
a22e935706fc55b9d318aa46a2588edc66235aaf — Damien Radtke 9 months ago 4138dd7
Add some support for multiple workspaces and rely more on outputs
6 files changed, 100 insertions(+), 42 deletions(-)

M terraform/domain-address/main.tf
M terraform/domains.tf
M terraform/main.tf
M terraform/outputs.tf
A tools/set-cluster-env
R terraform/update-nomad-client-firewall.sh => tools/update-nomad-client-firewall
M terraform/domain-address/main.tf => terraform/domain-address/main.tf +13 -11
@@ 1,19 1,21 @@
data "linode_domain" "d" {
	domain = var.domain
  domain = var.domain
}

// Domains should only be applied in the default workspace to avoid clobbering DNS records in test deployments.

resource "linode_domain_record" "a" {
	for_each = toset(var.instances[*].ip_address)
	domain_id = data.linode_domain.d.id
	name = var.name
	record_type = "A"
	target = each.value
  for_each    = toset(terraform.workspace == "default" ? var.instances[*].ip_address : [])
  domain_id   = data.linode_domain.d.id
  name        = var.name
  record_type = "A"
  target      = each.value
}

resource "linode_domain_record" "aaaa" {
	for_each = toset([for ip in var.instances[*].ipv6: split("/", ip)[0]])
	domain_id = data.linode_domain.d.id
	name = var.name
	record_type = "AAAA"
	target = each.value
  for_each    = toset(terraform.workspace == "default" ? [for ip in var.instances[*].ipv6 : split("/", ip)[0]] : [])
  domain_id   = data.linode_domain.d.id
  name        = var.name
  record_type = "AAAA"
  target      = each.value
}
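Review bot: The `terraform.workspace == "default"` guard is written out twice, once in each `for_each` (the `a` and `aaaa` resources), so any record type added later can silently miss it; a single `locals { publish_dns = terraform.workspace == "default" }` referenced as `local.publish_dns ? … : []` in both places keeps them in step, and the comment above the `a` resource would sit naturally next to that local. Hardcoding the workspace name inside a reusable module also ties it to the root module's workspace layout; a `variable "enabled"` with a default of `true`, set by the root from its own workspace check, would let the module stay unaware of workspaces. Note that `data "linode_domain" "d"` is still read unconditionally, so plans in non-default workspaces still need read access to the domain even though they create no records, which may be intended.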

M terraform/domains.tf => terraform/domains.tf +23 -23
@@ 1,40 1,40 @@
module "damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	instances = module.nomad-client-load-balancer.instances
  source    = "./domain-address"
  domain    = "damienradtke.com"
  instances = module.nomad-client-load-balancer.instances
}

module "www-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "www"
	instances = module.nomad-client-load-balancer.instances
  source    = "./domain-address"
  domain    = "damienradtke.com"
  name      = "www"
  instances = module.nomad-client-load-balancer.instances
}

module "photos-radtke-family" {
	source = "./domain-address"
	domain = "radtke.family"
	name = "photos"
	instances = module.nomad-client-load-balancer.instances
  source    = "./domain-address"
  domain    = "radtke.family"
  name      = "photos"
  instances = module.nomad-client-load-balancer.instances
}

module "consul-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "consul"
	instances = [module.consul-server.instances[0]]
  source    = "./domain-address"
  domain    = "damienradtke.com"
  name      = "consul"
  instances = [module.consul-server.instances[0]]
}

module "nomad-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "nomad"
	instances = [module.nomad-server.instances[0]]
  source    = "./domain-address"
  domain    = "damienradtke.com"
  name      = "nomad"
  instances = [module.nomad-server.instances[0]]
}

module "vault-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "vault"
	instances = [module.vault-server.instances[0]]
  source    = "./domain-address"
  domain    = "damienradtke.com"
  name      = "vault"
  instances = [module.vault-server.instances[0]]
}

M terraform/main.tf => terraform/main.tf +2 -2
@@ 50,7 50,7 @@ module "nomad-server" {
  authorized_users = local.authorized_users
  ca_host          = var.ca_host
  ca_key           = var.ca_key
	vault_token      = var.vault_token
  vault_token      = var.vault_token
}

module "nomad-client" {


@@ 76,7 76,7 @@ module "nomad-client-load-balancer" {
  clients           = 1
  consul_version    = "1.7.2"
  nomad_version     = "0.11.3"
	node_class        = "load-balancer"
  node_class        = "load-balancer"
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region

M terraform/outputs.tf => terraform/outputs.tf +17 -5
@@ 1,12 1,24 @@
output "consul_server_ips" {
	value = [for ip in module.consul-server.instances[*].ipv6: split("/", ip)[0]]
}

output "nomad_server_ips" {
	value = [for ip in module.nomad-server.instances[*].ipv6: split("/", ip)[0]]
}

output "vault_server_ips" {
	value = [for ip in module.vault-server.instances[*].ipv6: split("/", ip)[0]]
}

output "nomad_client_ips" {
	/*
  /*
	value = concat(
		[for ip in module.nomad-client.instances[*].ipv6: split("/", ip)[0]],
		[for ip in module.nomad-client-load-balancer.instances[*].ipv6: split("/", ip)[0]],
	)
	*/
	value = flatten(concat(
		module.nomad-client.instances[*].ipv4,
		module.nomad-client-load-balancer.instances[*].ipv4,
	))
  value = flatten(concat(
    module.nomad-client.instances[*].ip_address,
    module.nomad-client-load-balancer.instances[*].ip_address,
  ))
}
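Review bot: The `/* … */` block above the new `value` still holds the old IPv6 form of `nomad_client_ips` while the live value now uses `ip_address`, so a reader cannot tell which form the consumers expect; the other three `*_server_ips` outputs still publish IPv6, which makes the IPv4 choice here look accidental rather than deliberate. If IPv4 is intended, drop the commented-out block and replace it with a one-line reason, e.g. `# IPv4 on purpose: consumed by tools/update-nomad-client-firewall for ssh` (adjust to the real reason). Keeping dead alternatives inside an output tends to get re-enabled by the next person who thinks the commented version is the fix.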

A tools/set-cluster-env => tools/set-cluster-env +36 -0
@@ 0,0 1,36 @@
#!/usr/bin/env bash
#
# This script sets the environment variables necessary for Consul, Nomad, and Vault
# CLI tools. It queries Terraform state for node addresses, so this script will need
# to be re-invoked after switching workspaces.
#
# In order for CLI tools to work immediately, add something like this to your .bashrc:
#
#     $ source "$(which set-cluster-env)" "${HOME}/infrastructure/terraform/terraform.tfstate"
#

state_file="${1:-terraform.tfstate}"

if [[ ! -f "${state_file}" ]]; then
	echo "state file '${state_file}' not found, are you in the right directory?"
	exit 1
fi

consul_server="$(terraform output -json -state "${state_file}" consul_server_ips | jq -r '.[0]')"
nomad_server="$(terraform output -json -state "${state_file}" nomad_server_ips | jq -r '.[0]')"
vault_server="$(terraform output -json -state "${state_file}" vault_server_ips | jq -r '.[0]')"

export CONSUL_HTTP_ADDR="https://[${consul_server}]:8501"
export CONSUL_CACERT="/etc/ssl/consul/ca.pem"
export CONSUL_CLIENT_CERT="${HOME}/consul-cli.pem"
export CONSUL_CLIENT_KEY="${HOME}/consul-cli-key.pem"

export NOMAD_ADDR="https://[${nomad_server}]:4646"
export NOMAD_CACERT="/etc/ssl/nomad/ca.pem"
export NOMAD_CLIENT_CERT="${HOME}/nomad-cli.pem"
export NOMAD_CLIENT_KEY="${HOME}/nomad-cli-key.pem"

export VAULT_ADDR="https://[${vault_server}]:8200"
export VAULT_CACERT="/etc/ssl/vault/ca.pem"
export VAULT_CLIENT_CERT="${HOME}/vault-cli.pem"
export VAULT_CLIENT_KEY="${HOME}/vault-cli-key.pem"
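Review bot: `exit 1` on the missing-state branch terminates the caller's shell when the script is sourced, which is exactly the usage the header recommends (`source "$(which set-cluster-env)" …`), so a mistyped path would close the interactive session; use `return 1 2>/dev/null || exit 1` so the line works both sourced and executed, and route the diagnostic to stderr with `echo "state file '${state_file}' not found, are you in the right directory?" >&2`. The three `terraform output … | jq -r '.[0]'` assignments are also unchecked: if the output is missing or empty, `jq` prints `null` or nothing and the script still exports values such as `CONSUL_HTTP_ADDR="https://[null]:8501"`, quietly pointing every CLI at a bad address. A guard after each assignment, e.g. `[[ -n "${consul_server}" && "${consul_server}" != "null" ]] || { echo "could not read consul_server_ips from ${state_file}" >&2; return 1 2>/dev/null || exit 1; }`, would surface the failure where it happens.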

R terraform/update-nomad-client-firewall.sh => tools/update-nomad-client-firewall +9 -1
@@ 1,5 1,13 @@
#!/usr/bin/env bash
client_ips="$(cat terraform.tfstate | jq -r '.outputs.nomad_client_ips.value[]')"

# TODO: it might be good to enhance this script to also update the confured "join" values for node configurations.

if [[ ! -f terraform.tfstate ]]; then
	echo "no state file found, are you in the right directory?"
	exit 1
fi

client_ips="$(terraform output -json nomad_client_ips | jq -r '.[]')"
for from_ip in ${client_ips}; do
	echo "clearing existing values for ${from_ip}"
	ssh "${from_ip}" "sudo sed -i '/<source address/d' /etc/firewalld/zones/nomad-clients.xml"