diff --git a/azure/README.md b/azure/README.md index 44eac45..c2e14ae 100644 --- a/azure/README.md +++ b/azure/README.md 
@@ -1,74 +1,83 @@ SWH azure provisioning ------------------------- # Pre-requisite - az [1] - rights in the azure portal [2] [1] https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view=azure-cli-latest [2] https://portal.azure.com +Note: `azure-cli` is actually a Python package, so it can also be installed in +a virtualenv (preferably a frech dedicated one, since it pulls something like +130 packages.): + +``` sh +$ mkvirtualenv -p /usr/bin/python3 -a $PWD azure +(azure) $ +``` + # Create vm ``` sh $ ./create-vm.sh # create a node with name `name` and `type` at `location` # ... $ ./create-vm.sh worker01 worker euwest # creates a node worker01.euwest.azure of type `worker` at location `euwest` (default) # ... $ ./create-vm.sh dbreplica1 db # creates a node webapp0 of type `db` at location euwest # ... ``` Possible names: - worker01 - webapp0 - dbreplica0 Possible types: - db (replica or otherwise) - storage (stoarge service) - worker (computing nodes) - webapp This will: - create an azure vm node - running the latest debian stable (9 as of this writing) - with admin user zack (uid 1000) - with a local public key (so that we can connect later on) - and continue the provisioning steps # Provision ``` sh ADMIN_USER=zack scp ./provision-vm.sh $ADMIN_USER@:/tmp/ # check the ip and access the vm ssh $ADMIN_USER@ $ chmod +x /tmp/provision-vm.sh $ sudo /tmp/provision-vm.sh (public|private) # ... # Use Example: # machine destined to be publicly accessible $ sudo /tmp/provision-vm.sh public # ... # machine destined to be only seen through our vpn $ sudo /tmp/provision-vm.sh private ``` # update DNS server Trigger a record refresh on the dns server (pergamon) ``` sh $ sudo puppet agent --test ``` # More documentation cf. [New machine setup](https://wiki.softwareheritage.org/index.php?title=New_machine_setup#Setting_up_a_new_Virtual_Machine_.28semi-manual_process.29) diff --git a/azure/terraform/init.tf b/azure/terraform/init.tf index 02bb809..92ea2b2 100644 
--- a/azure/terraform/init.tf +++ b/azure/terraform/init.tf 
@@ -1,61 +1,66 @@ # Keyword use: # - provider: Define the provider(s) # - data: Retrieve data information to be used within the file # - resource: Define resource and create/update terraform { backend "azurerm" { resource_group_name = "euwest-admin" storage_account_name = "swhterraform" container_name = "tfstate" key = "prod.azure.terraform.tfstate" } } # Configure the Microsoft Azure Provider # Empty if using the `az login` tool provider "azurerm" { version = "=1.43.0" } # Reuse the network security group as defined currently data "azurerm_network_security_group" "worker-nsg" { name = "worker-nsg" resource_group_name = "swh-resource" } # Same for the subnet data "azurerm_subnet" "default" { name = "default" virtual_network_name = "swh-vnet" resource_group_name = "swh-resource" } # same for resource group used by storage servers data "azurerm_resource_group" "euwest-servers" { name = "euwest-servers" } variable "firstboot_script" { type = string default = "/root/firstboot.sh" } variable "ssh_key_data_ardumont" { type = string default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZarzgHrzUYspvrgSI6fszrALo92BDys7QOkJgUfZa9t9m4g7dUANNtwBiqIbqijAQPmB1zKgG6QTZC5rJkRy6KqXCW/+Qeedw/FWIbuI7jOD5WxnglbEQgvPkkB8kf1xIF7icRfWcQmK2je/3sFd9yS4/+jftNMPPXkBCxYm74onMenyllA1akA8FLyujLu6MNA1D8iLLXvz6pBDTT4GZ5/bm3vSE6Go8Xbuyu4SCtYZSHaHC2lXZ6Hhi6dbli4d3OwkUWz+YhFGaEra5Fx45Iig4UCL6kXPkvL/oSc9KGerpT//Xj9qz1K7p/IrBS8+eA4X69bHYYV0UZKDADZSn ardumont@yavin4" } +variable "ssh_key_data_douardda" { + type = string + default = "ssh-rsa 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 david.douard@sdfa3.org" +} + variable "ssh_key_data_olasd" { type = string default = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ1TCpfzrvxLhEMhxjbxqPDCwY0nazIr1cyIbhGD2bUdAbZqVMdNtr7MeDnlLIKrIPJWuvltauvLNkYU0iLc1jMntdBCBM3hgXjmTyDtc8XvXseeBp5tDqccYNR/cnDUuweNcL5tfeu5kzaAg3DFi5Dsncs5hQK5KQ8CPKWcacPjEk4ir9gdFrtKG1rZmg/wi7YbfxrJYWzb171hdV13gSgyXdsG5UAFsNyxsKSztulcLKxvbmDgYbzytr38FK2udRk7WuqPbtEAW1zV4yrBXBSB/uw8EAMi+wwvLTwyUcEl4u0CTlhREljUx8LhYrsQUCrBcmoPAmlnLCD5Q9XrGH nicolasd@darboux id_rsa.inria.pub" } variable "user_admin" { type = string default = "tmpadmin" } variable "boot_diagnostics_uri" { default = "https://swhresourcediag966.blob.core.windows.net" } diff --git a/azure/terraform/mirror.tf b/azure/terraform/mirror.tf new file mode 100644 index 0000000..8ac13a8 --- /dev/null +++ b/azure/terraform/mirror.tf 
@@ -0,0 +1,311 @@ +# Define a new resource for a (test) mirror +# matching what we name elsewhere "euwest-${resource}" + +variable "mirror_replay_servers" { + default = 4 +} + +data "azurerm_platform_image" "debian10" { + location = "westeurope" + publisher = "debian" + offer = "debian-10" + sku = "10" +} + +resource "azurerm_resource_group" "euwest-mirror-test" { + name = "euwest-mirror-test" + location = "westeurope" + + tags = { + environment = "SWH Mirror" + } +} + +resource "azurerm_network_security_group" "mirror-nsg" { + name = "mirror-nsg" + resource_group_name = "euwest-mirror-test" + location = "westeurope" +} + +locals { + mirror_replay_servers = { + for i in range(var.mirror_replay_servers): + format("mirror-replay%02d", i + 1) => { + datadisks = {} + } + } +} + + +# master machine - run the docker swarm master node on which will run +# most of the services but the db and replayers +resource "azurerm_network_interface" "mirror-master-interface" { + name = "mirror-master-interface" + location = "westeurope" + resource_group_name = "euwest-mirror-test" + network_security_group_id = azurerm_network_security_group.mirror-nsg.id + + ip_configuration { + name = "mirrorMasterNicConfiguration" + subnet_id = data.azurerm_subnet.default.id + public_ip_address_id = "" + private_ip_address_allocation = "Dynamic" + } +} +#resource "azurerm_managed_disk" "mirror-master-osdisk" { +# name = "mirror-master-osdisk" +# create_option = "FromImage" +# location = "westeurope" +# resource_group_name = "euwest-mirror-test" +# storage_account_type = "Premium_LRS" +# image_reference_id = data.azurerm_platform_image.debian10.id + #image_reference_id = "/Subscriptions/49b7f681-8efc-4689-8524-870fc0c1db09/Providers/Microsoft.Compute/Locations/westeurope/Publishers/Debian/ArtifactTypes/VMImage/Offers/debian-10/Skus/10" +#} +resource "azurerm_virtual_machine" "mirror-master" { + name = "mirror-master" + location = "westeurope" + resource_group_name = "euwest-mirror-test" + 
network_interface_ids = [azurerm_network_interface.mirror-master-interface.id] + vm_size = "Standard_B2ms" + + + delete_os_disk_on_termination = true + +# storage_os_disk { +# create_option = "attach" +# name = "mirror-master-osdisk" +# caching = "ReadWrite" +# managed_disk_id = azurerm_managed_disk.mirror-master-osdisk.id +# os_type = "Linux" +# } + + storage_os_disk { + name = "mirror-master-osdisk" + caching = "ReadWrite" + create_option = "FromImage" + managed_disk_type = "Premium_LRS" + } + + storage_image_reference { + publisher = "debian" + offer = "debian-10" + sku = "10" + version = "latest" + } + + os_profile { + computer_name = "mirror-master" + admin_username = var.user_admin + } + + os_profile_linux_config { + disable_password_authentication = true + ssh_keys { + path = "/home/${var.user_admin}/.ssh/authorized_keys" + key_data = var.ssh_key_data_douardda + } + } + + provisioner "remote-exec" { + inline = [ + "sudo mkdir /root/.ssh", + "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", + "echo ${var.ssh_key_data_douardda} | sudo tee -a /root/.ssh/authorized_keys", + "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys" + ] + + connection { + type = "ssh" + user = var.user_admin + host = azurerm_network_interface.mirror-master-interface.private_ip_address + } + } + + tags = { + environment = "SWH Mirror" + } +} + +# the DB host +resource "azurerm_network_interface" "mirror-db-interface" { + name = "mirror-db-interface" + location = "westeurope" + resource_group_name = "euwest-mirror-test" + network_security_group_id = azurerm_network_security_group.mirror-nsg.id + + ip_configuration { + name = "mirrorDbNicConfiguration" + subnet_id = data.azurerm_subnet.default.id + public_ip_address_id = "" + private_ip_address_allocation = "Dynamic" + } +} +resource "azurerm_managed_disk" "mirror-db-storage" { + name = "mirror-db-disk1" + location = azurerm_resource_group.euwest-mirror-test.location + resource_group_name = 
azurerm_resource_group.euwest-mirror-test.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = 1024 +} + +resource "azurerm_virtual_machine_data_disk_attachment" "mirror-db-storage" { + managed_disk_id = azurerm_managed_disk.mirror-db-storage.id + virtual_machine_id = azurerm_virtual_machine.mirror-db.id + lun = "10" + caching = "ReadWrite" +} + +resource "azurerm_virtual_machine" "mirror-db" { + name = "mirror-db" + location = "westeurope" + resource_group_name = "euwest-mirror-test" + network_interface_ids = [azurerm_network_interface.mirror-db-interface.id] + vm_size = "Standard_F8s_v2" + delete_os_disk_on_termination = true + + storage_os_disk { + name = "mirror-db-osdisk" + caching = "ReadWrite" + create_option = "FromImage" + managed_disk_type = "Premium_LRS" + } + + storage_image_reference { + publisher = "debian" + offer = "debian-10" + sku = "10" + version = "latest" + } + + os_profile { + computer_name = "mirror-db" + admin_username = var.user_admin + } + + os_profile_linux_config { + disable_password_authentication = true + ssh_keys { + path = "/home/${var.user_admin}/.ssh/authorized_keys" + key_data = var.ssh_key_data_douardda + } + } + + provisioner "remote-exec" { + inline = [ + "sudo mkdir /root/.ssh", + "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", + "echo ${var.ssh_key_data_douardda} | sudo tee -a /root/.ssh/authorized_keys", + "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys" + ] + + connection { + type = "ssh" + user = var.user_admin + host = azurerm_network_interface.mirror-db-interface.private_ip_address + } + } + + tags = { + environment = "SWH Mirror" + } +} + +# replayer machines +resource "azurerm_network_interface" "mirror-replayer-interface" { + for_each = local.mirror_replay_servers + + name = format("%s-interface", each.key) + location = "westeurope" + resource_group_name = azurerm_resource_group.euwest-mirror-test.name + network_security_group_id 
= azurerm_network_security_group.mirror-nsg.id + #enable_accelerated_networking = true + + ip_configuration { + name = "mirrorReplayerNicConfiguration" + subnet_id = data.azurerm_subnet.default.id + public_ip_address_id = "" + private_ip_address_allocation = "Dynamic" + } + + depends_on = [azurerm_resource_group.euwest-mirror-test] +} +resource "azurerm_virtual_machine" "mirror-replayer" { + for_each = local.mirror_replay_servers + name = each.key + location = "westeurope" + resource_group_name = "euwest-mirror-test" + network_interface_ids = [azurerm_network_interface.mirror-replayer-interface[each.key].id] + vm_size = "Standard_B2s" + + delete_os_disk_on_termination = true + delete_data_disks_on_termination = true + + storage_os_disk { + name = format("%s-osdisk", each.key) + caching = "ReadWrite" + create_option = "FromImage" + managed_disk_type = "Premium_LRS" + } + + storage_image_reference { + publisher = "debian" + offer = "debian-10" + sku = "10" + version = "latest" + } + + os_profile { + computer_name = each.key + admin_username = var.user_admin + } + + os_profile_linux_config { + disable_password_authentication = true + ssh_keys { + path = "/home/${var.user_admin}/.ssh/authorized_keys" + key_data = var.ssh_key_data_douardda + } + } + + provisioner "remote-exec" { + inline = [ + "sudo mkdir /root/.ssh", + "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", + "echo ${var.ssh_key_data_douardda} | sudo tee -a /root/.ssh/authorized_keys", + "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys" + ] + + connection { + type = "ssh" + user = var.user_admin + host = azurerm_network_interface.mirror-replayer-interface[self.name].private_ip_address + } + } + + tags = { + environment = "SWH Mirror" + } +} + +# for the obj storage, if any +#resource "azurerm_storage_account" "mirror-storage" { +# name = "mirror-storage" +# resource_group_name = "${azurerm_resource_group.euwest-mirror-test.name}" +# location = "westeurope" 
+# account_tier = "Standard" +# account_replication_type = "LRS" +# account_kind = "BlobStorage" +# access_tier = "Cool" +# tags = { +# environment = "SWH Mirror Storage" +# } +#} + +# A container for the blob storage named 'contents' (as other blob storages) +#resource "azurerm_storage_container" "mirror-graph-storage" { +# name = "mirror-graph-storage" +# resource_group_name = "${azurerm_resource_group.euwest-mirror-test.name}" +# storage_account_name = "${azurerm_storage_account.mirror-storage.name}" +# container_access_type = "private" +#} diff --git a/azure/terraform/vault.tf b/azure/terraform/vault.tf index 777023d..5990b7b 100644 --- a/azure/terraform/vault.tf +++ b/azure/terraform/vault.tf 
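Review bot: `azurerm_network_security_group.mirror-nsg`, the `mirror-master-interface` and `mirror-db-interface` NICs and all three `azurerm_virtual_machine` resources name the resource group by the literal `"euwest-mirror-test"` instead of `azurerm_resource_group.euwest-mirror-test.name`, so Terraform records no dependency on the group and may try to create them before it exists on a fresh apply; only the replayer NIC works around this with `depends_on`. In the three `remote-exec` provisioners, `sudo mkdir /root/.ssh` fails (and aborts the provisioner) if the directory already exists, and the key variables are spliced unquoted into the shell line; `"sudo mkdir -p -m 700 /root/.ssh"` and `"echo '${var.ssh_key_data_ardumont}' | sudo tee -a /root/.ssh/authorized_keys"` (likewise for the other two keys) would be more robust. `mirror-nsg` is declared with no `security_rule` block, so filtering on these NICs relies entirely on the Azure default rules; if that is intentional for the test mirror, a comment on the resource saying so would help the next reader. `data.azurerm_platform_image.debian10` is only referenced from the commented-out managed-disk block, so it should either be removed or the comment should say why it is kept.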
@@ -1,88 +1,86 @@ # Define a new resource for the vault # matching what we name elsewhere "euwest-${resource}" resource "azurerm_resource_group" "euwest-vault" { name = "euwest-vault" location = "westeurope" tags = { environment = "SWH Vault" } } resource "azurerm_network_interface" "vangogh-interface" { name = "vangogh-interface" location = "westeurope" resource_group_name = "euwest-vault" network_security_group_id = data.azurerm_network_security_group.worker-nsg.id ip_configuration { name = "vaultNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } } # Blobstorage as defined in task resource "azurerm_storage_account" "vault-storage" { name = "swhvaultstorage" resource_group_name = azurerm_resource_group.euwest-vault.name location = "westeurope" account_tier = "Standard" account_replication_type = "LRS" account_kind = "BlobStorage" access_tier = "Cool" tags = { environment = "SWH Vault" } } # A container for the blob storage named 'contents' (as other blob storages) resource "azurerm_storage_container" "contents" { name = "contents" - resource_group_name = azurerm_resource_group.euwest-vault.name storage_account_name = azurerm_storage_account.vault-storage.name container_access_type = "private" } resource "azurerm_virtual_machine" "vault-server" { name = "vangogh" location = "westeurope" resource_group_name = "euwest-vault" network_interface_ids = [azurerm_network_interface.vangogh-interface.id] vm_size = "Standard_B2ms" storage_os_disk { name = "vangogh-osdisk" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { publisher = "credativ" offer = "Debian" sku = "9" version = "latest" } # (Va)ngogh <-> (Va)ult os_profile { computer_name = "vangogh" admin_username = "ardumont" } os_profile_linux_config { disable_password_authentication = true ssh_keys { path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = 
var.ssh_key_data_ardumont } } tags = { environment = "SWH Vault" } } -