Commit 1f891175 authored by Daniele Valeriani's avatar Daniele Valeriani Committed by Ilya Frolov

Ops environment

parent 8b9d3bff
module "vnet" {
source = "../../modules/vnet"
location = "${var.location}"
resource_group_name = "${var.environment_full_name}"
address_space = ["10.250.0.0/16"]
dns_servers = ["10.67.4.101", "10.67.4.102", "10.67.4.103"]
}
module "subnet_ops" {
source = "../../modules/subnet"
subnet_name = "GitLabOps"
resource_group_name = "GitLabOps"
location = "${var.location}"
subnet_cidr = "10.250.1.0/24"
vnet_name = "${module.vnet.name}"
vnet_resource_group = "${module.vnet.resource_group_name}"
}
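Review bot: `resource_group_name = "GitLabOps"` hands the subnet module the same resource-group name the vnet module derives from `var.environment_full_name`, and as far as this page shows both modules declare their own `azurerm_resource_group "resource_group"` with that name, so two state entries would manage one Azure resource group and destroying either module would remove the group out from under the other. Either pass the vnet's group through (`resource_group_name = "${module.vnet.resource_group_name}"`) and drop the group resource from the subnet module, or give the subnet its own group name. At minimum the literal should become `"${var.environment_full_name}"` so the two call sites cannot drift apart silently.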
provider "azurerm" {
subscription_id = "${var.arm_subscription_id}"
client_id = "${var.arm_client_id}"
client_secret = "${var.arm_client_secret}"
tenant_id = "${var.arm_tenant_id}"
}
provider "aws" {
region = "us-east-1"
}
terraform {
backend "s3" {}
}
resource "azurerm_network_security_rule" "subnet_ops_ssh_from_vpn" {
name = "ssh-from-vpn"
priority = 140
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
source_address_prefix = "10.254.4.0/23"
destination_port_range = "22"
destination_address_prefix = "*"
resource_group_name = "${module.subnet_ops.resource_group_name}"
network_security_group_name = "${module.subnet_ops.security_group_name}"
}
resource "azurerm_network_security_rule" "subnet_ops_deny_all" {
name = "deny-all"
priority = 200
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
source_address_prefix = "*"
destination_port_range = "*"
destination_address_prefix = "*"
resource_group_name = "${module.subnet_ops.resource_group_name}"
network_security_group_name = "${module.subnet_ops.security_group_name}"
}
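Review bot: The `ssh-from-vpn` rule allows port 22 from 10.254.4.0/23 to `destination_address_prefix = "*"`; the NSG is attached to the subnet so it only sees that subnet's traffic today, but scoping the destination to `"${module.subnet_ops.address_prefix}"` (the module already exports it) records the intent and keeps the rule correct if the NSG is later attached to a NIC. The `deny-all` rule at priority 200 also sits ahead of Azure's default `AllowVnetInBound` and `AllowAzureLoadBalancerInBound` rules, so inbound traffic from other hosts in 10.250.0.0/16 — including whatever the `gitlab_consul` vault is provisioned for — is dropped unless an explicit allow is added; if that is intended, a comment saying so on the rule would save the next reader a trip to the portal. The provider documents the protocol values as `Tcp`/`Udp`/`*`; whether `"TCP"` is accepted depends on the provider version in use, so `protocol = "Tcp"` is the safer spelling.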
variable "environment" {
default = "ops"
}
variable "environment_full_name" {
default = "GitLabOps"
}
variable "domain_name" {
default = "gitlab.net"
}
variable "arm_subscription_id" {}
variable "arm_client_id" {}
variable "arm_client_secret" {}
variable "arm_tenant_id" {}
variable "ssh_user" {}
variable "ssh_private_key" {}
variable "ssh_public_key" {}
variable "location" {
default = "East US 2"
}
variable "chef_version" {
default = "12.19.36"
}
variable "chef_repo_dir" {}
variable "chef_vaults" {
type = "map"
default = {
"syslog_client" = "_default"
"gitlab_consul" = "client"
}
}
variable "gitlab_com_zone_id" {}
variable "gitlab_net_zone_id" {}
variable "use_dns" {
default = true
}
variable "use_tier_in_suffix" {
default = false
}
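Review bot: `ssh_private_key`, `ssh_public_key` and `arm_client_secret` are declared without a `description`, and nothing here says whether `ssh_private_key` is a path or the key material; the virtual-machine module reads it with `file(...)` and the bootstrap template passes it to `--ssh-identity-file`, so it is a path. Add `description = "Path on the operator's machine to the SSH private key used by knife bootstrap and remote-exec (a path, never the key itself)"` with the matching note on `ssh_public_key`, and `description = "Service-principal secret; supply via TF_VAR_arm_client_secret, not a tfvars file checked into the repo"` on `arm_client_secret`.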
module "virtual_machine_bot" {
chef_repo_dir = "${var.chef_repo_dir}"
chef_version = "${var.chef_version}"
chef_vaults = "${jsonencode(var.chef_vaults)}"
domain_name = "${var.domain_name}"
environment = "${var.environment}"
gitlab_com_zone_id = "${var.gitlab_com_zone_id}"
location = "${var.location}"
count = 1
instance_type = "Standard_B1s"
name = "bot"
resource_group_name = "${module.subnet_ops.resource_group_name}"
source = "../../modules/virtual-machine"
ssh_private_key = "${var.ssh_private_key}"
ssh_public_key = "${var.ssh_public_key}"
ssh_user = "${var.ssh_user}"
subnet_id = "${module.subnet_ops.subnet_id}"
tier = "ops"
use_dns = "${var.use_dns}"
use_tier_in_suffix = "${var.use_tier_in_suffix}"
}
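Review bot: The module is handed `gitlab_com_zone_id` while `domain_name` defaults to `gitlab.net`, and `gitlab_net_zone_id` is declared a few lines up but never used; inside the module the `aws_route53_record` builds its name from `domain_name` and writes it into `gitlab_com_zone_id`, so unless that variable actually holds the gitlab.net zone the record `bot-01.ops.gitlab.net` is either rejected by Route53 as outside the zone or lands in the wrong one. If the zone really is gitlab.net, pass `gitlab_com_zone_id = "${var.gitlab_net_zone_id}"` or rename the module input to say which zone it expects. The record also carries the VM's private 10.250.x address — fine in a private hosted zone, but it publishes internal addressing if the zone is public, which this page does not show.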
resource "azurerm_resource_group" "resource_group" {
name = "${var.resource_group_name}"
location = "${var.location}"
}
resource "azurerm_network_security_group" "security_group" {
name = "${var.subnet_name}"
location = "${var.location}"
resource_group_name = "${azurerm_resource_group.resource_group.name}"
}
resource "azurerm_subnet" "subnet" {
name = "${var.subnet_name}"
resource_group_name = "${var.vnet_resource_group}"
virtual_network_name = "${var.vnet_name}"
address_prefix = "${var.subnet_cidr}"
network_security_group_id = "${azurerm_network_security_group.security_group.id}"
}
output "subnet_id" {
value = "${azurerm_subnet.subnet.id}"
}
output "address_prefix" {
value = "${azurerm_subnet.subnet.address_prefix}"
}
output "resource_group_name" {
value = "${var.resource_group_name}"
}
output "resource_group_id" {
value = "${azurerm_resource_group.resource_group.id}"
}
output "security_group_name" {
value = "${azurerm_network_security_group.security_group.name}"
}
output "security_group_id" {
value = "${azurerm_network_security_group.security_group.id}"
}
variable "location" {
description = "The location"
}
variable "vnet_name" {
description = "The name of the virtual network"
}
variable "vnet_resource_group" {
description = "The name of the virtual network"
}
variable "subnet_cidr" {
description = "The CIDR of the subnet"
}
variable "subnet_name" {}
variable "resource_group_name" {}
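Review bot: `vnet_resource_group` carries the description "The name of the virtual network", copied from `vnet_name`; the value is used as `resource_group_name` on the `azurerm_subnet`, so `description = "The resource group that holds the virtual network (the subnet is created inside it)"` is the accurate text. `subnet_name` and `resource_group_name` have no description at all; the latter is the group this module creates and attaches the NSG to, which is worth stating because the subnet itself lands in the vnet's group, not this one.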
variable "chef_repo_dir" {}
variable "chef_vaults" {}
variable "chef_vault_env" {
default = "_default"
}
variable "chef_version" {}
variable "domain_name" {}
variable "environment" {}
variable "gitlab_com_zone_id" {}
variable "location" {}
variable "count" {}
variable "instance_type" {}
variable "name" {}
variable "resource_group_name" {}
variable "ssh_private_key" {}
variable "ssh_public_key" {}
variable "ssh_user" {}
variable "subnet_id" {}
variable "tier" {}
variable "use_dns" {}
variable "use_tier_in_suffix" {}
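Review bot: `variable "count"` uses a name that later Terraform releases reserve for the meta-argument (the 0.12 upgrade rejects it), so renaming it now — e.g. `instance_count` — while there is a single caller passing `count = 1` avoids a forced rename later. `chef_vaults` is documented nowhere although the environment passes `jsonencode(var.chef_vaults)` and the template both hands it to `--bootstrap-vault-json` and word-splits it in a `for` loop; a description stating the expected format would settle which of those two consumers is right.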
data "null_data_source" "suffixes" {
inputs = {
dns_suffix_with_tier = "${join(".", list(var.tier, var.environment == "prod" ? "prd" : var.environment, var.domain_name))}"
dns_suffix_without_tier = "${join(".", list(var.environment == "prod" ? "prd" : var.environment, var.domain_name))}"
resource_suffix_with_tier = "${join("-", list(var.tier, var.environment == "prod" ? "prd" : var.environment, var.domain_name))}"
resource_suffix_without_tier = "${join("-", list(var.environment == "prod" ? "prd" : var.environment, var.domain_name))}"
}
}
data "null_data_source" "full_domain" {
inputs = {
dns_domain = "${var.use_tier_in_suffix ? data.null_data_source.suffixes.outputs["dns_suffix_with_tier"] : data.null_data_source.suffixes.outputs["dns_suffix_without_tier"]}"
resource_domain = "${var.use_tier_in_suffix ? data.null_data_source.suffixes.outputs["resource_suffix_with_tier"] : data.null_data_source.suffixes.outputs["resource_suffix_without_tier"]}"
}
}
resource "azurerm_availability_set" "availability_set" {
name = "${format("%s-%s", var.name, var.environment)}"
location = "${var.location}"
managed = true
platform_update_domain_count = 20
platform_fault_domain_count = 3
resource_group_name = "${var.resource_group_name}"
}
resource "azurerm_network_interface" "nic" {
count = "${var.count}"
name = "${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])}"
internal_dns_name_label = "${format("%s-%02d-%v-%v", var.name, count.index + 1, var.tier, "gitlab-net")}" # sorry
location = "${var.location}"
resource_group_name = "${var.resource_group_name}"
ip_configuration {
name = "${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])}"
subnet_id = "${var.subnet_id}"
private_ip_address_allocation = "dynamic"
}
}
resource "aws_route53_record" "dns_record" {
count = "${var.use_dns ? var.count : 0}"
zone_id = "${var.gitlab_com_zone_id}"
name = "${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])}"
type = "A"
ttl = "300"
records = ["${azurerm_network_interface.nic.*.private_ip_address[count.index]}"]
}
data "template_file" "chef_bootstrap" {
count = "${var.count}"
template = "${file("${path.root}/../../templates/chef-bootstrap-ssh-keys.tpl")}"
vars {
chef_repo_dir = "${var.chef_repo_dir}"
chef_vaults = "${var.chef_vaults}"
chef_vault_env = "${var.chef_vault_env}"
chef_version = "${var.chef_version}"
environment = "${var.environment}"
hostname = "${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])}"
ip_address = "${azurerm_network_interface.nic.*.private_ip_address[count.index]}"
ssh_private_key = "${var.ssh_private_key}"
ssh_user = "${var.ssh_user}"
}
}
resource "azurerm_virtual_machine" "vm" {
count = "${var.count}"
name = "${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])}"
location = "${var.location}"
resource_group_name = "${var.resource_group_name}"
availability_set_id = "${azurerm_availability_set.availability_set.id}"
network_interface_ids = ["${azurerm_network_interface.nic.*.id[count.index]}"]
primary_network_interface_id = "${azurerm_network_interface.nic.*.id[count.index]}"
vm_size = "${var.instance_type}"
delete_os_disk_on_termination = true
storage_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}
storage_os_disk {
name = "${format("osdisk-%s-%02d-%s", var.name, count.index + 1, var.environment)}"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
# storage_data_disk {
# name = "${format("data-%s-%02d-%s", var.name, count.index + 1, var.environment)}"
# managed_disk_type = "Premium_LRS"
# create_option = "Empty"
# lun = 0
# disk_size_gb = "${var.datadisk_size}"
# }
os_profile {
computer_name = "${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])}"
admin_username = "${var.ssh_user}"
}
os_profile_linux_config {
disable_password_authentication = true
ssh_keys = {
path = "/home/${var.ssh_user}/.ssh/authorized_keys"
key_data = "${file("${var.ssh_public_key}")}"
}
}
provisioner "local-exec" {
command = "${data.template_file.chef_bootstrap.*.rendered[count.index]}"
}
provisioner "local-exec" {
when = "destroy"
command = "cd ${var.chef_repo_dir}; bundle exec knife node delete ${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])} -y; bundle exec knife client delete ${format("%s-%02d.%s", var.name, count.index + 1, data.null_data_source.full_domain.outputs["dns_domain"])} -y"
}
provisioner "remote-exec" {
inline = ["nohup bash -c 'sudo chef-client &'"]
connection {
type = "ssh"
host = "${azurerm_network_interface.nic.*.private_ip_address[count.index]}"
user = "${var.ssh_user}"
private_key = "${file("${var.ssh_private_key}")}"
timeout = "10s"
}
}
}
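Review bot: The `remote-exec` provisioner runs `nohup bash -c 'sudo chef-client &'`, so the first convergence is detached and Terraform reports the VM as provisioned before chef-client has done anything; a failure in that run is invisible to `apply` and only shows up on the node. If the intent is merely to stay under the 10s connection timeout, run it in the foreground with the timeout raised and let the provisioner fail on a non-zero exit; if the background run is deliberate, a comment saying why and where the log lands belongs on that line. The destroy-time `local-exec` chains `knife node delete` and `knife client delete` with `;`, so a failed node delete is skipped silently while the client delete still runs; `&&` would surface it, at the cost of blocking destroy until the Chef server is reachable.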
resource "azurerm_resource_group" "resource_group" {
name = "${var.resource_group_name}"
location = "${var.location}"
}
resource "azurerm_virtual_network" "vnet" {
name = "${var.resource_group_name}"
address_space = "${var.address_space}"
location = "${var.location}"
resource_group_name = "${azurerm_resource_group.resource_group.name}"
dns_servers = "${var.dns_servers}"
}
output "id" {
value = "${azurerm_virtual_network.vnet.id}"
}
output "name" {
value = "${azurerm_virtual_network.vnet.name}"
}
output "resource_group_name" {
value = "${azurerm_resource_group.resource_group.name}"
}
variable "location" {}
variable "resource_group_name" {}
variable "address_space" {
type = "list"
}
variable "dns_servers" {
type = "list"
}
#!/bin/sh
set -eux
cd ${chef_repo_dir}
cd "${chef_repo_dir}"
bundle exec knife bootstrap ${ssh_user}@${ip_address} \
--ssh-identity-file ${ssh_private_key} \
bundle exec knife bootstrap "${ssh_user}@${ip_address}" \
--ssh-identity-file "${ssh_private_key}" \
--no-host-key-verify \
--sudo \
--environment ${environment == "prod" ? "prd" : environment} \
--node-name ${hostname} \
--environment "${environment == "prod" ? "prd" : environment}" \
--node-name "${hostname}" \
--bootstrap-version "${chef_version}" \
--run-list 'role[gitlab]' \
--json-attributes {\"azure\":{\"ipaddress\":\"${ip_address}\"}} \
--json-attributes "{\"azure\":{\"ipaddress\":\"${ip_address}\"}}" \
--bootstrap-vault-json '${chef_vaults}' \
--yes
for i in ${chef_vaults}
do
vault="`echo $i | cut -d : -f 1`"
if [[ $i == *':'* ]]; then
item="`echo $i | cut -d : -f 2`"
elif [[ $i == "syslog_client" ]]; then
item="_default"
else
item="${chef_vault_env}"
fi
bundle exec rake 'add_node_secrets[${hostname},'$vault','$item']'
done
bundle exec knife node from file nodes/${hostname}.json
bundle exec knife node from file "nodes/${hostname}.json"
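Review bot: `knife bootstrap` runs with `--no-host-key-verify`, so the SSH session that delivers the validator key and the `--bootstrap-vault-json` secrets accepts any host key; with the NIC's private IP known before bootstrap, the VM's host key can be fetched out of band (serial console or boot diagnostics) into the operator's known_hosts before the run, or at least a comment should record that the risk is accepted because the path is VPN-only. The quoting added in this commit is welcome, but `[[ $i == *':'* ]]` is a bashism and `local-exec` runs the rendered script with `/bin/sh -c` regardless of the `#!/bin/sh` line, so on a host whose sh is dash the loop fails at the first test; a `case` statement is portable. Separately, `for i in ${chef_vaults}` expects a whitespace-separated `vault:item` list while the ops environment passes `jsonencode(var.chef_vaults)` — the same value handed to `--bootstrap-vault-json` — so the loop would see a single JSON token; one of the two consumers needs a different input.
```shell
for i in ${chef_vaults}
do
  vault="`echo $i | cut -d : -f 1`"
  case "$i" in
    *:*) item="`echo $i | cut -d : -f 2`" ;;
    syslog_client) item="_default" ;;
    *) item="${chef_vault_env}" ;;
  esac
  # … unchanged: add_node_secrets rake call …
done
```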