diff --git a/.gitattributes b/.gitattributes
index 29fc3c99..370e338a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,3 +6,5 @@ ansible/files/csi-secret-cinderplugin.yaml.codfw1dev.crypt filter=git-crypt diff
 paws/codfw-secrets.yaml filter=git-crypt diff=git-crypt
 paws/files/minesweeper/secrets/** filter=git-crypt diff=git-crypt
 tofu/secrets.tf filter=git-crypt diff=git-crypt
+secrets-eqiad1.sh filter=git-crypt diff=git-crypt
+secrets-codfw1dev.sh filter=git-crypt diff=git-crypt
diff --git a/README.md b/README.md
index 7d16af20..c7183f29 100644
--- a/README.md
+++ b/README.md
@@ -116,3 +116,8 @@ bash deploy.sh
 update the web proxy in horizon to point to current cluster.
 https://wikitech.wikimedia.org/wiki/PAWS/Admin#Deployment
+
+#### Disaster Recovery
+If the entire project is removed two parts of paws are not managed by tofu/ansible.
+Object storage container: An object storage container named "tofu-state" will need to be generated in horizon. This is where the state file for tofu resides.
+NFS: The NFS server is not included. And a fresh NFS server will be needed for paws to operate.
diff --git a/deploy.sh b/deploy.sh
index 786d3500..fe249103 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -15,6 +15,15 @@ else
 exit
 fi
+if [ -n "${2}" ]
+then
+ if [ "${2}" = 'tofu' ]
+ then
+ # exit after tofu
+ tofuonly=1
+ fi
+fi
+
 if ! command -v kubectl ; then
 echo "please install kubectl"
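Review bot: In the deploy.sh hunk the new `$2` handling at `+if [ -n "${2}" ]` silently ignores any second argument other than `tofu`, and `tofuonly` is never initialised, so a mistyped flag runs the full deploy (including the ansible stage) with no warning. The two nested tests collapse into one and an unknown value deserves the same treatment the datacenter argument gets earlier in the file (that block lies outside the hunk): `tofuonly=0` before the check, then `if [ "${2:-}" = 'tofu' ]; then tofuonly=1; elif [ -n "${2:-}" ]; then echo "unknown argument: ${2}" >&2; exit 1; fi`. A usage line naming both arguments (`deploy.sh <datacenter> [tofu]`) would also help, since the README hunk does not mention the new `tofu` mode.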
@@ -31,15 +40,22 @@ if ! command -v tofu ; then
 exit 1
 fi
+source secrets-${datacenter}.sh
+
 python3 -m venv .venv/deploy
 source .venv/deploy/bin/activate
 pip install ansible==8.1.0 kubernetes==26.1.0
 cd tofu
-tofu init
-tofu apply -var datacenter=${datacenter} # -auto-approve
+AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu init
+AWS_ACCESS_KEY_ID=${ACCESS_KEY} AWS_SECRET_ACCESS_KEY=${SECRET_KEY} tofu apply -var datacenter=${datacenter} # -auto-approve
 export KUBECONFIG=$(pwd)/kube.config
+if [ "${tofuonly}" = '1' ]
+then
+ exit
+fi
+
 cd ../ansible
 ansible-playbook paws.yaml --extra-vars "datacenter=${datacenter}"
diff --git a/secrets-eqiad1.sh b/secrets-eqiad1.sh
new file mode 100644
index 00000000..6a74de2b
Binary files /dev/null and b/secrets-eqiad1.sh differ
diff --git a/tofu/main.tf b/tofu/main.tf
index 05c25edf..abcf6d4a 100644
--- a/tofu/main.tf
+++ b/tofu/main.tf
@@ -1,5 +1,15 @@
 terraform {
 required_version = ">= 1.6.0"
+ backend "s3" {
+ region = "eqiad1"
+ bucket = "paws:tofu-state"
+ endpoint = "https://object.eqiad1.wikimediacloud.org"
+ key = "state/main"
+
+ skip_region_validation = true
+ skip_credentials_validation = true
+ force_path_style = true
+ }
 required_providers {
 openstack = {
 source = "terraform-provider-openstack/openstack"
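Review bot: Nothing after `+source secrets-${datacenter}.sh` verifies that the file was actually read and that `ACCESS_KEY`/`SECRET_KEY` are non-empty; no `set -e` is visible in this hunk, and the committed secrets file is git-crypt ciphertext (the `Binary files` entry below), so on a locked or incomplete checkout the `source` fails, the two `AWS_*=… tofu` lines run with empty credentials, and the S3 backend presumably falls through to whatever ambient AWS credential chain the host has instead of failing fast. Guard it with `source "secrets-${datacenter}.sh" || exit 1` followed by `: "${ACCESS_KEY:?secrets-${datacenter}.sh not loaded (git-crypt unlock?)}" "${SECRET_KEY:?}"`. Note also that the `.gitattributes` hunk registers `secrets-codfw1dev.sh` while this diff only adds `secrets-eqiad1.sh`, so a codfw1dev run would stop at this line unless that file lands separately. Passing the keys as per-command environment assignments rather than `tofu` arguments is the right choice (they stay out of `ps`), but they would still be printed by `bash -x deploy.sh`, which is worth a comment above the `tofu init` line.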
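Review bot: The new `backend "s3"` block configures no state locking (no `dynamodb_table`, and an object-storage endpoint like this one offers no equivalent), so two concurrent `deploy.sh` runs against the same `state/main` key can race and corrupt the state; at minimum add `# no state locking on this backend: never run two deploys concurrently` above `backend "s3" {` and say the same in the README's new Disaster Recovery section. The state written to `paws:tofu-state` contains every resource attribute in plaintext, including any credentials tofu provisions, so read access to that container is equivalent to access to the secrets files and the container must stay private; the README text currently only says to create it. `force_path_style` is deprecated in favour of `use_path_style` as of the Terraform 1.6 s3 backend that `required_version = ">= 1.6.0"` already targets, and non-AWS endpoints commonly also need `skip_requesting_account_id = true` to avoid an STS call the object store cannot answer — verify both against the OpenTofu release in use before changing them.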