authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2021-08-16 15:50:31 +0200
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2021-09-09 14:53:31 +0100
commitf9bcd5776d5a5582fc41ad19e633847e56fb46ba (patch)
tree2a801386ae3d3a0ad756ffa6e76cf876d582f4f1
parent7472da7aa7ece624741dbc9190861f0882ef8705 (diff)
downloadinfrastructure-f9bcd5776d5a5582fc41ad19e633847e56fb46ba.tar.gz
Deploy infrastructure servers using Terraform
-rw-r--r--terraform/base.tf33
-rw-r--r--terraform/infra.tf230
-rw-r--r--terraform/networking.tf211
3 files changed, 474 insertions, 0 deletions
diff --git a/terraform/base.tf b/terraform/base.tf
new file mode 100644
index 00000000..54af2083
--- /dev/null
+++ b/terraform/base.tf
@@ -0,0 +1,33 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.35.0"
+ }
+ }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+ auth_url = "https://fra1.citycloud.com:5000"
+}
+
+
+locals {
+ username = "cloud"
+ image_name = "Ubuntu 20.04 Focal Fossa 20200423"
+ name_prefix = "bazel-poc"
+ flavor_name_frontend = "1C-1GB-20GB"
+ flavor_name_webserver = "1C-2GB-20GB"
+ flavor_name_gbo = "4C-8GB"
+ flavor_name_ostree = "2C-4GB-20GB"
+}
+
+
+# Create keypairs
+resource "openstack_compute_keypair_v2" "pedro-keypair" {
+ name = "pedro-alvarez_latty"
+ public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrfYhQAgqiwtcl37TfBR7N5Fq7ze17Cn4UUbz/Nuby/9qfypUp5Ir2x0P1otbQfozwWBOwmKCFRQMs+fZXFpWsvshNcmaw+rMI8wP1Bx2cqSuPusLPEYbvRbnfGo/E7aj/GvpSKRlBCGF3tORzGAmQsogUUXXcXP7PKIkPB3Jo04K8IeuSoRGd8cGfUWA6dcx9YuZHeJ3o/RzpV8UvU3Ge50mLf05cbrS2LlXgnG2PGbuBX5l87O6u3KUXq5zoafd0AtpSelNcVfAjpwdPokyuR1pXn+3q2w+l7ExmIAjwJV+QJeSSRMRfiHbk/+D3vYUlnqoarB0UrsTb2mY2tAPD"
+}
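Review bot: The only SSH key provisioned (`pedro-keypair`, lines 52–55) is one individual's personal RSA key hard-coded into the module, and infra.tf attaches it to every instance, so access to all four servers depends on a single person's key and rotating it means editing this file by hand. I'd read the key material from a variable, e.g. `variable "ssh_public_key" { type = string }` with `public_key = var.ssh_public_key`, or a map of named keys so more than one administrator can be enrolled, with the values kept in terraform.tfvars. The provider block supplies only `auth_url`, so credentials presumably come from OS_* environment variables or clouds.yaml — worth stating in a comment, `# Credentials come from OS_* env vars / clouds.yaml; never put them in this file`. Also `local.name_prefix` is defined but not referenced in any of the three files, so either use it in the instance names or drop it.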
diff --git a/terraform/infra.tf b/terraform/infra.tf
new file mode 100644
index 00000000..9b5b7ccf
--- /dev/null
+++ b/terraform/infra.tf
@@ -0,0 +1,230 @@
+data "openstack_images_image_v2" "image_id" {
+ name = local.image_name
+ most_recent = true
+}
+
+# Frontend
+data "openstack_compute_flavor_v2" "flavor_frontend" {
+ name = local.flavor_name_frontend
+}
+
+resource "openstack_networking_port_v2" "frontend_port" {
+ name = "port_1"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.10"
+ }
+}
+
+resource "openstack_networking_floatingip_v2" "floatip_frontend" {
+ pool = "ext-net"
+}
+
+resource "openstack_networking_floatingip_associate_v2" "floatip_associate_frontend" {
+ floating_ip = "${openstack_networking_floatingip_v2.floatip_frontend.address}"
+ port_id = "${openstack_networking_port_v2.frontend_port.id}"
+}
+
+resource "openstack_compute_instance_v2" "baserock_frontend" {
+ name = "frontend-haproxy"
+ image_id = data.openstack_images_image_v2.image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_frontend.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_gitlab_bot.name}",
+ "${openstack_networking_secgroup_v2.sg_web_server.name}",
+ "${openstack_networking_secgroup_v2.sg_haste_server.name}",
+ "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.frontend_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+
+# Webserver
+data "openstack_compute_flavor_v2" "flavor_webserver" {
+ name = local.flavor_name_webserver
+}
+
+resource "openstack_networking_port_v2" "webserver_port" {
+ name = "webserver_port"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.13"
+ }
+}
+
+resource "openstack_compute_instance_v2" "baserock_webserver" {
+ name = "webserver"
+ image_id = data.openstack_images_image_v2.image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_webserver.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_gitlab_bot.name}",
+ "${openstack_networking_secgroup_v2.sg_web_server.name}",
+ "${openstack_networking_secgroup_v2.sg_haste_server.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.webserver_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+resource "openstack_blockstorage_volume_v2" "volume_webserver" {
+ name = "webserver-volume"
+ size = 150
+}
+
+resource "openstack_compute_volume_attach_v2" "volume_attach_webserver" {
+ instance_id = "${openstack_compute_instance_v2.baserock_webserver.id}"
+ volume_id = "${openstack_blockstorage_volume_v2.volume_webserver.id}"
+ device = "/dev/vdb"
+}
+
+# g.b.o
+
+data "openstack_images_image_v2" "gbo_image_id" {
+ name = "Debian 10 Buster"
+ most_recent = true
+}
+
+data "openstack_compute_flavor_v2" "flavor_gbo" {
+ name = local.flavor_name_gbo
+}
+
+resource "openstack_networking_port_v2" "gbo_port" {
+ name = "gbo_port"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.4"
+ }
+}
+
+
+resource "openstack_networking_floatingip_v2" "floatip_gbo" {
+ pool = "ext-net"
+}
+
+resource "openstack_networking_floatingip_associate_v2" "floatip_associate_gbo" {
+ floating_ip = "${openstack_networking_floatingip_v2.floatip_gbo.address}"
+ port_id = "${openstack_networking_port_v2.gbo_port.id}"
+}
+
+resource "openstack_compute_instance_v2" "baserock_gbo" {
+ name = "git.baserock.org-debian"
+ image_id = data.openstack_images_image_v2.gbo_image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_gbo.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_git_server.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.gbo_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+resource "openstack_blockstorage_volume_v2" "volume_gbo" {
+ name = "git.baserock.org-srv"
+ size = 300
+}
+
+resource "openstack_compute_volume_attach_v2" "volume_attach_gbo" {
+ instance_id = "${openstack_compute_instance_v2.baserock_gbo.id}"
+ volume_id = "${openstack_blockstorage_volume_v2.volume_gbo.id}"
+ device = "/dev/vdb"
+}
+
+# ostree
+
+data "openstack_compute_flavor_v2" "flavor_ostree" {
+ name = local.flavor_name_ostree
+}
+
+resource "openstack_networking_port_v2" "ostree_port" {
+ name = "ostree_port"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.12"
+ }
+}
+
+resource "openstack_compute_instance_v2" "baserock_ostree" {
+ name = "ostree"
+ image_id = data.openstack_images_image_v2.image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_ostree.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_web_server.name}",
+ "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.ostree_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+resource "openstack_blockstorage_volume_v2" "volume_ostree" {
+ name = "ostree-volume"
+ size = 100
+}
+
+resource "openstack_compute_volume_attach_v2" "volume_attach_ostree" {
+ instance_id = "${openstack_compute_instance_v2.baserock_ostree.id}"
+ volume_id = "${openstack_blockstorage_volume_v2.volume_ostree.id}"
+ device = "/dev/vdb"
+}
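Review bot: The image data sources at lines 62–65 and 175–178 select by display name with `most_recent = true` and no owner or visibility filter, so whichever image in the catalogue most recently carries that name wins — including one uploaded under the same name by another tenant if the cloud lists shared or community images — and `ignore_changes = [image_id]` then hides the drift from later plans. Pin the lookup to a trusted source, e.g. `visibility = "public"` (or `owner = "<provider project id>"`) in each data block, or pass an image ID in from a variable instead of a name; whether these are provider-supplied images is an assumption to confirm. A related trade-off: `ignore_changes = [key_pair]` on all four instances means a key rotation in base.tf will never reach existing servers, so a compromised key has to be removed from each host's authorized_keys by hand — a comment such as `# key_pair only seeds the first boot; rotate keys on the host, not here` would save the next operator a surprise. Also `frontend_port` is named `"port_1"` where the other ports follow `<role>_port`.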
diff --git a/terraform/networking.tf b/terraform/networking.tf
new file mode 100644
index 00000000..3293c8c8
--- /dev/null
+++ b/terraform/networking.tf
@@ -0,0 +1,211 @@
+resource "openstack_networking_network_v2" "baserock_network" {
+ name = "Baserock Network"
+ admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "baserock_subnet" {
+ name = "Baserock Subnet"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ cidr = "10.3.0.0/24"
+ ip_version = 4
+}
+
+
+data "openstack_networking_network_v2" "external_network" {
+ name = "ext-net"
+}
+
+resource "openstack_networking_router_v2" "baserock_router" {
+ name = "Baserock Router"
+ admin_state_up = true
+ external_network_id = data.openstack_networking_network_v2.external_network.id
+}
+
+resource "openstack_networking_router_interface_v2" "baserock_router_interface" {
+ router_id = "${openstack_networking_router_v2.baserock_router.id}"
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+}
+
+# Security groups
+
+resource "openstack_networking_secgroup_v2" "sg_base" {
+ name = "base"
+ description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" {
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" {
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ remote_ip_prefix = "::/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_haste_server" {
+ name = "haste-server"
+ description = "Allow incoming TCP requests for haste server"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 7777
+ port_range_max = 7777
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}"
+}
+
+resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" {
+ name = "gitlab-bot"
+ description = "Allow incoming TCP requests for gitlab-bot"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 1337
+ port_range_max = 1337
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_git_server" {
+ name = "git-server"
+ description = "Allow inbound SSH, HTTP, HTTPS and Git requests."
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9418
+ port_range_max = 9418
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" {
+ name = "shared-artifact-cache"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22200
+ port_range_max = 22200
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_web_server" {
+ name = "web-server"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
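Review bot: `sg_base_ingress_ssh` (lines 365–373) admits TCP/22 from `0.0.0.0/0`, and since `sg_base` is attached to every instance in infra.tf, the two hosts with floating IPs (frontend-haproxy and git.baserock.org) expose SSH to the whole internet. Unless the git server needs public SSH for pushes (that would belong in `sg_git_server`, whose description promises SSH but which has no rule for it), I'd narrow this to an admin CIDR list, e.g. `variable "admin_cidrs" { type = list(string) }` with `for_each = toset(var.admin_cidrs)` and `remote_ip_prefix = each.value`. The haste-server (7777) and gitlab-bot (1337) rules are likewise world-open; if those services are only ever reached through the haproxy frontend, `remote_ip_prefix = "10.3.0.0/24"` (or `remote_group_id = openstack_networking_secgroup_v2.sg_base.id`) is enough. Two smaller things: `sg_web_server`'s description at line 486 is copied from shared-artifact-cache and mentions port 22200, which this group does not open (`description = "Allow inbound HTTP and HTTPS"`), and `sg_base_egress_icmp` is subsumed by `sg_base_egress_any`.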