diff options
author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2021-08-16 15:50:31 +0200 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2021-09-09 14:53:31 +0100 |
commit | f9bcd5776d5a5582fc41ad19e633847e56fb46ba (patch) | |
tree | 2a801386ae3d3a0ad756ffa6e76cf876d582f4f1 | |
parent | 7472da7aa7ece624741dbc9190861f0882ef8705 (diff) | |
download | infrastructure-f9bcd5776d5a5582fc41ad19e633847e56fb46ba.tar.gz |
Deploy infrastructure servers using Terraform
-rw-r--r-- | terraform/base.tf | 33 | ||||
-rw-r--r-- | terraform/infra.tf | 230 | ||||
-rw-r--r-- | terraform/networking.tf | 211 |
3 files changed, 474 insertions, 0 deletions
diff --git a/terraform/base.tf b/terraform/base.tf new file mode 100644 index 00000000..54af2083 --- /dev/null +++ b/terraform/base.tf @@ -0,0 +1,33 @@ +# Define required providers +terraform { +required_version = ">= 0.14.0" + required_providers { + openstack = { + source = "terraform-provider-openstack/openstack" + version = "~> 1.35.0" + } + } +} + +# Configure the OpenStack Provider +provider "openstack" { + auth_url = "https://fra1.citycloud.com:5000" +} + + +locals { + username = "cloud" + image_name = "Ubuntu 20.04 Focal Fossa 20200423" + name_prefix = "bazel-poc" + flavor_name_frontend = "1C-1GB-20GB" + flavor_name_webserver = "1C-2GB-20GB" + flavor_name_gbo = "4C-8GB" + flavor_name_ostree = "2C-4GB-20GB" +} + + +# Create keypairs +resource "openstack_compute_keypair_v2" "pedro-keypair" { + name = "pedro-alvarez_latty" + public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrfYhQAgqiwtcl37TfBR7N5Fq7ze17Cn4UUbz/Nuby/9qfypUp5Ir2x0P1otbQfozwWBOwmKCFRQMs+fZXFpWsvshNcmaw+rMI8wP1Bx2cqSuPusLPEYbvRbnfGo/E7aj/GvpSKRlBCGF3tORzGAmQsogUUXXcXP7PKIkPB3Jo04K8IeuSoRGd8cGfUWA6dcx9YuZHeJ3o/RzpV8UvU3Ge50mLf05cbrS2LlXgnG2PGbuBX5l87O6u3KUXq5zoafd0AtpSelNcVfAjpwdPokyuR1pXn+3q2w+l7ExmIAjwJV+QJeSSRMRfiHbk/+D3vYUlnqoarB0UrsTb2mY2tAPD" +} diff --git a/terraform/infra.tf b/terraform/infra.tf new file mode 100644 index 00000000..9b5b7ccf --- /dev/null +++ b/terraform/infra.tf @@ -0,0 +1,230 @@ +data "openstack_images_image_v2" "image_id" { + name = local.image_name + most_recent = true +} + +# Frontend +data "openstack_compute_flavor_v2" "flavor_frontend" { + name = local.flavor_name_frontend +} + +resource "openstack_networking_port_v2" "frontend_port" { + name = "port_1" + network_id = "${openstack_networking_network_v2.baserock_network.id}" + admin_state_up = "true" + + fixed_ip { + subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}" + ip_address = "10.3.0.10" + } +} + +resource "openstack_networking_floatingip_v2" "floatip_frontend" { + pool = "ext-net" +} + +resource "openstack_networking_floatingip_associate_v2" "floatip_associate_frontend" { + floating_ip = "${openstack_networking_floatingip_v2.floatip_frontend.address}" + port_id = "${openstack_networking_port_v2.frontend_port.id}" +} + +resource "openstack_compute_instance_v2" "baserock_frontend" { + name = "frontend-haproxy" + image_id = data.openstack_images_image_v2.image_id.id + flavor_id = data.openstack_compute_flavor_v2.flavor_frontend.id + key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}" + + security_groups = [ + "${openstack_networking_secgroup_v2.sg_base.name}", + "${openstack_networking_secgroup_v2.sg_gitlab_bot.name}", + "${openstack_networking_secgroup_v2.sg_web_server.name}", + "${openstack_networking_secgroup_v2.sg_haste_server.name}", + "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.name}", + ] + network { + port = "${openstack_networking_port_v2.frontend_port.id}" + } + + lifecycle { + ignore_changes = [ + # Ignore changes to base image + image_id, + # Ignore changes to key_pairs + key_pair, + ] + } +} + + +# Webserver +data "openstack_compute_flavor_v2" "flavor_webserver" { + name = local.flavor_name_webserver +} + +resource "openstack_networking_port_v2" "webserver_port" { + name = "webserver_port" + network_id = "${openstack_networking_network_v2.baserock_network.id}" + admin_state_up = "true" + + fixed_ip { + subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}" + ip_address = "10.3.0.13" + } +} + +resource "openstack_compute_instance_v2" "baserock_webserver" { + name = "webserver" + image_id = data.openstack_images_image_v2.image_id.id + flavor_id = data.openstack_compute_flavor_v2.flavor_webserver.id + key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}" + + security_groups = [ + "${openstack_networking_secgroup_v2.sg_base.name}", + "${openstack_networking_secgroup_v2.sg_gitlab_bot.name}", + "${openstack_networking_secgroup_v2.sg_web_server.name}", + "${openstack_networking_secgroup_v2.sg_haste_server.name}", + ] + network { + port = "${openstack_networking_port_v2.webserver_port.id}" + } + + lifecycle { + ignore_changes = [ + # Ignore changes to base image + image_id, + # Ignore changes to key_pairs + key_pair, + ] + } +} + +resource "openstack_blockstorage_volume_v2" "volume_webserver" { + name = "webserver-volume" + size = 150 +} + +resource "openstack_compute_volume_attach_v2" "volume_attach_webserver" { + instance_id = "${openstack_compute_instance_v2.baserock_webserver.id}" + volume_id = "${openstack_blockstorage_volume_v2.volume_webserver.id}" + device = "/dev/vdb" +} + +# g.b.o + +data "openstack_images_image_v2" "gbo_image_id" { + name = "Debian 10 Buster" + most_recent = true +} + +data "openstack_compute_flavor_v2" "flavor_gbo" { + name = local.flavor_name_gbo +} + +resource "openstack_networking_port_v2" "gbo_port" { + name = "gbo_port" + network_id = "${openstack_networking_network_v2.baserock_network.id}" + admin_state_up = "true" + + fixed_ip { + subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}" + ip_address = "10.3.0.4" + } +} + + +resource "openstack_networking_floatingip_v2" "floatip_gbo" { + pool = "ext-net" +} + +resource "openstack_networking_floatingip_associate_v2" "floatip_associate_gbo" { + floating_ip = "${openstack_networking_floatingip_v2.floatip_gbo.address}" + port_id = "${openstack_networking_port_v2.gbo_port.id}" +} + +resource "openstack_compute_instance_v2" "baserock_gbo" { + name = "git.baserock.org-debian" + image_id = data.openstack_images_image_v2.gbo_image_id.id + flavor_id = data.openstack_compute_flavor_v2.flavor_gbo.id + key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}" + + security_groups = [ + "${openstack_networking_secgroup_v2.sg_base.name}", + "${openstack_networking_secgroup_v2.sg_git_server.name}", + ] + network { + port = "${openstack_networking_port_v2.gbo_port.id}" + } + + lifecycle { + ignore_changes = [ + # Ignore changes to base image + image_id, + # Ignore changes to key_pairs + key_pair, + ] + } +} + +resource "openstack_blockstorage_volume_v2" "volume_gbo" { + name = "git.baserock.org-srv" + size = 300 +} + +resource "openstack_compute_volume_attach_v2" "volume_attach_gbo" { + instance_id = "${openstack_compute_instance_v2.baserock_gbo.id}" + volume_id = "${openstack_blockstorage_volume_v2.volume_gbo.id}" + device = "/dev/vdb" +} + +# ostree + +data "openstack_compute_flavor_v2" "flavor_ostree" { + name = local.flavor_name_ostree +} + +resource "openstack_networking_port_v2" "ostree_port" { + name = "ostree_port" + network_id = "${openstack_networking_network_v2.baserock_network.id}" + admin_state_up = "true" + + fixed_ip { + subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}" + ip_address = "10.3.0.12" + } +} + +resource "openstack_compute_instance_v2" "baserock_ostree" { + name = "ostree" + image_id = data.openstack_images_image_v2.image_id.id + flavor_id = data.openstack_compute_flavor_v2.flavor_ostree.id + key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}" + + security_groups = [ + "${openstack_networking_secgroup_v2.sg_base.name}", + "${openstack_networking_secgroup_v2.sg_web_server.name}", + "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.name}", + ] + network { + port = "${openstack_networking_port_v2.ostree_port.id}" + } + + lifecycle { + ignore_changes = [ + # Ignore changes to base image + image_id, + # Ignore changes to key_pairs + key_pair, + ] + } +} + +resource "openstack_blockstorage_volume_v2" "volume_ostree" { + name = "ostree-volume" + size = 100 +} + +resource "openstack_compute_volume_attach_v2" "volume_attach_ostree" { + instance_id = "${openstack_compute_instance_v2.baserock_ostree.id}" + volume_id = "${openstack_blockstorage_volume_v2.volume_ostree.id}" + device = "/dev/vdb" +} diff --git a/terraform/networking.tf b/terraform/networking.tf new file mode 100644 index 00000000..3293c8c8 --- /dev/null +++ b/terraform/networking.tf @@ -0,0 +1,211 @@ +resource "openstack_networking_network_v2" "baserock_network" { + name = "Baserock Network" + admin_state_up = "true" +} + +resource "openstack_networking_subnet_v2" "baserock_subnet" { + name = "Baserock Subnet" + network_id = "${openstack_networking_network_v2.baserock_network.id}" + cidr = "10.3.0.0/24" + ip_version = 4 +} + + +data "openstack_networking_network_v2" "external_network" { + name = "ext-net" +} + +resource "openstack_networking_router_v2" "baserock_router" { + name = "Baserock Router" + admin_state_up = true + external_network_id = data.openstack_networking_network_v2.external_network.id +} + +resource "openstack_networking_router_interface_v2" "baserock_router_interface" { + router_id = "${openstack_networking_router_v2.baserock_router.id}" + subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}" +} + +# Security groups + +resource "openstack_networking_secgroup_v2" "sg_base" { + name = "base" + description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections" + delete_default_rules = "true" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" { + direction = "egress" + ethertype = "IPv4" + protocol = "icmp" + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" { + direction = "egress" + ethertype = "IPv4" + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" { + direction = "egress" + ethertype = "IPv6" + remote_ip_prefix = "::/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" { + direction = "ingress" + ethertype = "IPv4" + protocol = "icmp" + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" +} + + +resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" +} + + + +resource "openstack_networking_secgroup_v2" "sg_haste_server" { + name = "haste-server" + description = "Allow incoming TCP requests for haste server" + delete_default_rules = "true" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 7777 + port_range_max = 7777 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}" +} + +resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" { + name = "gitlab-bot" + description = "Allow incoming TCP requests for gitlab-bot" + delete_default_rules = "true" +} + + +resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 1337 + port_range_max = 1337 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}" +} + + +resource "openstack_networking_secgroup_v2" "sg_git_server" { + name = "git-server" + description = "Allow inbound SSH, HTTP, HTTPS and Git requests." + delete_default_rules = "true" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 80 + port_range_max = 80 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 443 + port_range_max = 443 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 9418 + port_range_max = 9418 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}" +} + + + +resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" { + name = "shared-artifact-cache" + description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)" + delete_default_rules = "true" +} + +resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 80 + port_range_max = 80 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}" +} +resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 443 + port_range_max = 443 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}" +} +resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22200 + port_range_max = 22200 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}" +} + + +resource "openstack_networking_secgroup_v2" "sg_web_server" { + name = "web-server" + description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)" + delete_default_rules = "true" +} + + +resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 80 + port_range_max = 80 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}" +} +resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 443 + port_range_max = 443 + remote_ip_prefix = "0.0.0.0/0" + security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}" +} |