable "keypair_name" {
	description = "The name of the Key Pair that can be used to SSH to the Data Intake server."
	type = string
	}

	variable "server_name" {
	description = "The name of the new Squid server."
	type = string
	}

	variable "domain_name" {
	description = "The domain name of the new Postfix server."
	type = string
	}

	variable "parent_public_domain_name" {
	description = "The domain name of the parent public DNS zone."
	type = string
	}

	variable "parent_public_hosted_zone_id" {
	description = "The hosted zone ID of the parent public DNS zone."
	type = string
	}

	variable "client_hosted_zone_id" {
	description = "The hosted zone ID of the private DNS zone internal clients will use (should be the same zone as parent_public_hosted_zone_id or should be a private hosted zone with the same domain name)."
	type = string
	}

	variable "letsencrypt_bucket" {
	description = "Name of the bucket that stores Let's Encrypt."
	type = string
	}

	variable "letsencrypt_subscriber_email" {
	description = "Email address for the Let's Encrypt subscription and notifications."
	type = string
	}

	variable "ses_smtp_address" {
	description = "Hostname of the SES SMTP endpoint. (ex: email-smtp.eu-west-1.amazonaws.com)"
	type = string
	}

	variable "postfix_mydomain" {
	description = "Allowed domain name for MAIL FROM sender addresses (ex: example.com)"
	type = string
	}

	variable "postfix_relay_domains" {
	description = "Allowed domain name for MAIL FROM sender addresses (ex: example.com)"
	type = string
	}

	variable "smtp_secret_name" {
	description = "Name of the AWS Secrets Manager secret with the SMTP details (ex: ses/dev-smtp)"
	# This AWS Secrets Manager secret referred to here must take this form:
	# {
	# "ses_smtp_username": "...",
	# "ses_smtp_password": "...",
	# "smtp_relay_username": "...",
	# "smtp_relay_password": "..."
	# }
	type = string
	}

	variable "smtp_secret_arn" {
	description = "ARN of the AWS Secrets Manager secret with the SMTP details (ex: arn:aws:secretsmanager:ca-central-1:446693630893:secret:ses/dev-smtp-PFXzIa)"
	# This AWS Secrets Manager secret referred to here must take this form:
	# {
	# "ses_smtp_username": "...",
	# "ses_smtp_password": "...",
	# "smtp_relay_username": "...",
	# "smtp_relay_password": "..."
	# }
	type = string
	}

	# ------------------------------------------------------------------------------
	# OPTIONAL PARAMETERS
	# ------------------------------------------------------------------------------

	variable "volume_size" {
	description = "The size of the root volume."
	type = number
	default = 300
	}

	variable "instance_type" {
	description = "The instance type used."
	type = string
	default = "t2.micro"
	}

	# ------------------------------------------------------------------------------
	# STANDARD MODULE PARAMETERS
	# ------------------------------------------------------------------------------

	variable "aws_region" {
	description = "The AWS region in which all resources will be created."
	type = string
	}

	variable "aws_account_id" {
	description = "The ID of the AWS Account in which to create resources."
	type = string
	}