-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathetcd3.cluster-main.tf
196 lines (167 loc) · 6.47 KB
/
etcd3.cluster-main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
### ############################################################## ###
### [[etcd3-cluster-module]] bring up etcd3 cluster using ignition ###
### ############################################################## ###
locals
{
ecosystem_id = "etcd3-cluster"
discovery_url = "${ data.external.etcd_url.result[ "etcd_discovery_url" ] }"
ignition_etcd3_json_content = "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n --listen-peer-urls=\"http://$${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n --listen-client-urls=\"http://0.0.0.0:2379\" \\\n --initial-advertise-peer-urls=\"http://$${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n --advertise-client-urls=\"http://$${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n --discovery=\"${local.discovery_url}\""
}
/*
| --
| -- Run a bash script which only contains a curl command to retrieve
| -- the etcd discovery url from the service offered by CoreOS.
| -- This is how to retrieve the URL from any command line.
| --
| -- $ curl https://discovery.etcd.io/new?size=3
| --
*/
data external etcd_url
{
program = [ "python", "${path.module}/etcd3-discovery-url.py", "${ var.in_node_count }" ]
}
/*
| --
| -- This EC2 instance bootsrap configured by ignition is the engine room
| -- that powers the etcd3 cluster running within the CoreOS machine.
| --
*/
resource aws_instance etcd3_node
{
count = "3"
instance_type = "t2.medium"
ami = "${ module.coreos_ami_id.out_ami_id }"
subnet_id = "${ element( module.vpc-network.out_private_subnet_ids, count.index ) }"
user_data = "${ data.ignition_config.etcd3.rendered }"
vpc_security_group_ids = [ "${ module.security-group.out_security_group_id }" ]
tags
{
Name = "node-0${ ( count.index + 1 ) }-${ local.ecosystem_id }-${ module.resource-tags.out_tag_timestamp }"
Class = "${ local.ecosystem_id }"
Instance = "${ local.ecosystem_id }-${ module.resource-tags.out_tag_timestamp }"
Desc = "This etcd3 node no.${ ( count.index + 1 ) } for ${ local.ecosystem_id } ${ module.resource-tags.out_tag_description }"
}
}
/*
| --
| -- Visit the terraform ignition user manual at the url below to
| -- understand how ignition is used as the de-factor cloud-init
| -- starter for a cluster of CoreOS machines.
| --
| -- https://www.terraform.io/docs/providers/ignition/index.html
| --
*/
data ignition_config etcd3
{
systemd =
[
"${data.ignition_systemd_unit.etcd3.id}",
]
}
/*
| --
| -- This slice of the ignition configuration deals with the
| -- systemd service. Once rendered it is then placed alongside
| -- the other ignition configuration blocks in ignition_config
| --
*/
data ignition_systemd_unit etcd3
{
name = "etcd-member.service"
enabled = "true"
dropin
{
name = "20-clct-etcd-member.conf"
content = "${ local.ignition_etcd3_json_content }"
}
}
/*
| --
| -- This load balancer plays a critical role in the etcd3 cluster
| -- eco-system. At the back-end it speaks to etcd using the http
| -- protocol on port 2379 whilst at the front-end it listens to
| -- external clients on the ubiquitous port 80.
| --
| -- It lives in the public subnets but expects its IP traffic to
| -- originate from private IP addresses in the twin private subnets.
| --
| -- In production the http plaintext interactions should be replaced
| -- by secure https communications including a pointer to a SSL
| -- certificate living in AWS's Certificate Manager.
| --
*/
module load-balancer
{
source = "github.com/devops4me/terraform-aws-load-balancer"
in_vpc_id = "${ module.vpc-network.out_vpc_id }"
in_subnet_ids = "${ module.vpc-network.out_public_subnet_ids }"
in_security_group_ids = [ "${ module.security-group.out_security_group_id }" ]
in_ip_addresses = "${ aws_instance.etcd3_node.*.private_ip }"
in_ip_address_count = 3
in_front_end = [ "http" ]
in_back_end = [ "etcd" ]
in_is_internal = false
in_ecosystem_name = "${local.ecosystem_id}"
in_tag_timestamp = "${ module.resource-tags.out_tag_timestamp }"
in_tag_description = "${ module.resource-tags.out_tag_description }"
}
/*
| --
| -- This module creates a VPC and then allocates subnets in a round robin manner
| -- to each availability zone. For example if 8 subnets are required in a region
| -- that has 3 availability zones - 2 zones will hold 3 subnets and the 3rd two.
| --
| -- Whenever and wherever public subnets are specified, this module knows to create
| -- an internet gateway and a route out to the net.
| --
*/
module vpc-network
{
source = "github.com/devops4me/terraform-aws-vpc-network"
in_vpc_cidr = "10.66.0.0/16"
in_ecosystem_name = "${local.ecosystem_id}"
in_tag_timestamp = "${ module.resource-tags.out_tag_timestamp }"
in_tag_description = "${ module.resource-tags.out_tag_description }"
}
/*
| --
| -- The security group needs to allow ssh for troubleshooting logins
| -- and http plus https to test the load balancers viability against
| -- a fleet of web servers.
| --
*/
module security-group
{
source = "github.com/devops4me/terraform-aws-security-group"
in_ingress = [ "http", "etcd-client", "etcd-server" ]
in_vpc_id = "${ module.vpc-network.out_vpc_id }"
in_ecosystem_name = "${local.ecosystem_id}"
in_tag_timestamp = "${ module.resource-tags.out_tag_timestamp }"
in_tag_description = "${ module.resource-tags.out_tag_description }"
}
/*
| --
| -- This module dynamically acquires the HVM CoreOS AMI ID for the region that
| -- this infrastructure is built in (specified by the AWS credentials in play).
| --
*/
module coreos_ami_id
{
source = "github.com/devops4me/terraform-aws-coreos-ami-id"
}
/*
| --
| -- Remember the AWS resource tags! Using this module, every
| -- infrastructure component is tagged to tell you 5 things.
| --
| -- a) who (which IAM user) created the component
| -- b) which eco-system instance is this component a part of
| -- c) when (timestamp) was this component created
| -- d) where (in which AWS region) was this component created
| -- e) which eco-system class is this component a part of
| --
*/
module resource-tags
{
source = "github.com/devops4me/terraform-aws-resource-tags"
}