diff --git a/openstack-tf/common_setups/10-main-network.tf b/openstack-tf/common_setups/10-main-network.tf
index 33d53a20..cca5cf23 100644
--- a/openstack-tf/common_setups/10-main-network.tf
+++ b/openstack-tf/common_setups/10-main-network.tf
@@ -2,6 +2,7 @@ resource "openstack_dns_zone_v2" "primary_project_dns_zone" {
 name = var.dns_zone.zone_name
 email = var.dns_zone.email
 description = var.dns_zone.description
+ project_id = var.os_project_data.id
 ttl = var.dns_zone.ttl
 type = "PRIMARY"
 }
@@ -16,6 +17,7 @@ resource "openstack_networking_network_v2" "main-private-network" {
 port_security_enabled = true
 shared = false
 region = var.main_region
+ tenant_id = var.os_project_data.id
 }
 
 resource "openstack_networking_subnet_v2" "main-private-subnet" {
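Review bot: Setting `project_id` on the DNS zone and `tenant_id` on the network (and on the subnet and router in the following hunk) to `var.os_project_data.id` creates these resources on behalf of a project, which Designate and Neutron typically accept only from a credential holding an admin-type role; the `cloud = "ISTI-Cloud"` entry chosen in the new production setup-provider.tf is presumably that credential, but nothing in this file records the dependency. A comment above the first such attribute would prevent a failed apply with the plain project credential, e.g. `# project_id/tenant_id are set explicitly: apply this directory with the privileged cloud entry (see setup-provider.tf)`. Both resource blocks touched here open before their hunk starts.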
@@ -27,24 +29,42 @@ resource "openstack_networking_subnet_v2" "main-private-subnet" {
 dns_nameservers = var.resolvers_ip
 ip_version = 4
 enable_dhcp = true
+ tenant_id = var.os_project_data.id
 allocation_pool {
 start = var.main_private_subnet.allocation_start
 end = var.main_private_subnet.allocation_end
 }
 }
 
-# Shell command:
-# openstack --os-cloud d4s-pre router create --description "D4Science Preprod main router" --external-gateway external-network d4s-pre-cloud-external-router
-# resource "openstack_networking_router_v2" "external-router" {
-# name = var.external_router.name
-# description = var.external_router.description
-# external_network_id = var.external_network.id
-# enable_snat = true
-# }
+resource "openstack_networking_router_v2" "external-router" {
+ name = var.external_router.name
+ description = var.external_router.description
+ external_network_id = var.external_network.id
+ tenant_id = var.os_project_data.id
+ enable_snat = true
+ vendor_options {
+ set_router_gateway_after_create = true
+ }
+}
 
 # Router interface configuration
 resource "openstack_networking_router_interface_v2" "private-network-routing" {
- # router_id = openstack_networking_router_v2.external-router.id
- router_id = var.external_router.id
+ router_id = openstack_networking_router_v2.external-router.id
+ # router_id = var.external_router.id
 subnet_id = openstack_networking_subnet_v2.main-private-subnet.id
 }
+
+output "main_private_network_id" {
+ description = "Main private network id"
+ value = openstack_networking_network_v2.main-private-network.id
+}
+
+output "dns_zone_id" {
+ description = "Id of the new DNS zone"
+ value = openstack_dns_zone_v2.primary_project_dns_zone.id
+}
+
+output "external_gateway_ip" {
+ description = "Public IP address of the external gateway"
+ value = openstack_networking_router_v2.external-router.external_fixed_ip[0].ip_address
+}
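Review bot: The `external_gateway_ip` output hard-indexes `external_fixed_ip[0]`, and with `set_router_gateway_after_create = true` the gateway is attached in a second step, so if the provider reports an empty `external_fixed_ip` list for a freshly created router the index fails the plan instead of producing an empty output; `value = try(openstack_networking_router_v2.external-router.external_fixed_ip[0].ip_address, null)` degrades gracefully. The swapped `# router_id = var.external_router.id` line in `private-network-routing` is now dead text, and the `var.external_router.id` default that still exists in the production variables file will drift from the real router once this resource is managed here; deleting the commented line and the unused `id` key avoids two sources of truth. `enable_snat = true` gives the whole private subnet outbound internet access through this router, which is a reasonable default but worth a one-line comment since the security groups elsewhere assume this path exists.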
diff --git a/openstack-tf/common_setups/20-octavia.tf b/openstack-tf/common_setups/20-octavia.tf
index 1639bb9c..2d43eb25 100644
--- a/openstack-tf/common_setups/20-octavia.tf
+++ b/openstack-tf/common_setups/20-octavia.tf
@@ -1,6 +1,6 @@
 # Main load balancer. L4, backed by Octavia
 resource "openstack_lb_loadbalancer_v2" "main_lb" {
- vip_network_id = var.main_private_network.id
+ vip_network_id = var.main_private_network_id
 name = var.octavia_information.main_lb_name
 description = var.octavia_information.main_lb_description
 flavor_id = var.octavia_information.octavia_flavor_id
@@ -27,7 +27,7 @@ locals {
 }
 
 resource "openstack_dns_recordset_v2" "main_lb_dns_recordset" {
- zone_id = var.dns_zone.id
+ zone_id = var.dns_zone_id
 name = local.recordset_name
 description = "Public IP address of the main load balancer"
 ttl = 8600
diff --git a/openstack-tf/common_setups/25-ssh-jump-proxy.tf b/openstack-tf/common_setups/25-ssh-jump-proxy.tf
index c5dfaada..b923b6ea 100644
--- a/openstack-tf/common_setups/25-ssh-jump-proxy.tf
+++ b/openstack-tf/common_setups/25-ssh-jump-proxy.tf
@@ -38,7 +38,7 @@ locals {
 }
 
 resource "openstack_dns_recordset_v2" "ssh_jump_proxy_recordset" {
- zone_id = var.dns_zone.id
+ zone_id = var.dns_zone_id
 name = local.ssh_recordset_name
 description = "Public IP address of the SSH Proxy Jump server"
 ttl = 8600
diff --git a/openstack-tf/common_setups/35-prometheus.tf b/openstack-tf/common_setups/35-prometheus.tf
index f9bd5704..eab568b0 100644
--- a/openstack-tf/common_setups/35-prometheus.tf
+++ b/openstack-tf/common_setups/35-prometheus.tf
@@ -49,7 +49,7 @@ locals {
 }
 
 resource "openstack_dns_recordset_v2" "prometheus_server_recordset" {
- zone_id = var.dns_zone.id
+ zone_id = var.dns_zone_id
 name = local.prometheus_recordset_name
 description = "Public IP address of the Prometheus server"
 ttl = 8600
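Review bot: `zone_id = var.dns_zone_id` and, in the first hunk, `vip_network_id = var.main_private_network_id` now resolve to scalar variables whose production declarations later in this diff default to `""` with a "set after the setup is complete" comment, so a plan run before the ids are hand-copied sends an empty zone and network id to Designate and Octavia and fails only at apply time. The same reference appears in the 25-ssh-jump-proxy.tf and 35-prometheus.tf hunks. A non-empty `validation` on the two variable definitions in variables/00-variables.tf would turn this into a plan-time error; alternatively a `terraform_remote_state` data source over the project-setup state would remove the manual copy step entirely. Each enclosing resource block continues past the hunk.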
diff --git a/openstack-tf/common_variables/01-external-network-and-resolvers.tf b/openstack-tf/common_variables/01-external-network-and-resolvers.tf
index afb775a3..6df860a0 100644
--- a/openstack-tf/common_variables/01-external-network-and-resolvers.tf
+++ b/openstack-tf/common_variables/01-external-network-and-resolvers.tf
@@ -35,5 +35,16 @@ variable "availability_zones_names" {
 availability_zone_no_gpu = "cnr-isti-nova-a"
 availability_zone_with_gpu = "cnr-isti-nova-gpu-a"
 }
-
-}
\ No newline at end of file
+}
+
+variable "ssh_sources" {
+ type = map(string)
+ default = {
+ s2i2s_vpn_1_cidr = "146.48.28.10/32"
+ s2i2s_vpn_2_cidr = "146.48.28.11/32"
+ d4s_vpn_1_cidr = "146.48.122.27/32"
+ d4s_vpn_2_cidr = "146.48.122.49/32"
+ shell_d4s_cidr = "146.48.122.95/32"
+ infrascience_net_cidr = "146.48.122.0/23"
+ }
+}
diff --git a/openstack-tf/common_variables/05-projects-and-users-vars.tf b/openstack-tf/common_variables/05-projects-and-users-vars.tf
index e9a75e50..54bb2846 100644
--- a/openstack-tf/common_variables/05-projects-and-users-vars.tf
+++ b/openstack-tf/common_variables/05-projects-and-users-vars.tf
@@ -87,6 +87,9 @@ variable "shared_postgresql_server_data" {
 vol_data_name = "shared-postgresql-data"
 vol_data_size = "100"
 vol_data_device = "/dev/vdb"
+# vol_backup_name = ""
+# vol_backup_size = ""
+# vol_backup_device = ""
 network_name = "postgresql-srv-net"
 network_description = "Network used to communicate with the shared postgresql service"
 network_cidr = "192.168.0.0/22"
diff --git a/openstack-tf/d4s-preprod/basic-infrastructure/provider.tf b/openstack-tf/d4s-preprod/basic-infrastructure/provider.tf
new file mode 100644
index 00000000..b23015cc
--- /dev/null
+++ b/openstack-tf/d4s-preprod/basic-infrastructure/provider.tf
@@ -0,0 +1,3 @@
+provider "openstack" {
+ cloud = "d4s-pre"
+}
diff --git a/openstack-tf/d4s-preprod/project-setup/provider.tf b/openstack-tf/d4s-preprod/project-setup/provider.tf
new file mode 100644
index 00000000..b23015cc
--- /dev/null
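Review bot: The new `ssh_sources` map is an SSH source allowlist shared by every environment, yet it has no `description`, no per-entry comment, and `infrascience_net_cidr = "146.48.122.0/23"` admits 512 addresses beside five single-host entries, so a reader of the security-group rules that consume it cannot tell whether the /23 is intended. Add `description = "Source networks allowed to reach SSH on the jump host; each value must be a CIDR"` and, if the tree is on Terraform 0.14 or later, a `validation` block with `condition = alltrue([for v in var.ssh_sources : can(cidrhost(v, 0))])` so a malformed entry fails at plan time rather than producing an open rule. A short comment naming what each VPN/shell entry is would also make later pruning safe.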
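Review bot: The three `vol_backup_*` keys are added commented out, but the new 41-postgresql-backup-vol.tf in this same diff reads `var.shared_postgresql_server_data.vol_backup_name`, `.vol_backup_size` and `.vol_backup_device`, and the production tree symlinks this very file as its 05-projects-and-users-vars.tf; unless the whole map is overridden in a tfvars file not shown here, those lookups hit a map without the keys and the plan fails with an invalid-index error. Either uncomment them with real values (`vol_backup_name = "shared-postgresql-backup"`, a size and a device) or declare them in a production-only variable that 41-postgresql-backup-vol.tf references. The same point applies to the 41-postgresql-backup-vol.tf hunk; the enclosing `variable` block here starts before the hunk.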
+++ b/openstack-tf/d4s-preprod/project-setup/provider.tf
@@ -0,0 +1,3 @@
+provider "openstack" {
+ cloud = "d4s-pre"
+}
diff --git a/openstack-tf/d4s-production/basic-infrastructure/.terraform.lock.hcl b/openstack-tf/d4s-production/basic-infrastructure/.terraform.lock.hcl
new file mode 100644
index 00000000..46d2bb65
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/terraform-provider-openstack/openstack" {
+ version = "1.53.0"
+ constraints = "~> 1.53.0"
+ hashes = [
+ "h1:ZSJPqrlaHQ3sj7wyJuPSG+NblFZbAA6Y0d3GjSJf3o8=",
+ "zh:09da7ca98ffd3de7b9ce36c4c13446212a6e763ba1162be71b50f95d453cb68e",
+ "zh:14041bcbb87312411d88612056ed185650bfd01284b8ea0761ce8105a331708e",
+ "zh:35bf4c788fdbc17c8e40ebc7b33c7de4b45a2fa2efaa657b10f0e3bd37c9627f",
+ "zh:46ede8ef4cfa12d654c538afc1e1ec34a1f3e8eb4e986ee23dceae398b7176a6",
+ "zh:59675734990dab1e8d87997853ea75e8104bba730b3f5a7146ac735540c9d6bf",
+ "zh:6de52428849806498670e827b54810be7510a2a79449602c1aede4235a0ec036",
+ "zh:78b2a20601272afceffac8f8ca78a6b647b84196c0dd8dc710fae297f6be15a4",
+ "zh:7c41ed3a4fac09677e676ecf9f9edd1e38eef449e656cb01a848d2c799c6de8f",
+ "zh:852800228f4118a4aa6cfaa4468b851247cbed6f037fd204f08de69eb1edc149",
+ "zh:86d618e7f9a07d978b8bc4b190be350a00de64ec535f9c8f5dfe133542a55483",
+ "zh:963a9e72b66d8bcf43de9b14a674ae3ca3719ce2f829217f7a65b66fc3773397",
+ "zh:a8e72ab67795071bda61f99a6de3d2d40122fb51971768fd75e1324abe874ced",
+ "zh:ce1890cf3af17d569af3bc7673cec0a8f78e6f5d701767593f3d29c551f44848",
+ "zh:e6f1b96eb684f527a47f71923f268c86a36d7894751b31ee9e726d7502a639cd",
+ ]
+}
diff --git a/openstack-tf/d4s-production/basic-infrastructure/00-terraform-provider.tf b/openstack-tf/d4s-production/basic-infrastructure/00-terraform-provider.tf
new file mode 120000
index 00000000..c094d201
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/00-terraform-provider.tf
@@ -0,0 +1 @@
+../../common_variables/00-terraform-provider.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/00-variables.tf b/openstack-tf/d4s-production/basic-infrastructure/00-variables.tf
new file mode 120000
index 00000000..df2af105
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/00-variables.tf
@@ -0,0 +1 @@
+../variables/00-variables.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/01-external-network-and-resolvers.tf b/openstack-tf/d4s-production/basic-infrastructure/01-external-network-and-resolvers.tf
new file mode 120000
index 00000000..c53c78ad
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/01-external-network-and-resolvers.tf
@@ -0,0 +1 @@
+../../common_variables/01-external-network-and-resolvers.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/05-projects-and-users-vars.tf b/openstack-tf/d4s-production/basic-infrastructure/05-projects-and-users-vars.tf
new file mode 120000
index 00000000..22fce1fb
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/05-projects-and-users-vars.tf
@@ -0,0 +1 @@
+../../common_variables/05-projects-and-users-vars.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/15-security-groups.tf b/openstack-tf/d4s-production/basic-infrastructure/15-security-groups.tf
new file mode 120000
index 00000000..aad50415
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/15-security-groups.tf
@@ -0,0 +1 @@
+../../common_setups/15-security-groups.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/16-ssh-keys.tf b/openstack-tf/d4s-production/basic-infrastructure/16-ssh-keys.tf
new file mode 120000
index 00000000..95414a12
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/16-ssh-keys.tf
@@ -0,0 +1 @@
+../../common_setups/16-ssh-keys.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/20-octavia.tf b/openstack-tf/d4s-production/basic-infrastructure/20-octavia.tf
new file mode 120000
index 00000000..a104722c
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/20-octavia.tf
@@ -0,0 +1 @@
+../../common_setups/20-octavia.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/25-ssh-jump-proxy.tf b/openstack-tf/d4s-production/basic-infrastructure/25-ssh-jump-proxy.tf
new file mode 120000
index 00000000..46b1d6c9
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/25-ssh-jump-proxy.tf
@@ -0,0 +1 @@
+../../common_setups/25-ssh-jump-proxy.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/30-internal-ca.tf b/openstack-tf/d4s-production/basic-infrastructure/30-internal-ca.tf
new file mode 120000
index 00000000..ac62be53
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/30-internal-ca.tf
@@ -0,0 +1 @@
+../../common_setups/30-internal-ca.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/35-prometheus.tf b/openstack-tf/d4s-production/basic-infrastructure/35-prometheus.tf
new file mode 120000
index 00000000..31f4592b
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/35-prometheus.tf
@@ -0,0 +1 @@
+../../common_setups/35-prometheus.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/40-postgresql.tf b/openstack-tf/d4s-production/basic-infrastructure/40-postgresql.tf
new file mode 120000
index 00000000..968cc5a9
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/40-postgresql.tf
@@ -0,0 +1 @@
+../../common_setups/40-postgresql.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/41-postgresql-backup-vol.tf b/openstack-tf/d4s-production/basic-infrastructure/41-postgresql-backup-vol.tf
new file mode 100644
index 00000000..302ab642
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/41-postgresql-backup-vol.tf
@@ -0,0 +1,11 @@
+# Block device for the backup partition
+resource "openstack_blockstorage_volume_v3" "shared_postgresql_backup_vol" {
+ name = var.shared_postgresql_server_data.vol_backup_name
+ size = var.shared_postgresql_server_data.vol_backup_size
+}
+
+resource "openstack_compute_volume_attach_v2" "shared_postgresql_backup_attach_vol" {
+ instance_id = openstack_compute_instance_v2.shared_postgresql_server.id
+ volume_id = openstack_blockstorage_volume_v3.shared_postgresql_backup_vol.id
+ device = var.shared_postgresql_server_data.vol_backup_device
+}
diff --git a/openstack-tf/d4s-production/basic-infrastructure/45-haproxy.tf b/openstack-tf/d4s-production/basic-infrastructure/45-haproxy.tf
new file mode 120000
index 00000000..e3b6c115
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/45-haproxy.tf
@@ -0,0 +1 @@
+../../common_setups/45-haproxy.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/basic-infrastructure/README.md b/openstack-tf/d4s-production/basic-infrastructure/README.md
new file mode 100644
index 00000000..d49c5cba
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/README.md
@@ -0,0 +1,13 @@
+# Main services
+
+* Load balancer as a service (openstack), L4.
+
+> * Main Octavia load balancer
+> * Swarm Octavia load balancer
+
+* Two VMs as HAPROXY L7 instances for the main services. The dataminers will be also served by this load balancer.
+* A shell server, with floating IP address, that will be used as a proxy to reach all the other VMs.
+* A internal CA service.
+* A Prometheus instance.
+* A PostgreSQL server instance, with a dedicated network
+* A Docker Swarm cluster with a NFS service on a dedicated network
diff --git a/openstack-tf/d4s-production/basic-infrastructure/provider.tf b/openstack-tf/d4s-production/basic-infrastructure/provider.tf
new file mode 100644
index 00000000..a0cf95eb
--- /dev/null
+++ b/openstack-tf/d4s-production/basic-infrastructure/provider.tf
@@ -0,0 +1,3 @@
+provider "openstack" {
+ cloud = "d4s-production"
+}
diff --git a/openstack-tf/d4s-production/project-setup/.terraform.lock.hcl b/openstack-tf/d4s-production/project-setup/.terraform.lock.hcl
new file mode 100644
index 00000000..46d2bb65
--- /dev/null
+++ b/openstack-tf/d4s-production/project-setup/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/terraform-provider-openstack/openstack" {
+ version = "1.53.0"
+ constraints = "~> 1.53.0"
+ hashes = [
+ "h1:ZSJPqrlaHQ3sj7wyJuPSG+NblFZbAA6Y0d3GjSJf3o8=",
+ "zh:09da7ca98ffd3de7b9ce36c4c13446212a6e763ba1162be71b50f95d453cb68e",
+ "zh:14041bcbb87312411d88612056ed185650bfd01284b8ea0761ce8105a331708e",
+ "zh:35bf4c788fdbc17c8e40ebc7b33c7de4b45a2fa2efaa657b10f0e3bd37c9627f",
+ "zh:46ede8ef4cfa12d654c538afc1e1ec34a1f3e8eb4e986ee23dceae398b7176a6",
+ "zh:59675734990dab1e8d87997853ea75e8104bba730b3f5a7146ac735540c9d6bf",
+ "zh:6de52428849806498670e827b54810be7510a2a79449602c1aede4235a0ec036",
+ "zh:78b2a20601272afceffac8f8ca78a6b647b84196c0dd8dc710fae297f6be15a4",
+ "zh:7c41ed3a4fac09677e676ecf9f9edd1e38eef449e656cb01a848d2c799c6de8f",
+ "zh:852800228f4118a4aa6cfaa4468b851247cbed6f037fd204f08de69eb1edc149",
+ "zh:86d618e7f9a07d978b8bc4b190be350a00de64ec535f9c8f5dfe133542a55483",
+ "zh:963a9e72b66d8bcf43de9b14a674ae3ca3719ce2f829217f7a65b66fc3773397",
+ "zh:a8e72ab67795071bda61f99a6de3d2d40122fb51971768fd75e1324abe874ced",
+ "zh:ce1890cf3af17d569af3bc7673cec0a8f78e6f5d701767593f3d29c551f44848",
+ "zh:e6f1b96eb684f527a47f71923f268c86a36d7894751b31ee9e726d7502a639cd",
+ ]
+}
diff --git a/openstack-tf/d4s-production/project-setup/00-terraform-provider.tf b/openstack-tf/d4s-production/project-setup/00-terraform-provider.tf
new file mode 120000
index 00000000..c094d201
--- /dev/null
+++ b/openstack-tf/d4s-production/project-setup/00-terraform-provider.tf
@@ -0,0 +1 @@
+../../common_variables/00-terraform-provider.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/project-setup/00-variables.tf b/openstack-tf/d4s-production/project-setup/00-variables.tf
new file mode 120000
index 00000000..df2af105
--- /dev/null
+++ b/openstack-tf/d4s-production/project-setup/00-variables.tf
@@ -0,0 +1 @@
+../variables/00-variables.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/project-setup/01-external-network-and-resolvers.tf b/openstack-tf/d4s-production/project-setup/01-external-network-and-resolvers.tf
new file mode 120000
index 00000000..c53c78ad
--- /dev/null
+++ b/openstack-tf/d4s-production/project-setup/01-external-network-and-resolvers.tf
@@ -0,0 +1 @@
+../../common_variables/01-external-network-and-resolvers.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/project-setup/10-main-network.tf b/openstack-tf/d4s-production/project-setup/10-main-network.tf
new file mode 120000
index 00000000..ab1d8c73
--- /dev/null
+++ b/openstack-tf/d4s-production/project-setup/10-main-network.tf
@@ -0,0 +1 @@
+../../common_setups/10-main-network.tf
\ No newline at end of file
diff --git a/openstack-tf/d4s-production/project-setup/setup-provider.tf b/openstack-tf/d4s-production/project-setup/setup-provider.tf
new file mode 100644
index 00000000..beb5d2ef
--- /dev/null
+++ b/openstack-tf/d4s-production/project-setup/setup-provider.tf
@@ -0,0 +1,4 @@
+provider "openstack" {
+# cloud = "d4s-production"
+ cloud = "ISTI-Cloud"
+}
diff --git a/openstack-tf/d4s-production/variables/00-variables.tf b/openstack-tf/d4s-production/variables/00-variables.tf
new file mode 100644
index 00000000..7ded8876
--- /dev/null
+++ b/openstack-tf/d4s-production/variables/00-variables.tf
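Review bot: `cloud = "ISTI-Cloud"` with `# cloud = "d4s-production"` left commented out gives no hint why project-setup must run under a different clouds.yaml entry than basic-infrastructure/provider.tf (`cloud = "d4s-production"`); presumably it is the privileged entry required because the symlinked 10-main-network.tf sets `tenant_id`/`project_id` on every resource, and that is exactly the kind of credential choice that should be written down rather than inferred. Replace the commented line with `# Project setup creates resources on behalf of the project (tenant_id/project_id are set), so it needs the privileged cloud entry; the plain d4s-production entry is used by basic-infrastructure`. The preprod tree names the same file provider.tf, so keeping the name identical here would keep the two trees parallel.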
@@ -0,0 +1,97 @@
+# Configure the OpenStack Provider
+variable "os_project_data" {
+ type = map(string)
+ default = {
+ id = "1b45adf388934758b56d0dfdb4bfacf3"
+ }
+}
+
+variable "dns_zone" {
+ type = map(string)
+ default = {
+ zone_name = "cloud.d4science.org."
+ email = "postmaster@isti.cnr.it"
+ description = "DNS primary zone for the d4s-production-cloud project"
+ ttl = 8600
+ }
+}
+
+variable "dns_zone_id" {
+ # Set with the correct value after the setup is complete
+ default = ""
+}
+
+variable "main_private_network" {
+ type = map(string)
+ default = {
+ name = "d4s-production-cloud-main"
+ description = "D4Science Production private network (use this as the main network)"
+ }
+}
+
+variable "main_private_network_id" {
+ # Set with the correct value after the setup is complete
+ default = ""
+}
+
+variable "main_private_subnet" {
+ type = map(string)
+ default = {
+ name = "d4s-production-cloud-main-subnet"
+ description = "D4Science Production main private subnet"
+ cidr = "10.1.40.0/21"
+ gateway_ip = "10.1.40.1"
+ allocation_start = "10.1.41.100"
+ allocation_end = "10.1.47.254"
+ }
+}
+
+variable "external_router" {
+ type = map(string)
+ default = {
+ name = "d4s-production-cloud-external-router"
+ description = "D4Science Production main router"
+ id = "cc26064a-bb08-4c0b-929f-d0cb39f934a3"
+ }
+}
+
+variable "basic_services_ip" {
+ type = map(string)
+ default = {
+ ca = "10.1.40.4"
+ ca_cidr = "10.1.40.4/32"
+ ssh_jump = "10.1.40.5"
+ ssh_jump_cidr = "10.1.40.5/32"
+ prometheus = "10.1.40.10"
+ prometheus_cidr = "10.1.40.10/32"
+ haproxy_l7_1 = "10.1.40.11"
+ haproxy_l7_1_cidr = "10.1.40.11/32"
+ haproxy_l7_2 = "10.1.40.12"
+ haproxy_l7_2_cidr = "10.1.40.12/32"
+ octavia_main = "10.1.40.20"
+ octavia_main_cidr = "10.1.40.20/32"
+ }
+}
+
+variable "main_haproxy_l7_ip" {
+ type = list(string)
+ default = ["10.1.40.11", "10.1.40.12"]
+
+}
+
+variable "octavia_information" {
+ type = map(string)
+ default = {
+ main_lb_name = "d4s-production-cloud-l4-load-balancer"
+ main_lb_description = "Main L4 load balancer for the D4Science production"
+ swarm_lb_name = "d4s-production-cloud-l4-swarm-load-balancer"
+ octavia_flavor = "octavia_amphora-mvcpu-ha"
+ octavia_flavor_id = "394988b5-6603-4a1e-a939-8e177c6681c7"
+ main_lb_hostname = "main-lb"
+ # The following aren't available when the module runs so we have to get them with the command
+ # openstack --os-cloud d4s-pre port list -f value | grep octavia-lb-vrrp
+ # This means that the execution will fail
+ octavia_vrrp_ip_1 = "10.1.41.232"
+ octavia_vrrp_ip_2 = "10.1.42.229"
+ }
+}
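Review bot: `dns_zone_id` and `main_private_network_id` default to `""` and rely on a human copying the project-setup outputs in before the next stage runs; a forgotten value only surfaces as an API error at apply, after other resources may already have been created. A `validation` block on each makes the omission a plan-time error while keeping the empty default for the first run of project-setup. Separately, the comment inside `octavia_information` still says `openstack --os-cloud d4s-pre port list -f value | grep octavia-lb-vrrp` in a production variables file; the cloud name should read `d4s-production` so nobody queries the wrong cloud, and `main_haproxy_l7_ip` duplicates the `haproxy_l7_1`/`haproxy_l7_2` values of `basic_services_ip`, which is a second place to update when an address changes.
```hcl
variable "dns_zone_id" {
  # Set with the correct value after the setup is complete
  default = ""
  validation {
    condition     = length(var.dns_zone_id) > 0
    error_message = "dns_zone_id must be set to the zone id emitted by the project-setup step."
  }
}
# … same validation added to main_private_network_id …
```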