diff --git a/azure/terraform/cassandra-replayers.tf b/azure/terraform/cassandra-replayers.tf
index 17656c0..e57632b 100644
--- a/azure/terraform/cassandra-replayers.tf
+++ b/azure/terraform/cassandra-replayers.tf
@@ -1,143 +1,146 @@ variable "cassandra_replay_servers" { default = 0 } resource "azurerm_resource_group" "euwest-cassandra-replay" { # Disable this - count = 0 + count = 0 name = "euwest-cassandra-replay" location = "westeurope" tags = { environment = "Cassandra" } } locals { cassandra_replay_servers = { - for i in range(var.cassandra_replay_servers): - format("cassandra-replay%02d", i + 1) => { - datadisks = {} - } + for i in range(var.cassandra_replay_servers) : + format("cassandra-replay%02d", i + 1) => { + datadisks = {} + } } } - - resource "azurerm_network_interface" "cassandra-replayer-interface" { - for_each = local.cassandra_replay_servers + for_each = local.cassandra_replay_servers - name = format("%s-interface", each.key) - location = "westeurope" - resource_group_name = azurerm_resource_group.euwest-cassandra-replay[0].name - network_security_group_id = data.azurerm_network_security_group.worker-nsg.id + name = format("%s-interface", each.key) + location = "westeurope" + resource_group_name = azurerm_resource_group.euwest-cassandra-replay[0].name enable_accelerated_networking = true ip_configuration { name = "vaultNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } - depends_on = [azurerm_resource_group.euwest-cassandra-replay] + depends_on = [azurerm_resource_group.euwest-cassandra-replay] } +resource "azurerm_network_interface_security_group_association" "cassandra-replayer-interface-sga" { + for_each = local.cassandra_replay_servers + + network_interface_id = azurerm_network_interface.cassandra-replayer-interface[each.key].id + network_security_group_id = data.azurerm_network_security_group.worker-nsg.id +} resource "azurerm_virtual_machine" "cassandra-replay-server" { - for_each = local.cassandra_replay_servers + for_each = local.cassandra_replay_servers - depends_on = [azurerm_resource_group.euwest-cassandra-replay] + depends_on = 
[azurerm_resource_group.euwest-cassandra-replay] name = each.key location = "westeurope" resource_group_name = azurerm_resource_group.euwest-cassandra-replay[0].name network_interface_ids = [azurerm_network_interface.cassandra-replayer-interface[each.key].id] vm_size = "Standard_F8s_v2" delete_os_disk_on_termination = true delete_data_disks_on_termination = true boot_diagnostics { enabled = true storage_uri = var.boot_diagnostics_uri } storage_os_disk { name = format("%s-osdisk", each.key) caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { publisher = "debian" offer = "debian-10" sku = "10" version = "latest" } os_profile { computer_name = each.key admin_username = var.user_admin } os_profile_linux_config { disable_password_authentication = true ssh_keys { path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_olasd } } provisioner "remote-exec" { inline = [ "sudo mkdir /root/.ssh", "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys", ] connection { type = "ssh" user = var.user_admin host = azurerm_network_interface.cassandra-replayer-interface[self.name].private_ip_address } } provisioner "file" { - content = templatefile("templates/firstboot.sh.tpl", { - hostname = self.name - fqdn = format("%s.euwest.azure.internal.softwareheritage.org", self.name) - ip_address = azurerm_network_interface.cassandra-replayer-interface[self.name].private_ip_address + content = templatefile("templates/firstboot.sh.tpl", { + hostname = self.name + fqdn = format("%s.euwest.azure.internal.softwareheritage.org", self.name) + ip_address = azurerm_network_interface.cassandra-replayer-interface[self.name].private_ip_address facter_location = "azure_euwest" - disk_setup = {} + disk_setup = {} }) destination = var.firstboot_script connection { type = "ssh" user = "root" host = 
azurerm_network_interface.cassandra-replayer-interface[self.name].private_ip_address } } provisioner "remote-exec" { inline = [ "userdel -f ${var.user_admin}", "chmod +x ${var.firstboot_script}", "cat ${var.firstboot_script}", - "${var.firstboot_script}", + var.firstboot_script, ] connection { type = "ssh" user = "root" host = azurerm_network_interface.cassandra-replayer-interface[self.name].private_ip_address } } tags = { environment = "Cassandra" } } diff --git a/azure/terraform/cassandra.tf b/azure/terraform/cassandra.tf index eafe0dd..371801c 100644 --- a/azure/terraform/cassandra.tf +++ b/azure/terraform/cassandra.tf 
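Review bot: `azurerm_virtual_machine.cassandra-replay-server` still lists only the resource group in `depends_on`, so once the NSG binding lives in the separate `azurerm_network_interface_security_group_association.cassandra-replayer-interface-sga` resource, Terraform may create the VM, and run its remote-exec provisioners over the NIC's private IP (appending root authorized_keys, executing the firstboot script), in parallel with or before the association, leaving a window where the NIC has no NSG; the old inline `network_security_group_id` attached it at NIC creation, so this is a regression of this change. Whether that window is reachable depends on what the subnet already enforces, which this page does not show. The one-line fix is `depends_on = [azurerm_resource_group.euwest-cassandra-replay, azurerm_network_interface_security_group_association.cassandra-replayer-interface-sga]`. The same gap exists for `cassandra-server` in cassandra.tf, `storage-server` in storage.tf (which has no `depends_on` at all), `vault-server` in vault.tf and `mirror-replayer` plus the count-0 master/db VMs in mirror.tf.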
@@ -1,181 +1,186 @@ variable "cassandra_servers" { default = 6 } variable "cassandra_disk_size" { default = 1024 } variable "cassandra_disks_per_server" { default = 4 } resource "azurerm_resource_group" "euwest-cassandra" { name = "euwest-cassandra" location = "westeurope" tags = { environment = "Cassandra" } } locals { cassandra_servers = { - for i in range(var.cassandra_servers): + for i in range(var.cassandra_servers) : format("cassandra%02d", i + 1) => { datadisks = { - for i in range(var.cassandra_disks_per_server): + for i in range(var.cassandra_disks_per_server) : format("datadisk%02d", i + 1) => { lun = i + 1 path = format("/dev/disk/azure/scsi1/lun%d", i + 1) } } } } } resource "azurerm_network_interface" "cassandra-interface" { - for_each = local.cassandra_servers + for_each = local.cassandra_servers - name = format("%s-interface", each.key) - location = "westeurope" - resource_group_name = azurerm_resource_group.euwest-cassandra.name - network_security_group_id = data.azurerm_network_security_group.worker-nsg.id + name = format("%s-interface", each.key) + location = "westeurope" + resource_group_name = azurerm_resource_group.euwest-cassandra.name enable_accelerated_networking = true ip_configuration { name = "vaultNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } - depends_on = [azurerm_resource_group.euwest-cassandra] + depends_on = [azurerm_resource_group.euwest-cassandra] } +resource "azurerm_network_interface_security_group_association" "cassandra-interface-sga" { + for_each = local.cassandra_servers + + network_interface_id = azurerm_network_interface.cassandra-interface[each.key].id + network_security_group_id = data.azurerm_network_security_group.worker-nsg.id +} resource "azurerm_virtual_machine" "cassandra-server" { - for_each = local.cassandra_servers + for_each = local.cassandra_servers - depends_on = [azurerm_resource_group.euwest-cassandra] + depends_on = 
[azurerm_resource_group.euwest-cassandra] name = each.key location = "westeurope" resource_group_name = azurerm_resource_group.euwest-cassandra.name network_interface_ids = [azurerm_network_interface.cassandra-interface[each.key].id] vm_size = "Standard_DS13_v2" delete_os_disk_on_termination = true delete_data_disks_on_termination = true boot_diagnostics { enabled = true storage_uri = var.boot_diagnostics_uri } storage_os_disk { name = format("%s-osdisk", each.key) caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } - dynamic storage_data_disk { + dynamic "storage_data_disk" { for_each = each.value.datadisks content { name = format("%s-%s", each.key, storage_data_disk.key) caching = "None" create_option = "Empty" managed_disk_type = "Standard_LRS" disk_size_gb = var.cassandra_disk_size lun = storage_data_disk.value.lun } } storage_image_reference { publisher = "debian" offer = "debian-10" sku = "10" version = "latest" } os_profile { computer_name = each.key admin_username = var.user_admin } os_profile_linux_config { disable_password_authentication = true ssh_keys { path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_olasd } } provisioner "remote-exec" { inline = [ "sudo mkdir /root/.ssh", "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys", ] connection { type = "ssh" user = var.user_admin host = azurerm_network_interface.cassandra-interface[self.name].private_ip_address } } provisioner "file" { - content = templatefile("templates/firstboot.sh.tpl", { - hostname = self.name - fqdn = format("%s.euwest.azure.internal.softwareheritage.org", self.name) - ip_address = azurerm_network_interface.cassandra-interface[self.name].private_ip_address + content = templatefile("templates/firstboot.sh.tpl", { + hostname = self.name + fqdn = format("%s.euwest.azure.internal.softwareheritage.org", self.name) + ip_address 
= azurerm_network_interface.cassandra-interface[self.name].private_ip_address facter_location = "azure_euwest" disk_setup = { - disks = [ - for disk in local.cassandra_servers[self.name].datadisks: { - base_disk = disk.path - } - ] - raids = [{ - path = "/dev/md0" - level = 0 - chunk = "128K" - members = [for disk in local.cassandra_servers[self.name].datadisks: format("%s-part1", disk.path)] - mountpoint = "/srv/cassandra" - filesystem = "ext4" - mount_options = "defaults" - }] + disks = [ + for disk in local.cassandra_servers[self.name].datadisks : { + base_disk = disk.path + } + ] + raids = [{ + path = "/dev/md0" + level = 0 + chunk = "128K" + members = [for disk in local.cassandra_servers[self.name].datadisks : format("%s-part1", disk.path)] + mountpoint = "/srv/cassandra" + filesystem = "ext4" + mount_options = "defaults" + }] } }) destination = var.firstboot_script connection { type = "ssh" user = "root" host = azurerm_network_interface.cassandra-interface[self.name].private_ip_address } } provisioner "remote-exec" { inline = [ "userdel -f ${var.user_admin}", "chmod +x ${var.firstboot_script}", "cat ${var.firstboot_script}", - "${var.firstboot_script}", + var.firstboot_script, ] connection { type = "ssh" user = "root" host = azurerm_network_interface.cassandra-interface[self.name].private_ip_address } } tags = { environment = "Cassandra" } } diff --git a/azure/terraform/init.tf b/azure/terraform/init.tf index 92ea2b2..2292f2b 100644 --- a/azure/terraform/init.tf +++ b/azure/terraform/init.tf 
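Review bot: The six NICs in `local.cassandra_servers` are already deployed with `worker-nsg` attached via the old inline `network_security_group_id`, but the new `azurerm_network_interface_security_group_association.cassandra-interface-sga` instances are not in state, so the first plan after this commit will try to create associations for bindings that already exist; depending on the provider's create-time check this is likely to error asking for an import rather than converge. Plan before applying and, where needed, import each one, e.g. `terraform import 'azurerm_network_interface_security_group_association.cassandra-interface-sga["cassandra01"]' '<NIC_ID>|<NSG_ID>'` (placeholder ids). The same applies to `storage-interface-sga` in storage.tf and `vangogh-interface-sga` in vault.tf, which also target live NICs. A one-line comment on the association resource, `# Pre-existing NICs: import this association before the first apply (see plan)`, would save the next operator the surprise.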
@@ -1,66 +1,73 @@ # Keyword use: # - provider: Define the provider(s) # - data: Retrieve data information to be used within the file # - resource: Define resource and create/update terraform { + required_version = ">= 0.13" backend "azurerm" { resource_group_name = "euwest-admin" storage_account_name = "swhterraform" container_name = "tfstate" key = "prod.azure.terraform.tfstate" } + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "=2.97.0" + } + } } # Configure the Microsoft Azure Provider # Empty if using the `az login` tool provider "azurerm" { - version = "=1.43.0" + features {} } # Reuse the network security group as defined currently data "azurerm_network_security_group" "worker-nsg" { name = "worker-nsg" resource_group_name = "swh-resource" } # Same for the subnet data "azurerm_subnet" "default" { name = "default" virtual_network_name = "swh-vnet" resource_group_name = "swh-resource" } # same for resource group used by storage servers data "azurerm_resource_group" "euwest-servers" { name = "euwest-servers" } variable "firstboot_script" { - type = string + type = string default = "/root/firstboot.sh" } variable "ssh_key_data_ardumont" { type = string default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZarzgHrzUYspvrgSI6fszrALo92BDys7QOkJgUfZa9t9m4g7dUANNtwBiqIbqijAQPmB1zKgG6QTZC5rJkRy6KqXCW/+Qeedw/FWIbuI7jOD5WxnglbEQgvPkkB8kf1xIF7icRfWcQmK2je/3sFd9yS4/+jftNMPPXkBCxYm74onMenyllA1akA8FLyujLu6MNA1D8iLLXvz6pBDTT4GZ5/bm3vSE6Go8Xbuyu4SCtYZSHaHC2lXZ6Hhi6dbli4d3OwkUWz+YhFGaEra5Fx45Iig4UCL6kXPkvL/oSc9KGerpT//Xj9qz1K7p/IrBS8+eA4X69bHYYV0UZKDADZSn ardumont@yavin4" } variable "ssh_key_data_douardda" { type = string default = "ssh-rsa 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 david.douard@sdfa3.org" } variable "ssh_key_data_olasd" { type = string default = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ1TCpfzrvxLhEMhxjbxqPDCwY0nazIr1cyIbhGD2bUdAbZqVMdNtr7MeDnlLIKrIPJWuvltauvLNkYU0iLc1jMntdBCBM3hgXjmTyDtc8XvXseeBp5tDqccYNR/cnDUuweNcL5tfeu5kzaAg3DFi5Dsncs5hQK5KQ8CPKWcacPjEk4ir9gdFrtKG1rZmg/wi7YbfxrJYWzb171hdV13gSgyXdsG5UAFsNyxsKSztulcLKxvbmDgYbzytr38FK2udRk7WuqPbtEAW1zV4yrBXBSB/uw8EAMi+wwvLTwyUcEl4u0CTlhREljUx8LhYrsQUCrBcmoPAmlnLCD5Q9XrGH nicolasd@darboux id_rsa.inria.pub" } variable "user_admin" { type = string default = "tmpadmin" } variable "boot_diagnostics_uri" { default = "https://swhresourcediag966.blob.core.windows.net" } diff --git a/azure/terraform/mirror.tf b/azure/terraform/mirror.tf index 29f5cf8..4c9dbbb 100644 --- a/azure/terraform/mirror.tf +++ b/azure/terraform/mirror.tf 
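Review bot: The new `required_providers` block pins `azurerm` to `=2.97.0` with no explanation, while `required_version = ">= 0.13"` is left open-ended, so a reader bumping the provider later has no hint that the NIC/NSG association rewrite elsewhere in this commit is what the 1.x to 2.x jump required. Add a comment above the pin, e.g. `# Exact pin: 1.x -> 2.x moved NIC NSG attachment to azurerm_network_interface_security_group_association; bump deliberately and re-plan.`. The empty `features {}` in the provider block is mandatory for the 2.x provider; a short `# required by azurerm >= 2.0, intentionally empty` comment would stop someone tidying it away.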
@@ -1,335 +1,357 @@ # Define a new resource for a (test) mirror # matching what we name elsewhere "euwest-${resource}" variable "mirror_replay_servers" { default = 0 } data "azurerm_platform_image" "debian10" { location = "westeurope" publisher = "debian" offer = "debian-10" sku = "10" } resource "azurerm_resource_group" "euwest-mirror-test" { # disable this count = 0 name = "euwest-mirror-test" location = "westeurope" tags = { - environment = "SWH Mirror" + environment = "SWH Mirror" } } resource "azurerm_network_security_group" "mirror-nsg" { # disable this count = 0 name = "mirror-nsg" resource_group_name = "euwest-mirror-test" location = "westeurope" } locals { mirror_replay_servers = { - for i in range(var.mirror_replay_servers): - format("mirror-replay%02d", i + 1) => { - datadisks = {} - } + for i in range(var.mirror_replay_servers) : + format("mirror-replay%02d", i + 1) => { + datadisks = {} + } } } # master machine - run the docker swarm master node on which will run # most of the services but the db and replayers resource "azurerm_network_interface" "mirror-master-interface" { # disable this count = 0 name = "mirror-master-interface" location = "westeurope" resource_group_name = "euwest-mirror-test" - network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id ip_configuration { name = "mirrorMasterNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } } + +resource "azurerm_network_interface_security_group_association" "mirror-master-interface-sga" { + count = 0 + network_interface_id = azurerm_network_interface.mirror-master-interface[0].id + network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id +} + #resource "azurerm_managed_disk" "mirror-master-osdisk" { # name = "mirror-master-osdisk" # create_option = "FromImage" # location = "westeurope" # resource_group_name = "euwest-mirror-test" # storage_account_type = "Premium_LRS" # 
image_reference_id = data.azurerm_platform_image.debian10.id - #image_reference_id = "/Subscriptions/49b7f681-8efc-4689-8524-870fc0c1db09/Providers/Microsoft.Compute/Locations/westeurope/Publishers/Debian/ArtifactTypes/VMImage/Offers/debian-10/Skus/10" +#image_reference_id = "/Subscriptions/49b7f681-8efc-4689-8524-870fc0c1db09/Providers/Microsoft.Compute/Locations/westeurope/Publishers/Debian/ArtifactTypes/VMImage/Offers/debian-10/Skus/10" #} resource "azurerm_virtual_machine" "mirror-master" { # disable this count = 0 name = "mirror-master" location = "westeurope" resource_group_name = "euwest-mirror-test" network_interface_ids = [azurerm_network_interface.mirror-master-interface[count.index].id] vm_size = "Standard_B2ms" delete_os_disk_on_termination = true -# storage_os_disk { -# create_option = "attach" -# name = "mirror-master-osdisk" -# caching = "ReadWrite" -# managed_disk_id = azurerm_managed_disk.mirror-master-osdisk.id -# os_type = "Linux" -# } + # storage_os_disk { + # create_option = "attach" + # name = "mirror-master-osdisk" + # caching = "ReadWrite" + # managed_disk_id = azurerm_managed_disk.mirror-master-osdisk.id + # os_type = "Linux" + # } storage_os_disk { name = "mirror-master-osdisk" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { publisher = "debian" offer = "debian-10" sku = "10" version = "latest" } os_profile { computer_name = "mirror-master" admin_username = var.user_admin } os_profile_linux_config { disable_password_authentication = true ssh_keys { - path = "/home/${var.user_admin}/.ssh/authorized_keys" + path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_douardda } } provisioner "remote-exec" { inline = [ "sudo mkdir /root/.ssh", "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_douardda} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_olasd} | sudo tee -a 
/root/.ssh/authorized_keys" ] connection { type = "ssh" user = var.user_admin host = azurerm_network_interface.mirror-master-interface[count.index].private_ip_address } } tags = { - environment = "SWH Mirror" + environment = "SWH Mirror" } } # the DB host resource "azurerm_network_interface" "mirror-db-interface" { # disable this count = 0 name = "mirror-db-interface" location = "westeurope" resource_group_name = "euwest-mirror-test" - network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id + # network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id ip_configuration { name = "mirrorDbNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } } + +resource "azurerm_network_interface_security_group_association" "mirror-db-interface-sga" { + count = 0 + + network_interface_id = azurerm_network_interface.mirror-db-interface[0].id + network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id +} + + resource "azurerm_managed_disk" "mirror-db-storage" { # disable this count = 0 name = "mirror-db-disk1" location = azurerm_resource_group.euwest-mirror-test[0].location resource_group_name = azurerm_resource_group.euwest-mirror-test[0].name storage_account_type = "Standard_LRS" create_option = "Empty" disk_size_gb = 1024 } resource "azurerm_virtual_machine_data_disk_attachment" "mirror-db-storage" { # disable this count = 0 managed_disk_id = azurerm_managed_disk.mirror-db-storage[count.index].id virtual_machine_id = azurerm_virtual_machine.mirror-db[count.index].id lun = "10" caching = "ReadWrite" } resource "azurerm_virtual_machine" "mirror-db" { # disable this count = 0 - name = "mirror-db" - location = "westeurope" - resource_group_name = "euwest-mirror-test" - network_interface_ids = [azurerm_network_interface.mirror-db-interface[count.index].id] - vm_size = "Standard_F8s_v2" + name = "mirror-db" + location = "westeurope" + resource_group_name = 
"euwest-mirror-test" + network_interface_ids = [azurerm_network_interface.mirror-db-interface[count.index].id] + vm_size = "Standard_F8s_v2" delete_os_disk_on_termination = true storage_os_disk { name = "mirror-db-osdisk" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { publisher = "debian" offer = "debian-10" sku = "10" version = "latest" } os_profile { computer_name = "mirror-db" admin_username = var.user_admin } os_profile_linux_config { disable_password_authentication = true ssh_keys { - path = "/home/${var.user_admin}/.ssh/authorized_keys" + path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_douardda } } provisioner "remote-exec" { inline = [ "sudo mkdir /root/.ssh", "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_douardda} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys" ] connection { type = "ssh" user = var.user_admin host = azurerm_network_interface.mirror-db-interface[count.index].private_ip_address } } tags = { - environment = "SWH Mirror" + environment = "SWH Mirror" } } # replayer machines resource "azurerm_network_interface" "mirror-replayer-interface" { - for_each = local.mirror_replay_servers + for_each = local.mirror_replay_servers name = format("%s-interface", each.key) location = "westeurope" resource_group_name = azurerm_resource_group.euwest-mirror-test[0].name - network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id #enable_accelerated_networking = true ip_configuration { name = "mirrorReplayerNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } depends_on = [azurerm_resource_group.euwest-mirror-test] } + +resource "azurerm_network_interface_security_group_association" "mirror-replayer-interface-sga" { + for_each = 
local.mirror_replay_servers + + network_interface_id = azurerm_network_interface.mirror-replayer-interface[each.key].id + network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id +} + resource "azurerm_virtual_machine" "mirror-replayer" { - for_each = local.mirror_replay_servers - name = each.key + for_each = local.mirror_replay_servers + name = each.key location = "westeurope" resource_group_name = "euwest-mirror-test" network_interface_ids = [azurerm_network_interface.mirror-replayer-interface[each.key].id] vm_size = "Standard_B2s" delete_os_disk_on_termination = true delete_data_disks_on_termination = true storage_os_disk { name = format("%s-osdisk", each.key) caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { publisher = "debian" offer = "debian-10" sku = "10" version = "latest" } os_profile { computer_name = each.key admin_username = var.user_admin } os_profile_linux_config { disable_password_authentication = true ssh_keys { - path = "/home/${var.user_admin}/.ssh/authorized_keys" + path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_douardda } } provisioner "remote-exec" { inline = [ "sudo mkdir /root/.ssh", "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_douardda} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys" ] connection { type = "ssh" user = var.user_admin host = azurerm_network_interface.mirror-replayer-interface[self.name].private_ip_address } } tags = { - environment = "SWH Mirror" + environment = "SWH Mirror" } } # for the obj storage, if any #resource "azurerm_storage_account" "mirror-storage" { # name = "mirror-storage" # resource_group_name = "${azurerm_resource_group.euwest-mirror-test[0].name}" # location = "westeurope" # account_tier = "Standard" # account_replication_type = "LRS" # account_kind = "BlobStorage" # 
access_tier = "Cool" # tags = { # environment = "SWH Mirror Storage" # } #} # A container for the blob storage named 'contents' (as other blob storages) #resource "azurerm_storage_container" "mirror-graph-storage" { # name = "mirror-graph-storage" # resource_group_name = "${azurerm_resource_group.euwest-mirror-test[0].name}" # storage_account_name = "${azurerm_storage_account.mirror-storage.name}" # container_access_type = "private" #} diff --git a/azure/terraform/storage.tf b/azure/terraform/storage.tf index 1400b58..4170b31 100644 --- a/azure/terraform/storage.tf +++ b/azure/terraform/storage.tf 
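Review bot: The three NICs in this file are migrated inconsistently: `mirror-master-interface` and `mirror-replayer-interface` drop `network_security_group_id` outright, but `mirror-db-interface` keeps it as the commented-out line `# network_security_group_id = azurerm_network_security_group.mirror-nsg[0].id` directly above an association resource that now expresses the same binding. Delete the stale comment so `mirror-db-interface-sga` is the single place the NSG attachment is defined. Separately, `mirror-replayer-interface-sga` uses `for_each = local.mirror_replay_servers` while `mirror-nsg` is `count = 0`, so raising `var.mirror_replay_servers` above 0 without enabling the NSG fails at plan time on the `[0]` index; that is probably the intended guard, but it deserves a comment such as `# mirror-nsg is count = 0: enable it before raising var.mirror_replay_servers`.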
@@ -1,130 +1,136 @@ # will start from 1 storage01... variable "storage_servers" { default = 2 } variable "storage_disk_size" { default = 30720 } locals { storage_servers = { - for i in range(var.storage_servers): - format("storage%02d", i + 1) => { - datadisks = {} - } + for i in range(var.storage_servers) : + format("storage%02d", i + 1) => { + datadisks = {} + } } } resource "azurerm_network_interface" "storage-interface" { for_each = local.storage_servers - name = format("%s-interface", each.key) - location = "westeurope" - resource_group_name = "euwest-servers" - network_security_group_id = data.azurerm_network_security_group.worker-nsg.id + name = format("%s-interface", each.key) + location = "westeurope" + resource_group_name = "euwest-servers" ip_configuration { name = "storageNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } } +resource "azurerm_network_interface_security_group_association" "storage-interface-sga" { + for_each = local.storage_servers + + network_interface_id = azurerm_network_interface.storage-interface[each.key].id + network_security_group_id = data.azurerm_network_security_group.worker-nsg.id +} + resource "azurerm_virtual_machine" "storage-server" { for_each = local.storage_servers name = each.key location = "westeurope" resource_group_name = "euwest-servers" network_interface_ids = [azurerm_network_interface.storage-interface[each.key].id] vm_size = "Standard_D8s_v3" boot_diagnostics { enabled = true storage_uri = var.boot_diagnostics_uri } storage_os_disk { name = format("%s-osdisk", each.key) caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { publisher = "debian" offer = "debian-10" sku = "10" version = "latest" } os_profile { computer_name = each.key admin_username = var.user_admin } os_profile_linux_config { disable_password_authentication = true ssh_keys { path = 
"/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_ardumont } ssh_keys { path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_olasd } } provisioner "remote-exec" { inline = [ "sudo mkdir /root/.ssh", "echo ${var.ssh_key_data_ardumont} | sudo tee -a /root/.ssh/authorized_keys", "echo ${var.ssh_key_data_olasd} | sudo tee -a /root/.ssh/authorized_keys", ] connection { type = "ssh" user = var.user_admin host = azurerm_network_interface.storage-interface[each.key].private_ip_address } } provisioner "file" { - content = templatefile("templates/firstboot.sh.tpl", { - hostname = each.key - fqdn = format("%s.euwest.azure.internal.softwareheritage.org", each.key), - ip_address = azurerm_network_interface.storage-interface[each.key].private_ip_address, + content = templatefile("templates/firstboot.sh.tpl", { + hostname = each.key + fqdn = format("%s.euwest.azure.internal.softwareheritage.org", each.key), + ip_address = azurerm_network_interface.storage-interface[each.key].private_ip_address, facter_location = "azure_euwest" - disk_setup = {} + disk_setup = {} }) destination = var.firstboot_script connection { type = "ssh" user = "root" host = azurerm_network_interface.storage-interface[each.key].private_ip_address } } provisioner "remote-exec" { inline = [ "userdel -f ${var.user_admin}", "chmod +x ${var.firstboot_script}", "cat ${var.firstboot_script}", - "${var.firstboot_script}", + var.firstboot_script, ] connection { type = "ssh" user = "root" host = azurerm_network_interface.storage-interface[each.key].private_ip_address } } tags = { environment = "Storage" } } diff --git a/azure/terraform/vault.tf b/azure/terraform/vault.tf index 082fb4c..515ca3a 100644 --- a/azure/terraform/vault.tf +++ b/azure/terraform/vault.tf 
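Review bot: The realigned `resource_group_name = "euwest-servers"` on `storage-interface` (and the same literal on `storage-server`) hard-codes a name that init.tf already resolves through `data.azurerm_resource_group.euwest-servers`; using `resource_group_name = data.azurerm_resource_group.euwest-servers.name` keeps the two in sync and gives Terraform the dependency edge instead of a string that can silently drift. The literal `"euwest-vault"` in vault.tf's `vangogh-interface` and `vault-server` has the same shape, though there the file defines `azurerm_resource_group.euwest-vault` itself and could reference `.name` directly.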
@@ -1,87 +1,91 @@ # Define a new resource for the vault # matching what we name elsewhere "euwest-${resource}" resource "azurerm_resource_group" "euwest-vault" { name = "euwest-vault" location = "westeurope" tags = { environment = "SWH Vault" } } resource "azurerm_network_interface" "vangogh-interface" { - name = "vangogh-interface" - location = "westeurope" - resource_group_name = "euwest-vault" - network_security_group_id = data.azurerm_network_security_group.worker-nsg.id + name = "vangogh-interface" + location = "westeurope" + resource_group_name = "euwest-vault" ip_configuration { name = "vaultNicConfiguration" subnet_id = data.azurerm_subnet.default.id public_ip_address_id = "" private_ip_address_allocation = "Dynamic" } } +resource "azurerm_network_interface_security_group_association" "vangogh-interface-sga" { + network_interface_id = azurerm_network_interface.vangogh-interface.id + network_security_group_id = data.azurerm_network_security_group.worker-nsg.id +} + # Blobstorage as defined in task resource "azurerm_storage_account" "vault-storage" { name = "swhvaultstorage" resource_group_name = azurerm_resource_group.euwest-vault.name location = "westeurope" account_tier = "Standard" account_replication_type = "LRS" account_kind = "BlobStorage" access_tier = "Cool" enable_https_traffic_only = true tags = { environment = "SWH Vault" } } # A container for the blob storage named 'contents' (as other blob storages) resource "azurerm_storage_container" "contents" { name = "contents" storage_account_name = azurerm_storage_account.vault-storage.name container_access_type = "private" } resource "azurerm_virtual_machine" "vault-server" { name = "vangogh" location = "westeurope" resource_group_name = "euwest-vault" network_interface_ids = [azurerm_network_interface.vangogh-interface.id] vm_size = "Standard_B2ms" storage_os_disk { name = "vangogh-osdisk" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Premium_LRS" } storage_image_reference { 
publisher = "credativ" offer = "Debian" sku = "9" version = "latest" } # (Va)ngogh <-> (Va)ult os_profile { computer_name = "vangogh" admin_username = "ardumont" } os_profile_linux_config { disable_password_authentication = true ssh_keys { path = "/home/${var.user_admin}/.ssh/authorized_keys" key_data = var.ssh_key_data_ardumont } } tags = { environment = "SWH Vault" } }
diff --git a/azure/terraform/versions.tf b/azure/terraform/versions.tf
deleted file mode 100644
index d9b6f79..0000000
--- a/azure/terraform/versions.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-terraform {
- required_version = ">= 0.12"
-}
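Review bot: `os_profile.admin_username = "ardumont"` on `vault-server` does not match the `ssh_keys.path = "/home/${var.user_admin}/.ssh/authorized_keys"` beneath it, which resolves to `/home/tmpadmin/...` with the default in init.tf, so the only key Azure installs presumably lands in a home directory that is not the admin user's and key-based login as `ardumont` would not work; with `disable_password_authentication = true` that reads as a lockout unless the box is reached some other way. This is pre-existing rather than introduced here, but it sits on the new side next to the lines this commit touches. Either `admin_username = var.user_admin` (as every other VM in this change) or `path = "/home/ardumont/.ssh/authorized_keys"`; changing `os_profile` on an existing `azurerm_virtual_machine` likely forces replacement, so pick deliberately.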