alan-turing-institute · thinkC · Sep 30, 2025 · Oct 17, 2025 · Oct 24, 2025
diff --git a/.gitignore b/.gitignore
@@ -169,3 +169,9 @@ cython_debug/
 
 # PyPI configuration file
 .pypirc
+
+
+# Terraform 
+*.tfstate
+*.tfstate.*
+.terraform/
diff --git a/infra/fridge-openstack-infra/terraform/.terraform.lock.hcl b/infra/fridge-openstack-infra/terraform/.terraform.lock.hcl
diff --git a/infra/fridge-openstack-infra/terraform/instances.tf b/infra/fridge-openstack-infra/terraform/instances.tf
@@ -0,0 +1,206 @@
+# create a port
+
+resource "openstack_networking_port_v2" "controller_isolated_port" {
+  name = "controller-isolated-port"
+  network_id = openstack_networking_network_v2.isolated_net.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+  }
+}
+
+
+resource "openstack_networking_port_v2" "worker1_isolated_port" {
+  name = "worker1-isolated-port"
+  network_id = openstack_networking_network_v2.isolated_net.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+  }
+}
+
+# worker 2 port
+resource "openstack_networking_port_v2" "worker2_isolated_port" {
+  name = "worker2-isolated-port"
+  network_id = openstack_networking_network_v2.isolated_net.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+  }
+}
+
+
+# Create port for private network
+
+resource "openstack_networking_port_v2" "controller_private_port" {
+  name = "controller-access-port"
+  network_id = openstack_networking_network_v2.private_network.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.private_subnet.id
+  }
+}
+
+
+resource "openstack_networking_port_v2" "worker1_private_port" {
+  name = "worker1-access-port"
+  network_id = openstack_networking_network_v2.private_network.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.private_subnet.id
+  }
+}
+
+resource "openstack_networking_port_v2" "worker2_private_port" {
+  name = "worker2-access-port"
+  network_id = openstack_networking_network_v2.private_network.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.private_subnet.id
+  }
+}
+
+
+# instances
+
+resource "openstack_compute_instance_v2" "controller" {
+  name = "controller"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_small
+  key_pair = var.keypair_name
+  security_groups = [ openstack_networking_secgroup_v2.proxy_sg.name ]
+  network {
+    port = openstack_networking_port_v2.controller_private_port.id #kubeproxy_private_port.id 
+  }
+  network {
+    port = openstack_networking_port_v2.controller_isolated_port.id # kubeproxy_isolated_port.id
+  }
+}
+
+
+#worker1
+
+resource "openstack_compute_instance_v2" "worker1" {
+  name = "worker1"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_small
+  key_pair = var.keypair_name
+  security_groups = [ openstack_networking_secgroup_v2.proxy_sg.name ]
+  network {
+    port = openstack_networking_port_v2.worker1_private_port.id 
+  }
+  network {
+    port = openstack_networking_port_v2.worker1_isolated_port.id 
+  }
+}
+
+
+
+#worker2 instance
+resource "openstack_compute_instance_v2" "worker2" {
+  name = "worker2"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_small
+  key_pair = var.keypair_name
+  security_groups = [ openstack_networking_secgroup_v2.proxy_sg.name ]
+  network {
+    port = openstack_networking_port_v2.worker2_private_port.id
+  }
+  network {
+    port = openstack_networking_port_v2.worker2_isolated_port.id
+  }
+}
+
+
+# create port for bastion
+resource "openstack_networking_port_v2" "bastion_private_port" {
+  name = "bastion-access-port"
+  network_id = openstack_networking_network_v2.private_network.id
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.private_subnet.id
+  }
+}
+
+
+
+# instances - bastion 
+
+resource "openstack_compute_instance_v2" "bastion" {
+  name = "operator-bastion"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_xsmall
+  key_pair = var.keypair_name
+  security_groups = [ openstack_networking_secgroup_v2.bastion_sg.name ]
+  network {
+    port = openstack_networking_port_v2.bastion_private_port.id
+  }
+
+}
+
+# allocate floating ip
+resource "openstack_networking_floatingip_v2" "bastion_fip" {
+  pool = var.external_network_name
+}
+
+#associate floating ip
+
+resource "openstack_compute_floatingip_associate_v2" "bastion_fip_assoc" {
+  floating_ip = openstack_networking_floatingip_v2.bastion_fip.address
+  instance_id = openstack_compute_instance_v2.bastion.id
+}
+
+# instance kube API VM in isolated network
+
+# create port for kubeapi
+resource "openstack_networking_port_v2" "kubeapi_controller_isolated_port" {
+  name = "kubeapi_controller-isolated-port"
+  network_id = openstack_networking_network_v2.isolated_net.id 
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+  }
+}
+
+
+resource "openstack_compute_instance_v2" "kubeapi_controller" {
+  name = "kubeapi_controller"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_small
+  key_pair = var.keypair_name 
+  security_groups = [ openstack_networking_secgroup_v2.isolated_sg.name ]
+  network {
+     port = openstack_networking_port_v2.kubeapi_controller_isolated_port.id
+  }
+}
+
+resource "openstack_networking_port_v2" "kubeapi_worker1_isolated_port" {
+  name = "kubeapi_worker1-isolated-port"
+  network_id = openstack_networking_network_v2.isolated_net.id 
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+  }
+}
+
+resource "openstack_compute_instance_v2" "kubeapi_worker1" {
+  name = "kubeapi_worker1"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_small
+  key_pair = var.keypair_name 
+  security_groups = [ openstack_networking_secgroup_v2.isolated_sg.name ]
+  network {
+     port = openstack_networking_port_v2.kubeapi_worker1_isolated_port.id
+  }
+}
+
+resource "openstack_networking_port_v2" "kubeapi_worker2_isolated_port" {
+  name = "kubeapi_worker2-isolated-port"
+  network_id = openstack_networking_network_v2.isolated_net.id 
+  fixed_ip {
+    subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+  }
+}
+
+resource "openstack_compute_instance_v2" "kubeapi_worker2" {
+  name = "kubeapi_worker2"
+  image_name = var.image_name
+  flavor_name = var.flavor_name_small
+  key_pair = var.keypair_name 
+  security_groups = [ openstack_networking_secgroup_v2.isolated_sg.name ]
+  network {
+     port = openstack_networking_port_v2.kubeapi_worker2_isolated_port.id
+  }
+}
+
diff --git a/infra/fridge-openstack-infra/terraform/main.tf b/infra/fridge-openstack-infra/terraform/main.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.1.0"
+  required_providers {
+    openstack = {
+        source = "terraform-provider-openstack/openstack"
+        version = "~> 1.48.0"
+    }
+  }
+}
+
+provider "openstack" {
+  cloud = var.openstack_cloud
+}
diff --git a/infra/fridge-openstack-infra/terraform/networking.tf b/infra/fridge-openstack-infra/terraform/networking.tf
@@ -0,0 +1,59 @@
+# private netwrok with access to the internet
+
+resource "openstack_networking_network_v2" "private_network" {
+  name = var.private_network
+}
+
+resource "openstack_networking_subnet_v2" "private_subnet" {
+  name = "${var.private_network}-subnet"
+  network_id = openstack_networking_network_v2.private_network.id
+  cidr = var.private_subnet_cidr
+  ip_version = 4
+  dns_nameservers = [ "131.111.8.42", "131.111.12.20" ]
+  enable_dhcp = true
+}
+
+# router conneting private network to the external network
+resource "openstack_networking_router_v2" "private_router" {
+  name = "${var.private_network}-router"
+  external_network_id = data.openstack_networking_network_v2.external_network.id 
+
+}
+
+resource "openstack_networking_router_interface_v2" "private_router_interface" {
+  router_id = openstack_networking_router_v2.private_router.id
+  subnet_id = openstack_networking_subnet_v2.private_subnet.id
+}
+
+# isolated network
+resource "openstack_networking_network_v2" "isolated_net" {
+  name = var.isolated_network
+}
+
+resource "openstack_networking_subnet_v2" "isolated_subnet" {
+  name = "${var.isolated_network}-subnet"
+  network_id = openstack_networking_network_v2.isolated_net.id
+  cidr = var.isolated_subnet_cidr
+  ip_version = 4
+  dns_nameservers = [ "131.111.8.42", "131.111.12.20" ]
+  enable_dhcp = true
+}
+
+
+data "openstack_networking_network_v2" "external_network"{
+    name = var.external_network_name
+}
+
+
+# create temporary router to route traffic in isolated network to install k3s etc
+# router conneting private network to the external network
+# resource "openstack_networking_router_v2" "isolated_router" {
+#   name = "${var.isolated_network}-router"
+#   external_network_id = data.openstack_networking_network_v2.external_network.id 
+
+# }
+
+# resource "openstack_networking_router_interface_v2" "isolated_router_interface" {
+#   router_id = openstack_networking_router_v2.isolated_router.id
+#   subnet_id = openstack_networking_subnet_v2.isolated_subnet.id
+# }
diff --git a/infra/fridge-openstack-infra/terraform/outputs.tf b/infra/fridge-openstack-infra/terraform/outputs.tf
@@ -0,0 +1,22 @@
+output "bastion_fip_floating_ip" {
+  value = openstack_networking_floatingip_v2.bastion_fip.address
+}
+
+# output "controller_isolated_ip" {
+#   value = openstack_networking_port_v2.controller_isolated_port.fixed_ip[0].ip_address
+# }
+
+# output "worker1_isolated_ip" {
+#   value = openstack_networking_port_v2.worker1_isolated_port.fixed_ip[0].ip_address
+# }
+output "private_subnet_cidr" {
+  value = openstack_networking_subnet_v2.private_subnet.cidr
+}
+
+output "isolated_subnet_cidr" {
+  value = openstack_networking_subnet_v2.isolated_subnet.cidr
+}
+
+# output "kubeapi_isolated_ip" {
+#   value = openstack_compute_instance_v2.kubeapi.access_ip_v4
+# }