diff --git a/openstack-tf/d4s-dev/keycloak/main.tf b/openstack-tf/d4s-dev/keycloak/main.tf
index 9fb02f5..63f1a29 100644
--- a/openstack-tf/d4s-dev/keycloak/main.tf
+++ b/openstack-tf/d4s-dev/keycloak/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 openstack = {
 source = "terraform-provider-openstack/openstack"
- version = "~> 1.53.0"
+ # version = "~> 1.53.0"
 }
 }
 }
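Review bot: Commenting out `version = "~> 1.53.0"` leaves the openstack provider with no version constraint in this root module, and the new `openstack-tf/modules/keycloak/terraform-provider.tf` does the same, so the provider release is then fixed only by `.terraform.lock.hcl` if that file is committed and otherwise floats to the newest release on every fresh init or `terraform init -upgrade`. Keep a constraint in at least one place — `version = "~> 1.53"` or whatever release is currently locked — so that provider upgrades are deliberate and show up in review rather than happening as a side effect of an init. If the pin was dropped because the new module needs a newer provider, express that as the minimum it needs instead of removing the bound altogether.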
@@ -24,42 +24,14 @@ module "common_variables" { source = "../../modules/common_variables" } -# -# Creates the server group "keycloak" -# Even in dev because this service is crucial the server group is -# created with anti-affinity policy -# -resource "openstack_compute_servergroup_v2" "keycloak_server_group" { - name = "keycloak" - policies = [module.common_variables.policy_list.anti_affinity] -} - -# Creating object bucket to store avatars -resource "openstack_objectstorage_container_v1" "keycloak_1" { - name = "keycloak" -} - -module "instance_without_data_volume" { - source = "../../modules/instance_without_data_volume" - - instances_without_data_volume_map = { - keycloak = { - name = "keycloak", - description = "This instance serves keycloak service", - flavor = module.common_variables.flavor_list.m1_medium, - networks = [data.terraform_remote_state.privnet_dns_router.outputs.main_private_network.name, module.common_variables.networks_list.shared_postgresql], - security_groups = [data.terraform_remote_state.privnet_dns_router.outputs.security_group_list.default, data.terraform_remote_state.privnet_dns_router.outputs.security_group_list.http_and_https_from_the_load_balancers], - server_groups_ids = [], - image_ref = data.terraform_remote_state.privnet_dns_router.outputs.ubuntu_2204 +module "keycloak" { + source = "../../modules/keycloak" + keycloak_recordsets = { + keycloak_main_record = { + name = join(".", ["accounts", data.terraform_remote_state.privnet_dns_router.outputs.dns_zone.zone_name]), + description = "Keycloak dev endpoint" } } -} -resource "openstack_dns_recordset_v2" "keycloak_dev_dns_recordset" { - zone_id = data.terraform_remote_state.privnet_dns_router.outputs.dns_zone_id - name = join(".", ["accounts"], [data.terraform_remote_state.privnet_dns_router.outputs.dns_zone.zone_name]) - description = "Keycloak d4science dev endpoint" - ttl = 8600 - type = "CNAME" - records = [join(".", ["main-lb"], 
[data.terraform_remote_state.privnet_dns_router.outputs.dns_zone.zone_name])] + keycloak_object_store = "keycloak-data-dev" } diff --git a/openstack-tf/d4s-dev/keycloak/terraform.tfstate b/openstack-tf/d4s-dev/keycloak/terraform.tfstate index 952df2f..86cefcf 100644 --- a/openstack-tf/d4s-dev/keycloak/terraform.tfstate +++ b/openstack-tf/d4s-dev/keycloak/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, - "terraform_version": "1.6.6", - "serial": 9, + "terraform_version": "1.7.5", + "serial": 36, "lineage": "2d09d087-e2e3-bb5d-0474-c09dfa4c7145", "outputs": {}, "resources": [ 
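Review bot: The dev root no longer chooses the server-group policy: `keycloak_data` is not passed to `module "keycloak"`, so the module defaults `soft-anti-affinity` and `vm_count = 1` apply, whereas the removed block deliberately used `policy_list.anti_affinity` with a comment saying this service is crucial even in dev. If hard anti-affinity is still intended, pass it explicitly, e.g. `keycloak_data = { affinity_policy = module.common_variables.policy_list.anti_affinity, ... }`, restating all five keys, because a map variable's default is replaced by the caller's value rather than merged with it; if the downgrade is deliberate, a one-line comment on the module block saying so would stop the next reader from re-adding it. `keycloak_object_store = "keycloak-data-dev"` also renames the avatar container from `keycloak`, which for this resource is a destroy-and-create rather than a rename (the state hunk below shows the root-level `keycloak` container gone and `keycloak-data-dev` created), so any objects in the old container need migrating before the old one is removed.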
@@ -394,105 +394,406 @@ ] }, { - "mode": "managed", - "type": "openstack_compute_servergroup_v2", - "name": "keycloak_server_group", - "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "module": "module.keycloak", + "mode": "data", + "type": "terraform_remote_state", + "name": "privnet_dns_router", + "provider": "provider[\"terraform.io/builtin/terraform\"]", "instances": [ { "schema_version": 0, "attributes": { - "id": "9bb60610-a2ba-433b-a7c6-6c0bb3d47089", - "members": [], - "name": "keycloak", - "policies": [ - "anti-affinity" - ], - "region": "isti_area_pi_1", - "rules": [ - { - "max_server_per_host": 0 - } - ], - "value_specs": null + "backend": "local", + "config": { + "value": { + "path": "../project-setup/terraform.tfstate" + }, + "type": [ + "object", + { + "path": "string" + } + ] + }, + "defaults": null, + "outputs": { + "value": { + "almalinux_9": { + "name": "AlmaLinux-9.0-20220718", + "uuid": "541650fc-dd19-4f38-bb1d-7333ed9dd688" + }, + "availability_zone_no_gpu_name": "cnr-isti-nova-a", + "availability_zone_with_gpu_name": "cnr-isti-nova-gpu-a", + "availability_zones_names": { + "availability_zone_no_gpu": "cnr-isti-nova-a", + "availability_zone_with_gpu": "cnr-isti-nova-gpu-a" + }, + "basic_services_ip": { + "ca": "10.1.29.247", + "ca_cidr": "10.1.29.247/32", + "haproxy_l7_1": "10.1.28.50", + "haproxy_l7_1_cidr": "10.1.28.50/32", + "haproxy_l7_2": "10.1.30.241", + "haproxy_l7_2_cidr": "10.1.30.241/32", + "octavia_main": "10.1.28.227", + "octavia_main_cidr": "10.1.28.227/32", + "prometheus": "10.1.30.129", + "prometheus_cidr": "10.1.30.129/32", + "ssh_jump": "10.1.29.164", + "ssh_jump_cidr": "10.1.29.164/32" + }, + "centos_7": { + "name": "CentOS-7", + "uuid": "f0187a99-64f6-462a-ab5f-ef52fe62f2ca" + }, + "default_security_group_name": "default", + "dns_zone": { + "description": "DNS primary zone for the d4s-dev-cloud project", + "email": "postmaster@isti.cnr.it", + "ttl": "8600", + "zone_name": 
"cloud-dev.d4science.org." + }, + "dns_zone_id": "cbae638a-9d99-44aa-946c-0f5ffb7fc488", + "el7_data_file": "../../openstack_vm_data_scripts/el7.sh", + "external_gateway_ip": [ + { + "ip_address": "146.48.31.109", + "subnet_id": "57f87509-4016-46fb-b8c3-25fca7f72ccb" + } + ], + "external_network": { + "id": "1d2ff137-6ff7-4017-be2b-0d6c4af2353b", + "name": "external-network" + }, + "external_network_id": "1d2ff137-6ff7-4017-be2b-0d6c4af2353b", + "external_router": { + "description": "D4Science DEV main router", + "id": "2ae28c5f-036b-45db-bc9f-5bab8fa3e914", + "name": "d4s-dev-cloud-external-router" + }, + "flavor_list": { + "c1_large": "c1.large", + "c1_medium": "c1.medium", + "c1_small": "c1.small", + "c2_large": "c2.large", + "m1_large": "m1.large", + "m1_medium": "m1.medium", + "m1_xlarge": "m1.xlarge", + "m1_xxl": "m1.xxl", + "m2_large": "m2.large", + "m2_medium": "m2.medium", + "m2_small": "m2.small", + "m3_large": "m3.large" + }, + "floating_ip_pools": { + "main_public_ip_pool": "external-network" + }, + "haproxy_l7_data": { + "flavor": "m1.medium", + "haproxy_1": "haproxy-l7-1", + "haproxy_2": "haproxy-l7-2", + "name": "main-haproxy-l7", + "vm_count": "2" + }, + "internal_ca_data": { + "flavor": "m1.small", + "name": "ca" + }, + "main_haproxy_l7_ip": [ + "10.1.28.50", + "10.1.30.241" + ], + "main_private_network": { + "description": "D4Science DEV private network (use this as the main network)", + "name": "d4s-dev-cloud-main" + }, + "main_private_network_id": "e0af5eba-f24a-4d0d-8184-bc654b980c4a", + "main_private_subnet": { + "allocation_end": "10.1.31.254", + "allocation_start": "10.1.28.30", + "cidr": "10.1.28.0/22", + "description": "D4Science DEV main private subnet", + "gateway_ip": "10.1.28.1", + "name": "d4s-dev-cloud-sub" + }, + "main_region": "isti_area_pi_1", + "main_subnet_network_id": "2aa977f2-80b4-447c-a6b0-dfa06bf68751", + "mtu_size": 8942, + "networks_list": { + "cassandra": "cassandra-net", + "orientdb": "orientdb-net", + "orientdb_se": 
"orientdb-se-net", + "shared_postgresql": "postgresql-srv-net", + "swarm": "swarm-nfs-net", + "timescaledb": "timescaledb-net" + }, + "networks_with_d4s_services": { + "garr_ct1_net": "90.147.166.0/23", + "garr_na_net": "90.147.152.0/24", + "garr_pa1_net": "90.147.188.0/23", + "infrascience_net": "146.48.122.0/23", + "isti_net": "146.48.80.0/21", + "s2i2s_net": "146.48.28.0/22" + }, + "nfs_share_no_ingress_secgroup_id": "5887da8d-e362-4509-93ac-8a70bf8baef9", + "octavia_information": { + "main_lb_description": "Main L4 load balancer for the D4Science DEV", + "main_lb_hostname": "main-lb", + "main_lb_name": "lb-dev-l4", + "octavia_flavor": "octavia_amphora-mvcpu-ha", + "octavia_flavor_id": "394988b5-6603-4a1e-a939-8e177c6681c7" + }, + "os_project_data": { + "id": "e8f8ca72f30648a8b389b4e745ac83a9" + }, + "policy_list": { + "affinity": "affinity", + "anti_affinity": "anti-affinity", + "soft_affinity": "soft-affinity", + "soft_anti_affinity": "soft-anti-affinity" + }, + "prometheus_server_data": { + "flavor": "m1.medium", + "name": "prometheus", + "public_grafana_server_cidr": "146.48.28.103/32", + "vol_data_device": "/dev/vdb", + "vol_data_name": "prometheus-data", + "vol_data_size": "100" + }, + "resolvers_ip": [ + "146.48.29.97", + "146.48.29.98", + "146.48.29.99" + ], + "resource_registry_addresses": {}, + "security_group_list": { + "acaland": "acaland's dev machine", + "access_to_orientdb": "access_to_orientdb", + "access_to_orientdb_se": "access_to_orientdb_se", + "access_to_the_timescaledb_service": "access_to_the_timescaledb_service", + "cassandra": "Cassandra", + "dataminer-publish": "dataminer-publish", + "debugging_from_jump_node": "debugging_from_jump_node", + "default": "default", + "docker_swarm": "Docker Swarm", + "docker_swarm_NFS": "Docker Swarm NFS", + "haproxy": "traffic_from_main_lb_to_haproxy_l7", + "http_and_https_from_the_load_balancers": "traffic_from_the_main_load_balancers", + "limited_HTTPS_access": "restricted_web_service", + 
"limited_SSH_access": "Limited SSH access", + "mongo": "mongo", + "nfs_share_no_ingress": "nfs_share_no_ingress", + "orientdb_internal_docker_traffic": "orientdb_internal_docker_traffic", + "postgreSQL": "PostgreSQL service", + "public_HTTPS": "Public HTTPS" + }, + "shared_postgresql_server_data": { + "allocation_pool_end": "192.168.3.254", + "allocation_pool_start": "192.168.0.100", + "flavor": "m1.medium", + "name": "shared-postgresql-server", + "network_cidr": "192.168.0.0/22", + "network_description": "Network used to communicate with the shared postgresql service", + "network_name": "postgresql-srv-net", + "server_cidr": "192.168.0.5/22", + "server_ip": "192.168.0.5", + "vol_data_device": "/dev/vdb", + "vol_data_name": "shared-postgresql-data", + "vol_data_size": "100" + }, + "smartexecutor_addresses": {}, + "ssh_jump_proxy": { + "flavor": "m2.small", + "name": "ssh-jump-proxy" + }, + "ssh_sources": { + "d4s_vpn_1_cidr": "146.48.122.27/32", + "d4s_vpn_2_cidr": "146.48.122.49/32", + "infrascience_net_cidr": "146.48.122.0/23", + "s2i2s_vpn_1_cidr": "146.48.28.10/32", + "s2i2s_vpn_2_cidr": "146.48.28.11/32", + "shell_d4s_cidr": "146.48.122.95/32" + }, + "storage_nfs_network_id": "5f4023cc-4016-404c-94e5-86220095fbaf", + "storage_nfs_subnet_id": "6ff0f9e8-0e74-4cc3-a268-7ed4af435696", + "ubuntu1804_data_file": "../../openstack_vm_data_scripts/ubuntu1804.sh", + "ubuntu2204_data_file": "../../openstack_vm_data_scripts/ubuntu2204.sh", + "ubuntu_1804": { + "name": "Ubuntu-Bionic-18.04", + "user_data_file": "../../openstack_vm_data_scripts/ubuntu1804.sh", + "uuid": "7ed6a2cd-2b07-482e-8ce4-f018dff16c89" + }, + "ubuntu_2204": { + "name": "Ubuntu-Jammy-22.04", + "user_data_file": "../../openstack_vm_data_scripts/ubuntu2204.sh", + "uuid": "54768889-8556-4be4-a2eb-82a4d9b34627" + } + }, + "type": [ + "object", + { + "almalinux_9": [ + "map", + "string" + ], + "availability_zone_no_gpu_name": "string", + "availability_zone_with_gpu_name": "string", + 
"availability_zones_names": [ + "map", + "string" + ], + "basic_services_ip": [ + "map", + "string" + ], + "centos_7": [ + "map", + "string" + ], + "default_security_group_name": "string", + "dns_zone": [ + "map", + "string" + ], + "dns_zone_id": "string", + "el7_data_file": "string", + "external_gateway_ip": [ + "list", + [ + "object", + { + "ip_address": "string", + "subnet_id": "string" + } + ] + ], + "external_network": [ + "map", + "string" + ], + "external_network_id": "string", + "external_router": [ + "map", + "string" + ], + "flavor_list": [ + "map", + "string" + ], + "floating_ip_pools": [ + "map", + "string" + ], + "haproxy_l7_data": [ + "map", + "string" + ], + "internal_ca_data": [ + "map", + "string" + ], + "main_haproxy_l7_ip": [ + "list", + "string" + ], + "main_private_network": [ + "map", + "string" + ], + "main_private_network_id": "string", + "main_private_subnet": [ + "map", + "string" + ], + "main_region": "string", + "main_subnet_network_id": "string", + "mtu_size": "number", + "networks_list": [ + "map", + "string" + ], + "networks_with_d4s_services": [ + "map", + "string" + ], + "nfs_share_no_ingress_secgroup_id": "string", + "octavia_information": [ + "map", + "string" + ], + "os_project_data": [ + "map", + "string" + ], + "policy_list": [ + "map", + "string" + ], + "prometheus_server_data": [ + "map", + "string" + ], + "resolvers_ip": [ + "list", + "string" + ], + "resource_registry_addresses": [ + "map", + "string" + ], + "security_group_list": [ + "map", + "string" + ], + "shared_postgresql_server_data": [ + "map", + "string" + ], + "smartexecutor_addresses": [ + "map", + "string" + ], + "ssh_jump_proxy": [ + "map", + "string" + ], + "ssh_sources": [ + "map", + "string" + ], + "storage_nfs_network_id": "string", + "storage_nfs_subnet_id": "string", + "ubuntu1804_data_file": "string", + "ubuntu2204_data_file": "string", + "ubuntu_1804": [ + "map", + "string" + ], + "ubuntu_2204": [ + "map", + "string" + ] + } + ] + }, + "workspace": null 
}, - "sensitive_attributes": [], - "private": "bnVsbA==" + "sensitive_attributes": [] } ] }, { - "mode": "managed", - "type": "openstack_dns_recordset_v2", - "name": "keycloak_dev_dns_recordset", - "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "description": "Keycloak d4science dev endpoint", - "disable_status_check": false, - "id": "cbae638a-9d99-44aa-946c-0f5ffb7fc488/effa71d2-37ff-4237-9a6e-86f4c2e1c53f", - "name": "accounts.cloud-dev.d4science.org.", - "project_id": "e8f8ca72f30648a8b389b4e745ac83a9", - "records": [ - "main-lb.cloud-dev.d4science.org." - ], - "region": "isti_area_pi_1", - "timeouts": null, - "ttl": 8600, - "type": "CNAME", - "value_specs": null, - "zone_id": "cbae638a-9d99-44aa-946c-0f5ffb7fc488" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjYwMDAwMDAwMDAwMH19", - "dependencies": [ - "data.terraform_remote_state.privnet_dns_router" - ] - } - ] - }, - { - "mode": "managed", - "type": "openstack_objectstorage_container_v1", - "name": "keycloak_1", - "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "container_read": null, - "container_sync_key": null, - "container_sync_to": null, - "container_write": null, - "content_type": null, - "force_destroy": null, - "id": "keycloak", - "metadata": null, - "name": "keycloak", - "region": "isti_area_pi_1", - "storage_policy": "default-placement", - "versioning": false, - "versioning_legacy": [] - }, - "sensitive_attributes": [], - "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" - } - ] - }, - { - "module": "module.instance_without_data_volume", + "module": "module.keycloak", "mode": "managed", "type": "openstack_compute_instance_v2", - "name": "smartgears_service", + "name": 
"keycloak", "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", "instances": [ { - "index_key": "keycloak", + "index_key": 0, "schema_version": 0, "attributes": { - "access_ip_v4": "10.1.28.218", + "access_ip_v4": "10.1.31.104", "access_ip_v6": "", "admin_pass": null, "all_metadata": {}, @@ -515,34 +816,34 @@ } ], "config_drive": null, - "created": "2023-12-14 15:47:39 +0000 UTC", + "created": "2024-03-22 14:02:30 +0000 UTC", "flavor_id": "4", "flavor_name": "m1.medium", "floating_ip": null, "force_delete": false, - "id": "40dfb5fb-ec19-4f51-9fd6-1b1be47f66bb", + "id": "1d087839-d883-4e25-a2ee-a596640e3dff", "image_id": "Attempt to boot from volume - no image supplied", "image_name": null, - "key_pair": "mauromugnaini", + "key_pair": "adellam", "metadata": null, - "name": "keycloak", + "name": "keycloak-01", "network": [ { "access_network": false, - "fixed_ip_v4": "10.1.28.218", + "fixed_ip_v4": "10.1.31.104", "fixed_ip_v6": "", "floating_ip": "", - "mac": "fa:16:3e:ca:dc:34", + "mac": "fa:16:3e:21:8f:df", "name": "d4s-dev-cloud-main", "port": "", "uuid": "e0af5eba-f24a-4d0d-8184-bc654b980c4a" }, { "access_network": false, - "fixed_ip_v4": "192.168.2.143", + "fixed_ip_v4": "192.168.2.101", "fixed_ip_v6": "", "floating_ip": "", - "mac": "fa:16:3e:76:7c:b5", + "mac": "fa:16:3e:f8:d3:0b", "name": "postgresql-srv-net", "port": "", "uuid": "00422a4a-4b8b-4c85-acf9-ef733df842b9" 
@@ -552,26 +853,383 @@ "personality": [], "power_state": "active", "region": "isti_area_pi_1", - "scheduler_hints": [], + "scheduler_hints": [ + { + "additional_properties": {}, + "build_near_host_ip": "", + "different_cell": [], + "different_host": [], + "group": "23506021-0871-472e-b8f2-199ccdca8ec7", + "query": [], + "same_host": [], + "target_cell": "" + } + ], "security_groups": [ "default", - "traffic_from_the_main_load_balancers" + "keycloak_cluster_traffic", + "traffic_to_keycloak_from_the_main_load_balancers" ], "stop_before_destroy": false, "tags": [], "timeouts": null, - "updated": "2023-12-14 15:48:18 +0000 UTC", - "user_data": "bb83b25fd1219aa1b850ece9be8d7b0f31714608", + "updated": "2024-03-22 14:04:26 +0000 UTC", + "user_data": "47d4769e61324c305c4b70ed6673de4fad84150d", "vendor_options": [], "volume": [] }, "sensitive_attributes": [], "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInVwZGF0ZSI6MTgwMDAwMDAwMDAwMH19", "dependencies": [ - "data.terraform_remote_state.privnet_dns_router" + "module.keycloak.data.terraform_remote_state.privnet_dns_router", + "module.keycloak.openstack_compute_servergroup_v2.keycloak_server_group", + "module.keycloak.openstack_networking_secgroup_v2.keycloak_cluster_traffic", + "module.keycloak.openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak" ] } ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_compute_servergroup_v2", + "name": "keycloak_server_group", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "23506021-0871-472e-b8f2-199ccdca8ec7", + "members": [ + "1d087839-d883-4e25-a2ee-a596640e3dff" + ], + "name": "keycloak", + "policies": [ + "soft-anti-affinity" + ], + "region": "isti_area_pi_1", + "rules": [ + { + "max_server_per_host": 0 + } + ], + "value_specs": null + }, + 
"sensitive_attributes": [], + "private": "bnVsbA==" + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_dns_recordset_v2", + "name": "keycloak_dns_recordset", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "index_key": "keycloak_main_record", + "schema_version": 0, + "attributes": { + "description": "Keycloak dev endpoint", + "disable_status_check": false, + "id": "cbae638a-9d99-44aa-946c-0f5ffb7fc488/197bb339-e445-47e2-828b-e1b6b4da8368", + "name": "accounts.cloud-dev.d4science.org.", + "project_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "records": [ + "main-lb.cloud-dev.d4science.org." + ], + "region": "isti_area_pi_1", + "timeouts": null, + "ttl": 8600, + "type": "CNAME", + "value_specs": null, + "zone_id": "cbae638a-9d99-44aa-946c-0f5ffb7fc488" + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjYwMDAwMDAwMDAwMH19", + "dependencies": [ + "data.terraform_remote_state.privnet_dns_router", + "module.keycloak.data.terraform_remote_state.privnet_dns_router" + ] + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_rule_v2", + "name": "haproxy-l7-8443", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "index_key": "10.1.28.50", + "schema_version": 0, + "attributes": { + "description": "HTTPS traffic from HAPROXY L7 to Keycloak", + "direction": "ingress", + "ethertype": "IPv4", + "id": "ebc725ed-0133-46f4-a26c-498bfb4798b6", + "port_range_max": 9443, + "port_range_min": 9443, + "protocol": "tcp", + "region": "isti_area_pi_1", + "remote_group_id": "", + "remote_ip_prefix": "10.1.28.50/32", + "security_group_id": "cbbd4036-e1c4-43ac-80cd-24d3fbbef692", + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, 
+ "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "module.keycloak.data.terraform_remote_state.privnet_dns_router", + "module.keycloak.openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak" + ] + }, + { + "index_key": "10.1.30.241", + "schema_version": 0, + "attributes": { + "description": "HTTPS traffic from HAPROXY L7 to Keycloak", + "direction": "ingress", + "ethertype": "IPv4", + "id": "21b774d6-b0f2-4b2e-841e-32f5cb2e842a", + "port_range_max": 9443, + "port_range_min": 9443, + "protocol": "tcp", + "region": "isti_area_pi_1", + "remote_group_id": "", + "remote_ip_prefix": "10.1.30.241/32", + "security_group_id": "cbbd4036-e1c4-43ac-80cd-24d3fbbef692", + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "module.keycloak.data.terraform_remote_state.privnet_dns_router", + "module.keycloak.openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak" + ] + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_rule_v2", + "name": "igmp_egress_between_keycloak_nodes", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "description": "Egress IGMP traffic between keycloak nodes", + "direction": "egress", + "ethertype": "IPv4", + "id": "0856a12c-f897-43a8-bdaa-91355930f1c0", + "port_range_max": 0, + "port_range_min": 0, + "protocol": "igmp", + "region": "isti_area_pi_1", + "remote_group_id": "", + "remote_ip_prefix": "0.0.0.0/0", + "security_group_id": "6d68b513-7ecd-43da-9cee-8f82b567049c", + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, + "sensitive_attributes": [], + "private": 
"eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "module.keycloak.openstack_networking_secgroup_v2.keycloak_cluster_traffic" + ] + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_rule_v2", + "name": "igmp_ingress_between_keycloak_nodes", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "description": "Ingress IGMP traffic between keycloak nodes", + "direction": "ingress", + "ethertype": "IPv4", + "id": "3f6419b5-8079-4445-80dd-5bb259705664", + "port_range_max": 0, + "port_range_min": 0, + "protocol": "igmp", + "region": "isti_area_pi_1", + "remote_group_id": "", + "remote_ip_prefix": "0.0.0.0/0", + "security_group_id": "6d68b513-7ecd-43da-9cee-8f82b567049c", + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "module.keycloak.openstack_networking_secgroup_v2.keycloak_cluster_traffic" + ] + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_rule_v2", + "name": "tcp_traffic_between_keycloak_nodes", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "description": "TCP traffic between keycloak nodes", + "direction": "ingress", + "ethertype": "IPv4", + "id": "399505c1-e0d3-4077-85d7-e000a46dfa8e", + "port_range_max": 0, + "port_range_min": 0, + "protocol": "tcp", + "region": "isti_area_pi_1", + "remote_group_id": "", + "remote_ip_prefix": "10.1.31.104/32", + "security_group_id": "6d68b513-7ecd-43da-9cee-8f82b567049c", + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + 
}, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "module.keycloak.data.terraform_remote_state.privnet_dns_router", + "module.keycloak.openstack_compute_instance_v2.keycloak", + "module.keycloak.openstack_compute_servergroup_v2.keycloak_server_group", + "module.keycloak.openstack_networking_secgroup_v2.keycloak_cluster_traffic", + "module.keycloak.openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak" + ] + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_rule_v2", + "name": "udp_traffic_between_keycloak_nodes", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "description": "UDP traffic between keycloak nodes", + "direction": "ingress", + "ethertype": "IPv4", + "id": "88c61a79-d86f-4f07-a0a7-91f0033b242a", + "port_range_max": 0, + "port_range_min": 0, + "protocol": "udp", + "region": "isti_area_pi_1", + "remote_group_id": "", + "remote_ip_prefix": "10.1.31.104/32", + "security_group_id": "6d68b513-7ecd-43da-9cee-8f82b567049c", + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "module.keycloak.data.terraform_remote_state.privnet_dns_router", + "module.keycloak.openstack_compute_instance_v2.keycloak", + "module.keycloak.openstack_compute_servergroup_v2.keycloak_server_group", + "module.keycloak.openstack_networking_secgroup_v2.keycloak_cluster_traffic", + "module.keycloak.openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak" + ] + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_v2", + "name": 
"keycloak_cluster_traffic", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "all_tags": [], + "delete_default_rules": true, + "description": "Traffic between the keycloak cluster nodes", + "id": "6d68b513-7ecd-43da-9cee-8f82b567049c", + "name": "keycloak_cluster_traffic", + "region": "isti_area_pi_1", + "tags": [], + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==" + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_networking_secgroup_v2", + "name": "traffic_from_haproxy_to_keycloak", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "all_tags": [], + "delete_default_rules": true, + "description": "Allow traffic from the main L7 HAPROXY load balancers to keycloak", + "id": "cbbd4036-e1c4-43ac-80cd-24d3fbbef692", + "name": "traffic_to_keycloak_from_the_main_load_balancers", + "region": "isti_area_pi_1", + "tags": [], + "tenant_id": "e8f8ca72f30648a8b389b4e745ac83a9", + "timeouts": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==" + } + ] + }, + { + "module": "module.keycloak", + "mode": "managed", + "type": "openstack_objectstorage_container_v1", + "name": "keycloak_1", + "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]", + "instances": [ + { + "schema_version": 1, + "attributes": { + "container_read": null, + "container_sync_key": null, + "container_sync_to": null, + "container_write": null, + "content_type": null, + "force_destroy": false, + "id": "keycloak-data-dev", + "metadata": null, + "name": "keycloak-data-dev", + "region": 
"isti_area_pi_1", + "storage_policy": "default-placement", + "versioning": false, + "versioning_legacy": [] + }, + "sensitive_attributes": [], + "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" + } + ] } ], "check_results": null diff --git a/openstack-tf/modules/keycloak/keycloak-outputs.tf b/openstack-tf/modules/keycloak/keycloak-outputs.tf new file mode 100644 index 0000000..c358bf8 --- /dev/null +++ b/openstack-tf/modules/keycloak/keycloak-outputs.tf @@ -0,0 +1,11 @@ +output "keycloak_data" { + value = var.keycloak_data +} + +output "keycloak_recordsets" { + value = var.keycloak_recordsets +} + +output "keycloak_object_store" { + value = var.keycloak_object_store +} \ No newline at end of file diff --git a/openstack-tf/modules/keycloak/keycloak-variables.tf b/openstack-tf/modules/keycloak/keycloak-variables.tf new file mode 100644 index 0000000..368240b --- /dev/null +++ b/openstack-tf/modules/keycloak/keycloak-variables.tf @@ -0,0 +1,27 @@ +variable "keycloak_data" { + type = map(string) + default = { + affinity_policy = "soft-anti-affinity" + srv_name = "keycloak" + vm_count = 1 + vm_flavor = "m1.medium" + boot_vol_size = 10 + } +} + +variable "keycloak_recordsets" { + type = map(object({ + name = string + description = string + })) + default = { + keycloak_dns_record = { + name = "", + description = "" + } + } +} + +variable "keycloak_object_store" { + default = "" +} diff --git a/openstack-tf/modules/keycloak/keycloak.tf b/openstack-tf/modules/keycloak/keycloak.tf new file mode 100644 index 0000000..a47a525 --- /dev/null +++ b/openstack-tf/modules/keycloak/keycloak.tf 
@@ -0,0 +1,134 @@
+#
+# keycloak nodes
+#
+#
+# Security group
+#
+resource "openstack_networking_secgroup_v2" "keycloak_cluster_traffic" {
+ name = "keycloak_cluster_traffic"
+ delete_default_rules = "true"
+ description = "Traffic between the keycloak cluster nodes"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "tcp_traffic_between_keycloak_nodes" {
+ count = var.keycloak_data.vm_count
+ security_group_id = openstack_networking_secgroup_v2.keycloak_cluster_traffic.id
+ description = "TCP traffic between keycloak nodes"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ remote_ip_prefix = join("/", [openstack_compute_instance_v2.keycloak[count.index].access_ip_v4, "32"])
+}
+
+resource "openstack_networking_secgroup_rule_v2" "udp_traffic_between_keycloak_nodes" {
+ count = var.keycloak_data.vm_count
+ security_group_id = openstack_networking_secgroup_v2.keycloak_cluster_traffic.id
+ description = "UDP traffic between keycloak nodes"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ remote_ip_prefix = join("/", [openstack_compute_instance_v2.keycloak[count.index].access_ip_v4, "32"])
+}
+
+resource "openstack_networking_secgroup_rule_v2" "igmp_ingress_between_keycloak_nodes" {
+ security_group_id = openstack_networking_secgroup_v2.keycloak_cluster_traffic.id
+ description = "Ingress IGMP traffic between keycloak nodes"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "igmp"
+ remote_ip_prefix = "0.0.0.0/0"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "igmp_egress_between_keycloak_nodes" {
+ security_group_id = openstack_networking_secgroup_v2.keycloak_cluster_traffic.id
+ description = "Egress IGMP traffic between keycloak nodes"
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "igmp"
+ remote_ip_prefix = "0.0.0.0/0"
+}
+
+# Traffic from the main HAPROXY load balancers
+#
+resource "openstack_networking_secgroup_v2" "traffic_from_haproxy_to_keycloak" {
+ name = "traffic_to_keycloak_from_the_main_load_balancers"
+ delete_default_rules = "true"
+ description = "Allow traffic from the main L7 HAPROXY load balancers to keycloak"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-8443" {
+ for_each = { for ha_ip in data.terraform_remote_state.privnet_dns_router.outputs.main_haproxy_l7_ip : join("", [ha_ip]) => ha_ip }
+ security_group_id = openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak.id
+ description = "HTTPS traffic from HAPROXY L7 to Keycloak"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9443
+ port_range_max = 9443
+ remote_ip_prefix = join("/", [each.value, "32"])
+}
+
+# Creating object bucket to store avatars
+resource "openstack_objectstorage_container_v1" "keycloak_1" {
+ name = var.keycloak_object_store
+}
+
+#
+# Server group
+#
+resource "openstack_compute_servergroup_v2" "keycloak_server_group" {
+ name = "keycloak"
+ policies = [var.keycloak_data.affinity_policy]
+}
+
+# Instance(s)
+resource "openstack_compute_instance_v2" "keycloak" {
+ count = var.keycloak_data.vm_count
+ name = format("%s-%02d", var.keycloak_data.srv_name, count.index + 1)
+ availability_zone_hints = module.common_variables.availability_zones_names.availability_zone_no_gpu
+ flavor_name = var.keycloak_data.vm_flavor
+ key_pair = module.ssh_settings.ssh_key_name
+ security_groups = [data.terraform_remote_state.privnet_dns_router.outputs.default_security_group_name, openstack_networking_secgroup_v2.keycloak_cluster_traffic.name, openstack_networking_secgroup_v2.traffic_from_haproxy_to_keycloak.name]
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.keycloak_server_group.id
+ }
+ block_device {
+ uuid = data.terraform_remote_state.privnet_dns_router.outputs.ubuntu_2204.uuid
+ source_type = "image"
+ volume_size = var.keycloak_data.boot_vol_size
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = false
+ }
+
+ network {
+ name = data.terraform_remote_state.privnet_dns_router.outputs.main_private_network.name
+ }
+ network {
+ name = module.common_variables.shared_postgresql_server_data.network_name
+ }
+
+ user_data = file("${data.terraform_remote_state.privnet_dns_router.outputs.ubuntu1804_data_file}")
+ # Do not replace the instance when the ssh key changes
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to tags, e.g. because a management agent
+ # updates these based on some ruleset managed elsewhere.
+ key_pair, user_data, network
+ ]
+ }
+}
+
+locals {
+ cname_target = "main-lb.${data.terraform_remote_state.privnet_dns_router.outputs.dns_zone.zone_name}"
+}
+
+resource "openstack_dns_recordset_v2" "keycloak_dns_recordset" {
+ for_each = var.keycloak_recordsets
+ zone_id = data.terraform_remote_state.privnet_dns_router.outputs.dns_zone_id
+ name = each.value.name
+ description = each.value.description
+ ttl = 8600
+ type = "CNAME"
+ records = [local.cname_target]
+}
diff --git a/openstack-tf/modules/keycloak/terraform-provider.tf b/openstack-tf/modules/keycloak/terraform-provider.tf
new file mode 100644
index 0000000..0e76179
--- /dev/null
+++ b/openstack-tf/modules/keycloak/terraform-provider.tf
@@ -0,0 +1,29 @@
+# Define required providers
+terraform {
+ required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ # version = "~> 1.53.0"
+ }
+ }
+}
+
+data "terraform_remote_state" "privnet_dns_router" {
+ backend = "local"
+
+ config = {
+ path = "../project-setup/terraform.tfstate"
+ }
+}
+
+# SSH settings
+module "ssh_settings" {
+ source = "../../modules/ssh-key-ref"
+}
+
+# Global variables (constants, really)
+module "common_variables" {
+ source = "../../modules/common_variables"
+}
+
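Review bot: `user_data = file("${...ubuntu1804_data_file}")` boots the `ubuntu_2204.uuid` image with the 18.04 bootstrap script, even though the same remote state exposes `ubuntu_2204.user_data_file` and `ubuntu2204_data_file`; change it to `user_data = file(data.terraform_remote_state.privnet_dns_router.outputs.ubuntu_2204.user_data_file)` (the `"${...}"` wrapper is redundant) unless reusing the 18.04 script is intentional, in which case a comment should say so. The intra-cluster rules `tcp_traffic_between_keycloak_nodes` and `udp_traffic_between_keycloak_nodes` open every TCP and UDP port from each node's `/32`, and the two IGMP rules accept `0.0.0.0/0`; one rule per protocol with `remote_group_id = openstack_networking_secgroup_v2.keycloak_cluster_traffic.id` instead of `count` plus `remote_ip_prefix` covers every member of the group without a per-instance rule that must wait for the instance's address, and the IGMP ingress can be bounded to `outputs.main_private_subnet.cidr`, which the remote state already provides. The rule named `haproxy-l7-8443` opens port 9443, so rename it to match, and its `for_each` key `join("", [ha_ip])` is just `tostring(ha_ip)`. The comment inside `lifecycle` about tags and a management agent is template text that does not describe `key_pair, user_data, network`; replace it with why those three are ignored, since the line above ("Do not replace the instance when the ssh key changes") explains `key_pair` only.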
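Review bot: `data "terraform_remote_state" "privnet_dns_router"` inside the module resolves `../project-setup/terraform.tfstate` relative to the directory Terraform is run from, not relative to `modules/keycloak`, so the module only works when the calling root sits next to a `project-setup` directory, and the root `main.tf` already declares the same data source (the state records both `data.terraform_remote_state.privnet_dns_router` and `module.keycloak.data.terraform_remote_state.privnet_dns_router`). Either make the assumption explicit with `path = "${path.root}/../project-setup/terraform.tfstate"` and a comment, or have the root pass the handful of outputs the module uses in as variables and drop this duplicate read. The commented-out `# version = "~> 1.53.0"` leaves the provider unconstrained here too, as noted on the `d4s-dev/keycloak/main.tf` hunk.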