From 0c9f46f9bb1cdce20414d8072971e31f31677523 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 1 Dec 2023 12:18:39 +0100 Subject: [PATCH] common_setups is not relevant anymore. --- .../common_setups/15-security-groups.tf | 373 ------------------ openstack-tf/common_setups/20-octavia.tf | 186 --------- .../common_setups/25-ssh-jump-proxy.tf | 47 --- openstack-tf/common_setups/30-internal-ca.tf | 21 - openstack-tf/common_setups/35-prometheus.tf | 68 ---- openstack-tf/common_setups/40-postgresql.tf | 87 ---- openstack-tf/common_setups/45-haproxy.tf | 138 ------- 7 files changed, 920 deletions(-) delete mode 100644 openstack-tf/common_setups/15-security-groups.tf delete mode 100644 openstack-tf/common_setups/20-octavia.tf delete mode 100644 openstack-tf/common_setups/25-ssh-jump-proxy.tf delete mode 100644 openstack-tf/common_setups/30-internal-ca.tf delete mode 100644 openstack-tf/common_setups/35-prometheus.tf delete mode 100644 openstack-tf/common_setups/40-postgresql.tf delete mode 100644 openstack-tf/common_setups/45-haproxy.tf diff --git a/openstack-tf/common_setups/15-security-groups.tf b/openstack-tf/common_setups/15-security-groups.tf deleted file mode 100644 index ac82b97..0000000 --- a/openstack-tf/common_setups/15-security-groups.tf +++ /dev/null @@ -1,373 +0,0 @@ -# -# This is the security group that should be added to every instance -resource "openstack_networking_secgroup_v2" "default" { - name = var.default_security_group_name - delete_default_rules = "true" - description = "Default security group with rules for ssh access via jump proxy, prometheus scraping" -} - -resource "openstack_networking_secgroup_rule_v2" "egress-ipv4" { - security_group_id = openstack_networking_secgroup_v2.default.id - direction = "egress" - ethertype = "IPv4" -} - -resource "openstack_networking_secgroup_rule_v2" "ingress-icmp" { - security_group_id = openstack_networking_secgroup_v2.default.id - description = "Allow ICMP from remote" - direction = "ingress" - ethertype = "IPv4" - remote_ip_prefix = "0.0.0.0/0" - protocol = "icmp" -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-jump-proxy" { - security_group_id = openstack_networking_secgroup_v2.default.id - description = "SSH traffic from the jump proxy" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.basic_services_ip.ssh_jump_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "prometheus-node" { - security_group_id = openstack_networking_secgroup_v2.default.id - description = "Prometheus access to the node exporter" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 9100 - port_range_max = 9100 - remote_ip_prefix = var.basic_services_ip.prometheus_cidr -} - -# -# SSH access to the jump proxy. Used by the jump proxy VM only -resource "openstack_networking_secgroup_v2" "access_to_the_jump_proxy" { - name = "ssh_access_to_the_jump_node" - delete_default_rules = "true" - description = "Security group that allows SSH access to the jump node from a limited set of sources" -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-s2i2s-vpn-1" { - security_group_id = openstack_networking_secgroup_v2.access_to_the_jump_proxy.id - description = "SSH traffic from S2I2S VPN 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.ssh_sources.s2i2s_vpn_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-s2i2s-vpn-2" { - security_group_id = openstack_networking_secgroup_v2.access_to_the_jump_proxy.id - description = "SSH traffic from S2I2S VPN 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-d4s-vpn-1" { - security_group_id = openstack_networking_secgroup_v2.access_to_the_jump_proxy.id - description = "SSH traffic from D4Science VPN 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.ssh_sources.d4s_vpn_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-d4s-vpn-2" { - security_group_id = openstack_networking_secgroup_v2.access_to_the_jump_proxy.id - description = "SSH traffic from D4Science VPN 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-shell-d4s" { - security_group_id = openstack_networking_secgroup_v2.access_to_the_jump_proxy.id - description = "SSH traffic from shell.d4science.org" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.ssh_sources.shell_d4s_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "ssh-infrascience-net" { - security_group_id = openstack_networking_secgroup_v2.access_to_the_jump_proxy.id - description = "SSH traffic from the InfraScience network" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = var.ssh_sources.infrascience_net_cidr -} - -# Debug via tunnel from the jump proxy node -resource "openstack_networking_secgroup_v2" "debugging" { - name = "debugging_from_jump_node" - delete_default_rules = "true" - description = "Security group that allows web app debugging via tunnel from the ssh jump node" -} - -resource "openstack_networking_secgroup_rule_v2" "shell_8100" { - security_group_id = openstack_networking_secgroup_v2.debugging.id - description = "Tomcat debug on port 8100 from the shell jump proxy" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8100 - port_range_max = 8100 - remote_ip_prefix = var.basic_services_ip.ssh_jump_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "shell_80" { - security_group_id = openstack_networking_secgroup_v2.debugging.id - description = "http debug port 80 from the shell jump proxy" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = var.basic_services_ip.ssh_jump_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "shell_443" { - security_group_id = openstack_networking_secgroup_v2.debugging.id - description = "https debug port 443 from the shell jump proxy" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.basic_services_ip.ssh_jump_cidr -} - -# Traffic from the main HAPROXY load balancers -# Use on the web services that are exposed through the main HAPROXY -resource "openstack_networking_secgroup_v2" "traffic_from_main_haproxy" { - name = "traffic_from_the_main_load_balancers" - delete_default_rules = "true" - description = "Allow traffic from the main L7 HAPROXY load balancers" -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-1-80" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTP traffic from HAPROXY L7 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-2-80" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTP traffic from HAPROXY L7 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-1-443" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTPS traffic from HAPROXY L7 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-2-443" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTPS traffic from HAPROXY L7 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-1-8080" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTP traffic from HAPROXY L7 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8080 - port_range_max = 8080 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-2-8080" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTP traffic from HAPROXY L7 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8080 - port_range_max = 8080 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-1-8888" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTP traffic from HAPROXY L7 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8888 - port_range_max = 8888 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy-l7-2-8888" { - security_group_id = openstack_networking_secgroup_v2.traffic_from_main_haproxy.id - description = "HTTP traffic from HAPROXY L7 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8888 - port_range_max = 8888 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_2_cidr -} - -# Security group that exposes web services directly. A floating IP is required. -resource "openstack_networking_secgroup_v2" "public_web" { - name = "public_web_service" - delete_default_rules = "true" - description = "Security group that allows HTTPS and HTTP from everywhere, for the services that are not behind any load balancer" -} - -resource "openstack_networking_secgroup_rule_v2" "public_http" { - security_group_id = openstack_networking_secgroup_v2.public_web.id - description = "Allow HTTP from everywhere" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" -} - -resource "openstack_networking_secgroup_rule_v2" "public_https" { - security_group_id = openstack_networking_secgroup_v2.public_web.id - description = "Allow HTTPS from everywhere" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = "0.0.0.0/0" -} - -# HTTP and HTTPS access through the VPN nodes. Floating IP is required -resource "openstack_networking_secgroup_v2" "restricted_web" { - name = "restricted_web_service" - delete_default_rules = "true" - description = "Security group that restricts HTTPS sources to the VPN nodes and shell.d4science.org. HTTP is open to all, because letsencrypt" -} - -resource "openstack_networking_secgroup_rule_v2" "http_from_everywhere" { - security_group_id = openstack_networking_secgroup_v2.restricted_web.id - description = "Allow HTTP from everywhere" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" -} - -resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_1" { - security_group_id = openstack_networking_secgroup_v2.restricted_web.id - description = "Allow HTTPS from D4Science VPN 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.ssh_sources.d4s_vpn_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_2" { - security_group_id = openstack_networking_secgroup_v2.restricted_web.id - description = "Allow HTTPS from D4Science VPN 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_1" { - security_group_id = openstack_networking_secgroup_v2.restricted_web.id - description = "Allow HTTPS from S2I2S VPN 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.ssh_sources.s2i2s_vpn_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_2" { - security_group_id = openstack_networking_secgroup_v2.restricted_web.id - description = "Allow HTTPS from S2I2S VPN 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "https_from_shell_d4s" { - security_group_id = openstack_networking_secgroup_v2.restricted_web.id - description = "Allow HTTPS from shell.d4science.org" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.ssh_sources.shell_d4s_cidr -} - -resource "openstack_networking_secgroup_v2" "prometheus_access_from_grafana" { - name = "prometheus_access_from_grafana" - delete_default_rules = "true" - description = "The public grafana server must be able to get data from Prometheus" -} - -resource "openstack_networking_secgroup_rule_v2" "grafana_d4s" { - security_group_id = openstack_networking_secgroup_v2.prometheus_access_from_grafana.id - description = "Allow HTTPS from grafana.d4science.org" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.prometheus_server_data.public_grafana_server_cidr -} diff --git a/openstack-tf/common_setups/20-octavia.tf b/openstack-tf/common_setups/20-octavia.tf deleted file mode 100644 index 4a8cbd5..0000000 --- a/openstack-tf/common_setups/20-octavia.tf +++ /dev/null @@ -1,186 +0,0 @@ -# Main load balancer. L4, backed by Octavia -resource "openstack_lb_loadbalancer_v2" "main_lb" { - vip_subnet_id = var.main_private_subnet_id - name = var.octavia_information.main_lb_name - description = var.octavia_information.main_lb_description - flavor_id = var.octavia_information.octavia_flavor_id - vip_address = var.basic_services_ip.octavia_main - loadbalancer_provider = "amphora" -} - -# Allocate a floating IP -resource "openstack_networking_floatingip_v2" "main_lb_ip" { - pool = var.floating_ip_pools.main_public_ip_pool - # The DNS association does not work because of a bug in the OpenStack API - # dns_name = "main-lb" - # dns_domain = var.dns_zone.zone_name - description = var.octavia_information.main_lb_description -} - -resource "openstack_networking_floatingip_associate_v2" "main_lb" { - floating_ip = openstack_networking_floatingip_v2.main_lb_ip.address - port_id = openstack_lb_loadbalancer_v2.main_lb.vip_port_id -} - -locals { - recordset_name = "${var.octavia_information.main_lb_hostname}.${var.dns_zone.zone_name}" -} - -resource "openstack_dns_recordset_v2" "main_lb_dns_recordset" { - zone_id = var.dns_zone_id - name = local.recordset_name - description = "Public IP address of the main load balancer" - ttl = 8600 - type = "A" - records = [openstack_networking_floatingip_v2.main_lb_ip.address] -} - -# Main HAPROXY stats listener -resource "openstack_lb_listener_v2" "main_haproxy_stats_listener" { - loadbalancer_id = openstack_lb_loadbalancer_v2.main_lb.id - protocol = "TCP" - protocol_port = 8880 - description = "Listener for the stats of the main HAPROXY instances" - name = "main_haproxy_stats_listener" - allowed_cidrs = [var.ssh_sources.d4s_vpn_1_cidr,var.ssh_sources.d4s_vpn_2_cidr,var.ssh_sources.s2i2s_vpn_1_cidr,var.ssh_sources.s2i2s_vpn_2_cidr] - -} - -resource "openstack_lb_pool_v2" "main_haproxy_stats_pool" { - listener_id = openstack_lb_listener_v2.main_haproxy_stats_listener.id - protocol = "TCP" - lb_method = "LEAST_CONNECTIONS" - name = "main-haproxy-lb-stats" - description = "Pool for the stats of the main HAPROXY instances" - persistence { - type = "SOURCE_IP" - } -} - -resource "openstack_lb_members_v2" "main_haproxy_stats_pool_members" { - pool_id = openstack_lb_pool_v2.main_haproxy_stats_pool.id - member { - name = "haproxy l7 1" - address = var.basic_services_ip.haproxy_l7_1 - protocol_port = 8880 - } - member { - name = "haproxy l7 2" - address = var.basic_services_ip.haproxy_l7_2 - protocol_port = 8880 - } -} - -resource "openstack_lb_monitor_v2" "main_haproxy_stats_monitor" { - pool_id = openstack_lb_pool_v2.main_haproxy_stats_pool.id - name = "main_haproxy_stats_monitor" - type = "TCP" - delay = 20 - timeout = 5 - max_retries = 3 - admin_state_up = true -} - -# Main HAPROXY HTTP -resource "openstack_lb_listener_v2" "main_haproxy_http_listener" { - loadbalancer_id = openstack_lb_loadbalancer_v2.main_lb.id - protocol = "TCP" - protocol_port = 80 - description = "HTTP listener of the main HAPROXY instances" - name = "main_haproxy_http_listener" - admin_state_up = true -} - -resource "openstack_lb_pool_v2" "main_haproxy_http_pool" { - listener_id = openstack_lb_listener_v2.main_haproxy_http_listener.id - protocol = "PROXYV2" - lb_method = "LEAST_CONNECTIONS" - name = "main-haproxy-lb-http" - description = "Pool for the HTTP listener of the main HAPROXY instances" - persistence { - type = "SOURCE_IP" - } - admin_state_up = true -} - -resource "openstack_lb_members_v2" "main_haproxy_http_pool_members" { - pool_id = openstack_lb_pool_v2.main_haproxy_http_pool.id - member { - name = "haproxy l7 1" - address = var.basic_services_ip.haproxy_l7_1 - protocol_port = 80 - } - member { - name = "haproxy l7 2" - address = var.basic_services_ip.haproxy_l7_2 - protocol_port = 80 - } -} - -resource "openstack_lb_monitor_v2" "main_haproxy_http_monitor" { - pool_id = openstack_lb_pool_v2.main_haproxy_http_pool.id - name = "main_haproxy_http_monitor" - type = "HTTP" - http_method = "GET" - url_path = "/_haproxy_health_check" - expected_codes = "200" - delay = 20 - timeout = 5 - max_retries = 3 - admin_state_up = true -} - -# Main HAPROXY HTTPS -resource "openstack_lb_listener_v2" "main_haproxy_https_listener" { - loadbalancer_id = openstack_lb_loadbalancer_v2.main_lb.id - protocol = "TCP" - protocol_port = 443 - description = "HTTPS listener of the main HAPROXY instances" - name = "main_haproxy_https_listener" - admin_state_up = true -} - -resource "openstack_lb_pool_v2" "main_haproxy_https_pool" { - listener_id = openstack_lb_listener_v2.main_haproxy_https_listener.id - protocol = "PROXYV2" - lb_method = "LEAST_CONNECTIONS" - name = "main-haproxy-lb-https" - description = "Pool for the HTTPS listener of the main HAPROXY instances" - persistence { - type = "SOURCE_IP" - } - admin_state_up = true -} - -resource "openstack_lb_members_v2" "main_haproxy_https_pool_members" { - pool_id = openstack_lb_pool_v2.main_haproxy_https_pool.id - member { - name = "haproxy l7 1" - address = var.basic_services_ip.haproxy_l7_1 - protocol_port = 443 - } - member { - name = "haproxy l7 2" - address = var.basic_services_ip.haproxy_l7_2 - protocol_port = 443 - } -} - -resource "openstack_lb_monitor_v2" "main_haproxy_https_monitor" { - pool_id = openstack_lb_pool_v2.main_haproxy_https_pool.id - name = "main_haproxy_https_monitor" - type = "HTTPS" - http_method = "GET" - url_path = "/_haproxy_health_check" - expected_codes = "200" - delay = 20 - timeout = 5 - max_retries = 3 - admin_state_up = true -} - -output "main_loadbalancer_ip" { - description = "Main Load balancer IP address" - value = openstack_lb_loadbalancer_v2.main_lb.vip_address -} - diff --git a/openstack-tf/common_setups/25-ssh-jump-proxy.tf b/openstack-tf/common_setups/25-ssh-jump-proxy.tf deleted file mode 100644 index 7f8097e..0000000 --- a/openstack-tf/common_setups/25-ssh-jump-proxy.tf +++ /dev/null @@ -1,47 +0,0 @@ -# VM used as jump proxy. A floating IP is required -resource "openstack_compute_instance_v2" "ssh_jump_proxy" { - name = var.ssh_jump_proxy.name - availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu - flavor_name = var.ssh_jump_proxy.flavor - key_pair = module.ssh_settings.ssh_key_name - security_groups = [var.default_security_group_name,openstack_networking_secgroup_v2.access_to_the_jump_proxy.name] - block_device { - uuid = var.ubuntu_2204.uuid - source_type = "image" - volume_size = 30 - boot_index = 0 - destination_type = "volume" - delete_on_termination = false - } - - network { - name = var.main_private_network.name - fixed_ip_v4 = var.basic_services_ip.ssh_jump - } - user_data = "${file("${var.ubuntu2204_data_file}")}" -} - -# Floating IP and DNS record -resource "openstack_networking_floatingip_v2" "ssh_jump_proxy_ip" { - pool = var.floating_ip_pools.main_public_ip_pool - # The DNS association does not work because of a bug in the OpenStack API - description = "SSH Proxy Jump Server" -} - -resource "openstack_compute_floatingip_associate_v2" "ssh_jump_proxy" { - floating_ip = openstack_networking_floatingip_v2.ssh_jump_proxy_ip.address - instance_id = openstack_compute_instance_v2.ssh_jump_proxy.id -} - -locals { - ssh_recordset_name = "${var.ssh_jump_proxy.name}.${var.dns_zone.zone_name}" -} - -resource "openstack_dns_recordset_v2" "ssh_jump_proxy_recordset" { - zone_id = var.dns_zone_id - name = local.ssh_recordset_name - description = "Public IP address of the SSH Proxy Jump server" - ttl = 8600 - type = "A" - records = [openstack_networking_floatingip_v2.ssh_jump_proxy_ip.address] -} diff --git a/openstack-tf/common_setups/30-internal-ca.tf b/openstack-tf/common_setups/30-internal-ca.tf deleted file mode 100644 index b346b5f..0000000 --- a/openstack-tf/common_setups/30-internal-ca.tf +++ /dev/null @@ -1,21 +0,0 @@ -resource "openstack_compute_instance_v2" "internal_ca" { - name = var.internal_ca_data.name - availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu - flavor_name = var.internal_ca_data.flavor - key_pair = module.ssh_settings.ssh_key_name - security_groups = [var.default_security_group_name] - block_device { - uuid = var.ubuntu_2204.uuid - source_type = "image" - volume_size = 10 - boot_index = 0 - destination_type = "volume" - delete_on_termination = false - } - - network { - name = var.main_private_network.name - fixed_ip_v4 = var.basic_services_ip.ca - } - user_data = "${file("${var.ubuntu2204_data_file}")}" -} diff --git a/openstack-tf/common_setups/35-prometheus.tf b/openstack-tf/common_setups/35-prometheus.tf deleted file mode 100644 index b745e81..0000000 --- a/openstack-tf/common_setups/35-prometheus.tf +++ /dev/null @@ -1,68 +0,0 @@ -# Promertheus server. A floating IP is required -resource "openstack_blockstorage_volume_v3" "prometheus_data_vol" { - name = var.prometheus_server_data.vol_data_name - size = var.prometheus_server_data.vol_data_size -} - -resource "openstack_compute_instance_v2" "prometheus_server" { - name = var.prometheus_server_data.name - availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu - flavor_name = var.prometheus_server_data.flavor - key_pair = module.ssh_settings.ssh_key_name - security_groups = [var.default_security_group_name, openstack_networking_secgroup_v2.restricted_web.name, openstack_networking_secgroup_v2.prometheus_access_from_grafana.name] - block_device { - uuid = var.ubuntu_2204.uuid - source_type = "image" - volume_size = 10 - boot_index = 0 - destination_type = "volume" - delete_on_termination = false - } - - network { - name = var.main_private_network.name - fixed_ip_v4 = var.basic_services_ip.prometheus - } - user_data = file("${var.ubuntu2204_data_file}") -} - -resource "openstack_compute_volume_attach_v2" "prometheus_data_attach_vol" { - instance_id = openstack_compute_instance_v2.prometheus_server.id - volume_id = openstack_blockstorage_volume_v3.prometheus_data_vol.id - device = var.prometheus_server_data.vol_data_device -} - -# Floating IP and DNS record -resource "openstack_networking_floatingip_v2" "prometheus_server_ip" { - pool = var.floating_ip_pools.main_public_ip_pool - # The DNS association does not work because of a bug in the OpenStack API - description = "Prometheus server" -} - -resource "openstack_compute_floatingip_associate_v2" "prometheus_server" { - floating_ip = openstack_networking_floatingip_v2.prometheus_server_ip.address - instance_id = openstack_compute_instance_v2.prometheus_server.id -} - -locals { - prometheus_recordset_name = "${var.prometheus_server_data.name}.${var.dns_zone.zone_name}" - alertmanager_recordset_name = "alertmanager.${var.dns_zone.zone_name}" -} - -resource "openstack_dns_recordset_v2" "prometheus_server_recordset" { - zone_id = var.dns_zone_id - name = local.prometheus_recordset_name - description = "Public IP address of the Prometheus server" - ttl = 8600 - type = "A" - records = [openstack_networking_floatingip_v2.prometheus_server_ip.address] -} - -resource "openstack_dns_recordset_v2" "alertmanager_server_recordset" { - zone_id = var.dns_zone_id - name = local.alertmanager_recordset_name - description = "Prometheus alertmanager" - ttl = 8600 - type = "CNAME" - records = [local.prometheus_recordset_name] -} diff --git a/openstack-tf/common_setups/40-postgresql.tf b/openstack-tf/common_setups/40-postgresql.tf deleted file mode 100644 index 083e47c..0000000 --- a/openstack-tf/common_setups/40-postgresql.tf +++ /dev/null @@ -1,87 +0,0 @@ -# PostgreSQL shared server -# Network -resource "openstack_networking_network_v2" "shared_postgresql_net" { - name = var.shared_postgresql_server_data.network_name - admin_state_up = "true" - external = "false" - description = var.shared_postgresql_server_data.network_description - dns_domain = var.dns_zone.zone_name - mtu = var.mtu_size - port_security_enabled = true - shared = false - region = var.main_region -} - -# Subnet -resource "openstack_networking_subnet_v2" "shared_postgresql_subnet" { - name = "shared-postgresql-subnet" - description = "subnet used to connect to the shared PostgreSQL service" - network_id = openstack_networking_network_v2.shared_postgresql_net.id - cidr = var.shared_postgresql_server_data.network_cidr - dns_nameservers = var.resolvers_ip - ip_version = 4 - enable_dhcp = true - no_gateway = true - allocation_pool { - start = var.shared_postgresql_server_data.allocation_pool_start - end = var.shared_postgresql_server_data.allocation_pool_end - } -} - -# Security group -resource "openstack_networking_secgroup_v2" "shared_postgresql_access" { - name = "access_to_the_shared_postgresql_service" - delete_default_rules = "true" - description = "Access the shared PostgreSQL service using the dedicated network" -} - -resource "openstack_networking_secgroup_rule_v2" "shared_postgresql_access_from_dedicated_subnet" { - security_group_id = openstack_networking_secgroup_v2.shared_postgresql_access.id - description = "Allow connections to port 5432 from the 192.168.2.0/22 network" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 5432 - port_range_max = 5432 - remote_ip_prefix = var.shared_postgresql_server_data.network_cidr -} - -# Block device -resource "openstack_blockstorage_volume_v3" "shared_postgresql_data_vol" { - name = var.shared_postgresql_server_data.vol_data_name - size = var.shared_postgresql_server_data.vol_data_size -} - -# Instance -resource "openstack_compute_instance_v2" "shared_postgresql_server" { - name = var.shared_postgresql_server_data.name - availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu - flavor_name = var.shared_postgresql_server_data.flavor - key_pair = module.ssh_settings.ssh_key_name - security_groups = [var.default_security_group_name,openstack_networking_secgroup_v2.shared_postgresql_access.name] - block_device { - uuid = var.ubuntu_2204.uuid - source_type = "image" - volume_size = 10 - boot_index = 0 - destination_type = "volume" - delete_on_termination = false - } - - network { - name = var.main_private_network.name - } - network { - name = var.shared_postgresql_server_data.network_name - fixed_ip_v4 = var.shared_postgresql_server_data.server_ip - } - - user_data = "${file("${var.ubuntu2204_data_file}")}" -} - -resource "openstack_compute_volume_attach_v2" "shared_postgresql_data_attach_vol" { - instance_id = openstack_compute_instance_v2.shared_postgresql_server.id - volume_id = openstack_blockstorage_volume_v3.shared_postgresql_data_vol.id - device = var.shared_postgresql_server_data.vol_data_device - depends_on = [openstack_compute_instance_v2.shared_postgresql_server] -} diff --git a/openstack-tf/common_setups/45-haproxy.tf b/openstack-tf/common_setups/45-haproxy.tf deleted file mode 100644 index 2d8a729..0000000 --- a/openstack-tf/common_setups/45-haproxy.tf +++ /dev/null @@ -1,138 +0,0 @@ -# -# HAPROXY L7 behind the main Octavia balancer -# -# FIXME: terraform does not return the Octavia VRRP addresses, so we have to find them before creating the security group that allows the traffic between octavia and the haproxy instances -# -# openstack --os-cloud d4s-pre port list -f value | grep octavia-lb-vrrp -# 5cc2354e-4465-4a1d-8390-c214e208c6de octavia-lb-vrrp-72392023-a774-4b58-a025-c1e99c5d152a fa:16:3e:62:24:2c [{'subnet_id': 'cd77a2fd-4a36-4254-b1d0-70b3874c6d04', 'ip_address': '10.1.34.232'}] ACTIVE -# 8aa4e97f-723d-4a2a-b79f-912fa7651653 octavia-lb-vrrp-fbfcf712-0ceb-4a38-82da-0c9ebef5dff3 fa:16:3e:79:62:a5 [{'subnet_id': 'cd77a2fd-4a36-4254-b1d0-70b3874c6d04', 'ip_address': '10.1.33.229'}] ACTIVE -# -# Server group -# -resource "openstack_compute_servergroup_v2" "main_haproxy_l7" { - name = "main_haproxy_l7" - policies = ["anti-affinity"] -} -# Security group -resource "openstack_networking_secgroup_v2" "main_lb_to_haproxy_l7" { - name = "traffic_from_main_lb_to_haproxy_l7" - delete_default_rules = "true" - description = "Traffic coming the main L4 lb directed to the haproxy l7 servers" -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy_l7_1_peer" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Peer traffic from haproxy l7 1 to l7 2" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 10000 - port_range_max = 10000 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_1_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "haproxy_l7_2_peer" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Peer traffic from haproxy l7 2 to l7 1" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 10000 - port_range_max = 10000 - remote_ip_prefix = var.basic_services_ip.haproxy_l7_2_cidr -} - -resource "openstack_networking_secgroup_rule_v2" "lb3_1_haproxy_l7_80" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Traffic from the first main lb instance to HAPROXY l7 1 port 80" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = var.octavia_information.octavia_vrrp_ip_1 -} - -resource "openstack_networking_secgroup_rule_v2" "lb3_1_haproxy_l7_443" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Traffic from the first main lb instance to HAPROXY l7 1 port 443" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.octavia_information.octavia_vrrp_ip_1 -} - -resource "openstack_networking_secgroup_rule_v2" "lb3_1_haproxy_l7_8080" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Traffic from the first main lb instance to HAPROXY l7 1 port 8080" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8080 - port_range_max = 8080 - remote_ip_prefix = var.octavia_information.octavia_vrrp_ip_1 -} - -resource "openstack_networking_secgroup_rule_v2" "lb3_2_haproxy_l7_80" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Traffic from the first main lb instance to HAPROXY l7 2 port 80" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = var.octavia_information.octavia_vrrp_ip_2 -} - -resource "openstack_networking_secgroup_rule_v2" "lb3_2_haproxy_l7_443" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Traffic from the first main lb instance to HAPROXY l7 2 port 443" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = var.octavia_information.octavia_vrrp_ip_2 -} - -resource "openstack_networking_secgroup_rule_v2" "lb3_2_haproxy_l7_8080" { - security_group_id = openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.id - description = "Traffic from the first main lb instance to HAPROXY l7 2 port 8080" - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 8080 - port_range_max = 8080 - remote_ip_prefix = var.octavia_information.octavia_vrrp_ip_2 -} - - -# Instance -resource "openstack_compute_instance_v2" "main_haproxy_l7" { - count = var.haproxy_l7_data.vm_count - name = format("%s-%02d", var.haproxy_l7_data.name, count.index+1) - availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu - flavor_name = var.haproxy_l7_data.flavor - key_pair = module.ssh_settings.ssh_key_name - security_groups = [var.default_security_group_name,openstack_networking_secgroup_v2.main_lb_to_haproxy_l7.name] - scheduler_hints { - group = openstack_compute_servergroup_v2.main_haproxy_l7.id - } - block_device { - uuid = var.ubuntu_2204.uuid - source_type = "image" - volume_size = 10 - boot_index = 0 - destination_type = "volume" - delete_on_termination = false - } - - network { - name = var.main_private_network.name - fixed_ip_v4 = var.main_haproxy_l7_ip.*[count.index] - } - - user_data = "${file("${var.ubuntu2204_data_file}")}" -}