From 22718bb91d1291cf7472efd32ad72423d212c4ac Mon Sep 17 00:00:00 2001
From: Magnus Andersson
Date: Tue, 28 May 2024 09:01:42 +0200
Subject: [PATCH] Make test and prod IaC two separate directories
---
.gitignore | 12 +-
{IaC => IaC-prod}/images.tf | 0
{IaC => IaC-prod}/main.tf | 0
{IaC => IaC-prod}/network.tf | 0
{IaC => IaC-prod}/nodes.tf | 0
{IaC => IaC-prod}/securitygroups.tf | 0
{IaC => IaC-prod}/servergroups.tf | 0
{IaC => IaC-prod}/vars.tf | 0
IaC-test/images.tf | 5 +
IaC-test/main.tf | 15 +++
IaC-test/network.tf | 3 +
IaC-test/nodes.tf | 109 +++++++++++++++
IaC-test/securitygroups.tf | 197 ++++++++++++++++++++++++++++
IaC-test/servergroups.tf | 9 ++
IaC-test/vars.tf | 40 ++++++
15 files changed, 386 insertions(+), 4 deletions(-)
rename {IaC => IaC-prod}/images.tf (100%)
rename {IaC => IaC-prod}/main.tf (100%)
rename {IaC => IaC-prod}/network.tf (100%)
rename {IaC => IaC-prod}/nodes.tf (100%)
rename {IaC => IaC-prod}/securitygroups.tf (100%)
rename {IaC => IaC-prod}/servergroups.tf (100%)
rename {IaC => IaC-prod}/vars.tf (100%)
create mode 100644 IaC-test/images.tf
create mode 100644 IaC-test/main.tf
create mode 100644 IaC-test/network.tf
create mode 100644 IaC-test/nodes.tf
create mode 100644 IaC-test/securitygroups.tf
create mode 100644 IaC-test/servergroups.tf
create mode 100644 IaC-test/vars.tf
diff --git a/.gitignore b/.gitignore
index 070ccc1..4bc8d87 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,9 @@
 *.pyc
-/IaC/.terraform*
-/IaC/.terraform*/**
-/IaC/terraform.tfstate*
-/IaC/*.tfvars
+/IaC-test/.terraform*
+/IaC-test/.terraform*/**
+/IaC-test/terraform.tfstate*
+/IaC-test/*.tfvars
+/IaC-prod/.terraform*
+/IaC-prod/.terraform*/**
+/IaC-prod/terraform.tfstate*
+/IaC-prod/*.tfvars
diff --git a/IaC/images.tf b/IaC-prod/images.tf
similarity index 100%
rename from IaC/images.tf
rename to IaC-prod/images.tf
diff --git a/IaC/main.tf b/IaC-prod/main.tf
similarity index 100%
rename from IaC/main.tf
rename to IaC-prod/main.tf
diff --git a/IaC/network.tf b/IaC-prod/network.tf
similarity index 100%
rename from IaC/network.tf
rename to IaC-prod/network.tf
diff --git a/IaC/nodes.tf b/IaC-prod/nodes.tf
similarity index 100%
rename from IaC/nodes.tf
rename to IaC-prod/nodes.tf
diff --git a/IaC/securitygroups.tf b/IaC-prod/securitygroups.tf
similarity index 100%
rename from IaC/securitygroups.tf
rename to IaC-prod/securitygroups.tf
diff --git a/IaC/servergroups.tf b/IaC-prod/servergroups.tf
similarity index 100%
rename from IaC/servergroups.tf
rename to IaC-prod/servergroups.tf
diff --git a/IaC/vars.tf b/IaC-prod/vars.tf
similarity index 100%
rename from IaC/vars.tf
rename to IaC-prod/vars.tf
diff --git a/IaC-test/images.tf b/IaC-test/images.tf
new file mode 100644
index 0000000..421aec9
--- /dev/null
+++ b/IaC-test/images.tf
@@ -0,0 +1,5 @@
+# Default os version
+data "openstack_images_image_v2" "debian12image" {
+ name = "debian-12" # Name of image to be used
+ most_recent = true
+}
diff --git a/IaC-test/main.tf b/IaC-test/main.tf
new file mode 100644
index 0000000..66db5b1
--- /dev/null
+++ b/IaC-test/main.tf
@@ -0,0 +1,15 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.53.0"
+ }
+ }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+ cloud = "${var.cloud_name}"
+}
diff --git a/IaC-test/network.tf b/IaC-test/network.tf
new file mode 100644
index 0000000..30b4c0f
--- /dev/null
+++ b/IaC-test/network.tf
@@ -0,0 +1,3 @@
+data "openstack_networking_network_v2" "public" {
+ name = "public" # Name of network to use.
+}
diff --git a/IaC-test/nodes.tf b/IaC-test/nodes.tf
new file mode 100644
index 0000000..8073891
--- /dev/null
+++ b/IaC-test/nodes.tf
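Review bot: `debian12image` resolves the boot image for every controller and worker volume by name with `most_recent = true`, so the base OS the cluster boots from is whatever the newest image called `debian-12` visible to this project happens to be at apply time, and a newly uploaded or renamed image changes the whole fleet's image on the next apply without any diff in this repository. If the provider's data source supports it, narrow the lookup to the trusted publisher (an `owner` or `visibility` filter) or expose an image ID/checksum variable with the name lookup only as a documented fallback. At minimum add a comment such as `# Any image named "debian-12" visible to the project wins; restrict who can publish images here` so the trust assumption is written down.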
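Review bot: The provider pin `version = "~> 1.53.0"` is only as strong as the dependency lock file, and the accompanying `.gitignore` patterns `/IaC-test/.terraform*` and `/IaC-prod/.terraform*` also match `.terraform.lock.hcl`, so the provider hashes are never committed and every fresh checkout re-resolves to the newest 1.53.x release. Either narrow the ignore pattern to `.terraform/` and commit `.terraform.lock.hcl`, or state in a comment that floating provider versions are intended for test. Stylistically, `cloud = "${var.cloud_name}"` wraps a bare variable in a legacy interpolation string and should be `cloud = var.cloud_name`, and `required_version` is misindented inside the `terraform` block; `terraform fmt` would fix both.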
@@ -0,0 +1,109 @@
+
+#
+# Controller node resources
+#
+
+resource "openstack_networking_port_v2" "kubecport" {
+ name = "${var.controller_name}${count.index+1}-${replace(var.dns_suffix,".","-")}-port"
+ # We create as many ports as there are instances created
+ count = var.controller_instance_count
+ network_id = data.openstack_networking_network_v2.public.id
+ # A list of security group ID
+ security_group_ids = [
+ data.openstack_networking_secgroup_v2.sshfromjumphosts.id,
+ data.openstack_networking_secgroup_v2.allegress.id,
+ resource.openstack_networking_secgroup_v2.microk8s.id
+ ]
+ admin_state_up = "true"
+}
+
+resource "openstack_blockstorage_volume_v3" "kubecvolumeboot" {
+ count = var.controller_instance_count # size of cluster
+ name = "${var.controller_name}${count.index+1}-${replace(var.dns_suffix,".","-")}-vol"
+ description = "OS volume for kubernetes control node ${count.index + 1}"
+ size = 100
+ image_id = data.openstack_images_image_v2.debian12image.id
+ enable_online_resize = true # Allow us to resize volume while attached.
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes" {
+ count = var.controller_instance_count
+ name = "${var.controller_name}${count.index+1}.${var.dns_suffix}"
+ flavor_name = "${var.controller_instance_type}"
+ key_pair = "${var.keyname}"
+ security_groups = [
+ data.openstack_networking_secgroup_v2.sshfromjumphosts.name,
+ data.openstack_networking_secgroup_v2.allegress.name,
+ resource.openstack_networking_secgroup_v2.microk8s.name
+ ]
+ block_device {
+ uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot[count.index].id
+ source_type = "volume"
+ destination_type = "volume"
+ boot_index = 0
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+ network {
+ port = resource.openstack_networking_port_v2.kubecport[count.index].id
+ }
+}
+
+#
+# Worker node resources
+#
+
+
+#
+# Controller node resources
+#
+
+resource "openstack_networking_port_v2" "kubewport" {
+ name = "${var.worker_name}${count.index+1}-${replace(var.dns_suffix,".","-")}-port"
+ # We create as many ports as there are instances created
+ count = var.controller_instance_count
+ network_id = data.openstack_networking_network_v2.public.id
+ # A list of security group ID
+ security_group_ids = [
+ data.openstack_networking_secgroup_v2.sshfromjumphosts.id,
+ data.openstack_networking_secgroup_v2.allegress.id,
+ resource.openstack_networking_secgroup_v2.microk8s.id
+ ]
+ admin_state_up = "true"
+}
+
+resource "openstack_blockstorage_volume_v3" "kubewvolumeboot" {
+ count = var.controller_instance_count # size of cluster
+ name = "${var.worker_name}${count.index+1}-${replace(var.dns_suffix,".","-")}-vol"
+ description = "OS volume for kubernetes worker node ${count.index + 1}"
+ size = 100
+ image_id = data.openstack_images_image_v2.debian12image.id
+ enable_online_resize = true # Allow us to resize volume while attached.
+}
+
+
+resource "openstack_compute_instance_v2" "worker-nodes" {
+ count = var.worker_instance_count
+ name = "${var.worker_name}${count.index+1}.${var.dns_suffix}"
+ flavor_name = "${var.worker_instance_type}"
+ key_pair = "${var.keyname}"
+ security_groups = [
+ data.openstack_networking_secgroup_v2.sshfromjumphosts.name,
+ data.openstack_networking_secgroup_v2.allegress.name,
+ resource.openstack_networking_secgroup_v2.microk8s.name
+ ]
+
+ block_device {
+ uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot[count.index].id
+ source_type = "volume"
+ destination_type = "volume"
+ boot_index = 0
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.workers.id
+ }
+ network {
+ port = resource.openstack_networking_port_v2.kubewport[count.index].id
+ }
+}
diff --git a/IaC-test/securitygroups.tf b/IaC-test/securitygroups.tf
new file mode 100644
index 0000000..c9c3c56
--- /dev/null
+++ b/IaC-test/securitygroups.tf
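Review bot: `kubewport` and `kubewvolumeboot` are sized with `count = var.controller_instance_count` while `worker-nodes` uses `count = var.worker_instance_count`, so as soon as the two variables differ the worker instances either index past the end of the port/volume lists at `kubewport[count.index]` / `kubewvolumeboot[count.index]` or leave orphaned ports and boot volumes attached to nothing; both should read `count = var.worker_instance_count`. The second `# Controller node resources` banner directly above `kubewport` is a copy-paste leftover and should say `# Worker node resources` (the real worker banner above it is then redundant). `admin_state_up = "true"` on both port resources passes a string where the attribute is a bool; `admin_state_up = true` is the intended form.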
@@ -0,0 +1,197 @@
+# Datasource of sunet ssh-from-jumphost security group.
+data "openstack_networking_secgroup_v2" "sshfromjumphosts" {
+ name = "ssh-from-jumphost"
+}
+
+data "openstack_networking_secgroup_v2" "allegress" {
+ name = "allegress"
+}
+
+resource "openstack_networking_secgroup_v2" "microk8s" {
+ name = "microk8s"
+ description = "Traffic to allow between microk8s hosts"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
diff --git a/IaC-test/servergroups.tf b/IaC-test/servergroups.tf
new file mode 100644
index 0000000..9f94d71
--- /dev/null
+++ b/IaC-test/servergroups.tf
@@ -0,0 +1,9 @@
+resource "openstack_compute_servergroup_v2" "workers" {
+ name = "workers"
+ policies = ["anti-affinity"]
+}
+resource "openstack_compute_servergroup_v2" "controllers" {
+ name = "controllers"
+ policies = ["anti-affinity"]
+}
+
diff --git a/IaC-test/vars.tf b/IaC-test/vars.tf
new file mode 100644
index 0000000..bc5f172
--- /dev/null
+++ b/IaC-test/vars.tf
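Review bot: `microk8s_rule1` and `microk8s_rule2` open TCP 16443 (the MicroK8s API server port) to `0.0.0.0/0` and `::/0`, which puts the control plane of every node carrying the `microk8s` group — the ports in `nodes.tf` sit on the `public` network — directly on the internet, protected only by whatever authentication the API server enforces; `microk8s_rule19`/`rule20` already cover node-to-node access on the same port via `remote_group_id`, so the wildcard rules exist solely for operator access. Since these hosts already carry `ssh-from-jumphost`, operator access to the API should go through the jump host or a known operator prefix: replace `remote_ip_prefix = "0.0.0.0/0"` (and `"::/0"`) with prefixes supplied from a variable, e.g. `remote_ip_prefix = var.k8s_api_allowed_cidr`, and if a world-open test exception is genuinely wanted, turn the "Richard" comment into a dated TODO that names who approved it and when it expires. The twenty near-identical rule resources would also be far easier to audit as one `for_each` over a map of `{ protocol, port }` entries with a `description` per entry saying which MicroK8s service each port belongs to (10250 is presumably the kubelet; the others should be confirmed against the MicroK8s port list), since right now nothing in the file says what 12379, 19001 or 25000 are for.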
@@ -0,0 +1,40 @@
+variable "datacenter_name" {
+ type = string
+ default = "dco"
+}
+
+variable "keyname" {
+ type = string
+ default = "manderssonpub"
+}
+
+variable "worker_instance_count" {
+ default = "3"
+}
+variable "controller_instance_count" {
+ default = "3"
+}
+
+variable "controller_instance_type" {
+ default = "b2.c2r4"
+}
+
+variable "worker_instance_type" {
+ default = "b2.c4r16"
+}
+
+variable "worker_name" {
+ default = "k8sw"
+}
+
+variable "controller_name" {
+ default = "k8sc"
+}
+
+variable "dns_suffix" {
+ default = "matrix.test.sunet.se"
+}
+
+variable "cloud_name" {
+ default="dco-matrixtest"
+}
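Review bot: `keyname` defaults to what looks like one individual's public key (`manderssonpub`), so every test node is provisioned with a personal SSH key unless the caller remembers to override it, and the same person's key becomes the implicit break-glass credential for the whole cluster; drop the default so the key pair is an explicit input (`variable "keyname" { type = string }`) and document the expected shared key in the README. `worker_instance_count` and `controller_instance_count` default to the string `"3"` with no `type`, so a bad value is only caught when `count` fails at plan time; declare `type = number` and `default = 3` on both. `datacenter_name` is declared but none of the new files in this patch reference `var.datacenter_name`, and none of the variables carry a `description` — adding one-line descriptions would make the `terraform plan -var` surface self-explanatory.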