diff --git a/IaC/main.tf b/IaC/main.tf
new file mode 100644
index 0000000..b5d2a4e
--- /dev/null
+++ b/IaC/main.tf
@@ -0,0 +1,15 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.53.0"
+ }
+ }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+ cloud = "dco-matrixtest"
+}
diff --git a/IaC/nodes.tf b/IaC/nodes.tf
new file mode 100644
index 0000000..125cdec
--- /dev/null
+++ b/IaC/nodes.tf
@@ -0,0 +1,45 @@
+resource "openstack_compute_instance_v2" "controller-nodes" {
+ count = var.controller_instance_count
+ name = "${var.controller_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.controller_instance_type}"
+ key_pair = "${var.keyname}"
+ security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+ network {
+ name = "public"
+ }
+}
+resource "openstack_compute_instance_v2" "worker-nodes" {
+ count = var.worker_instance_count
+ name = "${var.worker_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.worker_instance_type}"
+ key_pair = "${var.keyname}"
+ security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.workers.id
+ }
+ network {
+ name = "public"
+ }
+}
diff --git a/IaC/securitygroups.tf b/IaC/securitygroups.tf
new file mode 100644
index 0000000..e071626
--- /dev/null
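Review bot: `required_version = ">= 0.14.0"` is the only attribute in the `terraform` block written without indentation while `required_providers` below it is indented; indenting it (or running `terraform fmt` before committing) keeps the block readable. The `provider "openstack"` block selects credentials by the `cloud = "dco-matrixtest"` entry of a clouds.yaml that this diff does not ship, and no `backend` block is declared, so by Terraform's default the state file — which will hold the instance and volume details — is written locally next to these files. A comment such as `# credentials come from the "dco-matrixtest" entry in clouds.yaml; state is local unless a backend is configured` would make both assumptions explicit for the next operator.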
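Review bot: Both instance resources attach the pre-existing `Allow ssh from the world` security group next to `Allow SSH from SUNET jumphosts`, and since the union of attached groups applies, the jumphost restriction has no effect while the world group is present; if world-reachable SSH is only a bootstrap convenience, gate it behind a variable so it can be dropped without editing the resources. `https`, `Allow SSH from SUNET jumphosts` and `Allow ssh from the world` are referenced by name but not managed in this diff, so the apply presumably depends on them already existing in the project — worth a comment saying so. The image UUID `5d24aca9-11be-4de1-9770-4a097d68f361` is hard-coded twice; a single `var.image_id` keeps both node types on the same image and gives the value a name. The `"${var.controller_instance_type}"` and `"${var.keyname}"` wrappers are redundant in Terraform 0.12+ and can be written `flavor_name = var.controller_instance_type`.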
+++ b/IaC/securitygroups.tf 
@@ -0,0 +1,182 @@
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
diff --git a/IaC/servergroups.tf b/IaC/servergroups.tf
new file mode 100644
index 0000000..11b49f3
--- /dev/null
+++ b/IaC/servergroups.tf
@@ -0,0 +1,13 @@
+resource "openstack_compute_servergroup_v2" "workers" {
+ name = "workers"
+ policies = ["anti-affinity"]
+}
+resource "openstack_compute_servergroup_v2" "controllers" {
+ name = "controllers"
+ policies = ["anti-affinity"]
+}
+
+resource "openstack_networking_secgroup_v2" "microk8s" {
+ name = "microk8s"
+ description = "Traffic to allow between microk8s hosts"
+}
diff --git a/IaC/vars.tf b/IaC/vars.tf
new file mode 100644
index 0000000..b4539d7
--- /dev/null
+++ b/IaC/vars.tf
@@ -0,0 +1,35 @@
+variable "datacenter_name" {
+ type = string
+ default = "dco"
+}
+
+variable "keyname" {
+ type = string
+ default = "manderssonpub"
+}
+
+variable "worker_instance_count" {
+ default = "3"
+}
+variable "controller_instance_count" {
+ default = "3"
+}
+
+variable "controller_instance_type" {
+ default = "b2.c2r4"
+}
+variable "monitor_instance_type" {
+ default = "b2.c2r4"
+}
+variable "worker_instance_type" {
+ default = "b2.c4r16"
+}
+variable "worker_name" {
+ default = "internal-sto4-test-k8sw"
+}
+variable "controller_name" {
+ default = "internal-sto4-test-k8sc"
+}
+variable "dns_suffix" {
+ default = "rut.sunet.se"
+}
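Review bot: The hunk ends on `microk8s_rule20`'s `security_group_id` line with no closing `}`, and the `+1,182` count in the hunk header is consistent with that line being absent, so unless this is a rendering artifact the file will not pass `terraform validate` and the brace needs adding. `microk8s_rule1` and `microk8s_rule2` open TCP 16443 (the MicroK8s API endpoint) to `0.0.0.0/0` and `::/0`; the inline comment says why, but that exposes the cluster API to the whole internet, while `microk8s_rule19`/`rule20` already cover 16443 within the group. A variable list of admin CIDRs (`remote_ip_prefix = each.value` over `for_each = toset(var.api_allowed_cidrs)`) keeps the exception explicit, revocable and reviewable instead of a hard-coded any-source rule. The eighteen intra-group rules differ only in port, protocol and ethertype, so a single `for_each` resource over a port map removes most of the copy-paste surface; since this is a new file there is no state to migrate, and the rewritten rules are sketched below.
```hcl
# … unchanged: microk8s_rule1 / microk8s_rule2 (world-reachable 16443) …

locals {
  # port/protocol pairs allowed only between members of the microk8s group
  microk8s_intra_ports = {
    "kubelet-10250" = { protocol = "tcp", port = 10250 }
    # … remaining entries for 10255, 25000, 12379, 10257, 10259, 19001, udp 4789, 16443 …
  }
  ethertypes = ["IPv4", "IPv6"]
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_intra" {
  for_each = {
    for pair in setproduct(keys(local.microk8s_intra_ports), local.ethertypes) :
    "${pair[0]}-${pair[1]}" => { port = local.microk8s_intra_ports[pair[0]], ethertype = pair[1] }
  }
  direction         = "ingress"
  ethertype         = each.value.ethertype
  protocol          = each.value.port.protocol
  port_range_min    = each.value.port.port
  port_range_max    = each.value.port.port
  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
  security_group_id = openstack_networking_secgroup_v2.microk8s.id
}
```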
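Review bot: `openstack_networking_secgroup_v2.microk8s` is declared here in servergroups.tf while every rule that targets it lives in securitygroups.tf, so a reader of the rules file has to look in a file named for something else to find the group; moving the resource next to its rules keeps the file names honest. Both server groups request `anti-affinity` and nodes.tf creates three instances in each by default, which presumably requires at least three distinct hosts in the target project or scheduling can fail — a comment such as `# anti-affinity: scheduling needs at least var.*_instance_count separate hosts` would record that constraint where it is set.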
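Review bot: `worker_instance_count` and `controller_instance_count` default to the string `"3"` and declare no `type`, yet nodes.tf feeds them straight into `count`; Terraform converts the string, but `type = number` with `default = 3` states the contract and rejects a bad override at plan time rather than at apply. `keyname` defaults to what looks like a personal key pair name, so every instance is bootstrapped with one individual's key unless overridden — dropping the default, or adding `description = "Nova key pair to inject; set per deployment"`, makes that an explicit choice. `datacenter_name` and `monitor_instance_type` are not referenced by any file in this diff; if they are reserved for later use a comment saying so helps, otherwise they can go.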