functional!

data.tf

@@ -1,5 +1,5 @@
 data "aws_vpc" "default" {
-  default = var.vpc_id == null ? true : false
+  default = false
   id      = var.vpc_id
 }
 
@@ -37,11 +37,6 @@ data "aws_ami" "ubuntu" {
   }
 }
 
-data "rancher2_user" "admin" {
-  username   = "admin"
-  depends_on = [rancher2_bootstrap.admin]
-}
-
 data "template_cloudinit_config" "k3s_server" {
   gzip          = true
   base64_encode = true
@@ -60,7 +55,7 @@ data "template_cloudinit_config" "k3s_server" {
 
   part {
     content_type = "text/x-shellscript"
-    content      = file("${path.module}/files/ingress-install.sh")
+    content      = templatefile("${path.module}/files/ingress-install.sh", { install_nginx_ingress = local.install_nginx_ingress })
   }
 
   part {

examples/default/main.tf

@@ -0,0 +1,127 @@
+provider "aws" {
+  region  = "us-west-2"
+  profile = "rancher-eng"
+}
+
+provider "aws" {
+  alias   = "r53"
+  region  = "us-west-2"
+  profile = "rancher-eng"
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.17.0"
+
+  name = "example"
+  cidr = "10.105.0.0/16"
+
+  azs             = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  public_subnets  = ["10.105.1.0/24", "10.105.2.0/24", "10.105.3.0/24"]
+  private_subnets = ["10.105.4.0/24", "10.105.5.0/24", "10.105.6.0/24"]
+
+  create_database_subnet_group = false
+
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = true
+
+  tags = {
+    "Name" = "example"
+  }
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  owners      = ["099720109477"]
+
+  filter {
+    name   = "name"
+    values = ["ubuntu-minimal/images/*/ubuntu-bionic-18.04-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+resource "aws_security_group" "bastion" {
+  name   = "example-bastion"
+  vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "bastion_ssh" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "TCP"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.bastion.id
+}
+
+resource "aws_security_group_rule" "bastion_egress_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.bastion.id
+}
+
+resource "aws_instance" "bastion" {
+  ami           = "${data.aws_ami.ubuntu.id}"
+  instance_type = "t2.micro"
+  subnet_id     = element(module.vpc.public_subnets, 0)
+  user_data     = templatefile("${path.module}/bastion.tmpl", { ssh_keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5O7k6gRYCU7YPkCH6dyXVW10izMAkDAQtQxNxdRE22 drpebcak"] })
+
+  vpc_security_group_ids = [aws_security_group.bastion.id, module.vpc.default_security_group_id]
+
+  tags = {
+    Name = "example-bastion"
+  }
+}
+
+provider "rancher2" {
+  api_url   = "https://example.eng.rancher.space"
+  token_key = "token-4hdgv:zsgmrtqhzf4rf5l7tp6vv6fpxv8jwdxntwsk2bq7mwgmbv8kcg5lsf"
+}
+
+resource "rancher2_cluster" "k3s" {
+  name = "example-imported"
+}
+
+module "k3s_rancher" {
+  source                       = "../../"
+  vpc_id                       = module.vpc.vpc_id
+  aws_region                   = "us-west-2"
+  aws_profile                  = "rancher-eng"
+  private_subnets              = module.vpc.private_subnets
+  public_subnets               = module.vpc.public_subnets
+  ssh_keys                     = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5O7k6gRYCU7YPkCH6dyXVW10izMAkDAQtQxNxdRE22 drpebcak"]
+  name                         = "example"
+  k3s_cluster_secret           = "secretvaluechangeme"
+  domain                       = "eng.rancher.space"
+  aws_azs                      = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  k3s_storage_endpoint         = "postgres"
+  db_user                      = "exampleuser"
+  db_pass                      = "mD,50cbf5597fd320b6a732ce778082a0359"
+  extra_server_security_groups = [module.vpc.default_security_group_id]
+  extra_agent_security_groups  = [module.vpc.default_security_group_id]
+  private_subnets_cidr_blocks  = module.vpc.private_subnets_cidr_blocks
+  registration_command         = rancher2_cluster.k3s.cluster_registration_token[0].command
+  providers = {
+    aws     = "aws"
+    aws.r53 = "aws.r53"
+  }
+}

examples/rancher/bastion.tmpl

@@ -0,0 +1,11 @@
+#cloud-config
+%{ if length(ssh_keys) > 0 }
+ssh_authorized_keys:
+%{ for ssh_key in ssh_keys }
+- ${ssh_key}
+%{ endfor }
+%{ endif }
+runcmd:
+- apt-get update
+- apt-get install -y software-properties-common
+- DEBIAN_FRONTEND=noninteractive apt-get upgrade -y

examples/main.tf → examples/rancher/main.tf

@@ -93,10 +93,15 @@ resource "aws_instance" "bastion" {
 }
 
 module "k3s_rancher" {
-  source                       = "../"
+  source                       = "../../"
   vpc_id                       = module.vpc.vpc_id
   aws_region                   = "us-west-2"
   aws_profile                  = "rancher-eng"
+  rancher_password             = "u7qmyhm3wbgujjuijs3rqfpm2e"
+  install_rancher              = true
+  install_certmanager          = true
+  install_nginx_ingress        = true
+  k3s_deploy_traefik           = false
   private_subnets              = module.vpc.private_subnets
   public_subnets               = module.vpc.public_subnets
   ssh_keys                     = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5O7k6gRYCU7YPkCH6dyXVW10izMAkDAQtQxNxdRE22 drpebcak"]

files/k3s-install.sh

@@ -6,18 +6,15 @@ curl -o ${k3s_storage_cafile} https://s3.amazonaws.com/rds-downloads/rds-combine
   %{ endif }
 %{ endif }
 
-until (curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION='v${install_k3s_version}' \
-INSTALL_K3S_EXEC='${k3s_tls_san} ${k3s_disable_agent} ${k3s_deploy_traefik} ${k3s_exec}' \
-K3S_CLUSTER_SECRET='${k3s_cluster_secret}' \
-%{ if k3s_storage_endpoint != "sqlite" }K3S_STORAGE_CAFILE='${k3s_storage_cafile}'%{ endif } \
-%{ if k3s_storage_endpoint != "sqlite" }K3S_STORAGE_ENDPOINT='${k3s_storage_endpoint}'%{ endif } \
-%{ if !is_k3s_server } K3S_URL='https://${k3s_url}:6443'%{ endif } sh -); do
+until (curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION='v${install_k3s_version}' INSTALL_K3S_EXEC='%{ if is_k3s_server }${k3s_tls_san} ${k3s_disable_agent} ${k3s_deploy_traefik} %{ endif}${k3s_exec}' K3S_CLUSTER_SECRET='${k3s_cluster_secret}' %{ if is_k3s_server }%{ if k3s_storage_endpoint != "sqlite" }K3S_STORAGE_CAFILE='${k3s_storage_cafile}'%{ endif } %{ if k3s_storage_endpoint != "sqlite" }K3S_STORAGE_ENDPOINT='${k3s_storage_endpoint}'%{ endif } %{ endif }%{ if !is_k3s_server } K3S_URL='https://${k3s_url}:6443'%{ endif } sh -); do
   echo 'k3s did not install correctly'
   sleep 2
 done
 
+%{ if is_k3s_server }
 until kubectl get pods -A | grep 'Running';
 do
   echo 'Waiting for k3s startup'
   sleep 5
 done
+%{ endif }

infra.tf

@@ -217,12 +217,6 @@ resource "aws_rds_cluster_parameter_group" "k3s" {
     value        = "1"
     apply_method = "pending-reboot"
   }
-
-  parameter {
-    name         = "ssl"
-    value        = "1"
-    apply_method = "pending-reboot"
-  }
 }
 
 resource "aws_rds_cluster" "k3s" {
@@ -262,7 +256,7 @@ resource "aws_rds_cluster_instance" "k3s" {
 ### Create Public Rancher DNS
 #############################
 resource "aws_route53_record" "rancher" {
-  count    = local.create_external_nlb
+  count    = local.install_rancher ? local.create_external_nlb : 0
   zone_id  = data.aws_route53_zone.dns_zone.zone_id
   name     = "${local.name}.${local.domain}"
   type     = "CNAME"

loadbalancer.tf

@@ -1,5 +1,7 @@
+resource "random_pet" "lb" {}
+
 resource "aws_lb" "server-lb" {
-  name               = "${local.name}-server-lb"
+  name               = "${local.name}-int-${random_pet.lb.id}"
   internal           = true
   load_balancer_type = "network"
   subnets            = local.private_subnets
@@ -17,7 +19,7 @@ resource "aws_lb_listener" "server-port_6443" {
 }
 
 resource "aws_lb_target_group" "server-6443" {
-  name     = "${local.name}-6443-server"
+  name     = "${local.name}-6443-${random_pet.lb.id}"
   port     = 6443
   protocol = "TCP"
   vpc_id   = data.aws_vpc.default.id
@@ -26,7 +28,7 @@ resource "aws_lb_target_group" "server-6443" {
 
 resource "aws_lb" "lb" {
   count              = local.create_external_nlb
-  name               = "${local.name}-lb"
+  name               = "${local.name}-ext-${random_pet.lb.id}"
   internal           = false
   load_balancer_type = "network"
   subnets            = local.public_subnets
@@ -62,7 +64,7 @@ resource "aws_lb_listener" "port_80" {
 
 resource "aws_lb_target_group" "agent-443" {
   count    = local.create_external_nlb
-  name     = "${local.name}-443-agent"
+  name     = "${local.name}-443-${random_pet.lb.id}"
   port     = 443
   protocol = "TCP"
   vpc_id   = data.aws_vpc.default.id
@@ -85,7 +87,7 @@ resource "aws_lb_target_group" "agent-443" {
 
 resource "aws_lb_target_group" "agent-80" {
   count    = local.create_external_nlb
-  name     = "${local.name}-80-agent"
+  name     = "${local.name}-80-${random_pet.lb.id}"
   port     = 80
   protocol = "TCP"
   vpc_id   = data.aws_vpc.default.id

main.tf

@@ -37,7 +37,7 @@ locals {
   db_name                     = var.db_name != null ? var.db_name : var.name
   db_node_count               = var.k3s_storage_endpoint != "sqlite" ? var.db_node_count : 0
   k3s_storage_cafile          = var.k3s_storage_cafile
-  k3s_storage_endpoint        = var.k3s_storage_endpoint == "sqlite" ? null : "--storage-endpoint postgres://${local.db_user}:${local.db_pass}@${aws_rds_cluster.k3s.0.endpoint}/${local.db_name}"
+  k3s_storage_endpoint        = var.k3s_storage_endpoint == "sqlite" ? null : "postgres://${local.db_user}:${local.db_pass}@${aws_rds_cluster.k3s.0.endpoint}/${local.db_name}"
   k3s_disable_agent           = var.k3s_disable_agent ? "--disable-agent" : ""
   k3s_tls_san                 = var.k3s_tls_san != null ? var.k3s_tls_san : "--tls-san ${aws_lb.server-lb.dns_name}"
   k3s_deploy_traefik          = var.k3s_deploy_traefik ? "" : "--no-deploy traefik"
@@ -70,11 +70,6 @@ provider "rancher2" {
   bootstrap = true
 }
 
-provider "rancher2" {
-  api_url   = "https://${local.name}.${local.domain}"
-  token_key = rancher2_bootstrap.admin.0.token
-}
-
 resource "null_resource" "wait_for_rancher" {
   count = local.install_rancher ? 1 : 0
   provisioner "local-exec" {

variables.tf

@@ -103,16 +103,10 @@ variable "certmanager_version" {
   description = "Version of cert-manager to install"
 }
 
-variable "use_default_vpc" {
-  type        = bool
-  default     = false
-  description = "Should the default VPC for the region selected be used for Rancher"
-}
-
 variable "vpc_id" {
   type        = string
   default     = null
-  description = "If use_default_vpc is false, the vpc id that Rancher should use"
+  description = "The vpc id that Rancher should use"
 }
 
 variable "aws_region" {
@@ -249,7 +243,7 @@ variable "k3s_storage_endpoint" {
 }
 
 variable "k3s_disable_agent" {
-  default     = true
+  default     = false
   type        = bool
   description = "Whether to run the k3s agent on the same host as the k3s server"
 }
@@ -265,3 +259,9 @@ variable "k3s_deploy_traefik" {
   type        = bool
   description = "Configures whether to deploy traefik ingress or not"
 }
+
+variable "rancher2_token_key" {
+  default     = null
+  type        = string
+  description = "Rancher2 API token for authentication"
+}