From fc69bbb74e182c5008842575ed1a7266a649c4c6 Mon Sep 17 00:00:00 2001 
From: Rob Kaufman
Date: Thu, 1 Sep 2022 22:28:53 -0700
Subject: [PATCH] provision fcrepo/solr/mariadb servers
---
 PROVISION.md | 13 ++++
 bin/decrypt-secrets | 14 ++--
 bin/encrypt-secrets | 10 +--
 bin/tf | 23 ++++++
 ops/provision/.backend.enc | 21 ++++++
 ops/provision/.env.notch8.enc | 21 ++++++
 ops/provision/.gitignore | 36 +++++++++
 ops/provision/main.tf | 26 +++++++
 ops/provision/modules/ec2/iam.tf | 44 +++++++++++
 ops/provision/modules/ec2/main.tf | 74 +++++++++++++++++++
 ops/provision/modules/ec2/output.tf | 5 ++
 .../modules/ec2/user_data.fcrepo.yaml | 55 ++++++++++++++
 ops/provision/modules/ec2/variables.tf | 51 +++++++++++++
 ops/provision/modules/networking/output.tf | 7 ++
 .../modules/networking/security-groups.tf | 25 +++++++
 ops/provision/modules/networking/variables.tf | 3 +
 ops/provision/modules/networking/vpc.tf | 16 ++++
 ops/provision/modules/ssh/main.tf | 14 ++++
 ops/provision/modules/ssh/output.tf | 8 ++
 ops/provision/modules/ssh/variables.tf | 3 +
 ops/provision/outputs.tf | 6 ++
 ops/provision/provider.tf | 4 +
 ops/provision/variables.tf | 48 ++++++++++++
 ops/provision/versions.tf | 3 +
 24 files changed, 514 insertions(+), 16 deletions(-)
 create mode 100644 PROVISION.md
 create mode 100755 bin/tf
 create mode 100644 ops/provision/.backend.enc
 create mode 100644 ops/provision/.env.notch8.enc
 create mode 100644 ops/provision/.gitignore
 create mode 100644 ops/provision/main.tf
 create mode 100644 ops/provision/modules/ec2/iam.tf
 create mode 100644 ops/provision/modules/ec2/main.tf
 create mode 100644 ops/provision/modules/ec2/output.tf
 create mode 100644 ops/provision/modules/ec2/user_data.fcrepo.yaml
 create mode 100644 ops/provision/modules/ec2/variables.tf
 create mode 100644 ops/provision/modules/networking/output.tf
 create mode 100644 ops/provision/modules/networking/security-groups.tf
 create mode 100644 ops/provision/modules/networking/variables.tf
 create mode 100644 ops/provision/modules/networking/vpc.tf
 create mode 100644
ops/provision/modules/ssh/main.tf
 create mode 100644 ops/provision/modules/ssh/output.tf
 create mode 100644 ops/provision/modules/ssh/variables.tf
 create mode 100644 ops/provision/outputs.tf
 create mode 100644 ops/provision/provider.tf
 create mode 100644 ops/provision/variables.tf
 create mode 100644 ops/provision/versions.tf
diff --git a/PROVISION.md b/PROVISION.md
new file mode 100644
index 000000000..3406b5609
--- /dev/null
+++ b/PROVISION.md
@@ -0,0 +1,13 @@
+# To create a new fcrepo / mariadb / solr server
+
+1) Decrypt the secrets with `./bin/decrypt-secrets`
+
+2) Create or edit the .env.$ENVIRONMENT file, changin the namespace to be unique for each network set you want to make.
+
+3) Make sure the AWS profile in your ~/.aws/config and ~/.aws/credentials files match the AWS account you want to deploy to.
+
+4) Run `./bin/tf workspace new $ENVIRONMENT`
+
+5) Run `./bin/tf $ENVIRONMENT init`
+
+6) Run `./bin/tf $ENVIRONMENT apply`
diff --git a/bin/decrypt-secrets b/bin/decrypt-secrets
index 8f0f46cb9..ee5460865 100755
--- a/bin/decrypt-secrets
+++ b/bin/decrypt-secrets
@@ -8,18 +8,14 @@ Dir.chdir(File.join(parent_dir))
 # TODO: Troubleshoot local env encrypt/decrypt
 # ".env",
 # ".env.*",
- "chart/*-values.yaml",
- "ops/kube_config.yml",
- "ops/.backend",
- "ops/*-deploy.tmpl.yaml",
- "ops/k8s/*-values.yaml"
+ "ops/provision/.backend",
+ "ops/provision/.env.*"
 ].each do |files|
 Dir.glob(files).each do |file|
- if file.match(/enc/)
- next unless File.exists?(file)
- cmd = "sops --decrypt #{file} > #{file.gsub(/.enc$/, '')}"
+ if File.exists?(file + ".enc")
+ cmd = "sops --decrypt #{file}.enc > #{file}"
 puts cmd
 `#{cmd}`
 end
 end
-end
\ No newline at end of file
+end
diff --git a/bin/encrypt-secrets b/bin/encrypt-secrets
index 8d57f46b2..96e7f6bd5 100755
--- a/bin/encrypt-secrets
+++ b/bin/encrypt-secrets
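Review bot: The new `if File.exists?(file + ".enc")` test only fires for files returned by `Dir.glob(files)`, and on a fresh clone the globs `ops/provision/.backend` and `ops/provision/.env.*` match only the already-encrypted `.backend.enc`/`.env.notch8.enc` (or nothing), so `file + ".enc"` never exists and nothing is decrypted; the script only re-decrypts plaintext files that are already present. Glob the encrypted side instead and derive the plaintext name: `Dir.glob("#{files}.enc").each do |enc|` / `file = enc.delete_suffix(".enc")` / `cmd = "sops --decrypt #{enc} > #{file}"`. `File.exists?` is also the deprecated alias that was removed in Ruby 3.2, so even the intended check will raise NoMethodError on a current interpreter; `File.exist?` is the surviving name. Separately, the shell redirection `> #{file}` creates the plaintext secrets file with the default umask, typically world-readable; capturing the `sops` output in Ruby and writing it with `File.open(file, "w", 0o600)` keeps it owner-only. The enclosing `[...].each do |files|` block begins above the hunk.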
@@ -5,13 +5,9 @@ parent_dir = File.dirname(__dir__)
 [
 # TODO: Troubleshoot local env encrypt/decrypt
- # ".env",
 # ".env.*",
- "chart/*-values.yaml",
- "ops/kube_config.yml",
- "ops/.backend",
- "ops/*-deploy.tmpl.yaml",
- "ops/k8s/*-values.yaml"
+ "ops/provision/.backend",
+ "ops/provision/.env.*"
 ].each do |files|
 Dir.glob(files).each do |file|
 next if /enc/.match?(file)
@@ -19,4 +15,4 @@ parent_dir = File.dirname(__dir__)
 puts cmd
 `#{cmd}`
 end
-end
\ No newline at end of file
+end
diff --git a/bin/tf b/bin/tf
new file mode 100755
index 000000000..22c2e5761
--- /dev/null
+++ b/bin/tf
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+
+# require 'byebug'
+
+dir = File.expand_path(File.join(__FILE__, '../../ops/provision'))
+env_file = File.expand_path("#{dir}/.env.#{ARGV[0]}")
+workspace = "#{ARGV[0]}"
+
+# workspace commands can not have TF_WORKSPACE set
+cmd = if(ARGV[0].match(/workspace/) && ARGV[1].match(/new/))
+ %Q{cd #{dir} && unset TF_WORKSPACE && terraform workspace #{ARGV[1..-1].join(' ')}}
+ elsif ARGV[0].match(/workspace/)
+ %Q{cd #{dir} && TF_WORKSPACE=default terraform workspace #{ARGV[1..-1].join(' ')}}
+ else
+ %Q{cd #{dir} && TF_WORKSPACE=#{workspace} dotenv -f #{env_file} "terraform #{ARGV[1..-1].join(' ')}"}
+ end
+
+if ARGV[1].match(/init/)
+ cmd[0..-2] += " -backend-config=./.backend "
+end
+
+puts cmd
+exec cmd
diff --git a/ops/provision/.backend.enc b/ops/provision/.backend.enc
new file mode 100644
index 000000000..b5703efd5
--- /dev/null
+++ b/ops/provision/.backend.enc
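Review bot: `ARGV[0].match(/workspace/)` and the later `ARGV[1].match(/init/)` are called without checking that the arguments exist, so `bin/tf` run with one or zero arguments dies with NoMethodError on nil instead of a usage message; a guard at the top such as `abort "usage: bin/tf ENV|workspace terraform-args..." if ARGV.size < 2` fixes that. `cmd[0..-2] += " -backend-config=./.backend "` is also hard to follow: it works by splicing the flag in before the final character of `cmd`, which in the `else` branch is the closing `"` of the quoted `terraform ...` string, and silently corrupts the command if either of the `workspace` branches ever reaches it or the quoting changes. Building the terraform argument list first (append `-backend-config=./.backend` when the first argument is `init`) and interpolating the finished list into the command would state the intent and remove the index trick. As written every argument is passed to the shell through `exec cmd` with interpolation, which is acceptable for an operator-run wrapper but is worth a one-line comment so nobody later feeds it untrusted input.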
@@ -0,0 +1,21 @@ +{ + "data": "ENC[AES256_GCM,data:Ewgr1+G9pWtEmcRIB3TnfR7g4FUXaoBhCO+ftg3LQy4pHN8ij2A9EjdpISALdTzk7FBm39H2+zTA++lt4oqfyXtabNvCi8fRTHJLFPgQ8L5NdWklvpsSAT3UwU3Fopcl7Pvc2etx+kYfPjw/x207Tlk=,iv:Tsxdt13gBH+Ps/XV4XPSNCi0OXXOby6nvSA2Cq5G3qQ=,tag:ECjzHHi4diP1/+TdXxiC1w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-09-01T23:58:01Z", + "mac": "ENC[AES256_GCM,data:MU/kWWPao2iTy1eBpLIu1aD6p1+3+J/ljZyUuJHdugqJ9u+Xu76AiRkFXXMdJEX9rNvq1p0Ivip0uXoRh28UdJGYl+81CZefAhOtTDRdgvFPIBDzWIyNO3h1prVNelrDb7uheqXe6JinNTGaGTzSe7oK8feGS/zVhHHkSyqzMqw=,iv:KF1v2eINhc2qz+L35eskQTjENt7xgHC1QP/lKraFW90=,tag:wKev4XqUspW6BaB0yB51VQ==,type:str]", + "pgp": [ + { + "created_at": "2022-09-01T23:58:00Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMAx1u4ocvSXxJARAAobSuTLCtx17k5BKXmXXXQrsgLBnNNvyNp63HsGUH1STL\nGMk493GBOQpSXuwlKpEH5V9WFwHyxs/1sWizVc3ZANWomYAtxK0XshpaNQV3wicK\n6xxBfx+M7K+hOo+Cqd5yJuPsmG+sXuOTlciN4mQ32NhMA61QQitt7omPspoZa160\novjSEaNuzRGlFClwS76N1wqhwCCcSNGMDFvHM2BuHmlnbLQFr3nuD9TMM2NrTCCI\nW9yYUEPUTW+Wvkg0hmbLE0gTsRyPBTbg41Tu4IZGs0NZyAAfem2W/AslSH0Hk/Me\n8nItE5xt/yqd4MdT11yZSe0HPwuy9ecuP4SCV+aGwZzJG3s/d9aSoJMnTCHAN1HS\n9c+8CcDLSRaQhVLqIeNBuY/sg477JBhD/QvFkLyGFInBcRZg99bIhWS6JL6nblCN\neOx3N1SfFkFUIsnTMyqIZeR5fVgddxF20Jjyl76fbhHzS+/pIyUIWr58uk/F7Wlb\nw5dGV0yRgRP2hUItiS/D1gFV9UvZ4M9j2S7+jDAVzOVqWYdnnTu0YKBw6gyW/fgF\nenQAOxunuAZntD23AcSwZJzg5odtzQ6qtBI1wHw9i9cMmZa4uHVdfm/lAJrbLWbk\nuBhG3hgqtvQ850fjJn81OIeJ/hhMMqRy1/CPyO0nP3InrgR2J2dqaNQFgjCMki3S\n5gEsFKIDL8QRiHlWgAEqym7twau5L8oFGkmj5vpEs8DESs9k90AtxRetQJKfW8Am\nsemLliFEahXvuks4IPM9+Y7k2YIQPIsz6OwA7wY5ur2LyeJMwmpYAA==\n=ClwK\n-----END PGP MESSAGE-----", + "fp": "B6125B16B0DD59F34D6975FBF885927FDA9C48E2" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file diff --git a/ops/provision/.env.notch8.enc b/ops/provision/.env.notch8.enc new file mode 100644 index 000000000..e2130e468 
--- /dev/null +++ b/ops/provision/.env.notch8.enc 
@@ -0,0 +1,21 @@ +{ + "data": "ENC[AES256_GCM,data:CxEUPydRgaLZ+QZZfqbHtx6sWtXbhA2oyJQITrV8pgctLgp9w/klq2VuXWjK5y1xa9zc+y7Jr8T9OMSrJAuLGh6H6BgaYHIaGgllOWZCGmUq52RhJSz7K4RMSvJvF7VBdL9StNHRoV/K+x+gYTd7eSvXo3xkH+MbPV7kYIemxOC/8rRJFoLToe08DWLbK2s2aDqDhzaQZ7lBTxAfLDJZQp58fmo9I/nV6umfMmYW+5JfTTAo4DFdGGJ9Up0H4OOS0jcrPa+v6UQUAlrjfgyek3vuZC3i2Q2hzL/A/gqiRFzWqrId2jYzD8gCSPN5EOGpSxkoGqc8dE4tBzssM5uFH06TspdBupkNlRuMBINlKgqe0SCfFewWNbe9bvqFX25QHJ71PmB312sbvM5b5szLbAS8MuSVW9z7CcSNk8oJ4OtEAt7bGARnhiPnWQ6kj6AgKC1iARqB02MUNQb/2q3z3RgBS4x5s47C0fiWFw==,iv:EpzdZ36fkczA2dvHhzeGTbJQJpV9ojy4VotBMmRYLEQ=,tag:OkymqCpCf3yF0Zwk0vwuBA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-09-01T23:58:02Z", + "mac": "ENC[AES256_GCM,data:fX8+ojw8IiqR/xWQ3tHdZvuNRs6YbL0Reu8H04PF2XmDZzTWPIXQ7+PGAEgVRpubC+P1G80V/CPn9qnqK4u35X3+mUss1BT+lPykeHU3ifbuQ/jsFnd91f4uyV3ji+ZMQ5j6Yqq0BEfcoe/0/Te/iqp42+ye5Tv7Tn38WrF9UZY=,iv:AWIgVAa4vh6zSsF8+GIcZPYBgFsFC2DT43DOK5pWHko=,tag:iKPSKezCH+uas5CXbPQtkA==,type:str]", + "pgp": [ + { + "created_at": "2022-09-01T23:58:01Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nwcFMAx1u4ocvSXxJARAAUamwpQNhcrX2D01OEINsRoly4v6TgVLitmLd6CA93EDS\nUKq4AHPTUr5W+GSgXAikgSbablQ73GBj004li1kRGrvXbpycOhMQ8hf3qay8k6Zp\nwZeUHi8I1y2spxd75ux6IAqZOps8akFrG6qz4fMVotRuWay1kAKC6NhtdZN0pq4Y\nWWDqidxtnakTAdQ0XMLUOPDwhKjOjZqeca+QNcPXIAjFuEHgrQ2g3jsgXo3wpxaX\n/mFz2qGO1CV4K9CRe2bwSnbkzGcjsBjwW19y/68aXkKbZ8yjZR4S7mFNrq/sQXmC\n1vqPaV54g31eceEGPzv3JCwIWOhrx/EoHR9rMuJp0lBQR8x/sf4WBzqgkY45Iplj\n6X7+YXQP5qREYyKlM6O2KuBKdc1r9JXpjlwYhVxJh90fPf+3w5k6y76Dumfa42ca\nZZjxYwyZbx1/c7alOJjgfiS0Eowxj51Wd205Zwjy7WJo+dbTWSa4Gm+LGlSk7hhl\nHIjxobZAFZ7YSiejvpZyy0uXdS3qMwhrUwSlpUxbGbqKd5CX/jT5lYX/LH7jGgoJ\n/9Efvn7B9pVwwrXrMXqNScoF27HMoyHDA9jFVtW9Iy41/VnbLS8wONULnWTt1xY6\nyMHKKyK+L7Xwf27EFmOrI1FqGJxQzLh5YvJ/KofHWqegn47wdc4lE/C4HBUPCsXS\n5gE/AsK7tQzgobUw4Z1PkAmBMUAOsGz+bRrFafiFQ03VJ/cAN2AUZOgGAJt9c9kv\nU4z3exjgruwjNVB6l0Lilt3kJ0adeMuuv7wuYIaQ0xi0DeIJoZdLAA==\n=d98t\n-----END PGP MESSAGE-----", + "fp": "B6125B16B0DD59F34D6975FBF885927FDA9C48E2" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file diff --git a/ops/provision/.gitignore b/ops/provision/.gitignore new file mode 100644 index 000000000..dfcec4576 --- /dev/null +++ b/ops/provision/.gitignore 
@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+.backend
+.env.*
+!.env.*.enc
+*-values.yaml
+kube_config.*.yml
+*.pem
+.terraform.lock.hcl
diff --git a/ops/provision/main.tf b/ops/provision/main.tf
new file mode 100644
index 000000000..ec623ccfd
--- /dev/null
+++ b/ops/provision/main.tf
@@ -0,0 +1,26 @@
+module "networking" {
+ source = "./modules/networking"
+ namespace = var.namespace
+}
+
+module "ssh" {
+ source = "./modules/ssh"
+ namespace = var.namespace
+}
+
+module "ec2" {
+ source = "./modules/ec2"
+ namespace = var.namespace
+ vpc = module.networking.vpc
+ sg_pub_id = module.networking.sg_pub_id
+ key_name = module.ssh.key_name
+ keypair = module.ssh.ssh_keypair
+ fcrepo_instance = var.fcrepo_instance
+ fcrepo_snapshot = var.fcrepo_snapshot
+ fcrepo_db_hostname = var.fcrepo_db_hostname
+ fcrepo_db_username = var.fcrepo_db_username
+ fcrepo_db_password = var.fcrepo_db_password
+ solr_collection = var.solr_collection
+ site24x7_key = var.site24x7_key
+ site24x7_group = var.site24x7_group
+}
diff --git a/ops/provision/modules/ec2/iam.tf b/ops/provision/modules/ec2/iam.tf
new file mode 100644
index 000000000..9590e64f3
--- /dev/null
+++ b/ops/provision/modules/ec2/iam.tf
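Review bot: `.terraform.lock.hcl` on the last line of the new `.gitignore` should not be ignored; the dependency lock file is what makes every `terraform init` resolve the same provider versions and verify them against the recorded hashes, and ignoring it leaves each operator's machine to pick whatever provider release is newest at the time. Remove that line so the lock file is committed, or if it is deliberately kept per-workspace, add a comment above it explaining why.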
@@ -0,0 +1,44 @@ +resource "aws_iam_role" "instance_role" { + name = "${var.namespace}_instance_role" + + assume_role_policy = < v.public_ip + } +} diff --git a/ops/provision/modules/ec2/user_data.fcrepo.yaml b/ops/provision/modules/ec2/user_data.fcrepo.yaml new file mode 100644 index 000000000..181687ba5 --- /dev/null +++ b/ops/provision/modules/ec2/user_data.fcrepo.yaml 
@@ -0,0 +1,55 @@
+#cloud-config
+bootcmd:
+ - mkdir -p /mnt/sdf
+
+runcmd:
+ - echo "n" | mkfs.ext4 /dev/sdf
+ - echo "/dev/sdf /mnt/sdf auto defaults,nofail 0 0" >> /etc/fstab
+ - mount -a
+ - echo ${base64encode(var.keypair)} | base64 -d >> /home/ec2-user/.ssh/${var.key_name}.pem
+ - chmod 400 /home/ec2-user/.ssh/${var.key_name}.pem
+ - hostnamectl set-hostname ${var.hostname}
+ - echo 'Install Java 8 and Mariadb'
+ - yum -y remove java-1.7.0-openjdk
+ - yum -y install java-1.8.0
+ - echo 'Instal Mariadb'
+ - test ! -f /mnt/sdf/complete && mkdir -p /mnt/sdf/mysql-data
+ - ln -sf /mnt/sdf/mysql-data /var/lib/mysql
+ - yum -y install mysql-devel mariadb-server
+ - service mariadb restart
+ - test ! -f /mnt/sdf/complete && mysql -e "CREATE USER '${var.fcrepo_db_username}'@'localhost' IDENTIFIED BY '${var.fcrepo_db_password}';"
+ - test ! -f /mnt/sdf/complete && mysql -e "GRANT ALL PRIVILEGES ON *.* TO '${var.fcrepo_db_username}'@'localhost';"
+ - echo 'Install Fedora'
+ - yum -y install tomcat
+ - echo 'JAVA_OPTS=\"$${JAVA_OPTS} -Dfcrepo.home=/mnt/sdf/fedora-data\"' >> /etc/sysconfig/tomcat7
+ - test ! -f /mnt/sdf/complete && mkdir -p /mnt/sdf/fedora-data
+ - test ! 
-f /mnt/sdf/complete && chown tomcat:tomcat /mnt/sdf/fedora-data/
+ - cd /tmp
+ - wget https://github.com/fcrepo4/fcrepo4/releases/download/fcrepo-4.7.5/fcrepo-webapp-4.7.5.war
+ - cp fcrepo-webapp-4.7.5.war /var/lib/tomcat/webapps/
+ - echo 'fcrepo.home=/mnt/sdf/fedora-data' >> /etc/tomcat/catalina.properties
+ - echo 'fcrepo.mysql.host=${var.fcrepo_db_hostname}' >> /etc/tomcat/catalina.properties
+ - echo 'fcrepo.mysql.username=${var.fcrepo_db_username}' >> /etc/tomcat/catalina.properties
+ - echo 'fcrepo.mysql.password=${var.fcrepo_db_password}' >> /etc/tomcat/catalina.properties
+ - echo 'fcrepo.modeshape.configuration=file:/var/lib/tomcat/webapps/fcrepo-webapp-4.7.5/WEB-INF/classes/config/jdbc-mysql/repository.json' >> /etc/tomcat/catalina.properties
+ - service tomcat restart
+ - echo 'Install Solr'
+ - cd /tmp
+ - wget http://archive.apache.org/dist/lucene/solr/7.7.3/solr-7.7.3.tgz
+ - tar xzf solr-7.7.3.tgz solr-7.7.3/bin/install_solr_service.sh --strip-components=2
+ - ./install_solr_service.sh solr-7.7.3.tgz -d /mnt/sdf/solr-data
+ - mkdir -p /tmp/hyrax-config/
+ - aws s3 sync s3://hyrax-install-assets/solr-config/ /tmp/hyrax-config/
+ - test ! -f /mnt/sdf/complete && sudo -u solr /opt/solr/bin/solr create -c ${var.solr_collection} -d /tmp/hyrax-config
+ - /opt/solr/bin/init.d/solr restart
+ - chkconfig mariadb on
+ - chkconfig tomcat on
+ - chkconfig solr on
+ - echo 'Install site24x7'
+ - wget https://staticdownloads.site24x7.com/server/Site24x7InstallScript.sh
+ - bash Site24x7InstallScript.sh -i -key=${var.site24x7_key} -gn=${var.site24x7_group} -tp="Default Threshold - SERVER" -np="Main"
+ - echo 'complete' >> /status
+ - touch /mnt/sdf/complete
+
+# debug logging
+output : { all : '| tee -a /var/log/cloud-init-output.log' }
diff --git a/ops/provision/modules/ec2/variables.tf b/ops/provision/modules/ec2/variables.tf
new file mode 100644
index 000000000..89eefe14a
--- /dev/null
+++ b/ops/provision/modules/ec2/variables.tf
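Review bot: The `runcmd` list embeds the instance's own SSH private key (`echo ${base64encode(var.keypair)} | base64 -d >> /home/ec2-user/.ssh/${var.key_name}.pem`), the MariaDB password (`IDENTIFIED BY '${var.fcrepo_db_password}'` and the `fcrepo.mysql.password=` line) and the site24x7 key directly in user data, which the instance metadata service hands to any local process on the host regardless of IMDS version and which is also retained by the EC2 API; user data should carry only references, with the values fetched at boot from SSM Parameter Store or Secrets Manager through the `instance_role` declared in `iam.tf`. `GRANT ALL PRIVILEGES ON *.* TO '${var.fcrepo_db_username}'@'localhost'` gives the application account full server rights including over the `mysql` schema; granting on the Fedora database only (`ON <fcrepo-database>.*`, name taken from the modeshape `repository.json` config) is enough. The Solr tarball is fetched over plain HTTP (`wget http://archive.apache.org/...`) and the site24x7 script is piped straight into `bash` after download, with no checksum or signature check on either, so a tampered mirror runs as root on first boot; fetch over HTTPS and compare a pinned `sha256sum` before `tar`/`bash`. Also note the `tomcat7` in `/etc/sysconfig/tomcat7` does not match the `tomcat` package and `/etc/tomcat/...` paths used on the neighbouring lines, so the `JAVA_OPTS` append probably lands in an unused file — worth confirming on a booted host.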
@@ -0,0 +1,51 @@
+variable "namespace" {
+ type = string
+}
+
+variable "vpc" {
+ type = any
+}
+
+variable key_name {
+ type = string
+}
+
+variable keypair {
+ type = string
+}
+
+variable "sg_pub_id" {
+ type = any
+}
+
+variable "fcrepo_instance" {
+ default = "t2.xlarge"
+}
+
+variable "fcrepo_snapshot" {
+ default = ""
+}
+
+variable "fcrepo_db_hostname" {
+ type = string
+}
+
+variable "fcrepo_db_username" {
+ type = string
+}
+
+variable "fcrepo_db_password" {
+ type = string
+}
+
+variable "solr_collection" {
+ type = string
+}
+
+variable "site24x7_key" {
+ type = string
+}
+
+variable "site24x7_group" {
+ type = string
+}
diff --git a/ops/provision/modules/networking/output.tf b/ops/provision/modules/networking/output.tf
new file mode 100644
index 000000000..748e359ee
--- /dev/null
+++ b/ops/provision/modules/networking/output.tf
@@ -0,0 +1,7 @@
+output "vpc" {
+ value = module.vpc
+}
+
+output "sg_pub_id" {
+ value = aws_security_group.access.id
+}
diff --git a/ops/provision/modules/networking/security-groups.tf b/ops/provision/modules/networking/security-groups.tf
new file mode 100644
index 000000000..244648bff
--- /dev/null
+++ b/ops/provision/modules/networking/security-groups.tf
@@ -0,0 +1,25 @@
+// SG to allow SSH connections from anywhere
+resource "aws_security_group" "access" {
+ name = "${var.namespace}-access"
+ description = "Allow SSH inbound traffic"
+ vpc_id = module.vpc.vpc_id
+
+ ingress {
+ description = "SSH from the internet"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${var.namespace}-access"
+ }
+}
diff --git a/ops/provision/modules/networking/variables.tf b/ops/provision/modules/networking/variables.tf
new file mode 100644
index 000000000..74333a1a9
--- /dev/null
+++ b/ops/provision/modules/networking/variables.tf
@@ -0,0 +1,3 @@
+variable "namespace" {
+ type = string
+}
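Review bot: `fcrepo_db_password`, `site24x7_key` and `keypair` (which receives the PEM private key from `module.ssh.ssh_keypair`) are declared as plain `string` variables here, and `fcrepo_db_password` and `site24x7_key` again in the root `variables.tf`, so their values are printed in clear in every `terraform plan`/`apply` and in any CI log that captures it; add `sensitive = true` to each of those declarations so Terraform redacts them. The values still reach the state file in plaintext, which is why the backend configured through `.backend` needs encryption at rest and restricted read access. `key_name` and `keypair` are also the only two declarations without quotes around the name; quoting them matches the rest of the file.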
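Review bot: The `ingress` block opens port 22 to `cidr_blocks = ["0.0.0.0/0"]`, as the `// SG to allow SSH connections from anywhere` comment says, on hosts that will hold the Fedora, MariaDB and Solr data and whose private key is distributed in user data; restricting the source to the operators' known ranges via a module variable, e.g. `cidr_blocks = var.ssh_cidr_blocks`, or reaching the hosts through SSM Session Manager using the existing instance role, removes the internet-wide exposure. If the open rule is intentional for initial bring-up, say so in the comment and note who is expected to tighten it. The allow-all `egress` block is the AWS default and is fine to leave as is.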
diff --git a/ops/provision/modules/networking/vpc.tf b/ops/provision/modules/networking/vpc.tf
new file mode 100644
index 000000000..99397d5f9
--- /dev/null
+++ b/ops/provision/modules/networking/vpc.tf
@@ -0,0 +1,16 @@
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.14.2"
+
+ name = "${var.namespace}-vpc"
+ cidr = "10.0.0.0/16"
+ azs = data.aws_availability_zones.available.names
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+ enable_dns_support = true
+}
diff --git a/ops/provision/modules/ssh/main.tf b/ops/provision/modules/ssh/main.tf
new file mode 100644
index 000000000..547b96df0
--- /dev/null
+++ b/ops/provision/modules/ssh/main.tf
@@ -0,0 +1,14 @@
+resource "tls_private_key" "key" {
+ algorithm = "RSA"
+}
+
+resource "local_sensitive_file" "private_key" {
+ filename = "${var.namespace}-key.pem"
+ content = tls_private_key.key.private_key_pem
+ file_permission = "0400"
+}
+
+resource "aws_key_pair" "key_pair" {
+ key_name = "${var.namespace}-key"
+ public_key = tls_private_key.key.public_key_openssh
+}
diff --git a/ops/provision/modules/ssh/output.tf b/ops/provision/modules/ssh/output.tf
new file mode 100644
index 000000000..593493cd2
--- /dev/null
+++ b/ops/provision/modules/ssh/output.tf
@@ -0,0 +1,8 @@
+output "ssh_keypair" {
+ value = tls_private_key.key.private_key_pem
+}
+
+output "key_name" {
+ value = aws_key_pair.key_pair.key_name
+
+}
diff --git a/ops/provision/modules/ssh/variables.tf b/ops/provision/modules/ssh/variables.tf
new file mode 100644
index 000000000..74333a1a9
--- /dev/null
+++ b/ops/provision/modules/ssh/variables.tf
@@ -0,0 +1,3 @@
+variable "namespace" {
+ type = string
+}
diff --git a/ops/provision/outputs.tf b/ops/provision/outputs.tf
new file mode 100644
index 000000000..d7a9b7b94
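Review bot: `output "ssh_keypair"` in `ssh/output.tf` exposes `tls_private_key.key.private_key_pem` without `sensitive = true`; recent tls provider releases mark that attribute sensitive, and Terraform 0.15 and later refuse to plan an output that references a sensitive value unless the output is marked sensitive as well, while older versions simply print the key in plan output. Add `sensitive = true` to that output block. Because the same key is also written to `${var.namespace}-key.pem` by `local_sensitive_file` in `ssh/main.tf` and stored in state, the `*.pem` rule in `.gitignore` and an access-restricted, encrypted backend are what actually keep it private; a comment on the `local_sensitive_file` resource pointing that out would help the next maintainer.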
--- /dev/null
+++ b/ops/provision/outputs.tf
@@ -0,0 +1,6 @@
+output "fcrepo_prod_connection_string" {
+ description = "Copy/Paste/Enter - You are in the matrix"
+ value = [
+ for k, v in module.ec2.fcrepo_ips : "${k} ~ ssh -i ./ops/provision/${module.ssh.key_name}.pem ec2-user@${v}"
+ ]
+}
diff --git a/ops/provision/provider.tf b/ops/provision/provider.tf
new file mode 100644
index 000000000..c0fc95d9d
--- /dev/null
+++ b/ops/provision/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.region
+ profile = var.profile
+}
\ No newline at end of file
diff --git a/ops/provision/variables.tf b/ops/provision/variables.tf
new file mode 100644
index 000000000..c71c198bd
--- /dev/null
+++ b/ops/provision/variables.tf
@@ -0,0 +1,48 @@
+variable "profile" {
+ default = "ams"
+}
+
+variable "namespace" {
+ description = "The project namespace to use for unique resource naming"
+ default = "TEST"
+ type = string
+}
+
+variable "region" {
+ description = "AWS region"
+ default = "us-east-2"
+ type = string
+}
+
+variable "fcrepo_instance" {
+ type = string
+ default = "t2.xlarge"
+}
+
+variable "fcrepo_snapshot" {
+ type = string
+}
+
+variable "fcrepo_db_hostname" {
+ type = string
+}
+
+variable "fcrepo_db_username" {
+ type = string
+}
+
+variable "fcrepo_db_password" {
+ type = string
+}
+
+variable "solr_collection" {
+ type = string
+}
+
+variable "site24x7_key" {
+ type = string
+}
+
+variable "site24x7_group" {
+ type = string
+}
diff --git a/ops/provision/versions.tf b/ops/provision/versions.tf
new file mode 100644
index 000000000..6b6318def
--- /dev/null
+++ b/ops/provision/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.13"
+}
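Review bot: `versions.tf` pins only `required_version = ">= 0.13"` and declares no `required_providers`, so the `aws`, `tls` and `local` providers this configuration uses (the `local` one at a release new enough to offer `local_sensitive_file`) are resolved to whatever is newest at `terraform init` time on each operator's machine, which is a reproducibility problem and a supply-chain exposure. Add a `required_providers` block naming the source and a version constraint for each, along the lines below; the concrete constraints are placeholders to be filled in from the versions this change was actually tested with.

```hcl
terraform {
  required_version = ">= 0.13"

  required_providers {
    aws   = { source = "hashicorp/aws",   version = "<pin, e.g. ~> 4.0 — constructed placeholder>" }
    tls   = { source = "hashicorp/tls",   version = "<pin — constructed placeholder>" }
    local = { source = "hashicorp/local", version = "<pin — constructed placeholder>" }
  }
}
```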