Page MenuHomeSoftware Heritage
Differential D1495

azure/terraform: Add azure vault vm using terraform
ClosedPublic
Actions

Authored by ardumont on May 20 2019, 6:31 PM.

Details

Reviewers
olasd
ftigeot
douardda
vlorentz
Group Reviewers
Reviewers
Commits
rSPREbcd3e28cf36e: azure/terraform/README.md: Describe what the vault.tf is about
rSPRE51f0205466d0: azure/terraform: Add azure vault vm to azure using terraform
Summary

Related T1716

Test Plan
($ terraform init)
$ terraform plan

Output:

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.azurerm_subnet.default: Refreshing state...
data.azurerm_network_security_group.worker-nsg: Refreshing state...

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + azurerm_network_interface.vault-servers_interfaces
      id:                                                                 <computed>
      applied_dns_servers.#:                                              <computed>
      dns_servers.#:                                                      <computed>
      enable_accelerated_networking:                                      "false"
      enable_ip_forwarding:                                               "false"
      internal_dns_name_label:                                            <computed>
      internal_fqdn:                                                      <computed>
      ip_configuration.#:                                                 "1"
      ip_configuration.0.application_gateway_backend_address_pools_ids.#: <computed>
      ip_configuration.0.application_security_group_ids.#:                <computed>
      ip_configuration.0.load_balancer_backend_address_pools_ids.#:       <computed>
      ip_configuration.0.load_balancer_inbound_nat_rules_ids.#:           <computed>
      ip_configuration.0.name:                                            "vaultNicConfiguration"
      ip_configuration.0.primary:                                         <computed>
      ip_configuration.0.private_ip_address_allocation:                   "dynamic"
      ip_configuration.0.private_ip_address_version:                      "IPv4"
      ip_configuration.0.subnet_id:                                       "/subscriptions/<redacted>/resourceGroups/swh-resource/providers/Microsoft.Network/virtualNetworks/swh-vnet/subnets/default"
      location:                                                           "westeurope"
      mac_address:                                                        <computed>
      name:                                                               "vault-server-0-interface"
      network_security_group_id:                                          "/subscriptions/<redacted>/resourceGroups/swh-resource/providers/Microsoft.Network/networkSecurityGroups/worker-nsg"
      private_ip_address:                                                 <computed>
      private_ip_addresses.#:                                             <computed>
      resource_group_name:                                                "euwest-vault"
      tags.%:                                                             <computed>
      virtual_machine_id:                                                 <computed>

  + azurerm_resource_group.euwest-vault
      id:                                                                 <computed>
      location:                                                           "westeurope"
      name:                                                               "euwest-vault"
      tags.%:                                                             "1"
      tags.environment:                                                   "SWH Vault"

  + azurerm_storage_account.vault-storage
      id:                                                                 <computed>
      access_tier:                                                        "Cool"
      account_encryption_source:                                          "Microsoft.Storage"
      account_kind:                                                       "BlobStorage"
      account_replication_type:                                           "LRS"
      account_tier:                                                       "Standard"
      enable_blob_encryption:                                             "false"
      enable_file_encryption:                                             "false"
      identity.#:                                                         <computed>
      is_hns_enabled:                                                     "false"
      location:                                                           "westeurope"
      name:                                                               "vaultstorage"
      primary_access_key:                                                 <computed>
      primary_blob_connection_string:                                     <computed>
      primary_blob_endpoint:                                              <computed>
      primary_blob_host:                                                  <computed>
      primary_connection_string:                                          <computed>
      primary_dfs_endpoint:                                               <computed>
      primary_dfs_host:                                                   <computed>
      primary_file_endpoint:                                              <computed>
      primary_file_host:                                                  <computed>
      primary_location:                                                   <computed>
      primary_queue_endpoint:                                             <computed>
      primary_queue_host:                                                 <computed>
      primary_table_endpoint:                                             <computed>
      primary_table_host:                                                 <computed>
      primary_web_endpoint:                                               <computed>
      primary_web_host:                                                   <computed>
      resource_group_name:                                                "euwest-vault"
      secondary_access_key:                                               <computed>
      secondary_blob_connection_string:                                   <computed>
      secondary_blob_endpoint:                                            <computed>
      secondary_blob_host:                                                <computed>
      secondary_connection_string:                                        <computed>
      secondary_dfs_endpoint:                                             <computed>
      secondary_dfs_host:                                                 <computed>
      secondary_file_endpoint:                                            <computed>
      secondary_file_host:                                                <computed>
      secondary_location:                                                 <computed>
      secondary_queue_endpoint:                                           <computed>
      secondary_queue_host:                                               <computed>
      secondary_table_endpoint:                                           <computed>
      secondary_table_host:                                               <computed>
      secondary_web_endpoint:                                             <computed>
      secondary_web_host:                                                 <computed>
      tags.%:                                                             "1"
      tags.environment:                                                   "SWH Vault"

  + azurerm_virtual_machine.vault-servers
      id:                                                                 <computed>
      availability_set_id:                                                <computed>
      delete_data_disks_on_termination:                                   "false"
      delete_os_disk_on_termination:                                      "false"
      identity.#:                                                         <computed>
      location:                                                           "westeurope"
      name:                                                               "vatican"
      network_interface_ids.#:                                            <computed>
      os_profile.#:                                                       "1"
      os_profile.3272332376.admin_password:                               <sensitive>
      os_profile.3272332376.admin_username:                               "ardumont"
      os_profile.3272332376.computer_name:                                "vatican"
      os_profile.3272332376.custom_data:                                  <computed>
      os_profile_linux_config.#:                                          "1"
      os_profile_linux_config.69840937.disable_password_authentication:   "true"
      os_profile_linux_config.69840937.ssh_keys.#:                        "1"
      os_profile_linux_config.69840937.ssh_keys.0.key_data:               "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZarzgHrzUYspvrgSI6fszrALo92BDys7QOkJgUfZa9t9m4g7dUANNtwBiqIbqijAQPmB1zKgG6QTZC5rJkRy6KqXCW/+Qeedw/FWIbuI7jOD5WxnglbEQgvPkkB8kf1xIF7icRfWcQmK2je/3sFd9yS4/+jftNMPPXkBCxYm74onMenyllA1akA8FLyujLu6MNA1D8iLLXvz6pBDTT4GZ5/bm3vSE6Go8Xbuyu4SCtYZSHaHC2lXZ6Hhi6dbli4d3OwkUWz+YhFGaEra5Fx45Iig4UCL6kXPkvL/oSc9KGerpT//Xj9qz1K7p/IrBS8+eA4X69bHYYV0UZKDADZSn ardumont@bespin"
      os_profile_linux_config.69840937.ssh_keys.0.path:                   "/home/ardumont/.ssh/authorized_keys"
      resource_group_name:                                                "euwest-vault"
      storage_data_disk.#:                                                <computed>
      storage_image_reference.#:                                          "1"
      storage_image_reference.1202893792.id:                              ""
      storage_image_reference.1202893792.offer:                           "Debian"
      storage_image_reference.1202893792.publisher:                       "credativ"
      storage_image_reference.1202893792.sku:                             "9"
      storage_image_reference.1202893792.version:                         "latest"
      storage_os_disk.#:                                                  "1"
      storage_os_disk.0.caching:                                          "ReadWrite"
      storage_os_disk.0.create_option:                                    "FromImage"
      storage_os_disk.0.disk_size_gb:                                     <computed>
      storage_os_disk.0.managed_disk_id:                                  <computed>
      storage_os_disk.0.managed_disk_type:                                "Premium_LRS"
      storage_os_disk.0.name:                                             "vault-server-0_osdisk"
      storage_os_disk.0.write_accelerator_enabled:                        "false"
      tags.%:                                                             "1"
      tags.environment:                                                   "SWH Vault"
      vm_size:                                                            "Standard_DS2_v2"


Plan: 4 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Diff Detail

Repository
rSPRE sysadm-provisioning
Branch
master
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 5835
Build 7993: arc lint + arc unit

Event Timeline

ardumont created this revision.May 20 2019, 6:31 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptMay 20 2019, 6:31 PM
Harbormaster completed remote builds in B5835: Diff 4897.May 20 2019, 6:31 PM
ardumont added inline comments.May 20 2019, 6:35 PM
.gitignore
1

As far as i understood it, this is filled with needed plugins installed by terraform init.

azure/terraform/README.md
29

Maybe we should have a generic admin user with a key in the swh password-store and set that as default here.

azure/terraform/variables.tf
8

Here would be the use case for the generic admin user and its associated public key.
(Maybe we already have that somewhere, i don't remember).

ardumont added reviewers: olasd, ftigeot, douardda, vlorentz.May 20 2019, 6:39 PM
vlorentz added a comment.May 21 2019, 9:57 AM

lgtm

azure/terraform/vault.tf
69

s/servers/workers/ ?

77

What about a B2ms or B4ms? They are roughly the same price, but you get more "burst" CPU power, which is good for a worker

ardumont added inline comments.May 21 2019, 10:34 AM
azure/terraform/vault.tf
69

It's for the vault's api and the objstorage's api, that's why i called it servers.

The cooking workers are already set up (and not part of this, but could be? <- outside of the diff's scope ;)

77

I did not get into that much details yet.
Thanks for reminding me. I kept the initial reference of the worker machine.

The use case here:

  • 2 apis (objstorage, cooking) running on the same machine.
  • discussion with a remote db (cache on prado)
  • discussion with a remote storage (running on azure)

Comparison:

|-----------+----------+-----------------+-------+------+-----------+----------+--------------+----------------|
| vm size   | offering | family          | vcpus | rams | data disk | max iops | temp storage | cost/month (€) |
|-----------+----------+-----------------+-------+------+-----------+----------+--------------+----------------|
| B2ms      | Standard | General purpose |     2 |    8 |         4 |     2400 | 16 GB        |          52.20 |
| B4ms      | Standard | General purpose |     4 |   16 |         8 |     3600 | 32 GB        |         104.15 |
| DS2_v2    | Standard | General purpose |     2 |    7 |         8 |     6400 | 14 GB        |          91.60 |
| D2s_v3    | Standard | General purpose |     2 |    8 |         4 |     3200 | 16 GB        |          60.23 |
|-----------+----------+-----------------+-------+------+-----------+----------+--------------+----------------|
| orangerie | X        | X               |     2 |    2 |         X |        ? |              |                |
|-----------+----------+-----------------+-------+------+-----------+----------+--------------+----------------|

The actual machine running the vault is orangerie.

ardumont updated this revision to Diff 4899.May 21 2019, 10:50 AM

Use B2ms as default vm size machine

Harbormaster completed remote builds in B5839: Diff 4899.May 21 2019, 10:50 AM
ardumont edited the test plan for this revision. (Show Details)May 21 2019, 10:51 AM
ardumont updated this revision to Diff 4901.May 21 2019, 11:44 AM

Rename vaultstorage blobstorage to swhvaultstorage

As otherwise, terraform complains it already exists.

Harbormaster completed remote builds in B5841: Diff 4901.May 21 2019, 11:44 AM
ardumont updated this revision to Diff 4903.May 21 2019, 12:16 PM

Add missing container for the new blob storage

Harbormaster completed remote builds in B5843: Diff 4903.May 21 2019, 12:16 PM
douardda added inline comments.May 21 2019, 12:29 PM
azure/terraform/README.md
1

I'd be delighted to have a 'what' part, i.e. an explanation of what this does, with a description of the deployed architecture, before entering the 'how' part.

ardumont added inline comments.May 21 2019, 1:09 PM
azure/terraform/vault.tf
86

Count is not needed, so this will be simplified (other instances as well).

109

Thanks for olasd's heads up, it's not one museum, so i'll change to 'vangogh' instead.

ardumont updated this revision to Diff 4904.May 21 2019, 1:11 PM

Simplify resources declaration

Harbormaster completed remote builds in B5844: Diff 4904.May 21 2019, 1:11 PM
ardumont updated this revision to Diff 4919.May 21 2019, 1:45 PM
  • azure/terraform/README.md: Describe what the vault.tf is about
Harbormaster completed remote builds in B5858: Diff 4919.May 21 2019, 1:45 PM
ardumont mentioned this in T1716: Vault: Migrate vault infrastructure to azure.May 21 2019, 2:51 PM

Thanks all for the reviews ;)

This revision was not accepted when it landed; it landed in state Needs Review.May 21 2019, 5:00 PM
Closed by commit rSPRE51f0205466d0: azure/terraform: Add azure vault vm to azure using terraform (authored by ardumont). · Explain Why
This revision was automatically updated to reflect the committed changes.
ardumont mentioned this in D1499: vault: Setup new vangogh server.May 22 2019, 9:58 AM

Revision Contents
Changeset List

PathSize
1 line
azure/
terraform/
37 lines
9 lines
118 lines

Diff 4897

View Options

.gitignore

Loading...
View Options

azure/terraform/README.md

Loading...
View Options

azure/terraform/variables.tf

Loading...
View Options

azure/terraform/vault.tf

Loading...
About · Developer information · Legal