initial commit

rancher · Oct 22, 2019 · f103a32 · f103a32
commit f103a32
Show file tree

Hide file tree

Showing 14 changed files with 1,379 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,11 @@
+*.swp
+*.tfstate*
+**/.terraform
+**/*.plan
+**/secret_files
+**/*.tfenvs
+**/aws_accounts/iam
+.DS_Store
+outputs/
+terraform.d/
+**/terraform.tfvars
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.19.0
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_docs
diff --git a/README.md b/README.md
@@ -0,0 +1,52 @@
+### Terraform K3S AWS Cluster
+
+This module supports creating a k3s cluster with a postgres backend in AWS. By default it will also install Rancher Server.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| agent\_image\_id | AMI to use for k3s agent instances | string | `"null"` | no |
+| agent\_instance\_ssh\_user | Username for sshing into instances | string | `"ubuntu"` | no |
+| agent\_instance\_type |  | string | `"m5.large"` | no |
+| agent\_node\_count | Number of agent nodes to launch | number | `"3"` | no |
+| aws\_azs | List of AWS Availability Zones in the VPC | list | `"null"` | no |
+| aws\_profile | Name of the AWS Profile to use for authentication | string | `"null"` | no |
+| aws\_region |  | string | `"null"` | no |
+| certmanager\_version | Version of cert-manager to install | string | `"0.9.1"` | no |
+| create\_external\_nlb | Boolean that defines whether or not to create an external load balancer | bool | `"true"` | no |
+| db\_instance\_type |  | string | `"db.r5.large"` | no |
+| db\_name | Name of database to create in RDS | string | `"null"` | no |
+| db\_node\_count | Number of RDS database instances to launch | number | `"1"` | no |
+| db\_pass | Password for RDS user | string | n/a | yes |
+| db\_user | Username for RDS database | string | n/a | yes |
+| domain |  | string | `"eng.rancher.space"` | no |
+| extra\_agent\_security\_groups | Additional security groups to attach to k3s agent instances | list | `[]` | no |
+| extra\_server\_security\_groups | Additional security groups to attach to k3s server instances | list | `[]` | no |
+| install\_certmanager | Boolean that defines whether or not to install Cert-Manager | bool | `"true"` | no |
+| install\_ingress | Boolean that defines whether or not to install nginx-ingress | bool | `"true"` | no |
+| install\_k3s\_version | Version of K3S to install | string | `"0.9.1"` | no |
+| install\_rancher | Boolean that defines whether or not to install Rancher | bool | `"true"` | no |
+| k3s\_cluster\_secret | Override to set k3s cluster registration secret | string | `"null"` | no |
+| letsencrypt\_email | LetsEncrypt email address to use | string | `"[email protected]"` | no |
+| name | Name for deployment | string | `"rancher-demo"` | no |
+| private\_subnets | List of private subnet ids. | list | `[]` | no |
+| private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets | list | `[]` | no |
+| public\_subnets | List of public subnet ids. | list | `[]` | no |
+| public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets | list | `[]` | no |
+| r53\_domain | DNS domain for Route53 zone (defaults to domain if unset) | string | `""` | no |
+| rancher\_chart | Helm chart to use for Rancher install | string | `"rancher-stable/rancher"` | no |
+| rancher\_password |  | string | n/a | yes |
+| rancher\_version | Version of Rancher to install | string | `"2.3.1"` | no |
+| server\_image\_id | AMI to use for k3s server instances | string | `"null"` | no |
+| server\_instance\_ssh\_user | Username for sshing into instances | string | `"ubuntu"` | no |
+| server\_instance\_type |  | string | `"m5.large"` | no |
+| server\_node\_count | Number of server nodes to launch | number | `"1"` | no |
+| skip\_final\_snapshot | Boolean that defines whether or not the final snapshot should be created on RDS cluster deletion | bool | `"true"` | no |
+| ssh\_keys | SSH keys to inject into Rancher instances | list | `[]` | no |
+| storage\_cafile | Location to download RDS CA Bundle | string | `"/srv/rds-combined-ca-bundle.pem"` | no |
+| use\_default\_vpc | Should the default VPC for the region selected be used for Rancher | bool | `"true"` | no |
+| vpc\_id | If use_default_vpc is false, the vpc id that Rancher should use | string | `"null"` | no |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/data.tf b/data.tf
@@ -0,0 +1,87 @@
+data "aws_vpc" "default" {
+  default = var.vpc_id == null ? true : false
+  id      = var.vpc_id
+}
+
+data "aws_subnet_ids" "available" {
+  vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_route53_zone" "dns_zone" {
+  provider = aws.r53
+  name     = local.r53_domain
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  owners      = ["099720109477"]
+
+  filter {
+    name   = "name"
+    values = ["ubuntu-minimal/images/*/ubuntu-bionic-18.04-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+data "rancher2_user" "admin" {
+  username   = "admin"
+  depends_on = [rancher2_bootstrap.admin]
+}
+
+data "template_cloudinit_config" "k3s_server" {
+  gzip          = true
+  base64_encode = true
+
+  # Main cloud-config configuration file.
+  part {
+    filename     = "init.cfg"
+    content_type = "text/cloud-config"
+    content      = templatefile("${path.module}/files/cloud-config-base.yaml", { ssh_keys = var.ssh_keys })
+  }
+
+  part {
+    content_type = "text/x-shellscript"
+    content      = templatefile("${path.module}/files/k3s-install.sh", { install_k3s_version = local.install_k3s_version, k3s_exec = local.server_k3s_exec, k3s_cluster_secret = local.k3s_cluster_secret, is_k3s_server = true, k3s_url = aws_lb.server-lb.dns_name, storage_cafile = local.storage_cafile })
+  }
+
+  part {
+    content_type = "text/x-shellscript"
+    content      = file("${path.module}/files/ingress-install.sh")
+  }
+
+  part {
+    content_type = "text/x-shellscript"
+    content      = templatefile("${path.module}/files/rancher-install.sh", { certmanager_version = local.certmanager_version, letsencrypt_email = local.letsencrypt_email, rancher_version = local.rancher_version, rancher_hostname = "${local.name}.${local.domain}", install_rancher = local.install_rancher, install_ingress = local.install_ingress, install_certmanager = local.install_certmanager })
+  }
+}
+
+data "template_cloudinit_config" "k3s_agent" {
+  gzip          = true
+  base64_encode = true
+
+  # Main cloud-config configuration file.
+  part {
+    filename     = "init.cfg"
+    content_type = "text/cloud-config"
+    content      = templatefile("${path.module}/files/cloud-config-base.yaml", { ssh_keys = var.ssh_keys })
+  }
+
+  part {
+    content_type = "text/x-shellscript"
+    content      = templatefile("${path.module}/files/k3s-install.sh", { install_k3s_version = local.install_k3s_version, k3s_exec = local.agent_k3s_exec, k3s_cluster_secret = local.k3s_cluster_secret, is_k3s_server = false, k3s_url = aws_lb.server-lb.dns_name, storage_cafile = local.storage_cafile })
+  }
+}
diff --git a/examples/bastion.tmpl b/examples/bastion.tmpl
@@ -0,0 +1,11 @@
+#cloud-config
+%{ if length(ssh_keys) > 0 }
+ssh_authorized_keys:
+%{ for ssh_key in ssh_keys }
+- ${ssh_key}
+%{ endfor }
+%{ endif }
+runcmd:
+- apt-get update
+- apt-get install -y software-properties-common
+- DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
diff --git a/examples/main.tf b/examples/main.tf
@@ -0,0 +1,118 @@
+provider "aws" {
+  region  = "us-west-2"
+  profile = "rancher-eng"
+}
+
+provider "aws" {
+  alias   = "r53"
+  region  = "us-west-2"
+  profile = "rancher-eng"
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.17.0"
+
+  name = "example"
+  cidr = "10.105.0.0/16"
+
+  azs             = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  public_subnets  = ["10.105.1.0/24", "10.105.2.0/24", "10.105.3.0/24"]
+  private_subnets = ["10.105.4.0/24", "10.105.5.0/24", "10.105.6.0/24"]
+
+  create_database_subnet_group = false
+
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = true
+
+  tags = {
+    "Name" = "example"
+  }
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  owners      = ["099720109477"]
+
+  filter {
+    name   = "name"
+    values = ["ubuntu-minimal/images/*/ubuntu-bionic-18.04-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+resource "aws_security_group" "bastion" {
+  name   = "example-bastion"
+  vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "bastion_ssh" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "TCP"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.bastion.id
+}
+
+resource "aws_security_group_rule" "bastion_egress_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.bastion.id
+}
+
+resource "aws_instance" "bastion" {
+  ami           = "${data.aws_ami.ubuntu.id}"
+  instance_type = "t2.micro"
+  subnet_id     = element(module.vpc.public_subnets, 0)
+  user_data     = templatefile("${path.module}/bastion.tmpl", { ssh_keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5O7k6gRYCU7YPkCH6dyXVW10izMAkDAQtQxNxdRE22 drpebcak"] })
+
+  vpc_security_group_ids = [aws_security_group.bastion.id, module.vpc.default_security_group_id]
+
+  tags = {
+    Name = "example-bastion"
+  }
+}
+
+module "k3s_rancher" {
+  source                       = "../"
+  rancher_password             = "changeme"
+  use_default_vpc              = false
+  vpc_id                       = module.vpc.vpc_id
+  aws_region                   = "us-west-2"
+  aws_profile                  = "rancher-eng"
+  private_subnets              = module.vpc.private_subnets
+  public_subnets               = module.vpc.public_subnets
+  ssh_keys                     = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5O7k6gRYCU7YPkCH6dyXVW10izMAkDAQtQxNxdRE22 drpebcak"]
+  name                         = "example"
+  k3s_cluster_secret           = "secretvaluechangeme"
+  domain                       = "eng.rancher.space"
+  aws_azs                      = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  db_user                      = "exampleuser"
+  db_pass                      = "mD,50cbf5597fd320b6a732ce778082a0359"
+  extra_server_security_groups = [module.vpc.default_security_group_id]
+  extra_agent_security_groups  = [module.vpc.default_security_group_id]
+  private_subnets_cidr_blocks  = module.vpc.private_subnets_cidr_blocks
+  providers = {
+    aws     = "aws"
+    aws.r53 = "aws.r53"
+  }
+}
diff --git a/files/cloud-config-base.yaml b/files/cloud-config-base.yaml
@@ -0,0 +1,11 @@
+#cloud-config
+%{ if length(ssh_keys) > 0 }
+ssh_authorized_keys:
+%{ for ssh_key in ssh_keys }
+- ${ssh_key}
+%{ endfor }
+%{ endif }
+runcmd:
+- apt-get update
+- apt-get install -y software-properties-common
+- DEBIAN_FRONTEND=noninteractive apt-get upgrade -y