├── .gitignore
├── CHANGELOG.md
├── LICENSE
├── Makefile
├── README-vault.md
├── README.md
├── Vagrantfile
├── app-deploy-key.pem.yaml.sample
├── cluster-manager.sh
├── envs.sh.sample
├── graph-examples
    ├── admiral.png
    ├── efs.png
    ├── elb-ci.png
    ├── etcd.png
    ├── iam.png
    ├── rds.png
    ├── route53.png
    ├── s3.png
    ├── vpc.png
    └── worker.png
├── modules
    ├── asg-with-elb
    │   ├── autoscaling-group-with-elb.tf
    │   └── variables.tf
    ├── cloudtrail
    │   ├── main.tf
    │   └── variables.tf
    ├── cluster
    │   ├── cluster.tf
    │   └── variables.tf
    ├── efs-target
    │   └── efs-target.tf
    └── subnet
    │   └── subnet.tf
├── resources
    ├── certs
    │   ├── Makefile
    │   ├── README.md
    │   ├── etcd-client.cnf
    │   ├── etcd.cnf
    │   ├── rootCA.cnf
    │   └── site.cnf
    ├── cloud-config
    │   ├── admiral.yaml.tmpl
    │   ├── common-files.yaml.tmpl
    │   ├── dockerhub.yaml
    │   ├── etcd.yaml.tmpl
    │   ├── files-vault.yaml
    │   ├── files.yaml
    │   ├── s3-cloudconfig-bootstrap.sh
    │   ├── systemd-units-flannel.yaml
    │   ├── systemd-units.yaml
    │   ├── vault.yaml.tmpl
    │   └── worker.yaml.tmpl
    ├── makefiles
    │   ├── admiral.mk
    │   ├── cloudtrail.mk
    │   ├── efs.mk
    │   ├── elb-ci.mk
    │   ├── etcd.mk
    │   ├── iam.mk
    │   ├── init.mk
    │   ├── rds.mk
    │   ├── route53.mk
    │   ├── s3.mk
    │   ├── vault.mk
    │   ├── vpc.mk
    │   └── worker.mk
    ├── policies
    │   ├── admiral_policy.json
    │   ├── assume_role_policy.json
    │   ├── deployment_policy.json
    │   ├── dockerhub_policy.json
    │   ├── etcd_policy.json
    │   ├── vault_policy.json
    │   └── worker_policy.json
    └── terraforms
    │   ├── admiral
    │       └── admiral.tf
    │   ├── cloudtrail
    │       └── cloudtrail.tf
    │   ├── efs
    │       └── efs.tf
    │   ├── elb-ci
    │       └── ci.tf
    │   ├── elb-dockerhub
    │       └── dockerhub.tf
    │   ├── etcd
    │       └── etcd.tf
    │   ├── iam
    │       └── iam.tf
    │   ├── rds
    │       ├── mysql.tf
    │       ├── postgres.tf
    │       └── security-group.tf
    │   ├── route53
    │       └── route53.tf
    │   ├── s3
    │       └── s3.tf
    │   ├── vault
    │       ├── elb.tf
    │       ├── variables.tf
    │       └── vault.tf
    │   ├── vpc
    │       ├── vpc-subnet-admiral.tf
    │       ├── vpc-subnet-elb.tf
    │       ├── vpc-subnet-etcd.tf
    │       ├── vpc-subnet-rds.tf
    │       ├── vpc-subnet-vault.tf
    │       ├── vpc-subnet-worker.tf
    │       └── vpc.tf
    │   └── worker
    │       └── worker.tf
└── scripts
    ├── aws-keypair.sh
    ├── cloudtrail-admin.sh
    ├── gen-provider.sh
    ├── gen-rds-password.sh
    ├── gen-tf-vars.sh
    ├── get-ami.sh
    ├── get-dns-name.sh
    ├── get-ec2-public-id.sh
    ├── get-vpc-id.sh
    ├── session-lock.sh
    ├── setup_vault.sh
    ├── substitute-AWS-ACCOUNT.sh
    ├── substitute-CLUSTER-NAME.sh
    └── tf-apply-confirm.sh


/.gitignore:
--------------------------------------------------------------------------------
 1 | build*/*
 2 | secrets
 3 | hushhush
 4 | *.pem
 5 | *.key
 6 | .DS_Store
 7 | .git
 8 | .terraform
 9 | .vagrant
10 | coreos-cluster
11 | envs.sh
12 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | ## v0.2.1
 2 | 
 3 | FEATURES:
 4 | 
 5 | * Added AWS Cloudtrail module
 6 | * Added Vault cluster with dedicated etcd storage backend
 7 | 
 8 | ## v0.2.0
 9 | 
10 | DESIGN CHANGE:
11 | 
12 | In previous implementation, we use one build directory for all resources, so there is only one __terraform.tfstate__ file to maintain.
13 | 
14 | For more complicated cases, ongoing modifications to the infrastructure, e.g., a small change such as a security group rule, could take long time because all resources need to be refreshed and checked for consistency.
15 | 
16 | In this release, each resource has its owner __terraform/\<resource\>__ and coresponding __build/\<resource\>__ directory, so it can
17 | be invidually managed, for example, `make <resource_only>` target will only plan and appply changes for that resource, without checking vpc dependency, if you are sure there is no vpc changes. This will speed up operations. 
18 | 
19 | This release is backwards incompatible because of the structure change. You will need to migrate to this structure.
20 | 
21 | FEATURES:
22 | 
23 |  * **envs.sh:** the file is used to override default environment variable values in **Makefile**. See [envs.sh.sample](https://github.com/xuwang/aws-terraform/blob/master/envs.sh.sample).
24 |  * **lock, unlock:** these targets can be used in a team workflow to make sure only the person who owns the lock can alter the infrastructure. An pair of AWS key is used to facilitate the lock. 
25 |  * **session start, session end:** same as _lock_, _unlock_, these targets force git pull and git push to keep repository in-sync if you use git to maintain terraform status and code.  
26 |  * **etcd cluster:** the default cluster contains 1 etcd node, 1 worker node, t2.miro instance type. Change these in __terraform/etcd/etcd.tf__ or __terraform/worker/worker.tf__ for different configurations. The etcd cluster is in autoscaling group and can self-discover IP changes.
27 |  * **graph** _make graph_ target will generate dependency graph in png format, under build/<resource> directory. See [graph-examples](https://github.com/xuwang/aws-terraform/tree/master/graph-examples) for examples. 
28 |  * **two stage bootstraping:** all instances use the same [_user-data_](https://github.com/xuwang/aws-terraform/blob/master/resources/cloud-config/s3-cloudconfig-bootstrap.sh) file, a bootstrap script that will download the instance's specific
29 | cloud-config file from their corresponding S3 bucket, then CoreOS will run cloud-config using the downloaed cloud-config yaml file. This means that you rarely need to tear down and rebuild machine if the only change is in the cloud-config.yaml: reboot the instance will pick up the change. 
30 |  * **applicaiton bootstraping:** a git-sync timer unit is provisioned by cloud-config to download application relocated code, such as post-boot provisionning, account
31 | creation, file system mount, docker units files etc. The content of the applicaiton repo is cloned under/var/lib/apps location. The timer runs every minute, to pick up new changes.  A [default app repo](https://github.com/dockerage/coreos-cluster-apps) is provided, and you can change it in __envs.sh__ to use your own repoistory. You can also configure a private key for git-sync to use for the sync.
32 |  * **route53, iam server certificate**: these are optional resources. If you define APP_DOMAIN in envs.sh, the domain name will be used as a default route53 zone and a self-signed star server certificate will be generated and can used as default elb certitificate.
33 |  * **default VPC**: If you change AWS region, you need to go through __terraform/vpc__ directory to make sure availablity zones are set correctly for the region,otherwise, the build will fail.
34 |  * **technical details**: See [Technical notes](https://github.com/xuwang/aws-terraform#technical-notes).
35 | 
36 | ## v0.1.0
37 | 
38 | Initial release.
39 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Xu Wang
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
  1 | ###################
  2 | ## Customization ##
  3 | ###################
  4 | # Change here or use environment variables, e.g. export AWS_PROFILE=<aws profile name>.
  5 | 
  6 | # Default SHELL for make for consistency on different platforms
  7 | SHELL := /bin/bash
  8 | # Load environments
  9 | include envs.sh
 10 | 
 11 | # Default AWS profile and cluster name. Please choose cluster name carefully. It will used as prefix in many AWS resources to be created.
 12 | AWS_PROFILE ?= NODEFAULT
 13 | CLUSTER_NAME ?= NODEFAULT
 14 | # Application repository. Automatically synced to /var/lib/apps every minute
 15 | APP_REPOSITORY ?= https://github.com/dockerage/coreos-cluster-apps
 16 | APP_REPOSITORY_DEPLOYKEY ?= ''
 17 | 
 18 | # Domain: default domain for Route53 zone and a self-signed *.domain cert for default ELBs.
 19 | APP_DOMAIN ?= 'example.com'
 20 | 
 21 | # For get-ami.sh
 22 | COREOS_UPDATE_CHANNEL ?= stable
 23 | AWS_REGION ?= us-west-2
 24 | VM_TYPE ?= hvm
 25 | 
 26 | # All resources used in destroy_all, in the order of dependencies.
 27 | # It doesn't hurt if a resource in the list is not created, but if it does, add 
 28 | # it to the list to make sure cleanup is done properly. 
 29 | ALL_RESOURCES := vault admiral worker etcd iam s3 elb-ci elb-gitlab elb_dockerhub efs rds route53 cloudtrail vpc
 30 | 
 31 | # To prevent you from mistakenly using a wrong account (and end up destroying live environment),
 32 | # a list of allowed AWS account IDs should be defined:
 33 | #ALLOWED_ACCOUNT_IDS := "123456789012","012345678901"
 34 | AWS_ACCOUNT := $(shell aws --profile ${AWS_PROFILE} iam get-user | jq -r ".User.Arn" | grep -Eo '[[:digit:]]{12}')
 35 | AWS_USER := $(shell aws --profile ${AWS_PROFILE} iam get-user | jq -r ".User.UserName")
 36 | ALLOWED_ACCOUNT_IDS := "$(AWS_ACCOUNT)"
 37 | 
 38 | # Working Directories and files
 39 | ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 40 | SCRIPTS := $(ROOT_DIR)scripts
 41 | MODULES := $(ROOT_DIR)modules
 42 | RESOURCES := $(ROOT_DIR)resources
 43 | TF_RESOURCES := $(ROOT_DIR)resources/terraforms
 44 | BUILD := $(ROOT_DIR)build-$(CLUSTER_NAME)
 45 | BUILD_SUBDIRS = $(shell [ -d $(BUILD) ] && cd $(BUILD) && ls -d */ | tr '/' ' ')
 46 | CONFIG := $(BUILD)/cloud-config
 47 | CERTS := $(BUILD)/certs
 48 | SITE_CERT := $(CERTS)/site.pem
 49 | POLICIES := $(BUILD)/policies
 50 | AMI_VAR := ami.tf
 51 | 
 52 | # LOCKKEY to prevent multiple terraform runs. The private key for the lock will be put in $HOME/.aws/{LOCK_KEYNAME}.pem
 53 | # which is used to valide if you own the lock.
 54 | LOCK_KEYNAME := $(CLUSTER_NAME)-tfstate-lock
 55 | 
 56 | # Default to confirm when applying Terraform changes to the infrastrucutre
 57 | CONFIRM_TF_APPLY ?= YES
 58 | 
 59 | # Terraform files
 60 | TF_PROVIDER := provider.tf
 61 | TF_DESTROY_PLAN_OUT := destroy.tfplan
 62 | TF_APPLY_PLAN := apply.tfplan
 63 | TF_STATE := terraform.tfstate
 64 | 
 65 | # Terraform commands
 66 | # Note: for production, set -refresh=true to be safe
 67 | TF_APPLY := terraform apply -refresh=true
 68 | # Note: for production, remove --force to confirm destroy.
 69 | TF_DESTROY := terraform destroy -force
 70 | TF_DESTROY_PLAN := terraform plan -destroy -refresh=true
 71 | TF_GET := terraform get -update
 72 | TF_GRAPH := terraform graph -module-depth=0
 73 | TF_PLAN := terraform plan -module-depth=1 -refresh=true
 74 | TF_SHOW := terraform show -module-depth=1
 75 | TF_REFRESH := terraform refresh
 76 | TF_TAINT := terraform taint -allow-missing
 77 | TF_OUTPUT := terraform output
 78 | 
 79 | # Git clone/pull command
 80 | GIT_SSH_COMMAND := ssh -i /root/.ssh/git-sync-rsa.pem -o 'StrictHostKeyChecking no'
 81 | 
 82 | # Comman separated list of cidr blocks to allow ssh; default to  $(curl -s http://ipinfo.io/ip)/32
 83 | # TF_VAR_allow_ssh_cidr := "$(shell curl -s http://ipinfo.io/ip)/32"
 84 | TF_VAR_timestamp := $(shell date +%Y-%m-%d-%H%M)
 85 | TF_VAR_iamuser := $(AWS_USER)
 86 | 
 87 | ##########################
 88 | ## End of customization ##
 89 | ##########################
 90 | 
 91 | export
 92 | 
 93 | all: worker admiral
 94 | 
 95 | help:
 96 | 	@echo "Usage: make plan_<resource> | <resource> | plan_destroy_<resource> | destroy_<resource>"
 97 | 	@echo "Or make show_<resource> | graph"
 98 | 	@echo "Or make plan_destroy_all | destroy_all"
 99 | 	@echo "Available resources: cloudtrail vault vpc s3 route53 iam efs elb etcd worker admiral rds"
100 | 	@echo "For example: make plan_worker # to show what resources are planned for worker"
101 | 
102 | lock:
103 | 	$(SCRIPTS)/session-lock.sh -l $(LOCK_KEYNAME)
104 | 
105 | unlock:
106 | 	$(SCRIPTS)/session-lock.sh -u $(LOCK_KEYNAME)
107 | 
108 | session_start: lock
109 | 	$(MAKE) pull_tf_state
110 | 
111 | session_end:
112 | 	@if ! git diff-index --name-status --exit-code HEAD -- ; then \
113 | 	    echo "You have unpublished changes:"; exit 1 ; \
114 | 	fi
115 | 	$(MAKE) push_tf_state
116 | 	$(SCRIPTS)/session-lock.sh -u $(LOCK_KEYNAME) && rm session_start
117 | 
118 | plan_destroy_all:
119 | 	@echo $(BUILD_SUBDIRS)
120 | 	@rm -rf /tmp/$(CLUSTER_NAME); mkdir -p /tmp/$(CLUSTER_NAME)
121 | 	@$(foreach resource,$(BUILD_SUBDIRS),cd $(BUILD)/$(resource) && $(TF_DESTROY_PLAN) -out /tmp/$(CLUSTER_NAME)/$(resource)-destroy.plan 2> /tmp/destroy.err;)
122 | 
123 | confirm:
124 | 	@echo "CONTINUE? [Y/N]: "; read ANSWER; \
125 | 	if [ ! "$$ANSWER" = "Y" ]; then \
126 | 		echo "Exiting." ; exit 1 ; \
127 |     fi
128 | 
129 | destroy_all: | plan_destroy_all
130 | 	@for i in /tmp/$(CLUSTER_NAME)/*.plan; do $(TF_SHOW) $$i; done | grep -- -
131 | 	@$(eval total=$(shell for i in /tmp/$(CLUSTER_NAME)/*.plan; do $(TF_SHOW) $$i; done | grep -- - | wc -l))
132 | 	@echo ""
133 | 	@echo "Will destroy $$total resources"
134 | 	@$(MAKE) confirm
135 | 	@for i in $(ALL_RESOURCES); do \
136 | 	  if [ -d $(BUILD)/$$i ]; then \
137 | 	    $(MAKE) "destroy_$$i"; \
138 | 	  fi ; \
139 | 	done
140 | 	#rm -rf $(BUILD)
141 | 
142 | destroy: 
143 | 	@echo "Usage: make destroy_<resource> | make plan_destroy_all | make destroy_all"
144 | 	@echo "For example: make destroy_worker"
145 | 	@echo "Node: destroy may fail because of outstanding dependences"
146 | 
147 | graph: | $(BUILD)
148 | 	@mkdir -p $(BUILD)/graph
149 | 	@for i in $(ALL_RESOURCES); do \
150 | 	  if [ -d $(BUILD)/$$i ]; then \
151 | 	  	cd $(BUILD)/$$i ; \
152 | 	    $(TF_GRAPH) | dot -Tpng > $(BUILD)/graph/$$i.png ; \
153 | 	  fi ; \
154 | 	done
155 | 
156 | plan:
157 | 	@echo "plan_<resource>"
158 | show_all:
159 | 	@$(foreach resource,$(BUILD_SUBDIRS),$(TF_SHOW) $(BUILD)/$(resource)/terraform.tfstate 2> /dev/null; )
160 | 
161 | # TODO: Push/Pull terraform states from a tf state repo
162 | # For team work, you need to commit terraform to a remote location, such as git repo, S3 
163 | # Should implement a locking method to prevent alter infrastructure at the same time.
164 | pull_tf_state:
165 | 	@mkdir -p $(BUILD)
166 | 	@echo pull terraform state from ...
167 | 	#git pull --rebase 
168 | 
169 | push_tf_state:
170 | 	@echo push terraform state to ....
171 | 	#git push
172 | 
173 | # Load all resouces makefile
174 | include resources/makefiles/*.mk
175 | 
176 | .PHONY: all confirm destroy destroy_all graph lock unlock plan_destroy_all help pull_tf_state push_tf_state
177 | .NOTPARALLEL:
178 | 
179 | 


--------------------------------------------------------------------------------
/README-vault.md:
--------------------------------------------------------------------------------
 1 | 
 2 | This repo contains a vault cluster runs with etcd backend. By default, the vault and etcd are running
 3 | on the same instance. 3 instances are created. 
 4 | 
 5 | With this setup, you can afford to lose one machine and still keep etcd healthy, so if needed, only reboot machines one at a time and
 6 | check etcd health before reboot another.
 7 | 
 8 | ## Get ips of the vault servers
 9 | 
10 | You can get ips of the vault servers by:
11 | 
12 | ```
13 | $ make get_vault_ips
14 | ```
15 | 
16 | The ssh access is open to your own machine's IP from where you built the vault.
17 | 
18 | ## Initialize and unseal the vault
19 | 
20 | You need to run Vault initialization on one of the vault servers. The master key and 5 unsealing keys will be stored in etcd K/V store.
21 | You need to run unseal process on all vault servers after its reboot.
22 | 
23 | * Copy scripts/setup_vault.sh to all vault servers:
24 | 
25 | ```
26 | $ scp scripts/setup_vault.sh core@<vault-server-ips>:/tmp
27 | ```
28 | 
29 | * Initialize and unseal the vault servers
30 | 
31 | Run this on all vault servers - note it is okay to run setup_vault.multiple times. It will skip initialization if the vault is already
32 | initialized.
33 | ```
34 | $ ssh core@<vault-server-ips>
35 | $ cd /tmp
36 | $ ./setup_vault.sh
37 | ```
38 | 
39 | ## Validate vault setup
40 | 
41 | This doesn't need vault authentication
42 | 
43 | ```
44 | $ vault status
45 | core@ip-10-10-6-72-vault /tmp $vault status
46 | Sealed: false
47 | Key Shares: 5
48 | Key Threshold: 3
49 | Unseal Progress: 0
50 | Version: 0.6.4
51 | Cluster Name: vault-cluster-4932646e
52 | Cluster ID: b47b8de3-b609-e730-d2f2-c894d1c77ec8
53 | ```
54 | Authenticate to vault and check mounts:
55 | 
56 | ```
57 | $ vault auth $(etcdctl get /service/vault/root-token)
58 | Successfully authenticated! You are now logged in.
59 | token: xxxxxx-ea73-1063-02bf-070f2ab60123
60 | token_duration: 0
61 | token_policies: [root]
62 | 
63 | $ core@ip-10-10-6-72-vault /etc/profile.d $vault mounts
64 | Path        Type       Default TTL  Max TTL  Description
65 | cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
66 | secret/     generic    system       system   generic secret storage
67 | sys/        system     n/a          n/a      system endpoints used for control, policy and debugging
68 | ```
69 | ## Validate vault elb health
70 | 
71 | You can check on AWS EC2/Loadbalancer console, or run:
72 | 
73 | ```
74 | $ aws elb --profile <profile> describe-instance-health --load-balancer-name=vault --region <region>
75 | ```
76 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | Vagrant.configure("2") do |config|
 5 |   config.vm.box = "ubuntu/trusty64"
 6 |   config.vm.define vm_name = "my-aws-terraform-box"
 7 |   
 8 | 
 9 |   # app ports
10 |   # config.vm.network :forwarded_port, guest: 8080, host: 80, auto_correct: true
11 |   # config.vm.network :forwarded_port, guest: 8443, host: 443, auto_correct: true
12 |   # Create a private network, which allows host-only access to the machine
13 |   # using a specific IP.
14 |   config.vm.network :private_network, ip: "192.168.33.10"
15 | 
16 |   # Create a public network, which generally matched to bridged network.
17 |   # Bridged networks make the machine appear as another physical device on
18 |   # your network.
19 |   # config.vm.network :public_network
20 | 
21 |   # Share an additional folder to the guest VM. The first argument is
22 |   # the path on the host to the actual folder. The second argument is
23 |   # the path on the guest to mount the folder. And the optional third
24 |   # argument is a set of non-required options.
25 |   config.vm.synced_folder ".", "/home/vagrant/aws-terraform"
26 |   config.vm.synced_folder "~/.aws", "/home/vagrant/.aws"
27 |   config.vm.provision "file", source: "~/.gitconfig", destination: ".gitconfig"
28 | 
29 |   # Get rid of stdin: not tty error
30 |   config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
31 | 
32 |   # Provider-specific configuration so you can fine-tune various
33 |   # backing providers for Vagrant. These expose provider-specific options.
34 |   # Example for VirtualBox:
35 |   #
36 |   config.vm.provider :virtualbox do |vb|
37 |     vb.customize [
38 |       "modifyvm", :id,
39 |       "--memory", "2048"
40 |     ]
41 |   end
42 |    config.vm.provision "shell", inline: $install_tools
43 | end
44 | 
45 | $install_tools = <<SCRIPT
46 | echo installing jq, unzip, and pip ...
47 | export DEBIAN_FRONTEND=noninteractive
48 | apt-get update; apt-get install -y python-pip jq unzip git mysql-client-core-5.6 postgresql-client-9.3 graphviz
49 | echo installing awscli ...
50 | pip install --upgrade awscli s3cmd
51 | echo installing terraform ...
52 | mkdir -p /opt/terraform
53 | pushd /opt/terraform
54 | wget -q https://releases.hashicorp.com/terraform/0.8.8/terraform_0.8.8_linux_amd64.zip
55 | unzip -q -o terraform_0.8.8_linux_amd64.zip
56 | popd
57 | mkdir -p /etc/profile.d
58 | echo PATH=$PATH:/opt/terraform > /etc/profile.d/terraform.sh
59 | aws --version
60 | jq --version
61 | /opt/terraform/terraform --version
62 | SCRIPT
63 | 


--------------------------------------------------------------------------------
/app-deploy-key.pem.yaml.sample:
--------------------------------------------------------------------------------
1 |   - path: /root/.ssh/git-sync-rsa.pem
2 |     permissions: 0400
3 |     owner: root
4 |     content: |
5 |       -----BEGIN RSA PRIVATE KEY-----
6 |       .....
7 |       -----END RSA PRIVATE KEY-----
8 | 


--------------------------------------------------------------------------------
/cluster-manager.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | #
  3 | # Written by Xueshan Feng <xueshan.feng@gmail.com>
  4 | #
  5 | # Init variables and sanity checks
  6 | export DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
  7 | function init() {
  8 |     export PROJECTROOT=$DIR
  9 |     export GITROOT=$DIR
 10 |     export SCRIPTDIR=$GITROOT/scripts
 11 |     [ -f $DIR/envs.sh ] && source $DIR/envs.sh
 12 | 
 13 |     if [ ! -d $PROJECTROOT ];
 14 |     then 
 15 |         echo "$PROJECTROOT doesn't exist."
 16 |         exit 1
 17 |     fi
 18 |     aws --profile $AWS_PROFILE support help 2>/dev/null 1>&2
 19 |     if [ $? = "255" ];
 20 |     then
 21 |         echo "Account $AWS_PROFILE doesn't exit."
 22 |         exit 1
 23 |     fi
 24 |     # Update git repo
 25 |     cd $GITROOT
 26 |     git pull 
 27 | }
 28 | 
 29 | #############
 30 | # Subroutines
 31 | #############
 32 | 
 33 | # Show all resources
 34 | function showAllResources() {
 35 |   make show_all | more -R
 36 | }
 37 | # Make graph
 38 | function makeGraph() {
 39 |   make graph && echo "Graphs are generated under build/graph directory."
 40 | }
 41 | 
 42 | function updateResource() {
 43 |   make $resourceType -k 2>&1 | tee /tmp/$resourceType.$$.log
 44 | }
 45 | 
 46 | function createCluster() {
 47 |   make all -k 2>&1  | tee /tmp/build.$$.log
 48 | }
 49 | 
 50 | function distroyCluster() {
 51 |   make destroy_all -k 2>&1  | tee /tmp/destroy.$$.log
 52 | }
 53 | 
 54 | function hitAnyKey() {
 55 |     echo -n "Hit any key to continue, or Ctl-C to cancel....."
 56 |     read -n 1
 57 |     clear
 58 | }
 59 | 
 60 | # Get confirmation for an action
 61 | function answerMe() {
 62 |     answer='N'
 63 |     echo -n "Are you sure to contiune? [Y/N]: "
 64 |     read answer
 65 |     echo ""
 66 | }
 67 | 
 68 | # Core display screen
 69 | function clusterScreen() {
 70 |     echo "===== Cluster-Wide Operations ======"
 71 |     echo ""
 72 |     echo "0. Create Cluster"
 73 |     echo "1. Destroy Cluster"
 74 |     echo "2. Show all Resources"
 75 |     echo "3. Make graph"
 76 |     echo 
 77 |     echo "===== Update Individual Resources ======"
 78 |     echo "10. Admiral"
 79 |     echo "11. Worker"
 80 |     echo "12. Etcd"
 81 |     echo "13. Iam"
 82 |     echo "14. Elastic loadbalancer: CI"
 83 |     echo "15. Elastic loadbalancer: GitLab (WIP)"
 84 |     echo "16. Elastic loadbalancer: dockerhub (WIP)"
 85 |     echo "17. EFS"
 86 |     echo "18. RDS"
 87 |     echo "19. Route53"
 88 |     echo "20. S3 buckets"
 89 |     echo "21. VPC"
 90 |     echo "88. Exit"
 91 |     echo ""
 92 |     echo "Note: If resources already exist, current status will be displayed."
 93 |     echo -n "Please select one of the options above: "
 94 |     read CHOICE 
 95 |  
 96 |     echo ""
 97 |     case $CHOICE in
 98 |  	    0)
 99 | 	    createCluster 
100 |             hitAnyKey
101 |             return $callAgain
102 | 	        ;;
103 |         1)
104 |             distroyCluster
105 |             hitAnyKey
106 |             return $callAgain
107 | 	        ;;
108 |         2)
109 |             showAllResources
110 |             hitAnyKey
111 |             return $callAgain
112 | 	        ;;
113 |         3)
114 |             makeGraph
115 |             hitAnyKey
116 |             return $callAgain
117 |             ;;
118 |         10)
119 |             resourceType='admiral'
120 |             updateResource
121 |             hitAnyKey
122 |             return $callAgain
123 |             ;;
124 |         11)
125 |             resourceType='worker'
126 |             updateResource
127 |             hitAnyKey
128 |             return $callAgain
129 |             ;;
130 |         12)
131 |             resourceType='etcd'
132 |             updateResource
133 |             hitAnyKey
134 |             return $callAgain
135 |             ;;
136 |         13)
137 |             resourceType='iam'
138 |             updateResource
139 |             hitAnyKey
140 |             return $callAgain
141 |             ;;
142 |         14)
143 |             resourceType='elb_ci'
144 |             updateResource
145 |             hitAnyKey
146 |             return $callAgain
147 |             ;;
148 |         15)
149 |             resourceType='elb-gitlab'
150 |             updateResource
151 |             hitAnyKey
152 |             return $callAgain
153 |             ;;
154 |         16)
155 |             resourceType='elb-dockerhub'
156 |             updateResource
157 |             hitAnyKey
158 |             return $callAgain
159 |             ;;
160 |         17)
161 |             resourceType='efs'
162 |             updateResource
163 |             hitAnyKey
164 |             return $callAgain
165 |             ;;
166 |         18)
167 |             resourceType='rds'
168 |             updateResource
169 |             hitAnyKey
170 |             return $callAgain
171 |             ;;
172 |         19)
173 |             resourceType='route53'
174 |             updateResource
175 |             hitAnyKey
176 |             return $callAgain
177 |             ;;
178 |         20)
179 |             resourceType='s3'
180 |             updateResource
181 |             hitAnyKey
182 |             return $callAgain
183 |             ;;
184 |         21)
185 |             resourceType='vpc'
186 |             updateResource
187 |             hitAnyKey
188 |             return $callAgain
189 |             ;;
190 |         88|q|quit|exit)
191 |             # Reminder to uppdate git repo
192 |             cd $GITROOT
193 |             if ! git diff-index --name-status --exit-code HEAD -- ; then \
194 |                echo "You have unpublished changes:"; exit 1 ; \
195 |             else
196 |                exit 0
197 |             fi
198 |             ;;
199 |         *)
200 |             clear
201 |             return $callAgain
202 |     esac
203 | } 
204 | 
205 | ################
206 | # Main routine. 
207 | ################
208 | 
209 | if [ ! -f "envs.sh" ];
210 | then
211 |     echo "Please define required environment variables in envs.sh"
212 |     exit 1
213 | fi
214 | init
215 | callAgain=99
216 | status=$callAgain
217 | while [ $status -eq $callAgain ]
218 | do
219 |     clusterScreen
220 |     status=$?
221 |     clear
222 | done
223 | 
224 | exit 0
225 | 
226 | DOCS=<<__END_OF_DOCS__
227 | 
228 | =head1 NAME
229 | 
230 | cluster-manager.sh - Menu-driven script to install CoreOS docker platform.
231 | 
232 | =head1 FILES
233 | 
234 | The script reads the platform configuration from envs.sh.
235 | 
236 | =head1 AUTHORS
237 | 
238 | Xueshan Feng <xueshan.feng@gmail.com>
239 | 
240 | =cut
241 | 


--------------------------------------------------------------------------------
/envs.sh.sample:
--------------------------------------------------------------------------------
 1 | # You can override default values in Makefile by creating envs.sh and run source ./envs.sh
 2 | #unset AWS_PROFILE CLUSTER_NAME REGION APP_REPOSITORY APP_REPOSITORY_DEPLOYKEY APP_DOMAIN
 3 | 
 4 | export AWS_PROFILE=my-aws-profile
 5 | export CLUSTER_NAME=my-cluster
 6 | export AWS_REGION=us-west-2
 7 | 
 8 | # Default domain for route53 zone and for iam server certificate
 9 | #export APP_DOMAIN=dockerage.com
10 | 
11 | # If you have a private repo needs to be synced to host under /var/lib/app. :
12 | #export APP_REPOSITORY=git@example.com:user/app-repo.git
13 | #export APP_REPOSITORY_DEPLOYKEY=/path/to/private/app-deploy-key.pem.yaml
14 | 
15 | # If you have a public repo
16 | #export APP_REPOSITORY=https://github.com/user/app-repo.git
17 | 
18 | # Default CONFIRM_TF_APPLY
19 | #export CONFIRM_TF_APPLY=YES
20 | 


--------------------------------------------------------------------------------
/graph-examples/admiral.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/admiral.png


--------------------------------------------------------------------------------
/graph-examples/efs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/efs.png


--------------------------------------------------------------------------------
/graph-examples/elb-ci.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/elb-ci.png


--------------------------------------------------------------------------------
/graph-examples/etcd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/etcd.png


--------------------------------------------------------------------------------
/graph-examples/iam.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/iam.png


--------------------------------------------------------------------------------
/graph-examples/rds.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/rds.png


--------------------------------------------------------------------------------
/graph-examples/route53.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/route53.png


--------------------------------------------------------------------------------
/graph-examples/s3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/s3.png


--------------------------------------------------------------------------------
/graph-examples/vpc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/vpc.png


--------------------------------------------------------------------------------
/graph-examples/worker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xuwang/aws-terraform/9868dc7e3bd773765606e29a01908108c2f94225/graph-examples/worker.png


--------------------------------------------------------------------------------
/modules/asg-with-elb/autoscaling-group-with-elb.tf:
--------------------------------------------------------------------------------
  1 | #
  2 | #  General cluster autoscale group configurations
  3 | #
  4 | resource "aws_autoscaling_group" "asg_pool" {
  5 |   vpc_zone_identifier = ["${split(",",var.cluster_vpc_zone_identifiers)}"]
  6 |   name = "${var.cluster_name}-${var.asg_name}"
  7 |   min_size = "${var.cluster_min_size}"
  8 |   max_size = "${var.cluster_max_size}"
  9 |   desired_capacity = "${var.cluster_desired_capacity}"
 10 |   
 11 |   health_check_type = "EC2"
 12 |   health_check_grace_period = 300
 13 |   force_delete = true
 14 |   metrics_granularity = "1Minute"
 15 |   load_balancers = ["${var.load_balancers}"]
 16 | 
 17 |   launch_configuration = "${aws_launch_configuration.asg_pool.name}"
 18 |   
 19 |   tag {
 20 |     key = "Name"
 21 |     value = "${var.cluster_name}-${var.asg_name}"
 22 |     propagate_at_launch = true
 23 |   }
 24 | }
 25 | 
 26 | resource "aws_launch_configuration" "asg_pool" {
 27 |   # use system generated name to allow changes of launch_configuration
 28 |   name_prefix = "${var.cluster_name}-${var.asg_name}-"
 29 |   image_id = "${var.ami}"
 30 |   instance_type = "${var.image_type}"
 31 |   iam_instance_profile = "${aws_iam_instance_profile.asg_pool.name}"
 32 |   security_groups = ["${split(",",var.cluster_security_groups)}"]
 33 |   key_name = "${var.keypair}"  
 34 |   lifecycle { create_before_destroy = true }
 35 | 
 36 |   # /root
 37 |   root_block_device = {
 38 |     volume_type = "${var.root_volume_type}" 
 39 |     volume_size = "${var.root_volume_size}" 
 40 |   }
 41 | 
 42 |   # /var/lib/docker
 43 |   ebs_block_device = {
 44 |     device_name = "/dev/sdb"
 45 |     volume_type = "${var.docker_volume_type}" 
 46 |     volume_size = "${var.docker_volume_size}" 
 47 |   }
 48 | 
 49 |   # /opt/data
 50 |   ebs_block_device = {
 51 |     device_name = "/dev/sdc"
 52 |     volume_type = "${var.data_volume_type}"
 53 |     volume_size = "${var.data_volume_size}"
 54 |   }
 55 | 
 56 |   # instance store device, necessary for instance with ephemeral devices, e.g. m3.
 57 |   # no effect for instances without ephemeral disks. 
 58 |   ephemeral_block_device  {
 59 |     device_name = "/dev/sdd"
 60 |     virtual_name = "ephemeral0"
 61 |   }
 62 | 
 63 |   # cluser user_data
 64 |   user_data = "${var.user_data}"
 65 | }
 66 | 
 67 | # Define policy and role
 68 | resource "aws_iam_role_policy" "asg_pool" {
 69 |   name = "${var.asg_name}"
 70 |   role = "${aws_iam_role.asg_pool.id}"
 71 |   policy = "${var.iam_role_policy}"
 72 |   lifecycle { create_before_destroy = true }
 73 | }
 74 | 
 75 | # setup ec2 instance profile
 76 | resource "aws_iam_instance_profile" "asg_pool" {
 77 |   name = "${var.asg_name}"
 78 |   roles = ["${aws_iam_role.asg_pool.name}"]
 79 |   lifecycle { create_before_destroy = true }
 80 | 
 81 |   # Sleep a little to wait the IAM profile to be ready - 
 82 |   # This seems to fix:
 83 |   #     aws_launch_configuration.asg_pool: Error creating launch configuration: ValidationError: You are not authorized to #       perform this operation
 84 |   provisioner "local-exec" {
 85 |     command = "sleep 10"
 86 |   }
 87 | }
 88 | 
 89 | resource "aws_iam_role" "asg_pool" {
 90 |   name = "${var.asg_name}"
 91 |   path = "/"
 92 |   lifecycle { create_before_destroy = true }
 93 |   assume_role_policy =  <<EOF
 94 | {
 95 |   "Version": "2012-10-17",
 96 |   "Statement": [
 97 |     {
 98 |       "Sid": "",
 99 |       "Effect": "Allow",
100 |       "Principal": {
101 |         "Service": "ec2.amazonaws.com"
102 |       },
103 |       "Action": "sts:AssumeRole"
104 |     }
105 |   ]
106 | }
107 | EOF
108 | }
109 | 


--------------------------------------------------------------------------------
/modules/asg-with-elb/variables.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # cluster variables
 3 | variable "cluster_name" { }
 4 | variable "asg_name" { }
 5 | # a list of subnet IDs to launch resources in.
 6 | variable "cluster_vpc_zone_identifiers" { }
 7 | variable "cluster_security_groups" { }
 8 | variable "cluster_min_size" { }
 9 | variable "cluster_max_size" { }
10 | variable "cluster_desired_capacity" { }
11 | variable "load_balancers" { }
12 | 
13 | # Instance specifications
14 | variable "ami" { }
15 | variable "image_type" { default = "t2.micro" }
16 | variable "keypair" { }
17 | variable "root_volume_type" { default = "gp2" }
18 | variable "root_volume_size" { default = 12 }
19 | variable "docker_volume_type"  { default = "gp2" }
20 | variable "docker_volume_size" { default = 12 }
21 | variable "data_volume_type"  { default = "gp2" }
22 | variable "data_volume_size" { default = 12 }
23 | variable "user_data" { }
24 | variable "iam_role_policy" { }
25 | 


--------------------------------------------------------------------------------
/modules/cloudtrail/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_cloudtrail" "cluster_cloudtrail" {
 2 |     name = "${var.trail_name}"
 3 |     s3_bucket_name = "${aws_s3_bucket.cluster_cloudtrail.id}"
 4 |     include_global_service_events = "${var.include_global_service_events}"
 5 |     is_multi_region_trail = "${var.is_multi_region_trail}"
 6 |     #sns_topic_name = "${var.sns_topic_name}"
 7 |     tags {
 8 |         Name = "${var.trail_name}"
 9 |     }
10 | }
11 | 
12 | resource "aws_s3_bucket" "cluster_cloudtrail" {
13 |     bucket = "${var.s3_bucket_name}"
14 |     force_destroy = true
15 |     policy = <<POLICY
16 | {
17 |     "Version": "2012-10-17",
18 |     "Statement": [
19 |         {
20 |             "Sid": "AWSCloudTrailAclCheck",
21 |             "Effect": "Allow",
22 |             "Principal": {
23 |               "Service": "cloudtrail.amazonaws.com"
24 |             },
25 |             "Action": "s3:GetBucketAcl",
26 |             "Resource": "arn:aws:s3:::${var.aws_account_id}-${var.cluster_name}-cloudtrail"
27 |         },
28 |         {
29 |             "Sid": "AWSCloudTrailWrite",
30 |             "Effect": "Allow",
31 |             "Principal": {
32 |               "Service": "cloudtrail.amazonaws.com"
33 |             },
34 |             "Action": "s3:PutObject",
35 |             "Resource": "arn:aws:s3:::${var.aws_account_id}-${var.cluster_name}-cloudtrail/AWSLogs/${var.aws_account_id}/*",
36 |             "Condition": {
37 |                 "StringEquals": {
38 |                     "s3:x-amz-acl": "bucket-owner-full-control"
39 |                 }
40 |             }
41 |         }
42 |     ]
43 | }
44 | POLICY
45 | }
46 | 


--------------------------------------------------------------------------------
/modules/cloudtrail/variables.tf:
--------------------------------------------------------------------------------
1 | 
2 | # Cloudtrail default variables
3 | variable "trail_name" { }
4 | variable "s3_bucket_name" { }
5 | variable "is_multi_region_trail" { default = false }
6 | variable "include_global_service_events" { default = false }
7 | variable "cluster_name" {}
8 | variable "aws_account_id" {}
9 | 


--------------------------------------------------------------------------------
/modules/cluster/cluster.tf:
--------------------------------------------------------------------------------
  1 | #
  2 | #  General cluster autoscale group configurations
  3 | #
  4 | resource "aws_autoscaling_group" "instance_pool" {
  5 |   vpc_zone_identifier = ["${split(",",var.cluster_vpc_zone_identifiers)}"]
  6 |   name = "${var.cluster_name}-${var.asg_name}"
  7 |   min_size = "${var.cluster_min_size}"
  8 |   max_size = "${var.cluster_max_size}"
  9 |   desired_capacity = "${var.cluster_desired_capacity}"
 10 |   
 11 |   health_check_type = "EC2"
 12 |   health_check_grace_period = 300
 13 |   force_delete = true
 14 |   metrics_granularity = "1Minute"
 15 | 
 16 |   launch_configuration = "${aws_launch_configuration.instance_pool.name}"
 17 |   
 18 |   tag {
 19 |     key = "Name"
 20 |     value = "${var.cluster_name}-${var.asg_name}"
 21 |     propagate_at_launch = true
 22 |   }
 23 | }
 24 | 
 25 | resource "aws_launch_configuration" "instance_pool" {
 26 |   # use system generated name to allow changes of launch_configuration
 27 |   name_prefix = "${var.cluster_name}-${var.asg_name}-"
 28 |   image_id = "${var.ami}"
 29 |   instance_type = "${var.image_type}"
 30 |   iam_instance_profile = "${aws_iam_instance_profile.instance_pool.name}"
 31 |   security_groups = ["${split(",",var.cluster_security_groups)}"]
 32 |   key_name = "${var.keypair}"  
 33 |   lifecycle { create_before_destroy = true }
 34 | 
 35 |   # /root
 36 |   root_block_device = {
 37 |     volume_type = "${var.root_volume_type}" 
 38 |     volume_size = "${var.root_volume_size}" 
 39 |   }
 40 | 
 41 |   # /var/lib/docker
 42 |   ebs_block_device = {
 43 |     device_name = "/dev/sdb"
 44 |     volume_type = "${var.docker_volume_type}" 
 45 |     volume_size = "${var.docker_volume_size}" 
 46 |   }
 47 | 
 48 |   # /opt/data
 49 |   ebs_block_device = {
 50 |     device_name = "/dev/sdc"
 51 |     volume_type = "${var.data_volume_type}"
 52 |     volume_size = "${var.data_volume_size}"
 53 |   }
 54 | 
 55 |   # instance store device, necessary for instance with ephemeral devices, e.g. m3.
 56 |   # no effect for instances without ephemeral disks. 
 57 |   ephemeral_block_device  {
 58 |     device_name = "/dev/sdd"
 59 |     virtual_name = "ephemeral0"
 60 |   }
 61 | 
 62 |   # cluser user_data
 63 |   user_data = "${var.user_data}"
 64 | }
 65 | 
 66 | # Define policy and role
 67 | resource "aws_iam_role_policy" "instance_pool" {
 68 |   name = "${var.asg_name}"
 69 |   role = "${aws_iam_role.instance_pool.id}"
 70 |   policy = "${var.iam_role_policy}"
 71 |   lifecycle { create_before_destroy = true }
 72 | }
 73 | 
 74 | # setup ec2 instance profile
 75 | resource "aws_iam_instance_profile" "instance_pool" {
 76 |   name = "${var.asg_name}"
 77 |   roles = ["${aws_iam_role.instance_pool.name}"]
 78 |   lifecycle { create_before_destroy = true }
 79 | 
 80 |   # Sleep a little to wait the IAM profile to be ready - 
 81 |   # This seems to fix:
 82 |   #     aws_launch_configuration.instance_pool: Error creating launch configuration: ValidationError: You are not authorized to #       perform this operation
 83 |   provisioner "local-exec" {
 84 |     command = "sleep 10"
 85 |   }
 86 | }
 87 | 
 88 | resource "aws_iam_role" "instance_pool" {
 89 |   name = "${var.asg_name}"
 90 |   path = "/"
 91 |   lifecycle { create_before_destroy = true }
 92 |   assume_role_policy =  <<EOF
 93 | {
 94 |   "Version": "2012-10-17",
 95 |   "Statement": [
 96 |     {
 97 |       "Sid": "",
 98 |       "Effect": "Allow",
 99 |       "Principal": {
100 |         "Service": "ec2.amazonaws.com"
101 |       },
102 |       "Action": "sts:AssumeRole"
103 |     }
104 |   ]
105 | }
106 | EOF
107 | }
108 | 


--------------------------------------------------------------------------------
/modules/cluster/variables.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # cluster variables
 3 | variable "cluster_name" { }
 4 | variable "asg_name" { }
 5 | # a list of subnet IDs to launch resources in.
 6 | variable "cluster_vpc_zone_identifiers" { }
 7 | variable "cluster_security_groups" { }
 8 | variable "cluster_min_size" { }
 9 | variable "cluster_max_size" { }
10 | variable "cluster_desired_capacity" { }
11 | 
12 | # Instance specifications
13 | variable "ami" { }
14 | variable "image_type" { default = "t2.micro" }
15 | variable "keypair" { }
16 | variable "root_volume_type" { default = "gp2" }
17 | variable "root_volume_size" { default = 12 }
18 | variable "docker_volume_type"  { default = "gp2" }
19 | variable "docker_volume_size" { default = 12 }
20 | variable "data_volume_type"  { default = "gp2" }
21 | variable "data_volume_size" { default = 12 }
22 | variable "user_data" { }
23 | variable "iam_role_policy" { }
24 | 


--------------------------------------------------------------------------------
/modules/efs-target/efs-target.tf:
--------------------------------------------------------------------------------
 1 | # EFS mount targets
 2 | 
 3 | variable "efs_subnet_0_id" { }
 4 | variable "efs_subnet_1_id" { }
 5 | variable "efs_subnet_2_id" { }
 6 | variable "filesystem_id" { }
 7 | variable "security_group_id" { }
 8 | 
 9 | resource "aws_efs_mount_target" "efs-a" {
10 |   file_system_id = "${var.filesystem_id}"
11 |   subnet_id = "${var.efs_subnet_0_id}"
12 |   security_groups = ["${var.security_group_id}"]
13 | }
14 | resource "aws_efs_mount_target" "efs-b" {
15 |   file_system_id = "${var.filesystem_id}"
16 |   subnet_id = "${var.efs_subnet_1_id}"
17 |   security_groups = ["${var.security_group_id}"]
18 | }
19 | resource "aws_efs_mount_target" "efs-c" {
20 |   file_system_id = "${var.filesystem_id}"
21 |   subnet_id = "${var.efs_subnet_2_id}"
22 |   security_groups = ["${var.security_group_id}"]
23 | }
24 | 


--------------------------------------------------------------------------------
/modules/subnet/subnet.tf:
--------------------------------------------------------------------------------
 1 | # subnet
 2 | 
 3 | variable "subnet_name" { }
 4 | variable "vpc_id" { }
 5 | variable "subnet_cidr" { }
 6 | variable "subnet_az" { }
 7 | variable "route_table_id" { }
 8 | 
 9 | resource "aws_subnet" "subnet" {
10 |     vpc_id = "${var.vpc_id}"
11 |     availability_zone = "${var.subnet_az}"
12 |     cidr_block = "${var.subnet_cidr}"
13 |     map_public_ip_on_launch = "true"
14 |     tags {
15 |         Name = "${var.subnet_name}"
16 |     }
17 | }
18 | 
19 | resource "aws_route_table_association" "rt" {
20 |     subnet_id = "${aws_subnet.subnet.id}"
21 |     route_table_id = "${var.route_table_id}"
22 | }
23 | 
24 | output "id" { value = "${aws_subnet.subnet.id}" }
25 | output "az" { value = "${var.subnet_az}" }


--------------------------------------------------------------------------------
/resources/certs/Makefile:
--------------------------------------------------------------------------------
 1 | CWD := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 2 | CA_CERT := $(CWD)/rootCA.pem
 3 | ETCD_CERT := $(CWD)/etcd.pem
 4 | SITE_CERT := $(CWD)/site.pem
 5 | DHPARAM := $(CWD)/dhparam.pem
 6 | 
 7 | all: | $(CA_CERT) $(ETCD_CERT) $(SITE_CERT)
 8 | 
 9 | clean:
10 | 	rm -f *.pem *.csr *.srl *.key *.crt
11 | 
12 | ca: | $(CA_CERT)
13 | 
14 | site: | $(SITE_CERT)
15 | 
16 | etcd: | $(ETCD_CERT)
17 | 
18 | $(CA_CERT): 
19 | 	echo "creating rootCA-key.pem and rootCA.pem ..."
20 | 	openssl req -x509 -new -nodes -days 9999 -config rootCA.cnf -out rootCA.pem
21 | 	chmod 600 *.pem
22 | 
23 | $(ETCD_CERT): | $(CA_CERT)
24 | 	echo "creating the etcd-key.pem and etcd.csr...."
25 | 	openssl req -new -out etcd.csr -config etcd.cnf
26 | 	echo "creating the etcd-client-key.pem and etcd-client.csr...."
27 | 	openssl req -new -out etcd-client.csr -config etcd-client.cnf
28 | 	echo "signing etcd.csr..."
29 | 	openssl x509 -req -days 9999 -in etcd.csr -CA rootCA.pem -CAkey rootCA-key.pem \
30 | 			-CAcreateserial -extensions v3_req -out etcd.pem -extfile etcd.cnf
31 | 	echo "signing etcd-client.csr..."
32 | 	openssl x509 -req -days 9999 -in etcd-client.csr -CA rootCA.pem -CAkey rootCA-key.pem \
33 | 			-CAcreateserial -extensions v3_req -out etcd-client.pem -extfile etcd-client.cnf
34 | 	echo "etcd.pem is generated:"
35 | 	openssl x509 -text -noout -in etcd.pem
36 | 	echo "etcd-client.pem is generated:"
37 | 	openssl x509 -text -noout -in etcd-client.pem
38 | 	chmod 600 *.pem
39 | 
40 | $(SITE_CERT): | $(CA_CERT)
41 | 	echo "creating the site-key.pem and site.csr...."
42 | 	openssl req -new -out site.csr -config site.cnf
43 | 	echo "signing site.csr..."
44 | 	openssl x509 -req -days 9999 -in site.csr \
45 | 		-CA rootCA.pem -CAkey rootCA-key.pem -CAcreateserial \
46 | 		-extensions v3_req -out site.pem -extfile site.cnf
47 | 	echo "site.pem is generated:"
48 | 	openssl x509 -text -noout -in site.pem
49 | 	chmod 600 *.pem
50 | 
51 | $(DHPARAM):
52 | 	#see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
53 | 	echo "generating dhparam.pem/2048 for strengthening the server security ..."
54 | 	openssl dhparam -out dhparam.pem 2048
55 | 	chmod 600 *.pem
56 | 
57 | .PHONY: all clean ca site etcd $(CA_CERT) $(ETCD_CERT) $(SITE_CERT) $(DHPARAM)
58 | 


--------------------------------------------------------------------------------
/resources/certs/README.md:
--------------------------------------------------------------------------------
 1 | ## Setup HTTPS testing certs for register.docker.local and index.docker.local
 2 | 
 3 | ###Generate a self-signed multi-domain certs:
 4 | 
 5 |     $ make
 6 | 
 7 | ###To destroy/cleanup all certs and keys
 8 | 
 9 |     $ make clean
10 | 
11 | ###To entrust this self-signed certs on a test vbox:
12 |    
13 |     $ sudo cp rootCA.pem /etc/ssl/certs/XXX-Dockerage.pem
14 |     $ cd /etc/ssl/certs && sudo update-ca-certificates [--fresh]
15 | 
16 | ###To test ssl connection and the cert:
17 | 
18 |     $ openssl s_client -showcerts -connect dockerhub.DOMAIN:443
19 | 
20 | 
21 | 
22 | 


--------------------------------------------------------------------------------
/resources/certs/etcd-client.cnf:
--------------------------------------------------------------------------------
 1 | # OpenSSL configuration to generate a new key with signing requst for a x509v3 
 2 | # multidomain certificate
 3 | #
 4 | # openssl req -config bla.cnf -new | tee csr.pem
 5 | # or
 6 | # openssl req -config bla.cnf -new -out csr.pem
 7 | [ req ]
 8 | default_bits       = 2048
 9 | default_md         = sha512
10 | default_keyfile    = etcd-client-key.pem
11 | prompt             = no
12 | encrypt_key        = no
13 | 
14 | # base request
15 | distinguished_name = req_distinguished_name
16 | 
17 | # extensions
18 | req_extensions     = v3_req
19 | 
20 | # distinguished_name
21 | [ req_distinguished_name ]
22 | commonName             = "etcd-clinet"      # CN=
23 | 
24 | [ ssl_client ]
25 | basicConstraints        = CA:FALSE
26 | nsCertType              = client
27 | keyUsage                = keyEncipherment, dataEncipherment, digitalSignature
28 | extendedKeyUsage        = clientAuth
29 | nsComment               = "OpenSSL Certificate for ETCD SSL Client"
30 | 
31 | # req_extensions
32 | [ v3_req ]
33 | # The subject alternative name extension allows various literal values to be 
34 | # included in the configuration file
35 | # http://www.openssl.org/docs/apps/x509v3_config.html
36 | 
37 | keyUsage                = keyEncipherment, dataEncipherment, digitalSignature
38 | extendedKeyUsage        = clientAuth


--------------------------------------------------------------------------------
/resources/certs/etcd.cnf:
--------------------------------------------------------------------------------
 1 | # OpenSSL configuration to generate a new key with signing requst for a x509v3 
 2 | # multidomain certificate
 3 | #
 4 | # openssl req -config bla.cnf -new | tee csr.pem
 5 | # or
 6 | # openssl req -config bla.cnf -new -out csr.pem
 7 | [ req ]
 8 | default_bits       = 2048
 9 | default_md         = sha512
10 | default_keyfile    = etcd-key.pem
11 | prompt             = no
12 | encrypt_key        = no
13 | 
14 | # base request
15 | distinguished_name = req_distinguished_name
16 | 
17 | # extensions
18 | req_extensions     = v3_req
19 | 
20 | # distinguished_name
21 | [ req_distinguished_name ]
22 | commonName             = "etcd.DOMAIN"      # CN=
23 | emailAddress           = "admin@DOMAIN"     # CN/emailAddress=
24 | 
25 | # req_extensions
26 | [ v3_req ]
27 | # The subject alternative name extension allows various literal values to be 
28 | # included in the configuration file
29 | # http://www.openssl.org/docs/apps/x509v3_config.html
30 | 
31 | keyUsage = keyEncipherment, dataEncipherment, digitalSignature
32 | extendedKeyUsage = serverAuth
33 | subjectAltName = @alt_names
34 | 
35 | [alt_names]
36 | # ETCD servers ip
37 | IP.1 = 127.0.0.1
38 | 


--------------------------------------------------------------------------------
/resources/certs/rootCA.cnf:
--------------------------------------------------------------------------------
 1 | # OpenSSL configuration to generate a new key with signing requst for a x509v3 
 2 | # multidomain certificate
 3 | #
 4 | # openssl req -config bla.cnf -new | tee csr.pem
 5 | # or
 6 | # openssl req -config bla.cnf -new -out csr.pem
 7 | 
 8 | [ req ]
 9 | default_bits       = 2048
10 | default_md         = sha512
11 | default_keyfile    = rootCA-key.pem
12 | prompt             = no
13 | encrypt_key        = no
14 | 
15 | # base request
16 | distinguished_name = req_distinguished_name
17 | 
18 | # distinguished_name
19 | [ req_distinguished_name ]
20 | countryName            = "US"                     # C=
21 | stateOrProvinceName    = "CA"                     # ST=
22 | localityName           = "Example City"          # L=
23 | postalCode             = "94019"                  # L/postalcode=
24 | organizationName       = "Dockerage"              # O=
25 | organizationalUnitName = "IT Department"          # OU=
26 | commonName             = "ca.DOMAIN"        # CN=
27 | emailAddress           = "admin@ca.DOMAIN"    # CN/emailAddress=
28 | 
29 | 


--------------------------------------------------------------------------------
/resources/certs/site.cnf:
--------------------------------------------------------------------------------
 1 | # OpenSSL configuration to generate a new key with signing requst for a x509v3 
 2 | # multidomain certificate
 3 | #
 4 | # openssl req -config bla.cnf -new | tee csr.pem
 5 | # or
 6 | # openssl req -config bla.cnf -new -out csr.pem
 7 | [ req ]
 8 | default_bits       = 2048
 9 | default_md         = sha512
10 | default_keyfile    = site-key.pem
11 | prompt             = no
12 | encrypt_key        = no
13 | 
14 | # base request
15 | distinguished_name = req_distinguished_name
16 | 
17 | # extensions
18 | req_extensions     = v3_req
19 | 
20 | # distinguished_name
21 | [ req_distinguished_name ]
22 | countryName            = "US"                     # C=
23 | stateOrProvinceName    = "CA"                     # ST=
24 | localityName           = "Example City"          # L=
25 | postalCode             = "99999"                  # L/postalcode=
26 | organizationName       = "Dockerage"              # O=
27 | organizationalUnitName = "IT Department"          # OU=
28 | commonName             = "*.DOMAIN"      # CN=
29 | emailAddress           = "admin@example.com"  # CN/emailAddress=
30 | 
31 | # req_extensions
32 | [ v3_req ]
33 | # The subject alternative name extension allows various literal values to be 
34 | # included in the configuration file
35 | # http://www.openssl.org/docs/apps/x509v3_config.html
36 | 
37 | keyUsage = keyEncipherment, dataEncipherment, digitalSignature
38 | extendedKeyUsage = serverAuth
39 | subjectAltName = @alt_names
40 | 
41 | [alt_names]
42 | DNS.1 = DOMAIN
43 | DNS.2 = *.DOMAIN
44 | 


--------------------------------------------------------------------------------
/resources/cloud-config/admiral.yaml.tmpl:
--------------------------------------------------------------------------------
  1 | #cloud-config
  2 | 
  3 | coreos: 
  4 |   etcd2:
  5 |     proxy: on
  6 |     listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
  7 |   fleet:
  8 |     public-ip: $private_ipv4
  9 |     metadata: env=${CLUSTER_NAME},platform=ec2,provider=aws,role=admiral
 10 |   update:
 11 |     reboot-strategy: best-effort
 12 |   locksmith:
 13 |     group: worker
 14 |   units:
 15 |     - name: locksmithd.service
 16 |       command: start
 17 |       drop-ins:
 18 |       - name: 30-cloudinit.conf
 19 |         content: |
 20 |           [Service]
 21 |           Environment="LOCKSMITHD_REBOOT_WINDOW_START=05:30"
 22 |           Environment="LOCKSMITHD_REBOOT_WINDOW_LENGTH=3h"
 23 |     - name: etcd2.service
 24 |       command: start
 25 |       drop-ins:
 26 |         - name: 60-initial-cluster.conf
 27 |           content: |
 28 |             [Service]
 29 |             EnvironmentFile=/etc/sysconfig/initial-cluster
 30 |     - name: fleet.service
 31 |       command: reload-or-restart
 32 |     - name: docker-tcp.socket
 33 |       command: start
 34 |       enable: true
 35 |       content: |
 36 |           [Unit]
 37 |           Description=Docker Socket for the API
 38 |           
 39 |           [Socket]
 40 |           ListenStream=2375
 41 |           Service=docker.service
 42 |           BindIPv6Only=both
 43 |           
 44 |           [Install] 
 45 |           WantedBy=sockets.target
 46 |     - name: format-opt-data.service
 47 |       command: start
 48 |       content: |
 49 |         [Unit]
 50 |         Description=Formats opt data drive
 51 |         [Service]
 52 |         Type=oneshot
 53 |         RemainAfterExit=yes
 54 |         Environment="LABEL=opt-data"
 55 |         Environment="DEV=/dev/xvdc"
 56 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then  wipefs -a -f $DEV && mkfs.ext4 -F -L $LABEL $DEV && echo wiped; fi" 
 57 |     - name: opt-data.mount
 58 |       command: start
 59 |       content: |
 60 |         [Unit]
 61 |         Description=Mount data to /opt/data
 62 |         Requires=format-opt-data.service
 63 |         After=format-opt-data.service
 64 |         [Mount]
 65 |         What=/dev/xvdc
 66 |         Where=/opt/data
 67 |         Type=ext4
 68 | 
 69 | # coreos.units.* components
 70 |     - name: format-disk.service
 71 |       command: start
 72 |       content: |
 73 |         [Unit]
 74 |         Description=Formats the disk drive
 75 |         [Service]
 76 |         Type=oneshot
 77 |         RemainAfterExit=yes
 78 |         Environment="LABEL=var-lib-docker"
 79 |         Environment="DEV=/dev/xvdb"
 80 |         # Do not wipe the disk if it's already being used, so the docker images persistent cross reboot.
 81 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then wipefs -a -f $DEV && mkfs.ext4 -T news -F -L $LABEL $DEV && echo wiped; fi"
 82 |     - name: var-lib-docker.mount
 83 |       command: start
 84 |       content: |
 85 |         [Unit]
 86 |         Description=Mount disk to /var/lib/docker
 87 |         Requires=format-disk.service
 88 |         After=format-disk.service
 89 |         Before=docker.service
 90 |         [Mount]
 91 |         What=/dev/xvdb
 92 |         Where=/var/lib/docker
 93 |         Type=ext4
 94 |     - name: docker.service
 95 |       command: start
 96 |       drop-ins:
 97 |         - name: 60-docker-wait-for-var-lib.conf
 98 |           content: |
 99 |               [Unit]
100 |               Requires=var-lib-docker.mount
101 |               After=var-lib-docker.mount
102 |               [Service]
103 |               Restart=always
104 |               RestartSec=5
105 |     - name: git-sync.service
106 |       command: start
107 |       content: |
108 |         [Unit]
109 |         Description=git-sync
110 |         ConditionPathExists=/opt/bin/git-sync.sh
111 |         
112 |         [Service]
113 |         EnvironmentFile=/etc/environment
114 |         TimeoutStartSec=10min
115 |         ExecStart=/opt/bin/git-sync.sh
116 |     - name: git-sync.timer
117 |       command: start
118 |       content: |      
119 |         [Unit]
120 |         Description=git-sync timer
121 |         
122 |         [Timer]
123 |         OnCalendar=*:*:00
124 |         #OnUnitActiveSec=30
125 |     - name: post-provisioning.service
126 |       command: start
127 |       content: |       
128 |         [Unit]
129 |         Description=A hook to excute bootstrap script at boot
130 |         Wants=git-sync.service
131 |         After=git-sync.service
132 |         ConditionPathExists=/opt/bin/post-provision.sh
133 |         
134 |         [Service]
135 |         Type=oneshot
136 |         RemainAfterExit=true
137 |         EnvironmentFile=/etc/environment
138 |         ExecStart=/opt/bin/post-provision.sh
139 | write_files:            
140 |   - path: /opt/bin/git-sync.sh
141 |     permissions: 0700
142 |     owner: root
143 |     content: |
144 |         #!/bin/bash
145 |         # This script sync /var/lib/apps with github repo
146 |         export GIT_SSH_COMMAND=${GIT_SSH_COMMAND}
147 |         if [[ -d /var/lib/apps/.git ]]; 
148 |         then 
149 |             cd /var/lib/apps; git pull
150 |         else
151 |             mkdir -p /var/lib
152 |             git clone ${APP_REPOSITORY} /var/lib/apps
153 |         fi
154 |   - path: /opt/bin/s3sync.sh
155 |     permissions: 0700
156 |     owner: root
157 |     content: |
158 |         #!/bin/bash
159 |         # This script run a awscli docker to sync /var/lib/apps with s3 bucket
160 |         # this allows us to dynamicarlly config hosted applications
161 |         AWS_CONFIG_ENV=/root/.aws/envvars
162 |         source $AWS_CONFIG_ENV
163 |         IMAGE=suet/awscli:latest
164 |         APPBUCKET=s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-config/apps
165 |         DST=/var/lib/apps
166 |         CMD="aws s3 sync --exact-timestamps --delete $APPBUCKET $DST && chmod 755 $DST/bin/*"
167 |         
168 |         # pull the IMAGE if not loaded
169 |         docker history $IMAGE > /dev/null 2>&1 || docker pull $IMAGE
170 |         # sync s3 apps to
171 |         docker run --rm --name s3sync -v $DST:$DST --env-file=$AWS_CONFIG_ENV $IMAGE /bin/bash -c "$CMD"
172 |   - path: /opt/bin/post-provision.sh
173 |     permissions: 0700
174 |     owner: root
175 |     content: |
176 |         #!/usr/bin/bash
177 |         # This script gets excecuted on each reboot. 
178 |         # It can be an additional config you want to set after CoreOS's cloud-config.
179 |         post_provision='/var/lib/apps/post_provision'
180 |         # wait until the post_provision is downloaded from git/s3
181 |         until [ -d $post_provision ]; do sleep 3; done;
182 |         if [ -d $post_provision ]
183 |         then
184 |             for i in $post_provision/*.sh
185 |             do
186 |               /bin/bash -x $i
187 |             done
188 |         fi
189 |         exit 0
190 | 
191 |   - path: /etc/systemd/system/docker.service.d/50-insecure-registry.conf
192 |     content: |
193 |         [Service]
194 |         Environment=DOCKER_OPTS='--insecure-registry=10.0.0.0/8,dockerhub.coreos-cluster.local'
195 | 
196 |   - path: /etc/aws/account.envvars
197 |     permissions: 0644
198 |     owner: root
199 |     content: |
200 |         AWS_ACCOUNT=${AWS_ACCOUNT}
201 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
202 |         CLUSTER_NAME=${CLUSTER_NAME}
203 |   - path: /root/.aws/envvars
204 |     permissions: 0600
205 |     owner: root
206 |     content: |
207 |         AWS_ACCOUNT=${AWS_ACCOUNT}
208 |         AWS_USER=${AWS_USER}
209 |         AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
210 |         AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
211 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
212 |   - path: /root/.aws/config
213 |     permissions: 0600
214 |     owner: root
215 |     content: |
216 |         [default]
217 |         aws_access_key_id=${AWS_ACCESS_KEY_ID}
218 |         aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
219 |         region=${AWS_DEFAULT_REGION}
220 | 
221 | 
222 | 


--------------------------------------------------------------------------------
/resources/cloud-config/common-files.yaml.tmpl:
--------------------------------------------------------------------------------
 1 | 
 2 |   - path: /opt/bin/git-sync.sh
 3 |     permissions: 0700
 4 |     owner: root
 5 |     content: |
 6 |         #!/bin/bash
 7 |         # This script sync /var/lib/apps with github repo
 8 |         export GIT_SSH_COMMAND=${GIT_SSH_COMMAND}
 9 |         if [[ -d /var/lib/apps/.git ]]; 
10 |         then 
11 |             cd /var/lib/apps; git pull
12 |         else
13 |             mkdir -p /var/lib
14 |             #git clone https://github.com/dockerage/coreos-cluster-apps /var/lib/apps
15 |             git clone ${APP_REPOSITORY} /var/lib/apps
16 |         fi
17 |   - path: /opt/bin/s3sync.sh
18 |     permissions: 0700
19 |     owner: root
20 |     content: |
21 |         #!/bin/bash
22 |         # This script run a awscli docker to sync /var/lib/apps with s3 bucket
23 |         # this allows us to dynamically config hosted applications
24 |         AWS_CONFIG_ENV=/root/.aws/envvars
25 |         source $AWS_CONFIG_ENV
26 |         IMAGE=suet/awscli:latest
27 |         APPBUCKET=s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-config/apps
28 |         DST=/var/lib/apps
29 |         CMD="aws s3 sync --exact-timestamps --delete $APPBUCKET $DST && chmod 755 $DST/bin/*"
30 |         
31 |         # pull the IMAGE if not loaded
32 |         docker history $IMAGE > /dev/null 2>&1 || docker pull $IMAGE
33 |         # sync s3 apps to
34 |         docker run --rm --name s3sync -v $DST:$DST --env-file=$AWS_CONFIG_ENV $IMAGE /bin/bash -c "$CMD"
35 |   - path: /opt/bin/post-provision.sh
36 |     permissions: 0700
37 |     owner: root
38 |     content: |
39 |         #!/usr/bin/bash
40 |         # This script gets excecuted on each reboot. 
41 |         # It can be an additional config you want to set after CoreOS's cloud-config.
42 |         post_provision='/var/lib/apps/post_provision'
43 |         # wait until the post_provision is downloaded from git/s3
44 |         until [ -d $post_provision ]; do sleep 3; done;
45 |         if [ -d $post_provision ]
46 |         then
47 |             for i in $post_provision/*.sh
48 |             do
49 |               /bin/bash -x $i
50 |             done
51 |         fi
52 |         exit 0
53 |   - path: /etc/aws/account.envvars
54 |     permissions: 0644
55 |     owner: root
56 |     content: |
57 |         AWS_ACCOUNT=${AWS_ACCOUNT}
58 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
59 |         CLUSTER_NAME=${CLUSTER_NAME}
60 |   - path: /root/.aws/envvars
61 |     permissions: 0600
62 |     owner: root
63 |     content: |
64 |         AWS_ACCOUNT=${AWS_ACCOUNT}
65 |         AWS_USER=${AWS_USER}
66 |         AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
67 |         AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
68 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
69 |   - path: /root/.aws/config
70 |     permissions: 0600
71 |     owner: root
72 |     content: |
73 |         [default]
74 |         aws_access_key_id=${AWS_ACCESS_KEY_ID}
75 |         aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
76 |         region=${AWS_DEFAULT_REGION}
77 | 
78 | 
79 | 


--------------------------------------------------------------------------------
/resources/cloud-config/dockerhub.yaml:
--------------------------------------------------------------------------------
 1 | #cloud-config
 2 | 
 3 | # Dockerhub cloud-config
 4 | coreos:
 5 |   etcd2:
 6 |     proxy: on
 7 |     listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
 8 |   fleet:
 9 |     public-ip: $private_ipv4
10 |     metadata: "env=CLUSTER-NAME,platform=ec2,provider=aws,role=dockerhub"
11 |   update:
12 |     reboot-strategy: off
13 |   units:
14 |     - name: etcd2.service
15 |       command: start
16 |       drop-ins:
17 |         - name: 60-initial-cluster.conf
18 |           content: |
19 |             [Service]
20 |             EnvironmentFile=/etc/sysconfig/initial-cluster
21 |     - name: fleet.service
22 |       command: start
23 |     - name: update-window.service
24 |       command: start
25 |       content: |
26 |         [Unit]
27 |         Description=Reboot if an update has been downloaded
28 |         ConditionPathExists=/opt/bin/update-window.sh
29 |         [Service]
30 |         ExecStart=/opt/bin/update-window.sh
31 |     - name: update-window.timer
32 |       command: start
33 |       content: |
34 |         [Unit]
35 |         Description=Reboot timer
36 |         [Timer]
37 |         OnCalendar=*-*-* 05,06:00/30:00
38 | 


--------------------------------------------------------------------------------
/resources/cloud-config/etcd.yaml.tmpl:
--------------------------------------------------------------------------------
  1 | #cloud-config
  2 | coreos:
  3 |   etcd2:
  4 |     advertise-client-urls: http://$private_ipv4:2379
  5 |     initial-advertise-peer-urls: http://$private_ipv4:2380
  6 |     listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
  7 |     listen-peer-urls: http://$private_ipv4:2380
  8 |   fleet:
  9 |     metadata: env=${CLUSTER_NAME},platform=ec2,provider=aws,role=etcd2
 10 |     public-ip: $private_ipv4
 11 |   update:
 12 |     reboot-strategy: best-effort
 13 |   locksmith:
 14 |     group: etcd
 15 |   units:
 16 |     - name: locksmithd.service
 17 |       command: start
 18 |       drop-ins:
 19 |       - name: 30-cloudinit.conf
 20 |         content: |
 21 |           [Service]
 22 |           Environment="LOCKSMITHD_REBOOT_WINDOW_START=05:30"
 23 |           Environment="LOCKSMITHD_REBOOT_WINDOW_LENGTH=3h"
 24 |     - name: etcd2.service
 25 |       command: start
 26 |       drop-ins:
 27 |         - name: 60-etcd-peers.conf
 28 |           content: |
 29 |               [Service]
 30 |               EnvironmentFile=/etc/sysconfig/etcd-peers
 31 |     - name: fleet.service
 32 |       command: start
 33 |     - name: etcd-init.service
 34 |       command: start
 35 |       content: |
 36 |         [Unit]
 37 |         Description=etcd init
 38 |         Requires=docker.service
 39 |         After=docker.service
 40 |         
 41 |         [Service]
 42 |         Type=oneshot
 43 |         RemainAfterExit=true
 44 |         EnvironmentFile=/etc/environment
 45 |         TimeoutStartSec=10min
 46 |         ExecStart=/opt/bin/etcd-init.sh
 47 |         [Install]
 48 |         WantedBy=multi-user.target      
 49 | 
 50 | # coreos.units.* components
 51 |     - name: format-disk.service
 52 |       command: start
 53 |       content: |
 54 |         [Unit]
 55 |         Description=Formats the disk drive
 56 |         [Service]
 57 |         Type=oneshot
 58 |         RemainAfterExit=yes
 59 |         Environment="LABEL=var-lib-docker"
 60 |         Environment="DEV=/dev/xvdb"
 61 |         # Do not wipe the disk if it's already being used, so the docker images persistent cross reboot.
 62 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then wipefs -a -f $DEV && mkfs.ext4 -T news -F -L $LABEL $DEV && echo wiped; fi"
 63 |     - name: var-lib-docker.mount
 64 |       command: start
 65 |       content: |
 66 |         [Unit]
 67 |         Description=Mount disk to /var/lib/docker
 68 |         Requires=format-disk.service
 69 |         After=format-disk.service
 70 |         Before=docker.service
 71 |         [Mount]
 72 |         What=/dev/xvdb
 73 |         Where=/var/lib/docker
 74 |         Type=ext4
 75 |     - name: docker.service
 76 |       command: start
 77 |       drop-ins:
 78 |         - name: 60-docker-wait-for-var-lib.conf
 79 |           content: |
 80 |               [Unit]
 81 |               Requires=var-lib-docker.mount
 82 |               After=var-lib-docker.mount
 83 |               [Service]
 84 |               Restart=always
 85 |               RestartSec=5
 86 |     - name: git-sync.service
 87 |       command: start
 88 |       content: |
 89 |         [Unit]
 90 |         Description=git-sync
 91 |         ConditionPathExists=/opt/bin/git-sync.sh
 92 |         
 93 |         [Service]
 94 |         EnvironmentFile=/etc/environment
 95 |         TimeoutStartSec=10min
 96 |         ExecStart=/opt/bin/git-sync.sh
 97 |     - name: git-sync.timer
 98 |       command: start
 99 |       content: |      
100 |         [Unit]
101 |         Description=git-sync timer
102 |         
103 |         [Timer]
104 |         OnCalendar=*:*:00
105 |         #OnUnitActiveSec=30
106 |     - name: post-provisioning.service
107 |       command: start
108 |       content: |       
109 |         [Unit]
110 |         Description=A hook to excute bootstrap script at boot
111 |         Wants=git-sync.service
112 |         After=git-sync.service
113 |         ConditionPathExists=/opt/bin/post-provision.sh
114 |         
115 |         [Service]
116 |         Type=oneshot
117 |         RemainAfterExit=true
118 |         EnvironmentFile=/etc/environment
119 |         ExecStart=/opt/bin/post-provision.sh
120 | write_files:            
121 |   - path: /opt/bin/git-sync.sh
122 |     permissions: 0700
123 |     owner: root
124 |     content: |
125 |         #!/bin/bash
126 |         # This script sync /var/lib/apps with github repo
127 |         export GIT_SSH_COMMAND=${GIT_SSH_COMMAND}
128 |         if [[ -d /var/lib/apps/.git ]]; 
129 |         then 
130 |             cd /var/lib/apps; git pull
131 |         else
132 |             mkdir -p /var/lib
133 |             #git clone https://github.com/dockerage/coreos-cluster-apps /var/lib/apps
134 |             git clone ${APP_REPOSITORY} /var/lib/apps
135 |         fi
136 |   - path: /opt/bin/s3sync.sh
137 |     permissions: 0700
138 |     owner: root
139 |     content: |
140 |         #!/bin/bash
141 |         # This script run a awscli docker to sync /var/lib/apps with s3 bucket
142 |         # this allows us to dynamically config hosted applications
143 |         AWS_CONFIG_ENV=/root/.aws/envvars
144 |         source $AWS_CONFIG_ENV
145 |         IMAGE=suet/awscli:latest
146 |         APPBUCKET=s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-config/apps
147 |         DST=/var/lib/apps
148 |         CMD="aws s3 sync --exact-timestamps --delete $APPBUCKET $DST && chmod 755 $DST/bin/*"
149 |         
150 |         # pull the IMAGE if not loaded
151 |         docker history $IMAGE > /dev/null 2>&1 || docker pull $IMAGE
152 |         # sync s3 apps to
153 |         docker run --rm --name s3sync -v $DST:$DST --env-file=$AWS_CONFIG_ENV $IMAGE /bin/bash -c "$CMD"
154 |   - path: /opt/bin/post-provision.sh
155 |     permissions: 0700
156 |     owner: root
157 |     content: |
158 |         #!/usr/bin/bash
159 |         # This script gets excecuted on each reboot. 
160 |         # It can be an additional config you want to set after CoreOS's cloud-config.
161 |         post_provision='/var/lib/apps/post_provision'
162 |         # wait until the post_provision is downloaded from git/s3
163 |         until [ -d $post_provision ]; do sleep 3; done;
164 |         if [ -d $post_provision ]
165 |         then
166 |             for i in $post_provision/*.sh
167 |             do
168 |               /bin/bash -x $i
169 |             done
170 |         fi
171 |         exit 0
172 |   - path: /etc/systemd/system/docker.service.d/50-insecure-registry.conf
173 |     content: |
174 |         [Service]
175 |         Environment=DOCKER_OPTS='--insecure-registry=10.0.0.0/8,dockerhub.coreos-cluster.local'
176 | 
177 |   - path: /opt/bin/etcd-init.sh
178 |     permissions: 0700
179 |     owner: root
180 |     content: |
181 |       #!/bin/bash
182 |       
183 |       # dyamically create/join the etcd cluster by querying autoscaling group
184 |       # see https://github.com/dockerage/etcd-aws-cluster
185 |       image=dockerage/etcd-aws-cluster
186 |       /usr/bin/docker run -v /etc/sysconfig/:/etc/sysconfig/ $image
187 |       
188 |       # upload etcd initial-cluster urls to s3 bucket for worker cluster's etcd_proxy
189 |       /usr/bin/docker run -v /etc/sysconfig/:/etc/sysconfig/ --env S3BUCKET="s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit" --entrypoint /etcd-aws-proxy $image
190 | 
191 |   - path: /etc/aws/account.envvars
192 |     permissions: 0644
193 |     owner: root
194 |     content: |
195 |         AWS_ACCOUNT=${AWS_ACCOUNT}
196 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
197 |         CLUSTER_NAME=${CLUSTER_NAME}
198 |   - path: /root/.aws/envvars
199 |     permissions: 0600
200 |     owner: root
201 |     content: |
202 |         AWS_ACCOUNT=${AWS_ACCOUNT}
203 |         AWS_USER=${AWS_USER}
204 |         AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
205 |         AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
206 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
207 |   - path: /root/.aws/config
208 |     permissions: 0600
209 |     owner: root
210 |     content: |
211 |         [default]
212 |         aws_access_key_id=${AWS_ACCESS_KEY_ID}
213 |         aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
214 |         region=${AWS_DEFAULT_REGION}
215 | 
216 | 


--------------------------------------------------------------------------------
/resources/cloud-config/files-vault.yaml:
--------------------------------------------------------------------------------
  1 | 
  2 |   - path: /var/lib/apps/vault/vault.hcl
  3 |     permissions: 0644
  4 |     owner: root
  5 |     content: |
  6 |       backend "etcd" {
  7 |         address = "http://127.0.0.1:2379"
  8 |         redirect_addr = "https://$public_ipv4:8200"
  9 |         path = "vault"
 10 |         sync = "yes"
 11 |       }
 12 |       listener "tcp" {
 13 |         address = "0.0.0.0:8200"
 14 |         tls_disable = 0
 15 |         tls_cert_file = "/var/lib/apps/vault/certs/vault.crt"
 16 |         tls_key_file = "/var/lib/apps/vault/certs/vault.key"
 17 |       }
 18 |       # if mlock is not supported
 19 |       # disable_mlock = true
 20 |       /* Need to install statesite for this to work 
 21 |       telemetry {
 22 |         statsite_address = "0.0.0.0:8125"
 23 |         disable_hostname = true
 24 |       }
 25 |       */
 26 |   - path: /var/lib/apps/vault/certs/vault.cnf
 27 |     permissions: 0644
 28 |     owner: root
 29 |     content: |
 30 |       [ req ]
 31 |       default_bits       = 2048
 32 |       default_md         = sha512
 33 |       default_keyfile    = vault.key
 34 |       distinguished_name = req_distinguished_name
 35 |       x509_extensions    = v3_req
 36 |       prompt             = no
 37 |       encrypt_key        = no
 38 | 
 39 |       [req_distinguished_name]
 40 |       C = US
 41 |       ST = CA
 42 |       L =  city
 43 |       O = company
 44 |       CN = *
 45 | 
 46 |       [v3_req]
 47 |       subjectKeyIdentifier = hash
 48 |       authorityKeyIdentifier = keyid,issuer
 49 |       basicConstraints = CA:TRUE
 50 |       subjectAltName = @alt_names
 51 | 
 52 |       [alt_names]
 53 |       DNS.1 = *
 54 |       DNS.2 = *.*
 55 |       DNS.3 = *.*.*
 56 |       DNS.4 = *.*.*.*
 57 |       DNS.5 = *.*.*.*.*
 58 |       DNS.6 = *.*.*.*.*.*
 59 |       DNS.7 = *.*.*.*.*.*.*
 60 |       IP.1 = $private_ipv4
 61 |       IP.2 = $public_ipv4
 62 |       IP.3 = 127.0.0.1
 63 |       IP.4 = ${vault_service_address}
 64 |   - path: /var/lib/apps/vault/certs/gen.sh
 65 |     permissions: 0700
 66 |     owner: root
 67 |     content: |      
 68 |       #!/bin/sh
 69 |       echo "creating the vault.key and vault.csr...."
 70 |       openssl req -new -out vault.csr -config vault.cnf
 71 |       echo "signing vault.csr..."
 72 |       openssl x509 -req -days 9999 -in vault.csr -CA ca.pem -CAkey ca.key \
 73 |               -CAcreateserial -extensions v3_req -out vault.crt -extfile vault.cnf
 74 |   - path: /var/lib/apps/vault/certs/ca.pem
 75 |     permissions: 0644
 76 |     owner: root
 77 |     content: |
 78 |       -----BEGIN CERTIFICATE-----
 79 |       MIID2jCCAsICCQDFuc3c4hwfyjANBgkqhkiG9w0BAQ0FADCBrjELMAkGA1UEBhMC
 80 |       VVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1IYWxmIE1vb24gQmF5MQ4wDAYDVQQR
 81 |       DAU5NDAxOTESMBAGA1UECgwJRG9ja2VyYWdlMRYwFAYDVQQLDA1JVCBEZXBhcnRt
 82 |       ZW50MRgwFgYDVQQDDA9jYS5kb2NrZXIubG9jYWwxJDAiBgkqhkiG9w0BCQEWFWFk
 83 |       bWluQGNhLmRvY2tlci5sb2NhbDAeFw0xNjAzMDEwNjQzNTVaFw00MzA3MTcwNjQz
 84 |       NTVaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDUhhbGYg
 85 |       TW9vbiBCYXkxDjAMBgNVBBEMBTk0MDE5MRIwEAYDVQQKDAlEb2NrZXJhZ2UxFjAU
 86 |       BgNVBAsMDUlUIERlcGFydG1lbnQxGDAWBgNVBAMMD2NhLmRvY2tlci5sb2NhbDEk
 87 |       MCIGCSqGSIb3DQEJARYVYWRtaW5AY2EuZG9ja2VyLmxvY2FsMIIBIjANBgkqhkiG
 88 |       9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnBnvGi9GoysVZHhbHh1aEQbO8g7EqkiElDQz
 89 |       RmLT7UZh3FaoSgdWKYdu1C8779trwzjPltjthxmrGuFIjPXZ3gBe3k6s/etf9na+
 90 |       QFa0lXmKmUX3LJAnwupmfC+fDFnVVN3beol8lW35eV/KGh8SXrbHrHpadcNdQURy
 91 |       /MnavNQXSFxcW8vyUUlkoaI8qIeKu/70wv98Nfb0I8HMDmuaJjqBaOXevD4CBUFr
 92 |       vrEQKWCF2DHomjDsCaQjxyoXAd85Ow8ZLxi6j4JmL2bFhR2bCfO0O8cpCHoU/W5g
 93 |       dZhgjbld/TdcMagOd409krolG69ReR4uibju1/xlsMtvdCnaFQIDAQABMA0GCSqG
 94 |       SIb3DQEBDQUAA4IBAQA6nkGIotTMZVZNiL3I9ZqGpSvN9AzENRt2ZvvJ9T2CGNX6
 95 |       e8H8H8lD/AAfGdiitYxSgTL47dYhQ3MgECSRqX7jEeW3wHxhTTxVuFUu2PNXUCio
 96 |       vbIm9kKqxspKSTN//BKDCAwHFUqYGiS8cw15HobpCnav9zmT7edRvdOEptM4VRJd
 97 |       2hIBkPEAW4OAF2D59Y6sZxHuUorkLhTRqOutl6h7sPbdUQeIfOqHMaX6T2xl6VtJ
 98 |       3I+Yza5TkVCPck88Q2PCECaXRSDN8UR5xTtXVBL1ikwdMsyEv7aD2ZzsET+djyZc
 99 |       jsZnSW1rVS7qOLwmOmOH2LMxknD0AOobvGkugZTA
100 |       -----END CERTIFICATE-----
101 |   - path: /var/lib/apps/vault/certs/ca.key
102 |     permissions: 0600
103 |     owner: root
104 |     content: |
105 |       -----BEGIN RSA PRIVATE KEY-----
106 |       MIIEpQIBAAKCAQEAnBnvGi9GoysVZHhbHh1aEQbO8g7EqkiElDQzRmLT7UZh3Fao
107 |       SgdWKYdu1C8779trwzjPltjthxmrGuFIjPXZ3gBe3k6s/etf9na+QFa0lXmKmUX3
108 |       LJAnwupmfC+fDFnVVN3beol8lW35eV/KGh8SXrbHrHpadcNdQURy/MnavNQXSFxc
109 |       W8vyUUlkoaI8qIeKu/70wv98Nfb0I8HMDmuaJjqBaOXevD4CBUFrvrEQKWCF2DHo
110 |       mjDsCaQjxyoXAd85Ow8ZLxi6j4JmL2bFhR2bCfO0O8cpCHoU/W5gdZhgjbld/Tdc
111 |       MagOd409krolG69ReR4uibju1/xlsMtvdCnaFQIDAQABAoIBAG+GP8MvX4IXt9Lu
112 |       AftD8SMVACkD0BHweXgAy1lQJiTxEd1/tAAfubk130KM9H9q/lSddAJLvXe2KP6t
113 |       UU4UH7FyBlVBVGqdDRRixY3l5GKeUR0sVWlrHF0vZkT3KOSEEdvuHW4wZ+fCiGfk
114 |       vdlntZIheAqL57EXALsukhB0jmg06TjsPS8zbbnOJPbU3ZjDUjxMgfMB8xvj8LxX
115 |       kB9MB04ABkss47a7Ep5iHhhSQFu14udFiYOMvrrYbqp7l1zvzLYnsidrEGZIVcLr
116 |       xW52UfDtR4AROofSWBNpPCxv4u5OvH1NYTE1OPo21lqXhRSYiEAtO4NiZEPdH8gp
117 |       Az/XrsECgYEAyuDsdo0NwUuv3ByWEh+u3hOXAGa7LngwsdrlK7bUgqOfMukc6O+a
118 |       ZRYPvTMm+h6K3gbcE6M2XdWNuPF+uwkJuDI35ZXQBCBOlovx1cOMV4g/VzrXbA34
119 |       Tj61QytaZw/zQG+HwswfV12JH8L+HNpJ9EWtwJoWDzHWpg1Fp9+ErrkCgYEAxPl/
120 |       zrzcXfrfiP7akACzQp931LH54+FRiPTH3n3+QrQRyT0CXTxkDR6rgaHr6DxWDSKo
121 |       HRuvq73A1N3bucqrvr28krSgOge1kOAge76/X+BRlbdfXuNGsed4hgFyf71XTnGb
122 |       AX6xeuKvkxqNe84nXmZgm69T7LQ8MHAA2H4R+D0CgYEAtXzeq/LlAiz2Bf8glNf4
123 |       87sskvRTsG9eiExcRG3Kz48VxFJbRVnKkXFZ5RQUYx3ddl9Gkt6nrOt0W6TVjPW5
124 |       1yg9bslFC9vm0bAhR+wl6Mv+dccynPwmS8C3IH5w4c+X+OWM2ksGIn6PQ3WJI0B3
125 |       dei7VZfB8hfQgD1ROaqvpCkCgYEAo8HdrK2883D/aHCgmnnKjofvYuf4HakUVS1U
126 |       ATh0K1ZzNv++uG7dqz6lTWelrfSDgfYfF9wNp1VhPFeaNhM1x6UMYldCohwIqgJ7
127 |       XwWNKxNeIH9MDaIcAwmyXI5Vd7edHv055ftDaCuP1leL6rLQbh3lEWmo9zA8nfRv
128 |       74yYOe0CgYEAo8f33HogLL5/xtKkovlmTN/M+8NPMtu550gr9OKxxgYbvmQ895qy
129 |       hpSQnWoQ3z+Ry5sSXln4Ot5A5PfrlSCL35X7js/BOhjR3t45b9vT9KhAxmPRQiHO
130 |       dpiWS6BVt6AA13lV4LXIMRZ+ITJ+BC2yvPprmSTrLrt0FPyC35PJBYU=
131 |       -----END RSA PRIVATE KEY-----
132 |   - path: /etc/profile.d/path.sh
133 |     content: |
134 |         export VAULT_CACERT=/var/lib/apps/vault/certs/ca.pem
135 |         #export VAULT_ADDR=<vault-service-endpoint-ip>
136 |         #export VAULT_CLIENT_CERT=/var/lib/apps/vault/certs/client.crt
137 |         #export VAULT_CLIENT_KEY=/var/lib/apps/vault/certs/client.key
138 | 
139 | 


--------------------------------------------------------------------------------
/resources/cloud-config/files.yaml:
--------------------------------------------------------------------------------
  1 | write_files:            
  2 |   - path: /opt/bin/git-sync.sh
  3 |     permissions: 0700
  4 |     owner: root
  5 |     content: |
  6 |         #!/bin/bash
  7 |         # This script sync /var/lib/apps with github repo
  8 |         if [[ -d /var/lib/apps ]]; 
  9 |         then 
 10 |             cd /var/lib/apps; git pull
 11 |         else
 12 |             make -p /var/lib
 13 |             git clone https://github.com/dockerage/coreos-cluster-apps /var/lib/apps
 14 |         fi
 15 |   - path: /opt/bin/s3sync.sh
 16 |     permissions: 0700
 17 |     owner: root
 18 |     content: |
 19 |         #!/bin/bash
 20 |         # This script run a awscli docker to sync /var/lib/apps with s3 bucket
 21 |         # this allows us to dynamically config hosted applications
 22 |         AWS_CONFIG_ENV=/root/.aws/envvars
 23 |         source $AWS_CONFIG_ENV
 24 |         IMAGE=suet/awscli:latest
 25 |         APPBUCKET=s3://$${AWS_ACCOUNT}-coreos-cluster-config/apps
 26 |         DST=/var/lib/apps
 27 |         CMD="aws s3 sync --exact-timestamps --delete $APPBUCKET $DST && chmod 755 $${DST}/bin/*"
 28 |         
 29 |         # pull the IMAGE if not loaded
 30 |         docker history $IMAGE > /dev/null 2>&1 || docker pull $IMAGE
 31 |         # sync s3 apps to
 32 |         docker run --rm --name s3sync -v $${DST}:$${DST} --env-file=$AWS_CONFIG_ENV $IMAGE /bin/bash -c "$CMD"
 33 |   - path: /opt/bin/post-provision.sh
 34 |     permissions: 0700
 35 |     owner: root
 36 |     content: |
 37 |         #!/usr/bin/bash
 38 |         # This script gets excecuted on each reboot. 
 39 |         # It can be an additional config you want to set after CoreOS's cloud-config.
 40 |         post_provision='/var/lib/apps/post_provision'
 41 |         # wait until the post_provision is downloaded from git/s3
 42 |         until [ -d $post_provision ]; do sleep 3; done;
 43 |         if [ -d $post_provision ]
 44 |         then
 45 |             for i in $post_provision/*.sh
 46 |             do
 47 |               /bin/bash -x $i
 48 |             done
 49 |         fi
 50 |         exit 0
 51 |   - path: /opt/bin/update-window.sh
 52 |     permissions: 0700
 53 |     owner: root
 54 |     content: |
 55 |         #!/bin/bash
 56 |         # If etcd is active, this uses locksmith. Otherwise, it randomly delays the reboot.
 57 |         delay=$(/usr/bin/expr $RANDOM % 3600 )
 58 |         rebootflag='NEED_REBOOT'
 59 |         hostip=$(hostname -i | tr -d ' ')
 60 |         ismember=$(etcdctl member list |grep -Eo "(http://$hostip:2380)")
 61 |         
 62 |         if update_engine_client -status | grep $rebootflag;
 63 |         then
 64 |             echo -n "etcd2 is "
 65 |             if systemctl is-active etcd2 && [[ $ismember != "" ]];
 66 |             then
 67 |                 echo "Update reboot with locksmithctl."
 68 |                 locksmithctl reboot
 69 |             else
 70 |                 echo "Update reboot in $delay seconds."
 71 |                 sleep $delay
 72 |                 reboot
 73 |             fi
 74 |         fi
 75 |         exit 0
 76 |   - path: /etc/systemd/system/docker.service.d/50-insecure-registry.conf
 77 |     content: |
 78 |         [Service]
 79 |         Environment=DOCKER_OPTS='--insecure-registry=10.0.0.0/8,dockerhub.coreos-cluster.local'
 80 | 
 81 |   - path: /opt/bin/etcd-init.sh
 82 |     permissions: 0700
 83 |     owner: root
 84 |     content: |
 85 |       #!/bin/bash
 86 |       
 87 |       # dyamically create/join the etcd cluster by querying autoscaling group
 88 |       # see https://github.com/dockerage/etcd-aws-cluster
 89 |       image=dockerage/etcd-aws-cluster
 90 |       /usr/bin/docker run -v /etc/sysconfig/:/etc/sysconfig/ $image /etcd-aws-cluster
 91 |       
 92 |       # upload etcd initial-cluster urls to s3 bucket for worker cluster's etcd_proxy
 93 |       /usr/bin/docker run -v /etc/sysconfig/:/etc/sysconfig/ $image /etcd-aws-proxy
 94 | 
 95 |   - path: /etc/aws/account.envvars
 96 |     permissions: 0644
 97 |     owner: root
 98 |     content: |
 99 |         AWS_ACCOUNT=${AWS_ACCOUNT}
100 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
101 |         CLUSTER_NAME=coreos-cluster
102 |   - path: /root/.aws/envvars
103 |     permissions: 0600
104 |     owner: root
105 |     content: |
106 |         AWS_ACCOUNT=${AWS_ACCOUNT}
107 |         AWS_USER=${AWS_USER}
108 |         AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
109 |         AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
110 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
111 |   - path: /root/.aws/config
112 |     permissions: 0600
113 |     owner: root
114 |     content: |
115 |         [default]
116 |         aws_access_key_id=${AWS_ACCESS_KEY_ID}
117 |         aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
118 |         region=${AWS_DEFAULT_REGION}
119 | 
120 | 
121 | 


--------------------------------------------------------------------------------
/resources/cloud-config/s3-cloudconfig-bootstrap.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash -e
  2 | #
  3 | # Copyright 2014, 2017 Xu Wang
  4 | #
  5 | # Licensed under the Apache License, Version 2.0 (the "License");
  6 | # you may not use this file except in compliance with the License.
  7 | # You may obtain a copy of the License at
  8 | #
  9 | #     http://www.apache.org/licenses/LICENSE-2.0
 10 | #
 11 | # Unless required by applicable law or agreed to in writing, software
 12 | # distributed under the License is distributed on an "AS IS" BASIS,
 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 14 | # See the License for the specific language governing permissions and
 15 | # limitations under the License.
 16 | #
 17 | 
 18 | # This is a coreos-cluster-cloudinit bootstrap script. It is passed in as 'user-data' file during the machine build. 
 19 | # Then the script is executed to download the CoreOs "cloud-config.yaml" file  and "initial-cluster" files.
 20 | # These files  will configure the system to join the CoreOS cluster. The second stage cloud-config.yaml can 
 21 | # be changed to allow system configuration changes without having to rebuild the system. All it takes is a reboot.
 22 | # If this script changes, the machine will need to be rebuild (user-data change)
 23 | # 
 24 | # AWS doc: http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html.
 25 | # Reference: http://czak.pl/2015/09/15/s3-rest-api-with-curl.html
 26 | 
 27 | # Convention: 
 28 | # 1. A bucket should exist that contains role-based cloud-config.yaml
 29 | #  e.g. <account-id>-coreos-cluster-cloudinit/<roleProfile>/cloud-config.yaml
 30 | # 2. All machines should have instance role profile, with a policy that allows readonly access to this bucket.
 31 | 
 32 | # Initilize variables
 33 | init_vars() {
 34 | 
 35 |   # For signature v4 signning purpose
 36 |   timestamp=$(date -u "+%Y-%m-%d %H:%M:%S")
 37 |   isoTimpstamp=$(date -ud "${timestamp}" "+%Y%m%dT%H%M%SZ")
 38 |   dateScope=$(date -ud "${timestamp}" "+%Y%m%d")
 39 |   #dateHeader=$(date -ud "${timestamp}" "+%a, %d %h %Y %T %Z") 
 40 |   signedHeaders="host;x-amz-content-sha256;x-amz-date;x-amz-security-token"
 41 |   service="s3"
 42 | 
 43 |   # Get instance auth token from meta-data
 44 |   region=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document/ | jq -r '.region')
 45 |   instanceProfile=$(curl -s http://169.254.169.254/latest/meta-data/iam/info \
 46 |         | jq -r '.InstanceProfileArn' \
 47 |         | sed  's#.*instance-profile/##')
 48 |   roleProfile=${instanceProfile}
 49 |   accountId=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .'accountId')
 50 | 
 51 |   # Bucket  
 52 |   bucket=${accountId}-CLUSTER-NAME-cloudinit
 53 | 
 54 |   # KeyId, secret, and token
 55 |   accessKeyId=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$roleProfile | jq -r '.AccessKeyId')
 56 |   secretAccessKey=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$roleProfile | jq -r '.SecretAccessKey')
 57 |   stsToken=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$roleProfile | jq -r '.Token')
 58 | 
 59 |   # Path to cloud-config.yaml. e.g. worker/cloud-config.yaml
 60 |   cloudConfigYaml="${roleProfile}/cloud-config.yaml"
 61 | 
 62 |   # Path to initial-cluster urls file to join cluster
 63 |   initialCluster="etcd/initial-cluster"
 64 | 
 65 |   workDir="/root/cloudinit"
 66 |   mkdir -m 700 -p ${workDir}
 67 | 
 68 |   # Empty payload hash (we are getting content, not upload)
 69 |   payload=$(sha256_hash /dev/null)
 70 | 
 71 |   # Host header 
 72 |   hostHeader="${bucket}.s3-${region}.amazonaws.com"
 73 | 
 74 |   # Curl options
 75 |   opts="-v -L --fail --retry 5 --retry-delay 3 --silent --show-error"
 76 |   # Curl logs
 77 |   bootstrapLog=${workDir}/bootstrap.log
 78 | }
 79 | 
 80 | # Untilities
 81 | hmac_sha256() {
 82 |   key="$1"
 83 |   data="$2"
 84 |   echo -n "$data" | openssl dgst -sha256  -mac HMAC -macopt "$key" | sed 's/^.* //'
 85 | }
 86 | sha256_hash() {
 87 |   echo $(sha256sum "$1" | awk '{print $1}')
 88 | }
 89 | 
 90 | # Authorization: <Algorithm> Credential=<Access Key ID/Scope>, SignedHeaders=<SignedHeaders>, Signature=<Signature>
 91 | # Virtual Hosted-style API: http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html#VirtualHostingLimitations
 92 | # Using Example Virtual Hosted–Style Method - this will default to US East and cause a temporary redirect (307) 
 93 | #     https://${bucket}.s3.amazonaws.com/${filePath}
 94 | #    Host: ${bucket}.s3.amazonaws.com" \
 95 | # This should avoid the redirect
 96 | #  Virtual Hosted–Style Method for a Bucket in a Region Other Than US East
 97 | curl_get() {
 98 |   curl $opts -H "Host: ${hostHeader}" \
 99 |      -H "Authorization: AWS4-HMAC-SHA256 \
100 | 	Credential=${accessKeyId}/${dateScope}/${region}/s3/aws4_request, \
101 | 	SignedHeaders=${signedHeaders}, Signature=${signature}" \
102 |      -H "x-amz-content-sha256: ${payload}" \
103 |      -H "x-amz-date: ${isoTimpstamp}" \
104 |      -H "x-amz-security-token:${stsToken}" \
105 |      https://${hostHeader}/${filePath}
106 | }
107 | 
108 | # 1. Canonical request(note Query string is empty, payload is empty for download).
109 | #<HTTPMethod>\n #<CanonicalURI>\n #<CanonicalQueryString>\n #<CanonicalHeaders>\n #<SignedHeaders>\n #<HashedPayload>
110 | #echo "/${bucket}/${cloudConfigYaml}"
111 | canonical_request() {
112 |   echo "GET"
113 |   echo "/${filePath}"
114 |   echo ""
115 |   echo host:${hostHeader}
116 |   echo "x-amz-content-sha256:${payload}"
117 |   echo "x-amz-date:${isoTimpstamp}"
118 |   echo "x-amz-security-token:${stsToken}"
119 |   echo ""
120 |   echo "${signedHeaders}"
121 |   printf "${payload}"
122 | }
123 | # 2. String to sign
124 | string_to_sign() {
125 |   echo "AWS4-HMAC-SHA256"
126 |   echo "${isoTimpstamp}"
127 |   echo "${dateScope}/${region}/s3/aws4_request"
128 |   printf "$(canonical_request | sha256_hash -)"
129 | }
130 | # 3. Signing key
131 | signing_key() {
132 |   dateKey=$(hmac_sha256 key:"AWS4$secretAccessKey" $dateScope)
133 |   dateRegionKey=$(hmac_sha256 hexkey:$dateKey $region)
134 |   dateRegionServiceKey=$(hmac_sha256 hexkey:$dateRegionKey $service)
135 |   signingKey=$(hmac_sha256 hexkey:$dateRegionServiceKey "aws4_request")
136 |   printf "${signingKey}"
137 | }
138 | 
139 | # Initlize varables
140 | init_vars
141 | 
142 | cd ${workDir}
143 | 
144 | # Download coreos-cluster-cloudinit/<profile>/clould-config.yaml
145 | # 
146 | # And replace ipv4 vars in clould-config.yaml
147 | # because oem-cloudinit.service does it only on native "user-data", i.e. this script.
148 | # Canonical resource path
149 | filePath=${cloudConfigYaml}
150 | signature=$(string_to_sign | openssl dgst -sha256 -mac HMAC -macopt hexkey:$(signing_key) | awk '{print $NF}')
151 | curl_get 2>> ${bootstrapLog} | \
152 |     sed "s/\\$private_ipv4/$private_ipv4/g; s/\\$public_ipv4/$public_ipv4/g; s/role=INSTANCE_PROFILE/role=$instanceProfile/g" > ${workDir}/cloud-config.yaml
153 | 
154 | # Download initial-cluster
155 | filePath=${initialCluster}
156 | signature=$(string_to_sign | openssl dgst -sha256 -mac HMAC -macopt hexkey:$(signing_key) | awk '{print $NF}')
157 | curl_get 2>> ${bootstrapLog} > ${workDir}/initial-cluster 
158 | if [[ -f ${workDir}/initial-cluster ]] && grep -q 'ETCD_INITIAL_CLUSTER' ${workDir}/initial-cluster ;
159 | then
160 |   mkdir -p /etc/sysconfig
161 |   cp ${workDir}/initial-cluster /etc/sysconfig/initial-cluster
162 | fi
163 | 
164 | # Create /etc/environment file so the cloud-init can get IP addresses
165 | coreos_env='/etc/environment'
166 | if [ ! -f $coreos_env ];
167 | then
168 |     echo "COREOS_PRIVATE_IPV4=$private_ipv4" > /etc/environment
169 |     echo "COREOS_PUBLIC_IPV4=$public_ipv4" >> /etc/environment
170 |     echo "INSTANCE_PROFILE=$instanceProfile" >> /etc/environment
171 | fi
172 | 
173 | # Run cloud-init
174 | coreos-cloudinit --from-file=${workDir}/cloud-config.yaml
175 | 


--------------------------------------------------------------------------------
/resources/cloud-config/systemd-units-flannel.yaml:
--------------------------------------------------------------------------------
 1 | 
 2 | # coreos.units.* components
 3 |     - name: flanneld.service
 4 |       command: start
 5 |       drop-ins:
 6 |         - name: 50-network-config.conf
 7 |           content: |
 8 |             [Service]
 9 |             ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{ "Network": "10.1.0.0/16" }'
10 |     - name: format-disk.service
11 |       command: start
12 |       content: |
13 |         [Unit]
14 |         Description=Formats the disk drive
15 |         [Service]
16 |         Type=oneshot
17 |         RemainAfterExit=yes
18 |         Environment="LABEL=var-lib-docker"
19 |         Environment="DEV=/dev/xvdb"
20 |         # Do not wipe the disk if it's already being used, so the docker images persistent cross reboot.
21 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then wipefs -a -f $DEV && mkfs.ext4 -T news -F -L $LABEL $DEV && echo wiped; fi"
22 |     - name: var-lib-docker.mount
23 |       command: start
24 |       content: |
25 |         [Unit]
26 |         Description=Mount disk to /var/lib/docker
27 |         Requires=format-disk.service
28 |         After=format-disk.service
29 |         Before=docker.service
30 |         [Mount]
31 |         What=/dev/xvdb
32 |         Where=/var/lib/docker
33 |         Type=ext4
34 |     - name: docker.service
35 |       command: start
36 |       drop-ins:
37 |         - name: 60-docker-wait-for-var-lib.conf
38 |           content: |
39 |               [Unit]
40 |               Requires=var-lib-docker.mount
41 |               After=var-lib-docker.mount
42 |               [Service]
43 |               Restart=always
44 |               RestartSec=5
45 |     - name: git-sync.service
46 |       command: start
47 |       content: |
48 |         [Unit]
49 |         Description=git-sync
50 |         ConditionPathExists=/opt/bin/git-sync.sh
51 |         
52 |         [Service]
53 |         EnvironmentFile=/etc/environment
54 |         TimeoutStartSec=10min
55 |         ExecStart=/opt/bin/git-sync.sh
56 |     - name: git-sync.timer
57 |       command: start
58 |       content: |      
59 |         [Unit]
60 |         Description=git-sync timer
61 |         
62 |         [Timer]
63 |         OnCalendar=*:*:00
64 |         #OnUnitActiveSec=30
65 |     - name: post-provisioning.service
66 |       command: start
67 |       content: |       
68 |         [Unit]
69 |         Description=A hook to excute bootstrap script at boot
70 |         Wants=git-sync.service
71 |         After=git-sync.service
72 |         ConditionPathExists=/opt/bin/post-provision.sh
73 |         
74 |         [Service]
75 |         Type=oneshot
76 |         RemainAfterExit=true
77 |         EnvironmentFile=/etc/environment
78 |         ExecStart=/opt/bin/post-provision.sh
79 | 
80 | 


--------------------------------------------------------------------------------
/resources/cloud-config/systemd-units.yaml:
--------------------------------------------------------------------------------
 1 | 
 2 | # coreos.units.* components
 3 |     - name: format-disk.service
 4 |       command: start
 5 |       content: |
 6 |         [Unit]
 7 |         Description=Formats the disk drive
 8 |         [Service]
 9 |         Type=oneshot
10 |         RemainAfterExit=yes
11 |         Environment="LABEL=var-lib-docker"
12 |         Environment="DEV=/dev/xvdb"
13 |         # Do not wipe the disk if it's already being used, so the docker images persistent cross reboot.
14 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then wipefs -a -f $DEV && mkfs.ext4 -T news -F -L $LABEL $DEV && echo wiped; fi"
15 |     - name: var-lib-docker.mount
16 |       command: start
17 |       content: |
18 |         [Unit]
19 |         Description=Mount disk to /var/lib/docker
20 |         Requires=format-disk.service
21 |         After=format-disk.service
22 |         Before=docker.service
23 |         [Mount]
24 |         What=/dev/xvdb
25 |         Where=/var/lib/docker
26 |         Type=ext4
27 |     - name: docker.service
28 |       command: start
29 |       drop-ins:
30 |         - name: 60-docker-wait-for-var-lib.conf
31 |           content: |
32 |               [Unit]
33 |               Requires=var-lib-docker.mount
34 |               After=var-lib-docker.mount
35 |               [Service]
36 |               Restart=always
37 |               RestartSec=5
38 |     - name: git-sync.service
39 |       command: start
40 |       content: |
41 |         [Unit]
42 |         Description=git-sync
43 |         ConditionPathExists=/opt/bin/git-sync.sh
44 |         
45 |         [Service]
46 |         EnvironmentFile=/etc/environment
47 |         TimeoutStartSec=10min
48 |         ExecStart=/opt/bin/git-sync.sh
49 |     - name: git-sync.timer
50 |       command: start
51 |       content: |      
52 |         [Unit]
53 |         Description=git-sync timer
54 |         
55 |         [Timer]
56 |         OnCalendar=*:*:00
57 |         #OnUnitActiveSec=30
58 |     - name: post-provisioning.service
59 |       command: start
60 |       content: |       
61 |         [Unit]
62 |         Description=A hook to excute bootstrap script at boot
63 |         Wants=git-sync.service
64 |         After=git-sync.service
65 |         ConditionPathExists=/opt/bin/post-provision.sh
66 |         
67 |         [Service]
68 |         Type=oneshot
69 |         RemainAfterExit=true
70 |         EnvironmentFile=/etc/environment
71 |         ExecStart=/opt/bin/post-provision.sh
72 | 


--------------------------------------------------------------------------------
/resources/cloud-config/vault.yaml.tmpl:
--------------------------------------------------------------------------------
  1 | #cloud-config
  2 | coreos:
  3 |   etcd2:
  4 |     advertise-client-urls: http://$private_ipv4:2379
  5 |     initial-advertise-peer-urls: http://$private_ipv4:2380
  6 |     listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
  7 |     listen-peer-urls: http://$private_ipv4:2380
  8 |   fleet:
  9 |     metadata: env=${CLUSTER_NAME},platform=ec2,provider=aws,role=etcd2
 10 |     public-ip: $private_ipv4
 11 |   update:
 12 |     reboot-strategy: best-effort
 13 |   locksmith:
 14 |     group: etcd
 15 |   units:
 16 |     - name: locksmithd.service
 17 |       command: start
 18 |       drop-ins:
 19 |       - name: 30-cloudinit.conf
 20 |         content: |
 21 |           [Service]
 22 |           Environment=LOCKSMITHD_REBOOT_WINDOW_START=05:30
 23 |           Environment=LOCKSMITHD_REBOOT_WINDOW_LENGTH=3h
 24 |     - name: etcd2.service
 25 |       command: start
 26 |       drop-ins:
 27 |         - name: 60-etcd-peers.conf
 28 |           content: |
 29 |               [Service]
 30 |               EnvironmentFile=/etc/sysconfig/etcd-peers
 31 |     - name: fleet.service
 32 |       command: start
 33 |     - name: etcd-init.service
 34 |       command: start
 35 |       content: |
 36 |         [Unit]
 37 |         Description=etcd init
 38 |         Requires=docker.service
 39 |         After=docker.service
 40 |         
 41 |         [Service]
 42 |         Type=oneshot
 43 |         RemainAfterExit=true
 44 |         EnvironmentFile=/etc/environment
 45 |         TimeoutStartSec=10min
 46 |         ExecStart=/opt/bin/etcd-init.sh
 47 |         [Install]
 48 |         WantedBy=multi-user.target
 49 |     - name: install-vault.service
 50 |       command: start
 51 |       enable: true
 52 |       content: |
 53 |         [Unit]
 54 |         Description=Install Vault and server cert
 55 |         [Service]
 56 |         Type=oneshot
 57 |         RemainAfterExit=true
 58 |         ExecStart=/bin/bash -c "[ -x /opt/bin/vault ] || \
 59 |           (mkdir -p /opt/bin; cd /tmp;  \
 60 |           curl -s -L -O ${VAULT_RELEASE_URL} \
 61 |           && unzip -o $(basename ${VAULT_RELEASE_URL}) -d /opt/bin/ \
 62 |           && chmod 755 /opt/bin/vault \
 63 |           && rm $(basename ${VAULT_RELEASE_URL})) "
 64 |     - name: vault.service
 65 |       command: start
 66 |       enable: true
 67 |       content: |
 68 |         [Unit]
 69 |         Description=vault
 70 |         Wants=install-vault.service
 71 |         After=install-vault.service
 72 |         [Service]
 73 |         ExecStartPre=/bin/bash -c "cd /opt/etc/vault/certs && if [ ! -f "vault.crt" ]; then ./gen.sh; fi"
 74 |         ExecStart=/opt/bin/vault server -config /opt/etc/vault/vault.hcl
 75 |         RestartSec=5
 76 |         Restart=always
 77 | 
 78 | # coreos.units.* components
 79 |     - name: format-disk.service
 80 |       command: start
 81 |       content: |
 82 |         [Unit]
 83 |         Description=Formats the disk drive
 84 |         [Service]
 85 |         Type=oneshot
 86 |         RemainAfterExit=yes
 87 |         Environment="LABEL=var-lib-docker"
 88 |         Environment="DEV=/dev/xvdb"
 89 |         # Do not wipe the disk if it's already being used, so the docker images persistent cross reboot.
 90 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then wipefs -a -f $DEV && mkfs.ext4 -T news -F -L $LABEL $DEV && echo wiped; fi"
 91 |     - name: var-lib-docker.mount
 92 |       command: start
 93 |       content: |
 94 |         [Unit]
 95 |         Description=Mount disk to /var/lib/docker
 96 |         Requires=format-disk.service
 97 |         After=format-disk.service
 98 |         Before=docker.service
 99 |         [Mount]
100 |         What=/dev/xvdb
101 |         Where=/var/lib/docker
102 |         Type=ext4
103 |     - name: docker.service
104 |       command: start
105 |       drop-ins:
106 |         - name: 60-docker-wait-for-var-lib.conf
107 |           content: |
108 |               [Unit]
109 |               Requires=var-lib-docker.mount
110 |               After=var-lib-docker.mount
111 |               [Service]
112 |               Restart=always
113 |               RestartSec=5
114 |     - name: git-sync.service
115 |       command: start
116 |       content: |
117 |         [Unit]
118 |         Description=git-sync
119 |         ConditionPathExists=/opt/bin/git-sync.sh
120 |         
121 |         [Service]
122 |         EnvironmentFile=/etc/environment
123 |         TimeoutStartSec=10min
124 |         ExecStart=/opt/bin/git-sync.sh
125 |     - name: git-sync.timer
126 |       command: start
127 |       content: |      
128 |         [Unit]
129 |         Description=git-sync timer
130 |         
131 |         [Timer]
132 |         OnCalendar=*:*:00
133 |         #OnUnitActiveSec=30
134 |     - name: post-provisioning.service
135 |       command: start
136 |       content: |       
137 |         [Unit]
138 |         Description=A hook to excute bootstrap script at boot
139 |         Wants=git-sync.service
140 |         After=git-sync.service
141 |         ConditionPathExists=/opt/bin/post-provision.sh
142 |         
143 |         [Service]
144 |         Type=oneshot
145 |         RemainAfterExit=true
146 |         EnvironmentFile=/etc/environment
147 |         ExecStart=/opt/bin/post-provision.sh
148 | write_files:
149 |   - path: /etc/systemd/system/docker.service.d/50-insecure-registry.conf
150 |     content: |
151 |         [Service]
152 |         Environment=DOCKER_OPTS='--insecure-registry=10.0.0.0/8,dockerhub.coreos-cluster.local'
153 | 
154 |   - path: /opt/bin/etcd-init.sh
155 |     permissions: 0700
156 |     owner: root
157 |     content: |
158 |       #!/bin/bash
159 |       
160 |       # dyamically create/join the etcd cluster by querying autoscaling group
161 |       # see https://github.com/dockerage/etcd-aws-cluster
162 |       image=dockerage/etcd-aws-cluster
163 |       /usr/bin/docker run -v /etc/sysconfig/:/etc/sysconfig/ $image
164 |       
165 |       # Placeholder - this isn't necessary for Vault's etcd cluster. 
166 |       /usr/bin/docker run -v /etc/sysconfig/:/etc/sysconfig/ --env S3BUCKET="s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-vault-cloudinit" --entrypoint /etcd-aws-proxy $image
167 |   - path: /opt/etc/vault/vault.hcl
168 |     permissions: 0644
169 |     owner: root
170 |     content: |
171 |       backend "etcd" {
172 |         address = "http://127.0.0.1:2379"
173 |         redirect_addr = "https://$public_ipv4:8200"
174 |         path = "vault"
175 |         sync = "yes"
176 |       }
177 |       listener "tcp" {
178 |         address = "127.0.0.1:8200"
179 |         tls_disable = 1
180 |       }
181 |       listener "tcp" {
182 |         address = "$private_ipv4:8200"
183 |         tls_cert_file = "/opt/etc/vault/certs/vault.crt"
184 |         tls_key_file = "/opt/etc/vault/certs/vault.key"
185 |       }
186 |       # if mlock is not supported
187 |       # disable_mlock = true
188 |       /* Need to install statesite for this to work 
189 |       telemetry {
190 |         statsite_address = "0.0.0.0:8125"
191 |         disable_hostname = true
192 |       }
193 |       */
194 |   - path: /opt/etc/vault/certs/vault.cnf
195 |     permissions: 0644
196 |     owner: root
197 |     content: |
198 |       [ req ]
199 |       default_bits       = 2048
200 |       default_md         = sha512
201 |       default_keyfile    = vault.key
202 |       distinguished_name = req_distinguished_name
203 |       x509_extensions    = v3_req
204 |       prompt             = no
205 |       encrypt_key        = no
206 | 
207 |       [req_distinguished_name]
208 |       C = US
209 |       ST = CA
210 |       L =  city
211 |       O = company
212 |       CN = *
213 | 
214 |       [v3_req]
215 |       subjectKeyIdentifier = hash
216 |       authorityKeyIdentifier = keyid,issuer
217 |       basicConstraints = CA:TRUE
218 |       subjectAltName = @alt_names
219 | 
220 |       [alt_names]
221 |       DNS.1 = *
222 |       DNS.2 = *.*
223 |       DNS.3 = *.*.*
224 |       DNS.4 = *.*.*.*
225 |       DNS.5 = *.*.*.*.*
226 |       DNS.6 = *.*.*.*.*.*
227 |       DNS.7 = *.*.*.*.*.*.*
228 |       DNS.8 = vault.example.com
229 |       IP.1 = $private_ipv4
230 |       IP.2 = $public_ipv4
231 |       IP.3 = 127.0.0.1
232 |   - path: /opt/etc/vault/certs/gen.sh
233 |     permissions: 0700
234 |     owner: root
235 |     content: |      
236 |       #!/bin/sh
237 |       echo "creating the vault.key and vault.csr...."
238 |       openssl req -new -out vault.csr -config vault.cnf
239 |       echo "signing vault.csr..."
240 |       openssl x509 -req -days 9999 -in vault.csr -CA ca.pem -CAkey ca.key \
241 |               -CAcreateserial -extensions v3_req -out vault.crt -extfile vault.cnf
242 |   - path: /opt/etc/vault/certs/ca.pem
243 |     permissions: 0644
244 |     owner: root
245 |     content: |
246 |       -----BEGIN CERTIFICATE-----
247 |       MIID2jCCAsICCQDFuc3c4hwfyjANBgkqhkiG9w0BAQ0FADCBrjELMAkGA1UEBhMC
248 |       VVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1IYWxmIE1vb24gQmF5MQ4wDAYDVQQR
249 |       DAU5NDAxOTESMBAGA1UECgwJRG9ja2VyYWdlMRYwFAYDVQQLDA1JVCBEZXBhcnRt
250 |       ZW50MRgwFgYDVQQDDA9jYS5kb2NrZXIubG9jYWwxJDAiBgkqhkiG9w0BCQEWFWFk
251 |       bWluQGNhLmRvY2tlci5sb2NhbDAeFw0xNjAzMDEwNjQzNTVaFw00MzA3MTcwNjQz
252 |       NTVaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDUhhbGYg
253 |       TW9vbiBCYXkxDjAMBgNVBBEMBTk0MDE5MRIwEAYDVQQKDAlEb2NrZXJhZ2UxFjAU
254 |       BgNVBAsMDUlUIERlcGFydG1lbnQxGDAWBgNVBAMMD2NhLmRvY2tlci5sb2NhbDEk
255 |       MCIGCSqGSIb3DQEJARYVYWRtaW5AY2EuZG9ja2VyLmxvY2FsMIIBIjANBgkqhkiG
256 |       9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnBnvGi9GoysVZHhbHh1aEQbO8g7EqkiElDQz
257 |       RmLT7UZh3FaoSgdWKYdu1C8779trwzjPltjthxmrGuFIjPXZ3gBe3k6s/etf9na+
258 |       QFa0lXmKmUX3LJAnwupmfC+fDFnVVN3beol8lW35eV/KGh8SXrbHrHpadcNdQURy
259 |       /MnavNQXSFxcW8vyUUlkoaI8qIeKu/70wv98Nfb0I8HMDmuaJjqBaOXevD4CBUFr
260 |       vrEQKWCF2DHomjDsCaQjxyoXAd85Ow8ZLxi6j4JmL2bFhR2bCfO0O8cpCHoU/W5g
261 |       dZhgjbld/TdcMagOd409krolG69ReR4uibju1/xlsMtvdCnaFQIDAQABMA0GCSqG
262 |       SIb3DQEBDQUAA4IBAQA6nkGIotTMZVZNiL3I9ZqGpSvN9AzENRt2ZvvJ9T2CGNX6
263 |       e8H8H8lD/AAfGdiitYxSgTL47dYhQ3MgECSRqX7jEeW3wHxhTTxVuFUu2PNXUCio
264 |       vbIm9kKqxspKSTN//BKDCAwHFUqYGiS8cw15HobpCnav9zmT7edRvdOEptM4VRJd
265 |       2hIBkPEAW4OAF2D59Y6sZxHuUorkLhTRqOutl6h7sPbdUQeIfOqHMaX6T2xl6VtJ
266 |       3I+Yza5TkVCPck88Q2PCECaXRSDN8UR5xTtXVBL1ikwdMsyEv7aD2ZzsET+djyZc
267 |       jsZnSW1rVS7qOLwmOmOH2LMxknD0AOobvGkugZTA
268 |       -----END CERTIFICATE-----
269 |   - path: /opt/etc/vault/certs/ca.key
270 |     permissions: 0600
271 |     owner: root
272 |     content: |
273 |       -----BEGIN RSA PRIVATE KEY-----
274 |       MIIEpQIBAAKCAQEAnBnvGi9GoysVZHhbHh1aEQbO8g7EqkiElDQzRmLT7UZh3Fao
275 |       SgdWKYdu1C8779trwzjPltjthxmrGuFIjPXZ3gBe3k6s/etf9na+QFa0lXmKmUX3
276 |       LJAnwupmfC+fDFnVVN3beol8lW35eV/KGh8SXrbHrHpadcNdQURy/MnavNQXSFxc
277 |       W8vyUUlkoaI8qIeKu/70wv98Nfb0I8HMDmuaJjqBaOXevD4CBUFrvrEQKWCF2DHo
278 |       mjDsCaQjxyoXAd85Ow8ZLxi6j4JmL2bFhR2bCfO0O8cpCHoU/W5gdZhgjbld/Tdc
279 |       MagOd409krolG69ReR4uibju1/xlsMtvdCnaFQIDAQABAoIBAG+GP8MvX4IXt9Lu
280 |       AftD8SMVACkD0BHweXgAy1lQJiTxEd1/tAAfubk130KM9H9q/lSddAJLvXe2KP6t
281 |       UU4UH7FyBlVBVGqdDRRixY3l5GKeUR0sVWlrHF0vZkT3KOSEEdvuHW4wZ+fCiGfk
282 |       vdlntZIheAqL57EXALsukhB0jmg06TjsPS8zbbnOJPbU3ZjDUjxMgfMB8xvj8LxX
283 |       kB9MB04ABkss47a7Ep5iHhhSQFu14udFiYOMvrrYbqp7l1zvzLYnsidrEGZIVcLr
284 |       xW52UfDtR4AROofSWBNpPCxv4u5OvH1NYTE1OPo21lqXhRSYiEAtO4NiZEPdH8gp
285 |       Az/XrsECgYEAyuDsdo0NwUuv3ByWEh+u3hOXAGa7LngwsdrlK7bUgqOfMukc6O+a
286 |       ZRYPvTMm+h6K3gbcE6M2XdWNuPF+uwkJuDI35ZXQBCBOlovx1cOMV4g/VzrXbA34
287 |       Tj61QytaZw/zQG+HwswfV12JH8L+HNpJ9EWtwJoWDzHWpg1Fp9+ErrkCgYEAxPl/
288 |       zrzcXfrfiP7akACzQp931LH54+FRiPTH3n3+QrQRyT0CXTxkDR6rgaHr6DxWDSKo
289 |       HRuvq73A1N3bucqrvr28krSgOge1kOAge76/X+BRlbdfXuNGsed4hgFyf71XTnGb
290 |       AX6xeuKvkxqNe84nXmZgm69T7LQ8MHAA2H4R+D0CgYEAtXzeq/LlAiz2Bf8glNf4
291 |       87sskvRTsG9eiExcRG3Kz48VxFJbRVnKkXFZ5RQUYx3ddl9Gkt6nrOt0W6TVjPW5
292 |       1yg9bslFC9vm0bAhR+wl6Mv+dccynPwmS8C3IH5w4c+X+OWM2ksGIn6PQ3WJI0B3
293 |       dei7VZfB8hfQgD1ROaqvpCkCgYEAo8HdrK2883D/aHCgmnnKjofvYuf4HakUVS1U
294 |       ATh0K1ZzNv++uG7dqz6lTWelrfSDgfYfF9wNp1VhPFeaNhM1x6UMYldCohwIqgJ7
295 |       XwWNKxNeIH9MDaIcAwmyXI5Vd7edHv055ftDaCuP1leL6rLQbh3lEWmo9zA8nfRv
296 |       74yYOe0CgYEAo8f33HogLL5/xtKkovlmTN/M+8NPMtu550gr9OKxxgYbvmQ895qy
297 |       hpSQnWoQ3z+Ry5sSXln4Ot5A5PfrlSCL35X7js/BOhjR3t45b9vT9KhAxmPRQiHO
298 |       dpiWS6BVt6AA13lV4LXIMRZ+ITJ+BC2yvPprmSTrLrt0FPyC35PJBYU=
299 |       -----END RSA PRIVATE KEY-----
300 |   - path: /etc/profile.d/vault.sh
301 |     content: |
302 |         export VAULT_CACERT=/opt/etc/vault/certs/ca.pem
303 |         export VAULT_ADDR=http://localhost:8200
304 |         #export VAULT_CLIENT_CERT=/var/lib/apps/vault/certs/client.crt
305 |         #export VAULT_CLIENT_KEY=/var/lib/apps/vault/certs/client.key
306 | 
307 | 
308 | 
309 | 


--------------------------------------------------------------------------------
/resources/cloud-config/worker.yaml.tmpl:
--------------------------------------------------------------------------------
  1 | #cloud-config
  2 | 
  3 | # Workers cloud-config
  4 | coreos:
  5 |   etcd2:
  6 |     proxy: on
  7 |     listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
  8 |   fleet:
  9 |     public-ip: $private_ipv4
 10 |     metadata: env=${CLUSTER_NAME},platform=ec2,provider=aws,role=worker
 11 |   update:
 12 |     reboot-strategy: best-effort
 13 |   locksmith:
 14 |     group: worker
 15 |   units:
 16 |     - name: locksmithd.service
 17 |       command: start
 18 |       drop-ins:
 19 |       - name: 30-cloudinit.conf
 20 |         content: |
 21 |           [Service]
 22 |           Environment="LOCKSMITHD_REBOOT_WINDOW_START=05:30"
 23 |           Environment="LOCKSMITHD_REBOOT_WINDOW_LENGTH=3h"
 24 |     - name: etcd2.service
 25 |       command: start
 26 |       drop-ins:
 27 |         - name: 60-initial-cluster.conf
 28 |           content: |
 29 |             [Service]
 30 |             EnvironmentFile=/etc/sysconfig/initial-cluster
 31 |     - name: fleet.service
 32 |       command: start
 33 | 
 34 | # coreos.units.* components
 35 |     - name: format-disk.service
 36 |       command: start
 37 |       content: |
 38 |         [Unit]
 39 |         Description=Formats the disk drive
 40 |         [Service]
 41 |         Type=oneshot
 42 |         RemainAfterExit=yes
 43 |         Environment="LABEL=var-lib-docker"
 44 |         Environment="DEV=/dev/xvdb"
 45 |         # Do not wipe the disk if it's already being used, so the docker images persistent cross reboot.
 46 |         ExecStart=-/bin/bash -c "if ! findfs LABEL=$LABEL > /tmp/label.$LABEL; then wipefs -a -f $DEV && mkfs.ext4 -T news -F -L $LABEL $DEV && echo wiped; fi"
 47 |     - name: var-lib-docker.mount
 48 |       command: start
 49 |       content: |
 50 |         [Unit]
 51 |         Description=Mount disk to /var/lib/docker
 52 |         Requires=format-disk.service
 53 |         After=format-disk.service
 54 |         Before=docker.service
 55 |         [Mount]
 56 |         What=/dev/xvdb
 57 |         Where=/var/lib/docker
 58 |         Type=ext4
 59 |     - name: docker.service
 60 |       command: start
 61 |       drop-ins:
 62 |         - name: 60-docker-wait-for-var-lib.conf
 63 |           content: |
 64 |               [Unit]
 65 |               Requires=var-lib-docker.mount
 66 |               After=var-lib-docker.mount
 67 |               [Service]
 68 |               Restart=always
 69 |               RestartSec=5
 70 |     - name: git-sync.service
 71 |       command: start
 72 |       content: |
 73 |         [Unit]
 74 |         Description=git-sync
 75 |         ConditionPathExists=/opt/bin/git-sync.sh
 76 |         
 77 |         [Service]
 78 |         EnvironmentFile=/etc/environment
 79 |         TimeoutStartSec=10min
 80 |         ExecStart=/opt/bin/git-sync.sh
 81 |     - name: git-sync.timer
 82 |       command: start
 83 |       content: |      
 84 |         [Unit]
 85 |         Description=git-sync timer
 86 |         
 87 |         [Timer]
 88 |         OnCalendar=*:*:00
 89 |         #OnUnitActiveSec=30
 90 |     - name: post-provisioning.service
 91 |       command: start
 92 |       content: |       
 93 |         [Unit]
 94 |         Description=A hook to excute bootstrap script at boot
 95 |         Wants=git-sync.service
 96 |         After=git-sync.service
 97 |         ConditionPathExists=/opt/bin/post-provision.sh
 98 |         
 99 |         [Service]
100 |         Type=oneshot
101 |         RemainAfterExit=true
102 |         EnvironmentFile=/etc/environment
103 |         ExecStart=/opt/bin/post-provision.sh
104 | write_files:            
105 |   - path: /opt/bin/git-sync.sh
106 |     permissions: 0700
107 |     owner: root
108 |     content: |
109 |         #!/bin/bash
110 |         # This script sync /var/lib/apps with github repo
111 |         export GIT_SSH_COMMAND=${GIT_SSH_COMMAND}
112 |         if [[ -d /var/lib/apps/.git ]]; 
113 |         then 
114 |             cd /var/lib/apps; git pull
115 |         else
116 |             mkdir -p /var/lib
117 |             git clone ${APP_REPOSITORY} /var/lib/apps
118 |         fi
119 |   - path: /opt/bin/s3sync.sh
120 |     permissions: 0700
121 |     owner: root
122 |     content: |
123 |         #!/bin/bash
124 |         # This script run a awscli docker to sync /var/lib/apps with s3 bucket
125 |         # this allows us to dynamically config hosted applications
126 |         AWS_CONFIG_ENV=/root/.aws/envvars
127 |         source $AWS_CONFIG_ENV
128 |         IMAGE=suet/awscli:latest
129 |         APPBUCKET=s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-config/apps
130 |         DST=/var/lib/apps
131 |         CMD="aws s3 sync --exact-timestamps --delete $APPBUCKET $DST && chmod 755 $DST/bin/*"
132 |         
133 |         # pull the IMAGE if not loaded
134 |         docker history $IMAGE > /dev/null 2>&1 || docker pull $IMAGE
135 |         # sync s3 apps to
136 |         docker run --rm --name s3sync -v $${DST}:$${DST} --env-file=$AWS_CONFIG_ENV $IMAGE /bin/bash -c "$CMD"
137 |   - path: /opt/bin/post-provision.sh
138 |     permissions: 0700
139 |     owner: root
140 |     content: |
141 |         #!/usr/bin/bash
142 |         # This script gets excecuted on each reboot. 
143 |         # It can be an additional config you want to set after CoreOS's cloud-config.
144 |         post_provision='/var/lib/apps/post_provision'
145 |         # wait until the post_provision is downloaded from git/s3
146 |         until [ -d $post_provision ]; do sleep 3; done;
147 |         if [ -d $post_provision ]
148 |         then
149 |             for i in $post_provision/*.sh
150 |             do
151 |               /bin/bash -x $i
152 |             done
153 |         fi
154 |         exit 0
155 |   - path: /etc/systemd/system/docker.service.d/50-insecure-registry.conf
156 |     content: |
157 |         [Service]
158 |         Environment=DOCKER_OPTS='--insecure-registry=10.0.0.0/8,dockerhub.coreos-cluster.local'
159 | 
160 |   - path: /etc/aws/account.envvars
161 |     permissions: 0644
162 |     owner: root
163 |     content: |
164 |         AWS_ACCOUNT=${AWS_ACCOUNT}
165 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
166 |         CLUSTER_NAME=${CLUSTER_NAME}
167 |   - path: /root/.aws/envvars
168 |     permissions: 0600
169 |     owner: root
170 |     content: |
171 |         AWS_ACCOUNT=${AWS_ACCOUNT}
172 |         AWS_USER=${AWS_USER}
173 |         AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
174 |         AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
175 |         AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
176 |   - path: /root/.aws/config
177 |     permissions: 0600
178 |     owner: root
179 |     content: |
180 |         [default]
181 |         aws_access_key_id=${AWS_ACCESS_KEY_ID}
182 |         aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
183 |         region=${AWS_DEFAULT_REGION}
184 | 
185 | 
186 | 


--------------------------------------------------------------------------------
/resources/makefiles/admiral.mk:
--------------------------------------------------------------------------------
 1 | admiral: init_admiral
 2 | 	cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	# Wait for vpc/subnets to be ready
 4 | 	sleep 5
 5 | 	#$(MAKE) gen_admiral_vars
 6 | 	@$(MAKE) get_admiral_ips
 7 | 
 8 | # Use this for ongoing changes if you only changed admiral.tf.
 9 | admiral_only: init create_admiral_key
10 | 	mkdir -p $(BUILD)/admiral
11 | 	cp -rf $(RESOURCES)/terraforms/admiral/admiral.tf $(BUILD)/admiral
12 | 	cd $(BUILD)/admiral ; ln -sf ../*.tf .
13 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
14 |   		cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/admiral.yaml.tmpl; \
15 |   	fi
16 | 	cd $(BUILD)/admiral; $(SCRIPTS)/tf-apply-confirm.sh
17 | 	$(MAKE) gen_admiral_vars
18 | 	@$(MAKE) get_admiral_ips
19 | 
20 | plan_admiral: init_admiral
21 | 	cd $(BUILD)/admiral; $(TF_GET); $(TF_PLAN)
22 | 
23 | destroy_admiral: destroy_admiral_key 
24 | 	cd $(BUILD)/admiral; $(TF_DESTROY)
25 | 
26 | show_admiral:  
27 | 	cd $(BUILD)/admiral; $(TF_SHOW) 
28 | 
29 | create_admiral_key:
30 | 	cd $(BUILD); \
31 | 		$(SCRIPTS)/aws-keypair.sh -c $(CLUSTER_NAME)-admiral;
32 | 
33 | upload_admiral_key:
34 | 	cd $(BUILD); \
35 | 		$(SCRIPTS)/aws-keypair.sh -u $(CLUSTER_NAME)-admiral;
36 | 
37 | destroy_admiral_key:
38 | 	cd $(BUILD); $(SCRIPTS)/aws-keypair.sh -d $(CLUSTER_NAME)-admiral;
39 | 
40 | init_admiral: etcd create_admiral_key
41 | 	mkdir -p $(BUILD)/admiral
42 | 	cp -rf $(RESOURCES)/terraforms/admiral/admiral.tf $(BUILD)/admiral
43 | 	cd $(BUILD)/admiral ; rm -rf $(BUILD)/admiral_vars.tf admiral_vars.tf; ln -sf ../*.tf .
44 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
45 |   		cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/admiral.yaml.tmpl; \
46 |   	fi
47 | 
48 | clean_admiral:
49 | 	rm -rf $(BUILD)/admiral $(BUILD)/admiral_vars.tf
50 | 
51 | gen_admiral_vars:
52 | 	cd $(BUILD)/admiral; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/admiral_vars.tf
53 | 
54 | get_admiral_ips:
55 | 	@echo "admiral public ips: " `$(SCRIPTS)/get-ec2-public-id.sh $(CLUSTER_NAME)-admiral`
56 | 
57 | # EFS target
58 | admiral_efs_target: plan_admiral_efs_target
59 | 	cd $(BUILD)/admiral; $(TF_GET); $(TF_APPLY);
60 | 
61 | plan_admiral_efs_target:
62 | 	cp -rf $(RESOURCES)/terraforms/admiral/admiral-efs-target.tf $(BUILD)/admiral
63 | 	cd $(BUILD)/admiral; $(TF_GET); $(TF_PLAN)
64 | 
65 | # Call this explicitly to re-load user_data
66 | update_admiral_user_data:
67 | 	cd $(BUILD)/admiral; \
68 | 		${TF_PLAN} -target=data.template_file.admiral_cloud_config; \
69 | 		$(TF_APPLY)
70 | 
71 | .PHONY: admiral admiral_only destroy_admiral plan_destroy_admiral plan_admiral init_admiral get_admiral_ips update_admiral_user_data
72 | .PHONY: show_admiral create_admiral_key destroy_admiral_key gen_admiral_vars init_efs_target clean_admiral
73 | 


--------------------------------------------------------------------------------
/resources/makefiles/cloudtrail.mk:
--------------------------------------------------------------------------------
 1 | cloudtrail: init_cloudtrail
 2 | 	cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	# Wait for cloudtrail to be ready
 4 | 	sleep 10
 5 | 
 6 | # Only for cloudtrail update. No other dependency change.
 7 | cloudtrail_only:
 8 | 	rsync -av $(RESOURCES)/terraforms/cloudtrail/ $(BUILD)/cloudtrail
 9 | 	cd $(BUILD)/cloudtrail ; ln -sf ../*.tf . ; $(SCRIPTS)/tf-apply-confirm.sh
10 | 
11 | plan_cloudtrail: init_cloudtrail
12 | 	cd $(BUILD)/cloudtrail; $(TF_GET); $(TF_PLAN)
13 | 
14 | plan_destroy_cloudtrail:
15 | 	cd $(BUILD)/cloudtrail; $(TF_DESTROY_PLAN)
16 | 
17 | destroy_cloudtrail: 
18 | 	cd $(BUILD)/cloudtrail; $(TF_DESTROY)
19 | 
20 | init_cloudtrail: update_provider
21 | 	mkdir -p $(BUILD)/cloudtrail
22 | 	rsync -av $(RESOURCES)/terraforms/cloudtrail/ $(BUILD)/cloudtrail
23 | 	cd $(BUILD)/cloudtrail ; ln -sf ../*.tf .
24 | 
25 | show_cloudtrail:  
26 | 	cd $(BUILD)/cloudtrail; $(TF_SHOW) 
27 | 
28 | .PHONY: cloudtrail plan_cloudtrail plan_destroy_cloudtrail destroy_cloudtrail cloudtrail_only init_cloudtrail show_cloudtrail
29 | 


--------------------------------------------------------------------------------
/resources/makefiles/efs.mk:
--------------------------------------------------------------------------------
 1 | # Create EFS cluster servers and EFS mount targets
 2 | efs: init_efs
 3 | 	@cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 4 | 	@$(MAKE) gen_efs_vars
 5 | 
 6 | plan_efs: init_efs
 7 | 	cd $(BUILD)/efs; $(TF_GET); $(TF_PLAN)
 8 | 
 9 | init_efs: vpc
10 | 	mkdir -p $(BUILD)/efs
11 | 	rsync -avq  $(RESOURCES)/terraforms/efs/ $(BUILD)/efs
12 | 	cd $(BUILD)/efs ; ln -sf ../*.tf .
13 | 
14 | destroy_efs:
15 | 	cd $(BUILD)/efs; $(TF_DESTROY)
16 | 
17 | gen_efs_vars:
18 | 	cd $(BUILD)/efs; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/efs_vars.tf
19 | 
20 | .PHONY: efs init_efs gen_etcd_vars plan_destroy_efs destroy_efs plan_efs
21 | 


--------------------------------------------------------------------------------
/resources/makefiles/elb-ci.mk:
--------------------------------------------------------------------------------
 1 | elb_ci: vpc plan_elb_ci
 2 | 	cd $(BUILD)/elb_ci ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	@$(MAKE) get_elb_ci_dns_name
 4 | 
 5 | plan_elb_ci: plan_vpc init_elb_ci
 6 | 	cd $(BUILD)/elb_ci; $(TF_PLAN)
 7 | 
 8 | destroy_elb_ci: | $(TF_PROVIDER)
 9 | 	cd $(BUILD)/elb_ci; $(TF_DESTROY)
10 | 
11 | plan_destroy_elb_ci:
12 | 	cd $(BUILD)/elb_ci; $(TF_DESTROY_PLAN)
13 | 
14 | # init elb build dir, may add init_route53 as dependence if dns registration is needed.
15 | init_elb_ci: | $(SITE_CERT) init route53
16 | 	mkdir -p $(BUILD)/elb_ci
17 | 	cp -rf $(RESOURCES)/terraforms/elb_ci/ci.tf $(BUILD)/elb_ci
18 | 	cd $(BUILD)/elb_ci ; ln -sf ../*.tf .
19 | 
20 | get_elb_ci_dns_name:
21 | 	@cd $(BUILD)/elb_ci; elb_name=`$(TF_OUTPUT) elb_name` ; echo `$(SCRIPTS)/get-dns-name.sh $$elb_name`
22 | 
23 | .PHONY: elb_ci destroy_elb_ci plan_elb_ci init_elb_ci certs get_elb_ci_dns_name plan_destroy_elb_ci
24 | 


--------------------------------------------------------------------------------
/resources/makefiles/etcd.mk:
--------------------------------------------------------------------------------
 1 | etcd: init_etcd 
 2 | 	@cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	# Wait for vpc/subnets to be ready
 4 | 	sleep 5
 5 | 	#@cd $(BUILD)/$@; $(TF_OUTPUT) && @$(MAKE) gen_vault_vars @$(MAKE) gen_etcd_vars
 6 | 	$(MAKE) get_etcd_ips
 7 | 
 8 | etcd_only: init create_etcd_key
 9 | 	mkdir -p $(BUILD)/etcd
10 | 	rsync -av  $(RESOURCES)/terraforms/etcd/ $(BUILD)/etcd
11 | 	cd $(BUILD)/etcd ; ln -sf ../*.tf .
12 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
13 |   		 cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/etcd.yaml.tmpl; \
14 |   	fi
15 | 	@cd $(BUILD)/etcd ; $(SCRIPTS)/tf-apply-confirm.sh
16 | 	# Wait for vpc/subnets to be ready
17 | 	sleep 5
18 | 	@$(MAKE) gen_etcd_vars
19 | 	$(MAKE) get_etcd_ips
20 | 
21 | plan_etcd: init_etcd
22 | 	cd $(BUILD)/etcd; $(TF_GET); $(TF_PLAN)
23 | 
24 | destroy_etcd: destroy_etcd_key 
25 | 	cd $(BUILD)/etcd; $(TF_DESTROY)
26 | 
27 | show_etcd:  
28 | 	cd $(BUILD)/etcd; $(TF_SHOW) 
29 | 
30 | create_etcd_key:
31 | 	cd $(BUILD); \
32 | 		$(SCRIPTS)/aws-keypair.sh -c $(CLUSTER_NAME)-etcd;
33 | 
34 | upload_etcd_key:
35 | 	cd $(BUILD); \
36 | 		$(SCRIPTS)/aws-keypair.sh -u $(CLUSTER_NAME)-etcd;
37 | 
38 | destroy_etcd_key:
39 | 	cd $(BUILD); $(SCRIPTS)/aws-keypair.sh -d $(CLUSTER_NAME)-etcd;
40 | 
41 | init_etcd: vpc iam s3 create_etcd_key 
42 | 	mkdir -p $(BUILD)/etcd
43 | 	rsync -av  $(RESOURCES)/terraforms/etcd/ $(BUILD)/etcd
44 | 	cd $(BUILD)/etcd ; rm -rf $(BUILD)/etcd_vars.tf etcd_vars.tf ; ln -sf ../*.tf .
45 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
46 |   		 cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/etcd.yaml.tmpl; \
47 |   	fi
48 | 
49 | clean_etcd:
50 | 	rm -rf $(BUILD)/etcd $(BUILD)/etcd_vars.tf
51 | 
52 | gen_etcd_vars:
53 | 	cd $(BUILD)/etcd; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/etcd_vars.tf
54 | 
55 | get_etcd_ips:
56 | 	@echo "etcd public ips: " `$(SCRIPTS)/get-ec2-public-id.sh $(CLUSTER_NAME)-etcd`
57 | 
58 | # Call this explicitly to re-load user_data
59 | update_etcd_user_data:
60 | 	cd $(BUILD)/etcd; \
61 | 		{TF_PLAN} -target=data.template_file.etcd_cloud_config; \
62 | 		$(TF_APPLY)
63 | 
64 | .PHONY: etcd etcd-only destroy_etcd plan_destroy_etcd plan_etcd init_etcd get_etcd_ips update_etcd_user_data
65 | .PHONY: show_etcd create_etcd_key destroy_etcd_key gen_etcd_vars clean_etcd
66 | 


--------------------------------------------------------------------------------
/resources/makefiles/iam.mk:
--------------------------------------------------------------------------------
 1 | iam: init_iam 
 2 | 	@cd $(BUILD)/$@; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	@$(MAKE) gen_s3_vars
 4 | 	@$(MAKE) gen_iam_vars
 5 | 
 6 | plan_iam: init_iam
 7 | 	cd $(BUILD)/iam; $(TF_GET); $(TF_PLAN)
 8 | 
 9 | destroy_iam:  
10 | 	cd $(BUILD)/iam; $(TF_DESTROY)
11 | 
12 | show_iam:  
13 | 	cd $(BUILD)/iam; $(TF_SHOW) 
14 | 
15 | init_iam: s3
16 | 	mkdir -p $(BUILD)/iam
17 | 	rsync -av  $(RESOURCES)/terraforms/iam/ $(BUILD)/iam
18 | 	cd $(BUILD)/iam ; ln -sf ../*.tf .
19 | 
20 | clean_iam:
21 | 	rm -rf $(BUILD)/iam $(BUILD)/iam_vars.tf
22 | 
23 | gen_iam_vars:
24 | 	cd $(BUILD)/iam; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/iam_vars.tf
25 | 
26 | .PHONY: iam plan_destroy_iam destroy_iam plan_iam init_iam gen_iam_vars clean_iam
27 | 
28 | 


--------------------------------------------------------------------------------
/resources/makefiles/init.mk:
--------------------------------------------------------------------------------
 1 | show:
 2 | 	@echo "show_<resource>"
 3 | 
 4 | show_state: init
 5 | 	cat $(BUILD)/terraform.tfstate
 6 | 
 7 | refresh: init
 8 | 	cd $(BUILD); $(TF_REFRESH)
 9 | 
10 | init: | $(TF_PROVIDER) $(AMI_VAR)
11 | 
12 | get_vpc_id:
13 | 	$(SCRIPTS)/get-vpc-id.sh
14 | 
15 | $(BUILD): init_build_dir
16 | 
17 | $(TF_PROVIDER): update_provider
18 | 
19 | $(AMI_VAR): update_ami
20 | 
21 | $(SITE_CERT): gen_certs
22 | 
23 | init_build_dir:
24 | 	@mkdir -p $(BUILD)
25 | 	@cp -rf $(RESOURCES)/cloud-config $(BUILD)
26 | 	@cp -rf $(RESOURCES)/policies $(BUILD)
27 | 	@$(SCRIPTS)/substitute-CLUSTER-NAME.sh $(BUILD)/cloud-config/s3-cloudconfig-bootstrap.sh
28 | 
29 | update_ami:	| $(BUILD)
30 | 	# Generate default AMI ids
31 | 	$(SCRIPTS)/get-ami.sh > $(BUILD)/$(AMI_VAR)
32 | 
33 | update_provider: | $(BUILD)
34 | 	# Generate tf provider
35 | 	$(SCRIPTS)/gen-provider.sh > /dev/null 2>&1 &&  $(SCRIPTS)/gen-provider.sh > $(BUILD)/$(TF_PROVIDER)
36 | 
37 | gen_certs: $(BUILD)
38 | 	@cp -rf $(RESOURCES)/certs $(BUILD); sed -i '' "s/DOMAIN/$(APP_DOMAIN)/g" $(BUILD)/certs/*
39 | 	@if [ ! -f "$(SITE_CERT)" ] ; \
40 | 	then \
41 | 		$(MAKE) -C $(CERTS) ; \
42 | 	fi
43 | 
44 | clean_certs:
45 | 	rm -f $(CERTS)/*.pem
46 | 
47 | .PHONY: init show show_state refresh update_ami update_provider init_build_dir
48 | .PHONY: gen_certs clean_certs


--------------------------------------------------------------------------------
/resources/makefiles/rds.mk:
--------------------------------------------------------------------------------
 1 | DB_PWD := $(BUILD)/rds/override.tf
 2 | 
 3 | rds: init_rds $(DB_PWD)
 4 | 	cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 5 | 	# Wait for rds to be ready
 6 | 	sleep 10
 7 | 
 8 | # Only for db update. No other dependency change.
 9 | rds_only:
10 | 	rsync -av $(RESOURCES)/terraforms/rds/ $(BUILD)/rds
11 | 	cd $(BUILD)/rds ; ln -sf ../*.tf . ; $(SCRIPTS)/tf-apply-confirm.sh
12 | 
13 | plan_rds: init_rds
14 | 	cd $(BUILD)/rds; $(TF_GET); $(TF_PLAN)
15 | 
16 | plan_destroy_rds:
17 | 	cd $(BUILD)/rds; $(TF_DESTROY_PLAN)
18 | 
19 | destroy_rds: 
20 | 	cd $(BUILD)/rds; $(TF_DESTROY)
21 | 
22 | init_rds: vpc route53
23 | 	mkdir -p $(BUILD)/rds
24 | 	rsync -av $(RESOURCES)/terraforms/rds/ $(BUILD)/rds
25 | 	cd $(BUILD)/rds ; ln -sf ../*.tf .
26 | 
27 | $(DB_PWD): 
28 | 	$(SCRIPTS)/gen-rds-password.sh $(DB_PWD)
29 | 
30 | gen_db_pwd: $(DB_PWD)
31 | 
32 | show_rds:  
33 | 	cd $(BUILD)/rds; $(TF_SHOW) 
34 | 
35 | .PHONY: rds plan_rds plan_destroy_rds destroy_rds rds_only init_rds gen_rds_password show_rds gen_db_pwd
36 | 


--------------------------------------------------------------------------------
/resources/makefiles/route53.mk:
--------------------------------------------------------------------------------
 1 | 
 2 | route53: init_route53
 3 | 	@cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 4 | 	@$(MAKE) gen_route53_vars
 5 | 
 6 | plan_route53: plan_vpc init_route53
 7 | 	cd $(BUILD)/route53; $(TF_PLAN)
 8 | 
 9 | init_route53: vpc
10 | 	mkdir -p $(BUILD)/route53
11 | 	rsync -avq  $(RESOURCES)/terraforms/route53/ $(BUILD)/route53
12 | 	cd $(BUILD)/route53 ; ln -sf ../*.tf .
13 | 
14 | plan_destroy_route53:
15 | 	cd $(BUILD); $(TF_PLAN)
16 | 
17 | gen_route53_vars:
18 | 	cd $(BUILD)/route53; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/route53_vars.tf
19 | 
20 | destroy_route53:
21 | 	cd $(BUILD)/route53; $(TF_DESTROY)
22 | 
23 | clean_route53: destroy_route53
24 | 	rm -f $(BUILD)/module-route53.tf
25 | 
26 | .PHONY: route53 plan_route53 init_route53 plan_destroy_route53 gen_route53_vars destroy_route53 clean_route53
27 | 


--------------------------------------------------------------------------------
/resources/makefiles/s3.mk:
--------------------------------------------------------------------------------
 1 | s3: init_s3
 2 | 	@cd $(BUILD)/$@; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	@sleep 10
 4 | 	@$(MAKE) gen_s3_vars
 5 | 
 6 | plan_s3: init_s3
 7 | 	cd $(BUILD)/s3; $(TF_GET); $(TF_PLAN)
 8 | 
 9 | destroy_s3:  
10 | 	cd $(BUILD)/s3; $(TF_DESTROY)
11 | 
12 | show_s3:  
13 | 	cd $(BUILD)/s3; $(TF_SHOW) 
14 | 
15 | init_s3: init
16 | 	mkdir -p $(BUILD)/s3
17 | 	rsync -av  $(RESOURCES)/terraforms/s3/ $(BUILD)/s3
18 | 	cd $(BUILD)/s3 ; ln -sf ../*.tf .
19 | 
20 | clean_s3:
21 | 	rm -rf $(BUILD)/s3 $(BUILD)/s3_vars.tf
22 | 
23 | gen_s3_vars:
24 | 	cd $(BUILD)/s3; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/s3_vars.tf
25 | 
26 | .PHONY: s3 plan_destroy_s3 destroy_s3 plan_s3 init_s3 gen_s3_vars clean_s3
27 | 
28 | 


--------------------------------------------------------------------------------
/resources/makefiles/vault.mk:
--------------------------------------------------------------------------------
 1 | vault: init_vault 
 2 | 	@cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	# Wait for vpc/subnets to be ready
 4 | 	sleep 5
 5 | 	#@cd $(BUILD)/$@; $(TF_OUTPUT) && @$(MAKE) gen_vault_vars
 6 | 	$(MAKE) get_vault_ips
 7 | 
 8 | vault_only: init create_vault_key
 9 | 	mkdir -p $(BUILD)/vault
10 | 	rsync -av  $(RESOURCES)/terraforms/vault/ $(BUILD)/vault
11 | 	cd $(BUILD)/vault ; ln -sf ../*.tf .
12 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
13 |   		 cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/vault.yaml.tmpl; \
14 |   	fi
15 | 	cat $(RESOURCES)/cloud-config/common-files.yaml.tmpl >> $(BUILD)/cloud-config/vault.yaml.tmpl
16 | 	@cd $(BUILD)/vault ; $(SCRIPTS)/tf-apply-confirm.sh
17 | 	# Wait for vpc/subnets to be ready
18 | 	sleep 5
19 | 	@$(MAKE) gen_vault_vars
20 | 	$(MAKE) get_vault_ips
21 | 
22 | plan_vault: init_vault
23 | 	cd $(BUILD)/vault; $(TF_GET); $(TF_PLAN)
24 | 
25 | destroy_vault: destroy_vault_key 
26 | 	cd $(BUILD)/vault; $(TF_DESTROY)
27 | 
28 | show_vault:  
29 | 	cd $(BUILD)/vault; $(TF_SHOW) 
30 | 
31 | create_vault_key:
32 | 	cd $(BUILD); \
33 | 		$(SCRIPTS)/aws-keypair.sh -c $(CLUSTER_NAME)-vault;
34 | 
35 | upload_vault_key:
36 | 	cd $(BUILD); \
37 | 		$(SCRIPTS)/aws-keypair.sh -u $(CLUSTER_NAME)-vault;
38 | 
39 | destroy_vault_key:
40 | 	cd $(BUILD); $(SCRIPTS)/aws-keypair.sh -d $(CLUSTER_NAME)-vault;
41 | 
42 | init_vault: vpc iam s3 create_vault_key $(SITE_CERT)
43 | 	mkdir -p $(BUILD)/vault
44 | 	rsync -av  $(RESOURCES)/terraforms/vault/ $(BUILD)/vault
45 | 	cd $(BUILD)/vault ; ln -sf ../*.tf .
46 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
47 |   		 cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/vault.yaml.tmpl; \
48 |   	fi
49 | 	cat $(RESOURCES)/cloud-config/common-files.yaml.tmpl >> $(BUILD)/cloud-config/vault.yaml.tmpl
50 | 
51 | clean_vault:
52 | 	rm -rf $(BUILD)/vault; $(BUILD)/vault_vars.tf
53 | 
54 | gen_vault_vars:
55 | 	cd $(BUILD)/vault; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/vault_vars.tf
56 | 
57 | get_vault_ips:
58 | 	@echo "vault public ips: " `$(SCRIPTS)/get-ec2-public-id.sh $(CLUSTER_NAME)-vault`
59 | 
60 | # Call this explicitly to re-load user_data
61 | update_vault_user_data:
62 | 	cat $(RESOURCES)/cloud-config/vault.yaml.tmpl $(RESOURCES)/cloud-config/common-files.yaml.tmpl > $(BUILD)/cloud-config/vault.yaml.tmpl
63 | 	cd $(BUILD)/vault; \
64 | 		{TF_PLAN} -target=data.template_file.vault_cloud_config; \
65 | 		$(TF_APPLY)
66 | 
67 | .PHONY: vault vault-only destroy_vault plan_destroy_vault plan_vault init_vault get_vault_ips update_vault_user_data
68 | .PHONY: show_vault create_vault_key destroy_vault_key gen_vault_vars clean_vault
69 | 


--------------------------------------------------------------------------------
/resources/makefiles/vpc.mk:
--------------------------------------------------------------------------------
 1 | vpc: init_vpc
 2 | 	@cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	# Wait for vpc/subnets to be ready
 4 | 	sleep 5
 5 | 	$(MAKE) gen_vpc_vars
 6 | 
 7 | plan_vpc: init_vpc
 8 | 	cd $(BUILD)/vpc; $(TF_GET); $(TF_PLAN)
 9 | 
10 | destroy_vpc:
11 | 	@echo "In $@."
12 | 	@$(MAKE) confirm
13 | 	cd $(BUILD)/vpc; $(TF_DESTROY)
14 | 
15 | show_vpc:  
16 | 	cd $(BUILD)/vpc; $(TF_SHOW) 
17 | 
18 | init_vpc: init
19 | 	mkdir -p $(BUILD)/vpc
20 | 	rsync -av $(RESOURCES)/terraforms/vpc/ $(BUILD)/vpc
21 | 	cd $(BUILD)/vpc ; ln -sf ../provider.tf .
22 | 
23 | clean_vpc:
24 | 	rm -rf $(BUILD)/vpc $(BUILD)/vpc_vars.tf
25 | 
26 | gen_vpc_vars:
27 | 	cd $(BUILD)/vpc; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/vpc_vars.tf
28 | 
29 | .PHONY: get_vpc_ids vpc plan_destroy_vpc destroy_vpc plan_vpc init_vpc show_vpc clean_vpc
30 | 
31 | 


--------------------------------------------------------------------------------
/resources/makefiles/worker.mk:
--------------------------------------------------------------------------------
 1 | worker: init_worker
 2 | 	cd $(BUILD)/$@ ; $(SCRIPTS)/tf-apply-confirm.sh
 3 | 	#@$(MAKE) gen_worker_vars
 4 | 	@$(MAKE) get_worker_ips
 5 | 
 6 | # Use this for ongoing changes if you only changed worker.tf.
 7 | worker_only: init create_worker_key
 8 | 	mkdir -p $(BUILD)/worker
 9 | 	cp -rf $(RESOURCES)/terraforms/worker/worker.tf $(BUILD)/worker
10 | 	cd $(BUILD)/worker ; ln -sf ../*.tf .	
11 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
12 |   		cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/worker.yaml.tmpl; \
13 |   	fi
14 | 	cd $(BUILD)/worker ; $(SCRIPTS)/tf-apply-confirm.sh
15 | 	@$(MAKE) gen_worker_vars
16 | 	@$(MAKE) get_worker_ips
17 | 
18 | plan_worker: init_worker
19 | 	cd $(BUILD)/worker; $(TF_GET); $(TF_PLAN)
20 | 
21 | init_worker: etcd create_worker_key
22 | 	mkdir -p $(BUILD)/worker
23 | 	cp -rf $(RESOURCES)/terraforms/worker/worker.tf $(BUILD)/worker
24 | 	cd $(BUILD)/worker ; ln -sf ../*.tf .
25 | 	@if [[ "X$(APP_REPOSITORY_DEPLOYKEY)" != "X" ]] && [[ -f $(APP_REPOSITORY_DEPLOYKEY) ]]; then \
26 |   		cat $(APP_REPOSITORY_DEPLOYKEY) >> $(BUILD)/cloud-config/worker.yaml.tmpl; \
27 |   	fi
28 | 
29 | destroy_worker: destroy_worker_key 
30 | 	cd $(BUILD)/worker; $(TF_DESTROY)
31 | 
32 | show_worker:  
33 | 	cd $(BUILD)/worker; $(TF_SHOW) 
34 | 
35 | create_worker_key:
36 | 	cd $(BUILD); \
37 | 		$(SCRIPTS)/aws-keypair.sh -c $(CLUSTER_NAME)-worker;
38 | 
39 | destroy_worker_key:
40 | 	cd $(BUILD); $(SCRIPTS)/aws-keypair.sh -d $(CLUSTER_NAME)-worker;
41 | 
42 | clean_worker:
43 | 	rm -rf $(BUILD)/worker $(BUILD)/worker_vars.tf
44 | 
45 | gen_worker_vars:
46 | 	cd $(BUILD)/worker; ${SCRIPTS}/gen-tf-vars.sh > $(BUILD)/worker_vars.tf
47 | 
48 | get_worker_ips:
49 | 	@echo "worker public ips: " `$(SCRIPTS)/get-ec2-public-id.sh $(CLUSTER_NAME)-worker`
50 | 
51 | 
52 | # Call this explicitly to re-load user_data
53 | update_worker_user_data:
54 | 	cd $(BUILD)/worker; \
55 | 		{TF_PLAN} -target=data.template_file.worker_cloud_config; \
56 | 		$(TF_APPLY)
57 | 		
58 | .PHONY: worker worker_only destroy_worker plan_destroy_worker plan_worker init_worker get_worker_ips update_worker_user_data
59 | .PHONY: show_worker create_worker_key destroy_worker_key gen_worker_vars clean_worker
60 | 


--------------------------------------------------------------------------------
/resources/policies/admiral_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "s3:*"
 8 |       ],
 9 |       "Resource": [
10 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit",
11 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/*",
12 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config",
13 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config/*",
14 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-dockerhub",
15 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-dockerhub/*",
16 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-jenkins",
17 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-jenkins/*",
18 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-splunk",
19 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-splunk/*"
20 |       ]
21 |     },
22 |     {
23 |       "Effect": "Allow",
24 |       "Action": [
25 |         "ec2:Describe*",
26 |         "autoscaling:Describe*"
27 |       ],
28 |       "Resource": [
29 |         "*"
30 |       ]
31 |     }
32 |   ]
33 | }
34 | 


--------------------------------------------------------------------------------
/resources/policies/assume_role_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Sid": "",
 6 |       "Effect": "Allow",
 7 |       "Principal": {
 8 |         "Service": "ec2.amazonaws.com"
 9 |       },
10 |       "Action": "sts:AssumeRole"
11 |     }
12 |   ]
13 | }


--------------------------------------------------------------------------------
/resources/policies/deployment_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "elasticloadbalancing:*",
 8 |         "route53:*",
 9 |         "s3:*"
10 |       ],
11 |       "Resource": [
12 |         "*"
13 |       ]
14 |     }
15 |   ]
16 | }


--------------------------------------------------------------------------------
/resources/policies/dockerhub_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "s3:*"
 8 |       ],
 9 |       "Resource": [
10 |         "arn:aws:s3:::${AWS_ACCOUNT}_${CLUSTER_NAME}-dockerhub",
11 |         "arn:aws:s3:::${AWS_ACCOUNT}_${CLUSTER_NAME}-dockerhub/*"
12 |       ]
13 |     },
14 |     {
15 |       "Effect": "Allow",
16 |       "Action": [
17 |         "s3:List*",
18 |         "s3:Get*"
19 |       ],
20 |       "Resource": [
21 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/etcd/initial-cluster",
22 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/dockerhub",
23 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/dockerhub/*",
24 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config",
25 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config/*"
26 |       ]
27 |     }
28 |   ]
29 | }
30 | 


--------------------------------------------------------------------------------
/resources/policies/etcd_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "s3:*"
 8 |       ],
 9 |       "Resource": [
10 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit",
11 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/*",
12 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config",
13 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config/*"
14 |       ]
15 |     },
16 |     {
17 |       "Effect": "Allow",
18 |       "Action": [
19 |         "ec2:Describe*",
20 |         "autoscaling:Describe*"
21 |       ],
22 |       "Resource": [
23 |         "*"
24 |       ]
25 |     }
26 |   ]
27 | }
28 | 


--------------------------------------------------------------------------------
/resources/policies/vault_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "s3:*"
 8 |       ],
 9 |       "Resource": [
10 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit",
11 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/*",
12 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-vault-cloudinit",
13 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-vault-cloudinit/*",
14 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config",
15 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config/*"
16 |       ]
17 |     },
18 |     {
19 |       "Effect": "Allow",
20 |       "Action": [
21 |         "ec2:Describe*",
22 |         "autoscaling:Describe*"
23 |       ],
24 |       "Resource": [
25 |         "*"
26 |       ]
27 |     }
28 |   ]
29 | }
30 | 


--------------------------------------------------------------------------------
/resources/policies/worker_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "ec2:Describe*",
 8 |         "autoscaling:Describe*"
 9 |       ],
10 |       "Resource": [
11 |         "*"
12 |       ]
13 |     },
14 |     {
15 |       "Effect": "Allow",
16 |       "Action": [
17 |         "s3:List*",
18 |         "s3:Get*"
19 |       ],
20 |       "Resource": [
21 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/etcd/initial-cluster",
22 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit",
23 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/worker",
24 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-cloudinit/worker/*",
25 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config",
26 |         "arn:aws:s3:::${AWS_ACCOUNT}-${CLUSTER_NAME}-config/*"
27 |       ]
28 |     }
29 |   ]
30 | }
31 | 


--------------------------------------------------------------------------------
/resources/terraforms/admiral/admiral.tf:
--------------------------------------------------------------------------------
  1 | module "admiral" {
  2 |   source = "../../modules/cluster"
  3 | 
  4 |   # cluster varaiables for the cluster module
  5 |   cluster_name = "${var.cluster_name}"
  6 |   asg_name = "admiral"
  7 |   # a list of subnet IDs to launch resources in.
  8 |   cluster_vpc_zone_identifiers = "${var.admiral_subnet_0_id},${var.admiral_subnet_1_id},${var.admiral_subnet_2_id}"
  9 |   cluster_min_size = 1
 10 |   cluster_max_size = 1
 11 |   cluster_desired_capacity = 1
 12 |   cluster_security_groups = "${aws_security_group.admiral.id}"
 13 | 
 14 |   # Instance specifications
 15 |   ami = "${var.ami}"
 16 |   image_type = "t2.small"
 17 |   keypair = "${var.cluster_name}-admiral"
 18 | 
 19 |   # Note: currently admiral launch_configuration devices can NOT be changed after admiral cluster is up
 20 |   # See https://github.com/hashicorp/terraform/issues/2910
 21 |   # Instance disks
 22 |   root_volume_type = "gp2"
 23 |   root_volume_size = 12
 24 |   docker_volume_type = "gp2"
 25 |   docker_volume_size = 12 
 26 |   data_volume_type = "gp2"
 27 |   data_volume_size = 100
 28 | 
 29 |   user_data = "${file("../cloud-config/s3-cloudconfig-bootstrap.sh")}"
 30 |   iam_role_policy = "${data.template_file.admiral_policy_json.rendered}"
 31 | }
 32 | 
 33 | # Upload CoreOS cloud-config to a s3 bucket; s3-cloudconfig-bootstrap script in user-data will download 
 34 | # the cloud-config upon reboot to configure the system. This avoids rebuilding machines when 
 35 | # changing cloud-config.
 36 | resource "aws_s3_bucket_object" "admiral_cloud_config" {
 37 |   bucket = "${var.s3_cloudinit_bucket}"
 38 |   key = "admiral/cloud-config.yaml"
 39 |   content = "${data.template_file.admiral_cloud_config.rendered}"
 40 | }
 41 | 
 42 | data "template_file" "admiral_cloud_config" {
 43 |     template = "${file("../cloud-config/admiral.yaml.tmpl")}"
 44 |     vars {
 45 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 46 |         "AWS_USER" = "${var.deployment_user}"
 47 |         "AWS_ACCESS_KEY_ID" = "${var.deployment_key_id}"
 48 |         "AWS_SECRET_ACCESS_KEY" = "${var.deployment_key_secret}"
 49 |         "AWS_DEFAULT_REGION" = "${var.aws_account["default_region"]}"
 50 |         "CLUSTER_NAME" = "${var.cluster_name}"
 51 |         "APP_REPOSITORY" = "${var.app_repository}"
 52 |         "GIT_SSH_COMMAND" = "\"${var.git_ssh_command}\""
 53 |     }
 54 | }
 55 | 
 56 | data "template_file" "admiral_policy_json" {
 57 |     template = "${file("../policies/admiral_policy.json")}"
 58 |     vars {
 59 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 60 |         "CLUSTER_NAME" = "${var.cluster_name}"
 61 |     }
 62 | }
 63 | 
 64 | resource "aws_security_group" "admiral"  {
 65 |   name = "${var.cluster_name}-admiral"
 66 |   vpc_id = "${var.cluster_vpc_id}"
 67 |   description = "admiral"
 68 |   # Hacker's note: the cloud_config has to be uploaded to s3 before instances fireup
 69 |   # but module can't have 'depends_on', so we have to make 
 70 |   # this indrect dependency through security group
 71 |   depends_on = ["aws_s3_bucket_object.admiral_cloud_config"]
 72 | 
 73 |   # Allow all outbound traffic
 74 |   egress {
 75 |     from_port = 0
 76 |     to_port = 0
 77 |     protocol = "-1"
 78 |     cidr_blocks = ["0.0.0.0/0"]
 79 |   }
 80 | 
 81 |   # Allow access from vpc
 82 |   ingress {
 83 |     from_port = 10
 84 |     to_port = 65535
 85 |     protocol = "tcp"
 86 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
 87 |   }
 88 | 
 89 |   # Allow access from vpc
 90 |   ingress {
 91 |     from_port = 10
 92 |     to_port = 65535
 93 |     protocol = "udp"
 94 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
 95 |   }
 96 | 
 97 |   # Allow SSH from my hosts
 98 |   ingress {
 99 |     from_port = 22
100 |     to_port = 22
101 |     protocol = "tcp" 
102 |     cidr_blocks = ["${split(",", var.allow_ssh_cidr)}"]
103 |     self = true
104 |   }
105 | 
106 |   tags {
107 |     Name = "${var.cluster_name}-admiral"
108 |   }
109 | }
110 | 
111 | output "admiral_security_group" { value = "${aws_security_group.admiral.id}" }
112 | 
113 | 


--------------------------------------------------------------------------------
/resources/terraforms/cloudtrail/cloudtrail.tf:
--------------------------------------------------------------------------------
 1 | module "cloudtrail" {
 2 |   source = "../../modules/cloudtrail"
 3 | 
 4 |   trail_name = "${var.cluster_name}"
 5 |   s3_bucket_name = "${var.aws_account["id"]}-${var.cluster_name}-cloudtrail"
 6 |   include_global_service_events = true
 7 |   is_multi_region_trail = true
 8 |   cluster_name = "${var.cluster_name}"
 9 |   aws_account_id = "${var.aws_account["id"]}"
10 | }
11 | 
12 | 


--------------------------------------------------------------------------------
/resources/terraforms/efs/efs.tf:
--------------------------------------------------------------------------------
 1 | # EFS cluster
 2 | resource "aws_efs_file_system" "efs" {
 3 |   reference_name = "${var.cluster_name}-efs"
 4 |   tags {
 5 |     Name = "${var.cluster_name}-efs"
 6 |   }
 7 |   tags {
 8 |     Billing = "${var.cluster_name}"
 9 |   }
10 | }
11 | 
12 | resource "aws_security_group" "efs"  {
13 |     name = "${var.cluster_name}-efs"
14 |     vpc_id = "${var.cluster_vpc_id}"
15 |     description = "efs"
16 | 
17 |     # Allow all outound traffic
18 |     egress {
19 |       from_port = 0
20 |       to_port = 0
21 |       protocol = "-1"
22 |       cidr_blocks = ["0.0.0.0/0"]
23 |     }
24 | 
25 |     # EFS client port
26 |     ingress {
27 |       from_port = 2049
28 |       to_port = 2049
29 |       protocol = "tcp"
30 |       cidr_blocks = ["${var.cluster_vpc_cidr}"]
31 |     }
32 | 
33 |     tags {
34 |       Name = "${var.cluster_name}-efs"
35 |     }
36 | }
37 | 
38 | output "efs_file_system_efs_id" { value = "${aws_efs_file_system.efs.id}" }
39 | output "security_group_efs_id" { value = "${aws_security_group.efs.id}" }
40 | 
41 | module "efs-target" {
42 |     source = "../../modules/efs-target"
43 |     filesystem_id = "${aws_efs_file_system.efs.id}"
44 |     security_group_id = "${aws_security_group.efs.id}"
45 |     efs_subnet_0_id = "${var.worker_subnet_0_id}"
46 |     efs_subnet_1_id = "${var.worker_subnet_1_id}"
47 |     efs_subnet_2_id = "${var.worker_subnet_2_id}"
48 | }
49 | 


--------------------------------------------------------------------------------
/resources/terraforms/elb-ci/ci.tf:
--------------------------------------------------------------------------------
  1 | #
  2 | # ELB for CI
  3 | #
  4 | 
  5 | variable "ci_cert" { default = "../certs/site.pem" }
  6 | variable "ci_cert_chain" { default = "../certs/rootCA.pem" }
  7 | variable "ci_cert_key" { default = "../certs/site-key.pem" }
  8 | 
  9 | resource "aws_elb" "ci" {
 10 |   name = "${var.cluster_name}-elb-ci"
 11 |   depends_on = [ "aws_iam_server_certificate.wildcard" ]  
 12 |   subnets = ["${var.elb_subnet_0_id}","${var.elb_subnet_1_id}","${var.elb_subnet_2_id}"]
 13 |   security_groups = [ "${aws_security_group.elb_ci.id}" ]
 14 | 
 15 |   listener {
 16 |     lb_port = 443
 17 |     lb_protocol = "https"
 18 |     instance_port = 8080
 19 |     instance_protocol = "http"
 20 |     ssl_certificate_id = "${aws_iam_server_certificate.wildcard.arn}"
 21 |   }
 22 | 
 23 |   listener {
 24 |     lb_port = 80
 25 |     lb_protocol = "http"
 26 |     instance_port = 8080
 27 |     instance_protocol = "http"
 28 |   }
 29 | 
 30 |   health_check {
 31 |     healthy_threshold = 5
 32 |     unhealthy_threshold = 2
 33 |     timeout = 3
 34 |     target = "TCP:8080"
 35 |     interval = 30
 36 |   }
 37 | 
 38 |   tags {
 39 |       Name = "${var.cluster_name}-elb-ci"
 40 |   }
 41 | }
 42 | 
 43 | # Upload a example/demo wildcard cert
 44 | resource "aws_iam_server_certificate" "wildcard" {
 45 |   name = "${var.app_domain}"
 46 |   certificate_body = "${file("${var.ci_cert}")}"
 47 |   certificate_chain = "${file("${var.ci_cert_chain}")}"
 48 |   private_key = "${file("${var.ci_cert_key}")}"
 49 | 
 50 |   lifecycle {
 51 |     create_before_destroy = true
 52 |   }
 53 | 
 54 |   provisioner "local-exec" {
 55 |     command = <<EOF
 56 | echo # Sleep 10 secends so that aws_iam_server_certificate.wildcard is truely setup by aws iam service
 57 | echo # See https://github.com/hashicorp/terraform/issues/2499 (terraform ~v0.6.1)
 58 | sleep 10
 59 | EOF
 60 |   }
 61 | }
 62 | 
 63 | resource "aws_security_group" "elb_ci"  {
 64 |     name = "${var.cluster_name}-elb-ci"
 65 |     vpc_id = "${var.cluster_vpc_id}"
 66 |     description = "${var.cluster_name} elb-ci"
 67 | 
 68 |     # Allow all outbound traffic
 69 |     egress {
 70 |       from_port = 0
 71 |       to_port = 0
 72 |       protocol = "-1"
 73 |       cidr_blocks = ["0.0.0.0/0"]
 74 |     }
 75 | 
 76 |     ingress {
 77 |       from_port = 80
 78 |       to_port = 80
 79 |       protocol = "tcp"
 80 |       cidr_blocks = ["0.0.0.0/0"]
 81 |     }
 82 | 
 83 |     ingress {
 84 |       from_port = 443
 85 |       to_port = 443
 86 |       protocol = "tcp"
 87 |       cidr_blocks = ["0.0.0.0/0"]
 88 |     }
 89 | 
 90 |     tags {
 91 |       Name = "${var.cluster_name}-elb-ci"
 92 |     }
 93 | }
 94 | 
 95 | # DNS registration
 96 | resource "aws_route53_record" "private-ci" {
 97 |   zone_id = "${var.route53_private_zone_id}"
 98 |   name = "ci"
 99 |   type = "A"
100 |   
101 |   alias {
102 |     name = "${aws_elb.ci.dns_name}"
103 |     zone_id = "${aws_elb.ci.zone_id}"
104 |     evaluate_target_health = true
105 |   }
106 | }
107 | resource "aws_route53_record" "public-ci" {
108 |   zone_id = "${var.route53_public_zone_id}"
109 |   name = "ci"
110 |   type = "A"
111 |   
112 |   alias {
113 |     name = "${aws_elb.ci.dns_name}"
114 |     zone_id = "${aws_elb.ci.zone_id}"
115 |     evaluate_target_health = true
116 |   }
117 | }
118 | 
119 | output "security_group_elb" {
120 |     value = "${aws_security_group.elb_ci.id}"
121 | }
122 | output "elb_name" {
123 |     value = "${aws_elb.ci.id}"
124 | }
125 | 


--------------------------------------------------------------------------------
/resources/terraforms/elb-dockerhub/dockerhub.tf:
--------------------------------------------------------------------------------
 1 | #
 2 | # ELB for dockerhub
 3 | #
 4 | 
 5 | variable "dockerhub_cert" { default = "certs/site.pem" }
 6 | variable "dockerhub_cert_chain" { default = "certs/rootCA.pem" }
 7 | variable "dockerhub_cert_key" { default = "certs/site-key.pem" }
 8 | 
 9 | resource "aws_elb" "dockerhub" {
10 |   name = "dockerhub-elb"
11 |   depends_on = "aws_iam_server_certificate.wildcard"
12 |   
13 |   security_groups = [ "${aws_security_group.elb.id}" ]
14 |   subnets = ["${var.elb_subnet_0_id}","${var.elb_subnet_1_id}","${var.elb_subnet_2_id}"]
15 |   
16 |   listener {
17 |     lb_port = 443
18 |     lb_protocol = "https"
19 |     instance_port = 5080
20 |     instance_protocol = "http"
21 |     ssl_certificate_id = "${aws_iam_server_certificate.wildcard.arn}"
22 |   }
23 | 
24 |   health_check {
25 |     healthy_threshold = 5
26 |     unhealthy_threshold = 2
27 |     timeout = 3
28 |     target = "HTTP:5080/_ping"
29 |     interval = 30
30 |   }
31 | }
32 | 
33 | # Upload a example/demo wildcard cert
34 | resource "aws_iam_server_certificate" "wildcard" {
35 |   name = "wildcard"
36 |   certificate_body = "${file("${var.dockerhub_cert}")}"
37 |   certificate_chain = "${file("${var.dockerhub_cert_chain}")}"
38 |   private_key = "${file("${var.dockerhub_cert_key}")}"
39 | 
40 |   provisioner "local-exec" {
41 |     command = <<EOF
42 | echo # Sleep 10 secends so that aws_iam_server_certificate.wildcard is truely setup by aws iam service
43 | echo # See https://github.com/hashicorp/terraform/issues/2499 (terraform ~v0.6.1)
44 | sleep 10
45 | EOF
46 |   }
47 | }
48 | 
49 | /*
50 | # DNS registration
51 | resource "aws_route53_record" "private-dockerhub" {
52 |   zone_id = "${var.route53_private_zone_id}"
53 |   name = "dockerhub"
54 |   type = "A"
55 |   
56 |   alias {
57 |     name = "${aws_elb.dockerhub.dns_name}"
58 |     zone_id = "${aws_elb.dockerhub.zone_id}"
59 |     evaluate_target_health = true
60 |   }
61 | }
62 | resource "aws_route53_record" "public-dockerhub" {
63 |   zone_id = "${var.route53_public_zone_id}"
64 |   name = "dockerhub"
65 |   type = "A"
66 |   
67 |   alias {
68 |     name = "${aws_elb.dockerhub.dns_name}"
69 |     zone_id = "${aws_elb.dockerhub.zone_id}"
70 |     evaluate_target_health = true
71 |   }
72 | }
73 | */
74 | 
75 | output "dockerhub_elb_id" {
76 |     value = "${aws_elb.dockerhub.id}"
77 | }
78 | 


--------------------------------------------------------------------------------
/resources/terraforms/etcd/etcd.tf:
--------------------------------------------------------------------------------
  1 | module "etcd" {
  2 |   source = "../../modules/cluster"
  3 | 
  4 |   # cluster varaiables
  5 |   asg_name = "etcd"
  6 |   cluster_name = "${var.cluster_name}"
  7 |   # a list of subnet IDs to launch resources in.
  8 |   cluster_vpc_zone_identifiers = "${var.etcd_subnet_0_id},${var.etcd_subnet_1_id},${var.etcd_subnet_2_id}"
  9 |   # for etcd, cluster_min_size = cluster_max_size = cluster_desired_capacity = <odd number>
 10 |   cluster_min_size = 1
 11 |   cluster_max_size = 1
 12 |   cluster_desired_capacity = 1
 13 |   cluster_security_groups = "${aws_security_group.etcd.id}"
 14 | 
 15 |   # Instance specifications
 16 |   ami = "${var.ami}"
 17 |   image_type = "t2.small"
 18 |   keypair = "${var.cluster_name}-etcd"
 19 | 
 20 |   # Note: currently etcd launch_configuration devices can NOT be changed after etcd cluster is up
 21 |   # See https://github.com/hashicorp/terraform/issues/2910
 22 |   # Instance disks
 23 |   root_volume_type = "gp2"
 24 |   root_volume_size = 12
 25 |   docker_volume_type = "gp2"
 26 |   docker_volume_size = 12 
 27 |   data_volume_type = "gp2"
 28 |   data_volume_size = 100
 29 | 
 30 |   user_data = "${file("../cloud-config/s3-cloudconfig-bootstrap.sh")}"
 31 |   iam_role_policy = "${data.template_file.etcd_policy_json.rendered}"
 32 | }
 33 | 
 34 | # Upload CoreOS cloud-config to a s3 bucket; s3-cloudconfig-bootstrap script in user-data will download 
 35 | # the cloud-config upon reboot to configure the system. This avoids rebuilding machines when 
 36 | # changing cloud-config.
 37 | resource "aws_s3_bucket_object" "etcd_cloud_config" {
 38 |   bucket = "${var.s3_cloudinit_bucket}"
 39 |   key = "etcd/cloud-config.yaml"
 40 |   content = "${data.template_file.etcd_cloud_config.rendered}"
 41 | }
 42 | 
 43 | data "template_file" "etcd_cloud_config" {
 44 |     template = "${file("../cloud-config/etcd.yaml.tmpl")}"
 45 |     vars {
 46 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 47 |         "AWS_USER" = "${var.deployment_user}"
 48 |         "AWS_ACCESS_KEY_ID" = "${var.deployment_key_id}"
 49 |         "AWS_SECRET_ACCESS_KEY" = "${var.deployment_key_secret}"
 50 |         "AWS_DEFAULT_REGION" = "${var.aws_account["default_region"]}"
 51 |         "CLUSTER_NAME" = "${var.cluster_name}"
 52 |         "APP_REPOSITORY" = "${var.app_repository}"
 53 |         "GIT_SSH_COMMAND" = "\"${var.git_ssh_command}\""
 54 |     }
 55 | }
 56 | 
 57 | data "template_file" "etcd_policy_json" {
 58 |     template = "${file("../policies/etcd_policy.json")}"
 59 |     vars {
 60 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 61 |         "CLUSTER_NAME" = "${var.cluster_name}"
 62 |     }
 63 | }
 64 | 
 65 | resource "aws_security_group" "etcd"  {
 66 |   name = "${var.cluster_name}-etcd"
 67 |   vpc_id = "${var.cluster_vpc_id}"
 68 |   description = "etcd"
 69 |   # Hacker's note: the cloud_config has to be uploaded to s3 before instances fireup
 70 |   # but module can't have 'depends_on', so we have to make 
 71 |   # this indrect dependency through security group
 72 |   depends_on = ["aws_s3_bucket_object.etcd_cloud_config"]
 73 |   lifecycle { create_before_destroy = true }
 74 | 
 75 |   # Allow all outbound traffic
 76 |   egress {
 77 |     from_port = 0
 78 |     to_port = 0
 79 |     protocol = "-1"
 80 |     cidr_blocks = ["0.0.0.0/0"]
 81 |   }
 82 | 
 83 |   # Allow etcd peers to communicate, include etcd proxies
 84 |   ingress {
 85 |     from_port = 2380
 86 |     to_port = 2380
 87 |     protocol = "tcp"
 88 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
 89 |   }
 90 | 
 91 |   # Allow etcd clients to communicate
 92 |   ingress {
 93 |     from_port = 2379
 94 |     to_port = 2379
 95 |     protocol = "tcp"
 96 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
 97 |   }
 98 | 
 99 |   # Allow SSH from my hosts
100 |   ingress {
101 |     from_port = 22
102 |     to_port = 22
103 |     protocol = "tcp"
104 |     cidr_blocks = ["${split(",", var.allow_ssh_cidr)}"]
105 |     self = true
106 |   }
107 | 
108 |   tags {
109 |     Name = "${var.cluster_name}-etcd"
110 |   }
111 | }
112 | 
113 | output "etcd_security_group" { value = "${aws_security_group.etcd.id}" }
114 | 


--------------------------------------------------------------------------------
/resources/terraforms/iam/iam.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # deployment user for elb registrations, s3 access, efs mount etc.
 3 | resource "aws_iam_user" "deployment" {
 4 |     name = "${var.cluster_name}-deployment"
 5 |     path = "/system/"   
 6 | }
 7 | resource "aws_iam_user_policy" "deployment" {
 8 |     name = "${aws_iam_user.deployment.name}"
 9 |     user = "${aws_iam_user.deployment.name}"
10 |     policy = "${file("../policies/deployment_policy.json")}"
11 | }
12 | 
13 | resource "aws_iam_policy_attachment" "efs-readonly" {
14 |     name = "efs-readonly"
15 |     users = ["${aws_iam_user.deployment.name}"]
16 |     policy_arn = "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess"
17 | }
18 | 
19 | # Save deployment credetials to config bucket
20 | # TODO: add encryption
21 | resource "aws_s3_bucket_object" "aws_deployment_id" {
22 |     bucket = "${var.s3_config_bucket}"
23 |     key = "credentials/deployment/id"
24 |     content = "${aws_iam_access_key.deployment.id}"
25 | }
26 | 
27 | resource "aws_s3_bucket_object" "aws_deployment_key" {
28 |     bucket = "${var.s3_config_bucket}"
29 |     key = "credentials/deployment/key"
30 |     content = "${aws_iam_access_key.deployment.secret}"
31 | }
32 | 
33 | resource "aws_iam_access_key" "deployment" {
34 |     user = "${aws_iam_user.deployment.name}"
35 | }
36 | 
37 | output "deployment_user" { 
38 |     value = "${aws_iam_user.deployment.name}"
39 | }
40 | output "deployment_key_id" {
41 |     sensitive = true
42 |     value = "${aws_iam_access_key.deployment.id}"
43 | }
44 | output "deployment_key_secret" {
45 |     sensitive = true
46 |     value = "${aws_iam_access_key.deployment.secret}" 
47 | }
48 | 


--------------------------------------------------------------------------------
/resources/terraforms/rds/mysql.tf:
--------------------------------------------------------------------------------
 1 | variable "mysql_db_user" { default = "root" }
 2 | variable "mysql_db_password" { default = "dbchangeme" }
 3 | 
 4 | resource "aws_db_instance" "cluster-mysql" {
 5 |     identifier = "${var.cluster_name}-mysql"
 6 |     allocated_storage = 10
 7 |     engine = "mysql"
 8 |     instance_class = "db.t2.medium"
 9 |     storage_type = "gp2"
10 |     name = "master"
11 |     username = "${var.mysql_db_user}"
12 |     password = "${var.mysql_db_password}"
13 |     multi_az = "false" 
14 |     availability_zone = "${var.rds_subnet_0_az}"
15 |     port = "3306"
16 |     publicly_accessible = "true"
17 |     backup_retention_period = "7"
18 |     maintenance_window = "tue:10:33-tue:11:03"
19 |     backup_window = "09:19-10:10"
20 |     vpc_security_group_ids = [ "${aws_security_group.rds.id}" ]
21 |     db_subnet_group_name = "${aws_db_subnet_group.cluster_db.id}"
22 | }
23 | 
24 | # Register with Route53
25 | 
26 | # Create record in ${var.app_domain} zone
27 | resource "aws_route53_record" "mysqldb" {
28 |     zone_id = "${var.route53_public_zone_id}"
29 |     name = "mysqldb.${var.app_domain}"
30 |     type = "CNAME"
31 |     ttl = "60"
32 |     records = [ "${aws_db_instance.cluster-mysql.address}" ]
33 | }
34 | 
35 | output "db_instance_cluster_mysql_name" {
36 |     value = "${aws_db_instance.cluster-mysql.name}"
37 | }
38 | output "db_instance_cluster_mysql_username" {
39 |     value = "${aws_db_instance.cluster-mysql.username}"
40 | }
41 | output "mysql_db_password" {
42 |     sensitive = true
43 |     value = "${var.mysql_db_password}"
44 | }
45 | output "db_instance_cluster_mysql_address" {
46 |     value = "${aws_db_instance.cluster-mysql.address}"
47 | }
48 | output "db_instance_cluster_mysql_endpoint" {
49 |     value = "${aws_db_instance.cluster-mysql.endpoint}"
50 | }


--------------------------------------------------------------------------------
/resources/terraforms/rds/postgres.tf:
--------------------------------------------------------------------------------
 1 | variable "postgres_db_user" { default = "root" }
 2 | variable "postgres_db_password" { default = "dbchangeme" }
 3 | 
 4 | resource "aws_db_instance" "cluster-postgres" {
 5 |     identifier = "${var.cluster_name}-postgres"
 6 |     allocated_storage = 10
 7 |     engine = "postgres"
 8 |     #engine_version = "9.5.2"
 9 |     instance_class = "db.t2.medium"
10 |     storage_type = "gp2"
11 |     name = "master"
12 |     username = "${var.postgres_db_user}"
13 |     password = "${var.postgres_db_password}"
14 |     multi_az = "false" 
15 |     availability_zone = "${var.rds_subnet_0_az}"
16 |     port = "5432"
17 |     publicly_accessible = "true"
18 |     backup_retention_period = "7"
19 |     maintenance_window = "tue:10:33-tue:11:03"
20 |     backup_window = "09:19-10:10"
21 |     vpc_security_group_ids = [ "${aws_security_group.rds.id}" ]
22 |     db_subnet_group_name = "${aws_db_subnet_group.cluster_db.id}"
23 | }
24 | 
25 | # Register with Route53
26 | # Create record in ${var.app_domain} zone
27 | resource "aws_route53_record" "postgresdb" {
28 |     zone_id = "${var.route53_public_zone_id}"
29 |     name = "postgresdb.${var.app_domain}"
30 |     type = "CNAME"
31 |     ttl = "60"
32 |     records = [ "${aws_db_instance.cluster-postgres.address}" ]
33 | }
34 | 
35 | output "db_instance_cluster_postgres_name" {
36 |     value = "${aws_db_instance.cluster-postgres.name}"
37 | }
38 | output "db_instance_cluster_postgres_username" {
39 |     value = "${aws_db_instance.cluster-postgres.username}"
40 | }
41 | output "postgres_db_password" {
42 |     sensitive = true
43 |     value = "${var.postgres_db_password}"
44 | }
45 | output "db_instance_cluster_postgres_address" {
46 |     value = "${aws_db_instance.cluster-postgres.address}"
47 | }
48 | output "db_instance_cluster_postgres_endpoint" {
49 |     value = "${aws_db_instance.cluster-postgres.endpoint}"
50 | }
51 | 


--------------------------------------------------------------------------------
/resources/terraforms/rds/security-group.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_db_subnet_group" "cluster_db" {
 2 |     name = "${var.cluster_name}-db"
 3 |     description = "db subnets for ${var.cluster_name} applications"
 4 |     subnet_ids = ["${var.rds_subnet_0_id}","${var.rds_subnet_1_id}","${var.rds_subnet_2_id}"]
 5 | }
 6 | 
 7 | resource "aws_security_group" "rds"  {
 8 |     name = "rds"
 9 |     vpc_id = "${var.cluster_vpc_id}"
10 |     description = "rds SG"
11 | 
12 |     # Allow all outbound traffic
13 |     egress {
14 |       from_port = 0
15 |       to_port = 0
16 |       protocol = "-1"
17 |       cidr_blocks = ["0.0.0.0/0"]
18 |     }
19 | 
20 |     # Allow MySQL access
21 |     ingress {
22 |       from_port = 3306
23 |       to_port = 3306
24 |       protocol = "tcp"
25 |       cidr_blocks = ["${var.cluster_vpc_cidr}", "${split(",", var.allow_ssh_cidr)}"]
26 |     }
27 |     # Allow PostgresSQL access
28 |     ingress {
29 |       from_port = 5432
30 |       to_port = 5432
31 |       protocol = "tcp" 
32 |       cidr_blocks = ["${var.cluster_vpc_cidr}", "${split(",", var.allow_ssh_cidr)}"]
33 |     }
34 | }
35 | 


--------------------------------------------------------------------------------
/resources/terraforms/route53/route53.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_route53_zone" "public" {
 2 |     name = "${var.app_domain}"
 3 | 
 4 |     tags {
 5 |         Name = "${var.app_domain}"
 6 |     }
 7 | }
 8 | 
 9 | resource "aws_route53_zone" "private" {
10 |     name = "cluster.local"   
11 |     vpc_id = "${var.cluster_vpc_id}"
12 | 
13 |     tags {
14 |         Name = "cluster.local"
15 |     }
16 | }
17 | 
18 | output "route53_public_zone_id"  { value = "${aws_route53_zone.public.id}" }
19 | output "route53_private_zone_id" { value = "${aws_route53_zone.private.id}" }
20 | 


--------------------------------------------------------------------------------
/resources/terraforms/s3/s3.tf:
--------------------------------------------------------------------------------
 1 | # s3 bucket for initial-cluster etcd proxy discovery
 2 | # and two-stage cloudinit user-data files
 3 | resource "aws_s3_bucket" "cloudinit" {
 4 |     bucket = "${var.aws_account["id"]}-${var.cluster_name}-cloudinit"
 5 |     acl = "private"
 6 |     force_destroy = true
 7 |     tags {
 8 |         Name = "Cloudinit"
 9 |     }
10 | }
11 | # s3 bucket for application configuration, code, units etcd. Shared by all cluster nodes
12 | resource "aws_s3_bucket" "config" {
13 |     bucket = "${var.aws_account["id"]}-${var.cluster_name}-config"
14 |     force_destroy = true
15 |     acl = "private"
16 |     tags {
17 |         Name = "Config"
18 |     }
19 | }
20 | 
21 | # s3 bucket for jenkins backup data
22 | resource "aws_s3_bucket" "jenkins" {
23 |     bucket = "${var.aws_account["id"]}-${var.cluster_name}-jenkins"
24 |     force_destroy = true
25 |     acl = "private"
26 |     tags {
27 |         Name = "Jenkins"
28 |     }
29 | }
30 | 
31 | # s3 bucket for private docker registry
32 | resource "aws_s3_bucket" "dockerhub" {
33 |     bucket = "${var.aws_account["id"]}-${var.cluster_name}-dockerhub"
34 |     force_destroy = true
35 |     acl = "private"
36 |     tags {
37 |         Name = "Dockerhub"
38 |     }
39 | }
40 | 
41 | # s3 bucket for log data backup
42 | resource "aws_s3_bucket" "logs" {
43 |     bucket = "${var.aws_account["id"]}-${var.cluster_name}-logs"
44 |     force_destroy = true
45 |     acl = "private"
46 |     tags {
47 |         Name = "Logs"
48 |     }
49 | }
50 | 
51 | output "s3_cloudinit_bucket" { value = "${aws_s3_bucket.cloudinit.id}" }
52 | output "s3_config_bucket" { value = "${aws_s3_bucket.config.id}" }
53 | output "s3_jenkins_bucket" { value = "${aws_s3_bucket.jenkins.id}" }
54 | output "s3_dockerhub_bucket" { value = "${aws_s3_bucket.dockerhub.id}" }
55 | output "s3_logs_bucket" { value = "${aws_s3_bucket.logs.id}" }


--------------------------------------------------------------------------------
/resources/terraforms/vault/elb.tf:
--------------------------------------------------------------------------------
  1 | #
  2 | # ELB for Vault
  3 | 
  4 | # Upload a example/demo wildcard cert
  5 | resource "aws_iam_server_certificate" "wildcard" {
  6 |   name_prefix = "vault-"
  7 |   certificate_body = "${file("${var.vault_cert}")}"
  8 |   certificate_chain = "${file("${var.vault_cert_chain}")}"
  9 |   private_key = "${file("${var.vault_cert_key}")}"
 10 | 
 11 |   lifecycle {
 12 |     create_before_destroy = true
 13 |   }
 14 | 
 15 |   provisioner "local-exec" {
 16 |     command = <<EOF
 17 | echo # Sleep 10 secends so that aws_iam_server_certificate.wildcard is truely setup by aws iam service
 18 | echo # See https://github.com/hashicorp/terraform/issues/2499 (terraform ~v0.6.1)
 19 | sleep 10
 20 | EOF
 21 |   }
 22 | }
 23 | 
 24 | resource "aws_security_group" "elb_vault"  {
 25 |     name = "${var.cluster_name}-elb-vault"
 26 |     vpc_id = "${var.cluster_vpc_id}"
 27 |     description = "${var.cluster_name} elb-vault"
 28 | 
 29 |     # Allow all outbound traffic
 30 |     egress {
 31 |       from_port = 0
 32 |       to_port = 0
 33 |       protocol = "-1"
 34 |       cidr_blocks = ["0.0.0.0/0"]
 35 |     }
 36 |     ingress {
 37 |       from_port = 22
 38 |       to_port = 22
 39 |       protocol = "tcp"
 40 |       cidr_blocks = ["0.0.0.0/0"]
 41 |     }
 42 |     ingress {
 43 |       from_port = 80
 44 |       to_port = 80
 45 |       protocol = "tcp"
 46 |       cidr_blocks = ["0.0.0.0/0"]
 47 |     }
 48 | 
 49 |     ingress {
 50 |       from_port = 443
 51 |       to_port = 443
 52 |       protocol = "tcp"
 53 |       cidr_blocks = ["0.0.0.0/0"]
 54 |     }
 55 | 
 56 |     tags {
 57 |       Name = "${var.cluster_name}-elb-vault"
 58 |     }
 59 | }
 60 | 
 61 | resource "aws_elb" "vault" {
 62 |     name = "vault"
 63 |     connection_draining = true
 64 |     connection_draining_timeout = 400
 65 |     internal = true
 66 |     subnets = ["${var.elb_subnet_0_id}","${var.elb_subnet_1_id}"]
 67 |     security_groups = ["${aws_security_group.elb.id}"]
 68 | 
 69 |     listener {
 70 |         instance_port = 8200
 71 |         instance_protocol = "tcp"
 72 |         lb_port = 80
 73 |         lb_protocol = "tcp"
 74 |     }
 75 | 
 76 |     listener {
 77 |         instance_port = 8200
 78 |         instance_protocol = "tcp"
 79 |         lb_port = 443
 80 |         lb_protocol = "tcp"
 81 |     }
 82 | 
 83 |     health_check {
 84 |         healthy_threshold = 2
 85 |         unhealthy_threshold = 3
 86 |         timeout = 5
 87 |         target = "${var.elb-health-check}"
 88 |         interval = 15
 89 |     }
 90 | 
 91 |     tags {
 92 |       Name = "${var.cluster_name}-elb-vault"
 93 |     }
 94 | }
 95 | 
 96 | resource "aws_security_group" "elb" {
 97 |     name = "vault-elb"
 98 |     description = "Vault ELB"
 99 |     vpc_id = "${var.cluster_vpc_id}"
100 | }
101 | 
102 | resource "aws_security_group_rule" "vault-elb-http" {
103 |     security_group_id = "${aws_security_group.elb.id}"
104 |     type = "ingress"
105 |     from_port = 80
106 |     to_port = 80
107 |     protocol = "tcp"
108 |     cidr_blocks = ["0.0.0.0/0"]
109 | }
110 | 
111 | resource "aws_security_group_rule" "vault-elb-https" {
112 |     security_group_id = "${aws_security_group.elb.id}"
113 |     type = "ingress"
114 |     from_port = 443
115 |     to_port = 443
116 |     protocol = "tcp"
117 |     cidr_blocks = ["0.0.0.0/0"]
118 | }
119 | 
120 | resource "aws_security_group_rule" "vault-elb-egress" {
121 |     security_group_id = "${aws_security_group.elb.id}"
122 |     type = "egress"
123 |     from_port = 0
124 |     to_port = 0
125 |     protocol = "-1"
126 |     cidr_blocks = ["0.0.0.0/0"]
127 | }
128 | 
129 | /*
130 | # DNS registration
131 | resource "aws_route53_record" "private-vault" {
132 |   zone_id = "${var.route53_private_zone_id}"
133 |   name = "vault"
134 |   type = "A"
135 |   
136 |   alias {
137 |     name = "${aws_elb.vault.dns_name}"
138 |     zone_id = "${aws_elb.vault.zone_id}"
139 |     evaluate_target_health = true
140 |   }
141 | }
142 | resource "aws_route53_record" "public-vault" {
143 |   zone_id = "${var.route53_public_zone_id}"
144 |   name = "vault"
145 |   type = "A"
146 |   
147 |   alias {
148 |     name = "${aws_elb.vault.dns_name}"
149 |     zone_id = "${aws_elb.vault.zone_id}"
150 |     evaluate_target_health = true
151 |   }
152 | }
153 | */
154 | output "security_group_elb_vault" {
155 |     value = "${aws_security_group.elb_vault.id}"
156 | }
157 | output "elb_name" {
158 |     value = "${aws_elb.vault.id}"
159 | }
160 | 


--------------------------------------------------------------------------------
/resources/terraforms/vault/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "vault_release_url" {
 2 |   default = "https://releases.hashicorp.com/vault/0.6.4/vault_0.6.4_linux_amd64.zip"
 3 | }
 4 | variable "vault_cert" { default = "../certs/site.pem" }
 5 | variable "vault_cert_chain" { default = "../certs/rootCA.pem" }
 6 | variable "vault_cert_key" { default = "../certs/site-key.pem" }
 7 | #  Use TCP because we use TLS. 
 8 | variable "elb-health-check" {
 9 |     default = "TCP:8200"
10 |     description = "Health check for Vault servers"
11 | }
12 | 
13 | 


--------------------------------------------------------------------------------
/resources/terraforms/vault/vault.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | module "vault" {
  3 |   source = "../../modules/asg-with-elb"
  4 | 
  5 |   # cluster varaiables
  6 |   asg_name = "vault"
  7 |   cluster_name = "${var.cluster_name}"
  8 |   # a list of subnet IDs to launch resources in.
  9 |   cluster_vpc_zone_identifiers = "${var.vault_subnet_0_id},${var.vault_subnet_1_id},${var.vault_subnet_2_id}"
 10 |   # for vault, cluster_min_size = cluster_max_size = cluster_desired_capacity = <odd number>
 11 |   cluster_min_size = 3
 12 |   cluster_max_size = 3
 13 |   cluster_desired_capacity = 3
 14 |   cluster_security_groups = "${aws_security_group.vault.id}"
 15 |   load_balancers = "${aws_elb.vault.id}"
 16 | 
 17 |   # Instance specifications
 18 |   ami = "${var.ami}"
 19 |   image_type = "m3.medium"
 20 |   keypair = "${var.cluster_name}-vault"
 21 | 
 22 |   # Note: currently vault launch_configuration devices can NOT be changed after vault cluster is up
 23 |   # See https://github.com/hashicorp/terraform/issues/2910
 24 |   # Instance disks
 25 |   root_volume_type = "gp2"
 26 |   root_volume_size = 12
 27 |   docker_volume_type = "gp2"
 28 |   docker_volume_size = 12 
 29 |   data_volume_type = "gp2"
 30 |   data_volume_size = 100
 31 | 
 32 |   user_data = "${file("../cloud-config/s3-cloudconfig-bootstrap.sh")}"
 33 |   iam_role_policy = "${data.template_file.vault_policy_json.rendered}"
 34 | }
 35 | 
 36 | # Upload CoreOS cloud-config to a s3 bucket; s3-cloudconfig-bootstrap script in user-data will download 
 37 | # the cloud-config upon reboot to configure the system. This avoids rebuilding machines when 
 38 | # changing cloud-config.
 39 | resource "aws_s3_bucket_object" "vault_cloud_config" {
 40 |   bucket = "${var.s3_cloudinit_bucket}"
 41 |   key = "vault/cloud-config.yaml"
 42 |   content = "${data.template_file.vault_cloud_config.rendered}"
 43 | }
 44 | 
 45 | data "template_file" "vault_cloud_config" {
 46 |     template = "${file("../cloud-config/vault.yaml.tmpl")}"
 47 |     vars {
 48 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 49 |         "AWS_USER" = "${var.deployment_user}"
 50 |         "AWS_ACCESS_KEY_ID" = "${var.deployment_key_id}"
 51 |         "AWS_SECRET_ACCESS_KEY" = "${var.deployment_key_secret}"
 52 |         "AWS_DEFAULT_REGION" = "${var.aws_account["default_region"]}"
 53 |         "CLUSTER_NAME" = "${var.cluster_name}"
 54 |         "APP_REPOSITORY" = "${var.app_repository}"
 55 |         "GIT_SSH_COMMAND" = "\"${var.git_ssh_command}\""
 56 |         "VAULT_RELEASE_URL" = "${var.vault_release_url}"
 57 |   }
 58 | }
 59 | 
 60 | data "template_file" "vault_policy_json_test" {
 61 |     template = "${file("../policies/vault_policy.json")}"
 62 |     vars {
 63 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 64 |         "CLUSTER_NAME" = "${var.cluster_name}"
 65 |     }
 66 | }
 67 | 
 68 | data "template_file" "vault_policy_json" {
 69 |     template = "${file("../policies/vault_policy.json")}"
 70 |     vars {
 71 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 72 |         "CLUSTER_NAME" = "${var.cluster_name}"
 73 |     }
 74 | }
 75 | 
 76 | // Security group for Vault allows SSH and HTTP access (via "tcp" in
 77 | // case TLS is used)
 78 | resource "aws_security_group" "vault" {
 79 |     name = "vault"
 80 |     description = "Vault servers"
 81 |     vpc_id = "${var.cluster_vpc_id}"
 82 |     tags {
 83 |         Name = "${var.cluster_name}-vault"
 84 |     }
 85 | }
 86 | 
 87 | resource "aws_security_group_rule" "vault-ssh" {
 88 |     security_group_id = "${aws_security_group.vault.id}"
 89 |     type = "ingress"
 90 |     from_port = 22
 91 |     to_port = 22
 92 |     protocol = "tcp"
 93 |     cidr_blocks = ["${split(",", var.allow_ssh_cidr)}"]
 94 | }
 95 | 
 96 | # Allow etcd client to communicate
 97 | resource "aws_security_group_rule" "vault-etcd" {
 98 |     security_group_id = "${aws_security_group.vault.id}"
 99 |     type = "ingress"
100 |     from_port = 2380
101 |     to_port = 2380
102 |     protocol = "tcp"
103 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
104 | }
105 | 
106 | # Allow etcd peers to communicate
107 | resource "aws_security_group_rule" "vault-etcd-peer" {
108 |     security_group_id = "${aws_security_group.vault.id}"
109 |     type = "ingress"
110 |     from_port = 2379
111 |     to_port = 2379
112 |     protocol = "tcp"
113 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
114 | }
115 | 
116 | // This rule allows Vault HTTP API access to individual nodes, since each will
117 | // need to be addressed individually for unsealing.
118 | resource "aws_security_group_rule" "vault-http-api" {
119 |     security_group_id = "${aws_security_group.vault.id}"
120 |     type = "ingress"
121 |     from_port = 8200
122 |     to_port = 8200
123 |     protocol = "tcp"
124 |     cidr_blocks = ["0.0.0.0/0"]
125 | }
126 | 
127 | resource "aws_security_group_rule" "vault-egress" {
128 |     security_group_id = "${aws_security_group.vault.id}"
129 |     type = "egress"
130 |     from_port = 0
131 |     to_port = 0
132 |     protocol = "-1"
133 |     cidr_blocks = ["0.0.0.0/0"]
134 | }
135 | 
136 | output "vault_security_group" { value = "${aws_security_group.vault.id}" }
137 | 


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc-subnet-admiral.tf:
--------------------------------------------------------------------------------
 1 | module "admiral_subnet_0" {
 2 |   source = "../../modules/subnet"
 3 | 
 4 |   subnet_name = "${var.cluster_name}-admiral_0"
 5 |   subnet_cidr = "10.10.2.0/26"
 6 |   subnet_az = "${data.aws_availability_zones.available.names[0]}"
 7 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
 8 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
 9 | }
10 | 
11 | module "admiral_subnet_1" {
12 |   source = "../../modules/subnet"
13 | 
14 |   subnet_name = "${var.cluster_name}-admiral_1"
15 |   subnet_cidr = "10.10.2.64/26"
16 |   subnet_az = "${data.aws_availability_zones.available.names[1]}"
17 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
18 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
19 | }
20 | 
21 | module "admiral_subnet_2" {
22 |   source = "../../modules/subnet"
23 | 
24 |   subnet_name = "${var.cluster_name}-admiral_2"
25 |   subnet_cidr = "10.10.2.128/26"
26 |   subnet_az = "${data.aws_availability_zones.available.names[2]}"
27 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
28 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
29 | }
30 | 
31 | output "admiral_subnet_0_id" { value = "${module.admiral_subnet_0.id}" }
32 | output "admiral_subnet_0_az" { value = "${module.admiral_subnet_0.az}" }
33 | output "admiral_subnet_1_id" { value = "${module.admiral_subnet_1.id}" }
34 | output "admiral_subnet_1_az" { value = "${module.admiral_subnet_1.az}" }
35 | output "admiral_subnet_2_id" { value = "${module.admiral_subnet_2.id}" }
36 | output "admiral_subnet_2_az" { value = "${module.admiral_subnet_2.az}" }


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc-subnet-elb.tf:
--------------------------------------------------------------------------------
 1 | module "elb_subnet_0" {
 2 |   source = "../../modules/subnet"
 3 | 
 4 |   subnet_name = "${var.cluster_name}-elb_0"
 5 |   subnet_cidr = "10.10.3.0/26"
 6 |   subnet_az = "${data.aws_availability_zones.available.names[0]}"
 7 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
 8 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
 9 | }
10 | 
11 | module "elb_subnet_1" {
12 |   source = "../../modules/subnet"
13 | 
14 |   subnet_name = "${var.cluster_name}-elb_1"
15 |   subnet_cidr = "10.10.3.64/26"
16 |   subnet_az = "${data.aws_availability_zones.available.names[1]}"
17 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
18 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
19 | }
20 | 
21 | module "elb_subnet_2" {
22 |   source = "../../modules/subnet"
23 | 
24 |   subnet_name = "${var.cluster_name}-elb_2"
25 |   subnet_cidr = "10.10.3.128/26"
26 |   subnet_az = "${data.aws_availability_zones.available.names[2]}"
27 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
28 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
29 | }
30 | 
31 | output "elb_subnet_0_id" { value = "${module.elb_subnet_0.id}" }
32 | output "elb_subnet_0_az" { value = "${module.elb_subnet_0.az}" }
33 | output "elb_subnet_1_id" { value = "${module.elb_subnet_1.id}" }
34 | output "elb_subnet_1_az" { value = "${module.elb_subnet_1.az}" }
35 | output "elb_subnet_2_id" { value = "${module.elb_subnet_2.id}" }
36 | output "elb_subnet_2_az" { value = "${module.elb_subnet_2.az}" }


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc-subnet-etcd.tf:
--------------------------------------------------------------------------------
 1 | module "etcd_subnet_0" {
 2 |   source = "../../modules/subnet"
 3 | 
 4 |   subnet_name = "${var.cluster_name}-etcd_0"
 5 |   subnet_cidr = "10.10.1.0/26"
 6 |   subnet_az = "${data.aws_availability_zones.available.names[0]}"
 7 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
 8 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
 9 | }
10 | 
11 | module "etcd_subnet_1" {
12 |   source = "../../modules/subnet"
13 | 
14 |   subnet_name = "${var.cluster_name}-etcd_1"
15 |   subnet_cidr = "10.10.1.64/26"
16 |   subnet_az = "${data.aws_availability_zones.available.names[1]}"
17 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
18 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
19 | }
20 | 
21 | module "etcd_subnet_2" {
22 |   source = "../../modules/subnet"
23 | 
24 |   subnet_name = "${var.cluster_name}-etcd_2"
25 |   subnet_cidr = "10.10.1.128/26"
26 |   subnet_az = "${data.aws_availability_zones.available.names[2]}"
27 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
28 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
29 | }
30 | 
31 | output "etcd_subnet_0_id" { value = "${module.etcd_subnet_0.id}" }
32 | output "etcd_subnet_0_az" { value = "${module.etcd_subnet_0.az}" }
33 | output "etcd_subnet_1_id" { value = "${module.etcd_subnet_1.id}" }
34 | output "etcd_subnet_1_az" { value = "${module.etcd_subnet_1.az}" }
35 | output "etcd_subnet_2_id" { value = "${module.etcd_subnet_2.id}" }
36 | output "etcd_subnet_2_az" { value = "${module.etcd_subnet_2.az}" }


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc-subnet-rds.tf:
--------------------------------------------------------------------------------
 1 | module "rds_subnet_0" {
 2 |   source = "../../modules/subnet"
 3 | 
 4 |   subnet_name = "${var.cluster_name}-rds_0"
 5 |   subnet_cidr = "10.10.4.0/26"
 6 |   subnet_az = "${data.aws_availability_zones.available.names[0]}"
 7 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
 8 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
 9 | }
10 | 
11 | module "rds_subnet_1" {
12 |   source = "../../modules/subnet"
13 | 
14 |   subnet_name = "${var.cluster_name}-rds_1"
15 |   subnet_cidr = "10.10.4.64/26"
16 |   subnet_az = "${data.aws_availability_zones.available.names[1]}"
17 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
18 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
19 | }
20 | 
21 | module "rds_subnet_2" {
22 |   source = "../../modules/subnet"
23 | 
24 |   subnet_name = "${var.cluster_name}-rds_2"
25 |   subnet_cidr = "10.10.4.128/26"
26 |   subnet_az = "${data.aws_availability_zones.available.names[2]}"
27 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
28 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
29 | }
30 | 
31 | output "rds_subnet_0_id" { value = "${module.rds_subnet_0.id}" }
32 | output "rds_subnet_0_az" { value = "${module.rds_subnet_0.az}" }
33 | output "rds_subnet_1_id" { value = "${module.rds_subnet_1.id}" }
34 | output "rds_subnet_1_az" { value = "${module.rds_subnet_1.az}" }
35 | output "rds_subnet_2_id" { value = "${module.rds_subnet_2.id}" }
36 | output "rds_subnet_2_az" { value = "${module.rds_subnet_2.az}" }


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc-subnet-vault.tf:
--------------------------------------------------------------------------------
 1 | module "vault_subnet_0" {
 2 |   source = "../../modules/subnet"
 3 | 
 4 |   subnet_name = "${var.cluster_name}-vault_0"
 5 |   subnet_cidr = "10.10.6.0/26"
 6 |   subnet_az = "${data.aws_availability_zones.available.names[0]}"
 7 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
 8 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
 9 | }
10 | 
11 | module "vault_subnet_1" {
12 |   source = "../../modules/subnet"
13 | 
14 |   subnet_name = "${var.cluster_name}-vault_1"
15 |   subnet_cidr = "10.10.6.64/26"
16 |   subnet_az = "${data.aws_availability_zones.available.names[1]}"
17 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
18 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
19 | }
20 | 
21 | module "vault_subnet_2" {
22 |   source = "../../modules/subnet"
23 | 
24 |   subnet_name = "${var.cluster_name}-vault_2"
25 |   subnet_cidr = "10.10.6.128/26"
26 |   subnet_az = "${data.aws_availability_zones.available.names[2]}"
27 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
28 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
29 | }
30 | 
31 | output "vault_subnet_0_id" { value = "${module.vault_subnet_0.id}" }
32 | output "vault_subnet_0_az" { value = "${module.vault_subnet_0.az}" }
33 | output "vault_subnet_1_id" { value = "${module.vault_subnet_1.id}" }
34 | output "vault_subnet_1_az" { value = "${module.vault_subnet_1.az}" }
35 | output "vault_subnet_2_id" { value = "${module.vault_subnet_2.id}" }
36 | output "vault_subnet_2_az" { value = "${module.vault_subnet_2.az}" }


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc-subnet-worker.tf:
--------------------------------------------------------------------------------
 1 | module "worker_subnet_0" {
 2 |   source = "../../modules/subnet"
 3 | 
 4 |   subnet_name = "${var.cluster_name}-worker_0"
 5 |   subnet_cidr = "10.10.5.0/26"
 6 |   subnet_az = "${data.aws_availability_zones.available.names[0]}"
 7 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
 8 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
 9 | }
10 | 
11 | module "worker_subnet_1" {
12 |   source = "../../modules/subnet"
13 | 
14 |   subnet_name = "${var.cluster_name}-worker_1"
15 |   subnet_cidr = "10.10.5.64/26"
16 |   subnet_az = "${data.aws_availability_zones.available.names[1]}"
17 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
18 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
19 | }
20 | 
21 | module "worker_subnet_2" {
22 |   source = "../../modules/subnet"
23 | 
24 |   subnet_name = "${var.cluster_name}-worker_2"
25 |   subnet_cidr = "10.10.5.128/26"
26 |   subnet_az = "${data.aws_availability_zones.available.names[2]}"
27 |   vpc_id = "${aws_vpc.cluster_vpc.id}"
28 |   route_table_id = "${aws_route_table.cluster_vpc.id}"
29 | }
30 | 
31 | output "worker_subnet_0_id" { value = "${module.worker_subnet_0.id}" }
32 | output "worker_subnet_0_az" { value = "${module.worker_subnet_0.az}" }
33 | output "worker_subnet_1_id" { value = "${module.worker_subnet_1.id}" }
34 | output "worker_subnet_1_az" { value = "${module.worker_subnet_1.az}" }
35 | output "worker_subnet_2_id" { value = "${module.worker_subnet_2.id}" }
36 | output "worker_subnet_2_az" { value = "${module.worker_subnet_2.az}" }


--------------------------------------------------------------------------------
/resources/terraforms/vpc/vpc.tf:
--------------------------------------------------------------------------------
 1 | data "aws_availability_zones" "available" {}
 2 | 
 3 | resource "aws_vpc" "cluster_vpc" {
 4 |     cidr_block = "10.10.0.0/16"
 5 | 
 6 |     enable_dns_support = true
 7 |     enable_dns_hostnames = true
 8 |     lifecycle {
 9 |         ignore_changes = ["tags"]
10 |     }
11 | 
12 |     tags {
13 |         Name = "${var.cluster_name}"
14 |     }
15 |     tags {
16 |         Created = "${var.timestamp}-${var.iamuser}-Terraform"
17 |     }
18 | }
19 | 
20 | resource "aws_internet_gateway" "cluster_vpc" {
21 |     vpc_id = "${aws_vpc.cluster_vpc.id}"
22 | 
23 |     tags {
24 |         Name = "${var.cluster_name}"
25 |     }
26 | }
27 | 
28 | resource "aws_route_table" "cluster_vpc" {
29 |     vpc_id = "${aws_vpc.cluster_vpc.id}"
30 |     route {
31 |         cidr_block = "0.0.0.0/0"
32 |         gateway_id = "${aws_internet_gateway.cluster_vpc.id}"
33 |     }
34 | 
35 |     tags {
36 |         Name = "${var.cluster_name}"
37 |     }
38 | }
39 | 
40 | resource "aws_vpc_endpoint" "s3" {
41 |     vpc_id = "${aws_vpc.cluster_vpc.id}"
42 |     service_name = "com.amazonaws.${var.aws_account["default_region"]}.s3"
43 |     route_table_ids = ["${aws_route_table.cluster_vpc.id}"]
44 | }
45 | 
46 | output "cluster_vpc_id" { value = "${aws_vpc.cluster_vpc.id}" }
47 | output "cluster_vpc_cidr" { value = "${aws_vpc.cluster_vpc.cidr_block}" }
48 | 


--------------------------------------------------------------------------------
/resources/terraforms/worker/worker.tf:
--------------------------------------------------------------------------------
  1 | module "worker" {
  2 |   source = "../../modules/cluster"
  3 | 
  4 |   # cluster varaiables
  5 |   cluster_name = "${var.cluster_name}"
  6 |   asg_name = "worker"
  7 |   # a list of subnet IDs to launch resources in.
  8 |   cluster_vpc_zone_identifiers = "${var.worker_subnet_0_id},${var.worker_subnet_1_id},${var.worker_subnet_2_id}"
  9 |   cluster_min_size = 1
 10 |   cluster_max_size = 2
 11 |   cluster_desired_capacity = 2
 12 |   cluster_security_groups = "${aws_security_group.worker.id}"
 13 | 
 14 |   # Instance specifications
 15 |   ami = "${var.ami}"
 16 |   image_type = "t2.micro"
 17 |   keypair = "${var.cluster_name}-worker"
 18 | 
 19 |   # Note: currently worker launch_configuration devices can NOT be changed after worker cluster is up
 20 |   # See https://github.com/hashicorp/terraform/issues/2910
 21 |   # Instance disks
 22 |   root_volume_type = "gp2"
 23 |   root_volume_size = 12
 24 |   docker_volume_type = "gp2"
 25 |   docker_volume_size = 12 
 26 |   data_volume_type = "gp2"
 27 |   data_volume_size = 100
 28 | 
 29 |   user_data = "${file("../cloud-config/s3-cloudconfig-bootstrap.sh")}"
 30 |   iam_role_policy = "${data.template_file.worker_policy_json.rendered}"
 31 | }
 32 | 
 33 | # Upload CoreOS cloud-config to a s3 bucket; s3-cloudconfig-bootstrap script in user-data will download 
 34 | # the cloud-config upon reboot to configure the system. This avoids rebuilding machines when 
 35 | # changing cloud-config.
 36 | resource "aws_s3_bucket_object" "worker_cloud_config" {
 37 |   bucket = "${var.s3_cloudinit_bucket}"
 38 |   key = "worker/cloud-config.yaml"
 39 |   content = "${data.template_file.worker_cloud_config.rendered}"
 40 | }
 41 | 
 42 | data "template_file" "worker_cloud_config" {
 43 |     template = "${file("../cloud-config/worker.yaml.tmpl")}"
 44 |     vars {
 45 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 46 |         "AWS_USER" = "${var.deployment_user}"
 47 |         "AWS_ACCESS_KEY_ID" = "${var.deployment_key_id}"
 48 |         "AWS_SECRET_ACCESS_KEY" = "${var.deployment_key_secret}"
 49 |         "AWS_DEFAULT_REGION" = "${var.aws_account["default_region"]}"
 50 |         "CLUSTER_NAME" = "${var.cluster_name}"
 51 |         "APP_REPOSITORY" = "${var.app_repository}"
 52 |         "GIT_SSH_COMMAND" = "\"${var.git_ssh_command}\""
 53 |     }
 54 | }
 55 | 
 56 | data "template_file" "worker_policy_json" {
 57 |     template = "${file("../policies/worker_policy.json")}"
 58 |     vars {
 59 |         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
 60 |         "CLUSTER_NAME" = "${var.cluster_name}"
 61 |     }
 62 | }
 63 | 
 64 | resource "aws_security_group" "worker"  {
 65 |   name = "${var.cluster_name}-worker"
 66 |   vpc_id = "${var.cluster_vpc_id}"
 67 |   description = "worker"
 68 |   # Hacker's note: the cloud_config has to be uploaded to s3 before instances fireup
 69 |   # but module can't have 'depends_on', so we have to make 
 70 |   # this indrect dependency through security group
 71 |   depends_on = ["aws_s3_bucket_object.worker_cloud_config"]
 72 | 
 73 |   # Allow all outbound traffic
 74 |   egress {
 75 |     from_port = 0
 76 |     to_port = 0
 77 |     protocol = "-1"
 78 |     cidr_blocks = ["0.0.0.0/0"]
 79 |   }
 80 | 
 81 |   # Allow access from vpc
 82 |   ingress {
 83 |     from_port = 10
 84 |     to_port = 65535
 85 |     protocol = "tcp"
 86 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
 87 |   }
 88 | 
 89 |   # Allow access from vpc
 90 |   ingress {
 91 |     from_port = 10
 92 |     to_port = 65535
 93 |     protocol = "udp"
 94 |     cidr_blocks = ["${var.cluster_vpc_cidr}"]
 95 |   }
 96 | 
 97 |   # Allow SSH from my hosts
 98 |   ingress {
 99 |     from_port = 22
100 |     to_port = 22
101 |     protocol = "tcp" 
102 |     cidr_blocks = ["${split(",", var.allow_ssh_cidr)}"]
103 |     self = true
104 |   }
105 | 
106 |   tags {
107 |     Name = "${var.cluster_name}-worker"
108 |   }
109 | }
110 | 
111 | output "worker_security_group" { value = "${aws_security_group.worker.id}" }
112 | 
113 | 


--------------------------------------------------------------------------------
/scripts/aws-keypair.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | AWS_PROFILE=${AWS_PROFILE:-coreos-cluster}
 4 | CLUSTER_NAME=${CLUSTER_NAME:-coreos-cluster}
 5 | AWS_ACCOUNT=${AWS_ACCOUNT:-}
 6 | AWS_REGION=${AWS_REGION:-us-west-2}
 7 | 
 8 | # Default keypair name
 9 | key="${CLUSTER_NAME}-default"
10 | 
11 | if [ "X${AWS_ACCOUNT}" = "X" ];
12 | then
13 |   echo "Getting AWS account number..."
14 |   AWS_ACCOUNT=$(aws --profile ${AWS_PROFILE} iam get-user | jq ".User.Arn" | grep -Eo '[[:digit:]]{12}')
15 | fi
16 | 
17 | TMP_DIR=keypairs
18 | 
19 | create(){
20 |   if  aws --profile ${AWS_PROFILE} --region ${AWS_REGION} ec2 describe-key-pairs --key-name ${key} > /dev/null 2>&1 ;
21 |   then
22 |     echo "keypair ${key} already exists."
23 |   else
24 |     mkdir -p ${TMP_DIR}
25 |     chmod 700 ${TMP_DIR}
26 |     echo "Creating keypair ${key}"
27 |     aws --profile ${AWS_PROFILE} --region ${AWS_REGION} ec2 create-key-pair --key-name ${key} --query 'KeyMaterial' --output text > ${TMP_DIR}/${key}.pem
28 |     # copy the key to user's home .ssh
29 |     # cp ${TMP_DIR}/${key}.pem ${HOME}/.ssh; chmod 600 ${HOME}/.ssh/${key}.pem
30 |     chmod 600 ${TMP_DIR}/${key}.pem
31 |     echo "ssh-add ${TMP_DIR}/${key}.pem"
32 |     ssh-add ${TMP_DIR}/${key}.pem
33 |     # Clean up
34 |     # rm -rf ${TMP_DIR}
35 |   fi
36 | }
37 | 
38 | exist(){
39 |   if aws --profile ${AWS_PROFILE} --region ${AWS_REGION} ec2 describe-key-pairs --key-name ${key} > /dev/null 2>&1 ;
40 |   then
41 |     return 0
42 |   else
43 |     return 1
44 |   fi
45 | }
46 | destroy(){
47 |   if  ! aws --profile ${AWS_PROFILE} --region ${AWS_REGION} ec2 describe-key-pairs --key-name ${key} > /dev/null 2>&1 ;
48 |   then
49 |     echo "keypair ${key} does not exists."
50 |   else
51 |     if [ -f ${TMP_DIR}/${key}.pem ];
52 |     then
53 |       echo "Remove from ssh agent"
54 |       ssh-add -L |grep "${TMP_DIR}/${key}.pem" > ${TMP_DIR}/${key}.pub
55 |       [ -s ${TMP_DIR}/${key}.pub ] && ssh-add -d ${TMP_DIR}/${key}.pub
56 |       rm -rf ${TMP_DIR}/${key}.pem
57 |       rm -rf ${TMP_DIR}/${key}.pub
58 |     fi
59 |     aws --profile ${AWS_PROFILE} --region ${AWS_REGION}  s3 rm s3://${AWS_ACCOUNT}-${CLUSTER_NAME}-config/keypairs/${key}.pem
60 |     echo "Delete aws keypair ${key}"
61 |     aws --profile ${AWS_PROFILE} --region ${AWS_REGION} ec2 delete-key-pair --key-name ${key}  
62 |     echo "Remove from ${TMP_DIR}"
63 |   fi 
64 | }
65 | 
66 | while getopts ":c:d:e:h" OPTION
67 | do
68 |   key=$OPTARG
69 |   case $OPTION in
70 |     c)
71 |       create
72 |       ;;
73 |     d)
74 |       destroy
75 |       ;;
76 |     e)
77 |       exist
78 |       ;;
79 |     *)
80 |       echo "Usage: $(basename $0) -c|-d|-e keyname"
81 |       exit 1
82 |       ;;
83 |   esac
84 | done
85 | 


--------------------------------------------------------------------------------
/scripts/cloudtrail-admin.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -e
  3 | shopt -s extglob # enables pattern lists like +(...|...)
  4 | 
  5 | # Default variables
  6 | init() {
  7 |   # Supported regions
  8 |   regions="us-east-1 us-west-1 us-west-2 eu-west-1 sa-east-1 ap-northeast-1 ap-southeast-1 ap-southeast-2"
  9 |   regionRegexp='+(us-east-1|us-west-1|us-west-2|eu-west-1|sa-east-1|ap-northeast-1|ap-southeast-1|ap-southeast-2)'
 10 | 
 11 |   # Script actions
 12 |   actionsRegexp='+(create|delete|show)'
 13 |   
 14 |   # Dryrun flag
 15 |   dryrun=0
 16 |   
 17 |   # Interactive flag
 18 |   interactive=1  
 19 | }
 20 | 
 21 | # Create trails for all supported regions and create SNS topics
 22 | create_trails(){
 23 |   bucketOpt="--s3-use-bucket"
 24 |   includeGlobal="false"
 25 |   
 26 |   # Setup the first trail to receive global events
 27 |   region=$defaultRegion
 28 |   thisTrail=${trailname}-$region
 29 |   trail=$(aws --profile $profile cloudtrail describe-trails --region $region --trail-name-list $thisTrail | jq --raw-output '.trailList[].Name')
 30 |   if [ "$trail" = "$thisTrail" ]; then
 31 |     echo "$accountId already has CloudTrail setup: $trail."
 32 |   else
 33 |     includeGlobal="true"
 34 |     if ! aws --profile $profile s3 ls s3://$trailbucket > /dev/null 2>&1; then
 35 |       bucketOpt="--s3-new-bucket"
 36 |     fi
 37 |     thisTrail=${trailname}-$region
 38 |     setup_trail
 39 |   fi
 40 |   
 41 |   # Setup the rest of the trails
 42 |   for region in $regions
 43 |   do
 44 |     thisTrail=${trailname}-$region
 45 |     trail=$(aws --profile $profile cloudtrail describe-trails --region $region --trail-name-list $thisTrail | jq --raw-output '.trailList[].Name')
 46 |     if [ "$trail" = "$thisTrail" ]; then
 47 |       echo "$accountId already has CloudTrail setup: $thisTrail."
 48 |     else
 49 |       setup_trail
 50 |     fi
 51 |   done
 52 | }
 53 | 
 54 | setup_trail(){
 55 |   snstopic=$thisTrail
 56 |   cmd="aws --profile $profile cloudtrail create-subscription --region $region \
 57 |       --name $thisTrail \
 58 |       $bucketOpt $trailbucket --sns-new-topic $snstopic \
 59 |       --include-global-service-events $includeGlobal"
 60 |   echo "Creating $thisTrail"
 61 |   [ $dryrun -eq 0 ] && $cmd
 62 | }
 63 | 
 64 | create_sqs(){
 65 |   # This is optional. Some third party AWS log service, e.g. SplunkAppForAWS, may need a SQS. 
 66 |   # Cloudtrail SQS and Trail name
 67 |   queuename=${accountId}-cloudtrail
 68 |   if [ $interactive -eq 1 ]; then
 69 |     answer='N'
 70 |     echo -n "Do you want to create SQS $queuename? [Y/N]"
 71 |     read answer
 72 |     echo ""
 73 |     if [ "X$answer" != "XY" ]; then
 74 |       echo "No queue is created."
 75 |       exit 0
 76 |     fi
 77 |   fi
 78 |   echo "Creating SQS service."
 79 |   cmd="aws --profile $profile sqs create-queue --queue-name $queuename --region $defaultRegion"
 80 |   [ $dryrun -eq 0 ] && $cmd
 81 | }
 82 | 
 83 | show(){
 84 |   echo "Trails" 
 85 |   for i in $regions
 86 |   do 
 87 |     aws --profile $profile cloudtrail describe-trails --region $i | jq --raw-output '.trailList[].Name'
 88 |   done
 89 | 
 90 |   echo "SNS"
 91 |   for i in $regions
 92 |   do
 93 |     aws --profile $profile sns list-topics --region $i | jq --raw-output '.Topics[].TopicArn' | grep "$profile-cloudtrail"
 94 |   done
 95 | 
 96 |   echo "SQS"
 97 |   if [ ! -z "$accountId" ]; then
 98 |     aws --profile $profile sqs list-queues --queue-name-prefix $accountId | jq --raw-output  '.QueueUrls[]'
 99 |   else
100 |     aws --profile $profile sqs list-queues | jq --raw-output  '.QueueUrls[]'
101 |   fi
102 | }
103 | 
104 | # Delete SNS topics
105 | delete_sns(){
106 |   # Delete SNS topics
107 |   for i in $regions
108 |   do
109 |     snstopic=${trailname}-$i
110 |     topicarn=$(aws --profile $profile sns list-topics --region $i |grep $snstopic | awk '{print $2}' | sed 's/\"//g')
111 |     if [ $topicarn ]; then
112 |       cmd="aws --profile $profile sns delete-topic --topic-arn $topicarn --region $i"
113 |       echo "Deleting $topicarn."
114 |       [ $dryrun -eq 0 ] && $cmd
115 |     fi
116 |   done
117 | }
118 | 
119 | # Delete Cloudtrails
120 | delete_trails() {
121 |   for i in $regions
122 |   do
123 |     thisTrail=$trailname-$i
124 |     trail=$(aws --profile $profile cloudtrail describe-trails --region $i  --trail-name-list $thisTrail | jq --raw-output '.trailList[].Name')
125 |     if [ -z "$trail" ];
126 |     then
127 |       echo "$thisTrail doesn't exist."
128 |       continue
129 |     fi
130 |     cmd="aws --profile $profile cloudtrail delete-trail --region $i --name $thisTrail"
131 |     echo "Deleting $thisTrail."
132 |     [ $dryrun -eq 0 ] && $cmd
133 |   done
134 | }
135 |   
136 | # Delete sqs
137 | delete_sqs() {
138 |   queuename=${accountId}-cloudtrail
139 |   queueurl=$(aws --profile $profile sqs get-queue-url --queue-name $queuename --query QueueUrl | sed 's/\"//g')
140 |   if [ -z $queueurl ]; then
141 |     echo "No SQS to delete."
142 |   else 
143 |     cmd="aws --profile $profile sqs delete-queue --queue-url $queueurl"
144 |     echo "Deleting $queueurl."
145 |     [ $dryrun -eq 0 ] && $cmd
146 |   fi
147 | }
148 | 
149 | help(){
150 |   echo "create-cloudtrail -a <action> -p <profile> [-b <bucket>] -r region [-n] [-y]"
151 |   echo ""
152 |   echo " -a <create|show|delete>: action. create, show or delete cloudtrails setup by this tool."
153 |   echo " -p <aws profile>: authenticate as this profile."
154 |   echo " -b <bucket>: optional. bucket name to get all trail reports."
155 |   echo " -r <region>: region to get AWS global events, e.g. IAM"
156 |   echo " -y     : non-interative mode. Answer to yes to all default values."
157 |   echo " -n     : dryrun. print out the commands"
158 |   echo " -h     : Help"
159 | }
160 | 
161 | # Main
162 | 
163 | # Set default values
164 | init
165 | 
166 | while getopts "a:p:b:r:hny" OPTION
167 | do
168 |   case $OPTION in
169 |     a)
170 |       action=$OPTARG
171 |       case $action in
172 |         $actionsRegexp) 
173 |           ;;
174 |         *)
175 |           echo "Unsupported action $action."
176 |           exit 1
177 |       esac
178 |       ;;
179 |     p)
180 |       profile=$OPTARG
181 |       ;;
182 |     b)
183 |       bucket=$OPTARG
184 |       ;;
185 |     r)
186 |       defaultRegion=$OPTARG
187 |       case $defaultRegion in
188 |          $regionRegexp)
189 |            ;;
190 |          *)
191 |           echo "Unsuported region $region."
192 |           exit 1
193 |       esac
194 |       ;;
195 |     n)
196 |       dryrun=1
197 |       ;;
198 |     y)
199 |       interactive=0
200 |       ;;
201 |     [h?])
202 |       help
203 |       exit
204 |       ;;
205 |   esac
206 | done
207 | 
208 | if [[ -z $action || -z $profile || -z $defaultRegion && $action != 'show' ]]; then
209 |   help
210 |   exit 1
211 | fi
212 | 
213 | echo "Getting AWS account number ..."
214 | accountId=$(aws --profile $profile iam get-user | jq '.User.Arn' | grep -Eo '[[:digit:]]{12}')
215 | if [ -z "$accountId" ]; then
216 |   echo "Cannot find AWS account number."
217 |   exit 1
218 | else 
219 |   if [[ ! -z "bucket" && $interactive -ne 0 && $action != "show" ]]; then
220 |       answer='N'
221 |       echo -n "Do you accept the $accountId SNA and cloudtrail bucket prefix? [Y/N]"
222 |       read answer
223 |       echo ""
224 |       [ "X$answer" != "XY" ] && echo "Do nothing. Quit."&&  exit 0
225 |   fi
226 | fi
227 | 
228 | # Don't exist on non-zero code because the following aws commmands exit code
229 | # is '1' on sucess.
230 | set +e 
231 | # Cloudtrail name, one name per account.
232 | trailname=${profile}-cloudtrail
233 | 
234 | # S3 bucket to receive logs
235 | trailbucket=${bucket:-${accountId}-cloudtrail}
236 | 
237 | # Call functions based on action 
238 | case $action in
239 |   'create')
240 |     create_trails
241 |     create_sqs
242 |     ;;
243 |   'delete')
244 |     delete_trails
245 |     delete_sns
246 |     delete_sqs
247 |     ;; 
248 |   'show')
249 |     show
250 |     ;;
251 | esac
252 | 
253 | [ $dryrun -eq 1 ] && echo "Dryrun mode. Nothing is changed."
254 | 
255 | exit 0
256 | 


--------------------------------------------------------------------------------
/scripts/gen-provider.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | #
 3 | # Init variables and sanity checks
 4 | DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 5 | ROOT_DIR=$(dirname $DIR)
 6 | BUILD=${BUILD:-$ROOT_DIR/build}
 7 | TF_MODULES_DIR=${TF_MODULES_DIR:-$ROOT_DIR/modules}
 8 | 
 9 | AWS_PROFILE=${AWS_PROFILE:-coreos-cluster}
10 | CLUSTER_NAME=${CLUSTER_NAME:-coreos-cluster}
11 | 
12 | #TF_VAR_aws_region=$($DIR/read_cfg.sh $HOME/.aws/config "profile $AWS_PROFILE" region)
13 | aws_user=$(aws --profile $AWS_PROFILE iam get-user)
14 | TF_VAR_aws_account=$(echo $aws_user | jq ".User.Arn" | grep -Eo '[[:digit:]]{12}')
15 | TF_VAR_aws_user=$(echo $aws_user | jq --raw-output '.User.UserName')
16 | ALLOW_SSH_CIDR="$(curl -s http://ipinfo.io/ip)/32"
17 | 
18 | cat <<EOF
19 | # Generated by scripts/gen-provider.sh
20 | provider "aws" {
21 |   profile = "$AWS_PROFILE"
22 |   max_retries = 3
23 |   region = "$AWS_REGION"
24 | EOF
25 | if [ ! -z $ALLOWED_ACCOUNT_IDS ]; then
26 |     echo  \ \ allowed_account_ids = [ "$ALLOWED_ACCOUNT_IDS" ]
27 | elif [[ ! -z $FORBIDDEN_ACCOUNT_IDS ]]; then
28 |     echo  \ \ forbidden_account_ids = [ "$FORBIDDEN_ACCOUNT_IDS" ]
29 | fi
30 | cat <<EOF
31 | }
32 | variable "aws_account" {
33 |     default = {
34 |         id = "$TF_VAR_aws_account"
35 |         default_region = "$AWS_REGION"
36 |         profile = "$AWS_PROFILE"
37 |     }
38 | }
39 | variable "cluster_name" {
40 |     default = "${CLUSTER_NAME}"
41 | }
42 | variable "build_dir" {
43 |     default = "${BUILD}"
44 | }
45 | variable "allow_ssh_cidr" {
46 |     default = "${ALLOW_SSH_CIDR}"
47 | }
48 | variable "modules_dir" {
49 |     default = "${TF_MODULES_DIR}"
50 | }
51 | variable "app_repository" {
52 |     default = "${APP_REPOSITORY}"
53 | }
54 | 
55 | variable "git_ssh_command" {
56 |     default = "${GIT_SSH_COMMAND}"
57 | }
58 | variable "app_domain" {
59 |     default = "${APP_DOMAIN}"
60 | }
61 | variable "timestamp" {
62 |     default = "undefined"
63 | }
64 | variable "iamuser" {
65 |     default = "undefined"
66 | }
67 | variable "wait_time" {
68 |     default = 10
69 | }
70 | EOF
71 | 


--------------------------------------------------------------------------------
/scripts/gen-rds-password.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | #
 3 | # Init variables and sanity checks
 4 | DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 5 | ROOT_DIR=$(dirname $DIR)
 6 | BUILD=${BUILD:-$ROOT_DIR/build}
 7 | 
 8 | file=$1
 9 | if [ -z "$file" ]; then
10 |   echo "Output file cannot be empty."
11 |   exit 1
12 | fi
13 | 
14 | # Database password: has to be ASCII alphanumeric
15 | postgres_db_password=$(openssl rand -base64 14 | tr -dc 'a-zA-Z0-9')
16 | mysql_db_password=$(openssl rand -base64 14 |  tr -dc 'a-zA-Z0-9')
17 | cat > $file  <<EOF
18 | # Generated by scripts/gen-provider.sh
19 | variable "postgres_db_user" {
20 |   default = "root"
21 | }
22 | variable "postgres_db_password" {
23 |   default = "$postgres_db_password"
24 | }
25 | variable "mysql_db_user" {
26 |   default = "root"
27 | }
28 | variable "mysql_db_password" {
29 |   default = "$mysql_db_password"
30 | }
31 | EOF
32 | 


--------------------------------------------------------------------------------
/scripts/gen-tf-vars.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | echo "# Generated by make vpc/gen_vpc_vars"
 3 | echo "# $(date)"
 4 | echo "$(terraform output)" | while read line
 5 | do
 6 | 	IFS=' = ' read -r -a array <<< "$line"
 7 | 	if [ ! -z "${array[0]}" ];
 8 | 	then
 9 | 		echo variable \"${array[0]}\" { default = \"${array[1]}\"}
10 | 	fi
11 | done


--------------------------------------------------------------------------------
/scripts/get-ami.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Default Environment variables
 4 | COREOS_UPDATE_CHANNEL="${COREOS_UPDATE_CHANNEL:-beta}"      # stable/beta/alpha
 5 | AWS_REGION=${AWS_REGION:-us-west-2}                           # us-west-1/us-west-2/...
 6 | VM_TYPE=${VM_TYPE:-pv}                                    # hvm/pv - note: t1.micro supports only pv type
 7 | 
 8 | # Get options from the command line
 9 | while getopts ":c:z:t:" OPTION
10 | do
11 |     case $OPTION in
12 |         c)
13 |           COREOS_UPDATE_CHANNEL=$OPTARG
14 |           ;;
15 |         z)
16 |           AWS_REGION=$OPTARG
17 |           ;;
18 |         t)
19 |           VM_TYPE=$OPTARG
20 |           ;;
21 |         *)
22 |           echo "Usage: $(basename $0) -c <stable|beta|alpha> -z <aws zone> -t <hvm|pv>"
23 |           exit 0
24 |           ;;
25 |     esac
26 | done
27 | 
28 | 
29 | # Get the AMI id
30 | url=`printf "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_%s_%s.txt" $COREOS_UPDATE_CHANNEL $VM_TYPE $AWS_REGION`
31 | 
32 | cat <<EOF
33 | # Generated by scripts/get-ami.sh
34 | variable "ami" { default = "`curl -s $url`" }
35 | EOF
36 | 


--------------------------------------------------------------------------------
/scripts/get-dns-name.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | elb_name=${1:-''}
 4 | if [ -z "$elb_name" ]; then
 5 |   echo "Need load balancer name."
 6 |   exit 1
 7 | fi
 8 | 
 9 | AWS_PROFILE=${AWS_PROFILE:-coreos-cluster}
10 | AWS_REGION=${AWS_REGION:-us-west-2}
11 | 
12 | elb_dnsname=$(aws elb describe-load-balancers --profile $AWS_PROFILE --load-balancer-names=$elb_name | \
13 | 	jq -r '.LoadBalancerDescriptions[].DNSName')
14 | 
15 | echo $elb_dnsname
16 | 


--------------------------------------------------------------------------------
/scripts/get-ec2-public-id.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | AWS_PROFILE=${AWS_PROFILE:-coreos-cluster}
 4 | AWS_REGION=${AWS_REGION:-us-west-2}
 5 | ASG=${1:-etcd}
 6 | 
 7 | EC2_IDS=$(aws --profile $AWS_PROFILE --region $AWS_REGION autoscaling describe-auto-scaling-groups \
 8 | 	--auto-scaling-group-name $ASG 2> /dev/null | jq .AutoScalingGroups[0].Instances[].InstanceId | xargs)
 9 | 
10 | if [ ! -z "${EC2_IDS}" ]; then
11 | 	aws --profile $AWS_PROFILE --region $AWS_REGION ec2 describe-instances --instance-ids $EC2_IDS \
12 |     | jq -r '.Reservations[].Instances | map(.NetworkInterfaces[].Association.PublicIp)[]'
13 | else
14 | 	echo "Cannot get IPs for autoscaling group $ASG."
15 | fi
16 | 
17 | 


--------------------------------------------------------------------------------
/scripts/get-vpc-id.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Check if the cluster already exists. 
 3 | # Only proceed if the cluster doesn't exist. Return value is 0.
 4 | 
 5 | CLUSTER_NAME=${CLUSTER_NAME:-''}
 6 | AWS_PROFILE=${AWS_PROFILE:-''}
 7 | if [ ! -z "$CLUSTER_NAME" ]; then
 8 |   cluster_tag=$(aws --profile ${AWS_PROFILE} ec2 describe-vpcs  --filters "Name=tag:Name,Values=${CLUSTER_NAME}" | jq -r '.Vpcs[0].VpcId')
 9 |   if [[ $? -ne 0 ]]; then
10 |     echo "Error checking cluster."
11 |     exit 1
12 |   elif [[ $cluster_tag  =~ "vpc-" ]]; then
13 |     echo "Cluster ${CLUSTER_NAME} exists with vpc id $cluster_tag"
14 |   else
15 |     echo "Cluster ${CLUSTER_NAME} does not exists."
16 |   fi
17 | else
18 |   echo "Cluster name is required."   
19 |   exit 1
20 | fi
21 | exit 0
22 | 


--------------------------------------------------------------------------------
/scripts/session-lock.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # 
 3 | # xuwang@gmail.com
 4 | # 
 5 | # Use AWS keypair as a 'lock' mechanism to protect some operations that should only be run
 6 | # by one team mate, e.g. updating terraform states. Only the person who owns the keypair's private key can
 7 | # perform the operation. 
 8 | # 
 9 | # Usage:
10 | # session-lock -l
11 | # <some operations>
12 | # session-lock -u
13 | # 
14 | 
15 | AWS_PROFILE=${AWS_PROFILE:-coreos-cluster}
16 | CLUSTER_NAME=${CLUSTER_NAME:-coreos-cluster}
17 | AWS_ACCOUNT=${AWS_ACCOUNT:-}
18 | AWS_REGION=${AWS_REGION:-us-west-2}
19 | ROOTDIR=${ROOTDIR:-`PWD`}
20 | 
21 | # Default keypair name, to be used as a lock
22 | LOCK_KEYNAME="${CLUSTER_NAME}-tfstate-lock"
23 | LOCK_KEY_PEMFILE="${ROOTDIR}/${LOCK_KEYNAME}.pem"
24 | 
25 | # AWS key command
26 | AWS_EC2_CLI="aws --profile ${AWS_PROFILE} --region ${AWS_REGION} ec2"
27 | 
28 | check_finger_print(){
29 | 	FINGERPRINT_PUB=$( ${AWS_EC2_CLI} describe-key-pairs --key-names ${LOCK_KEYNAME} | jq -r ".KeyPairs[].KeyFingerprint")
30 | 	FINGERPRINT_PEM=$(openssl pkcs8 -in ${LOCK_KEY_PEMFILE} -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c)
31 | 	if [[ "${FINGERPRINT_PUB}" != "${FINGERPRINT_PEM}" ]] ; then
32 | 	  	return 1
33 | 	 else
34 | 	 	return 0
35 | 	 fi
36 | }
37 | 
38 | lock(){
39 | 	if  ! ${AWS_EC2_CLI} describe-key-pairs --key-name ${LOCK_KEYNAME} > /dev/null 2>&1 ; then
40 | 		${AWS_EC2_CLI} create-key-pair --key-name ${LOCK_KEYNAME} --query 'KeyMaterial' \
41 | 		 --output text > ${LOCK_KEY_PEMFILE} && echo "Created lock using keypair ${LOCK_KEYNAME}."
42 | 	elif [[ ! -f ${LOCK_KEY_PEMFILE} ]]; then
43 |   		echo "${LOCK_KEYNAME} is in use by another person. Cannot start a new sessions."
44 |   		return 1
45 |   	else 
46 |   		check_finger_print
47 |   		if [ $? -eq 1 ]; then
48 | 	  		echo "${LOCK_KEY_PEMFILE} exists, but doesn't match the ${LOCK_KEYNAME}'s fingerprint."
49 | 	  		return 1
50 | 	 	else
51 | 			echo "You have aquired ${LOCK_KEYNAME}. Session started. Don't forget to release the lock." 
52 | 		fi
53 | 	fi
54 | }
55 | 
56 | unlock(){
57 | 	if  ! ${AWS_EC2_CLI} describe-key-pairs --key-name ${LOCK_KEYNAME} > /dev/null 2>&1 ; then
58 | 		echo "keypair ${key} does not exist. Nothing to remove."
59 |     return 0
60 | 	elif [ ! -f ${LOCK_KEY_PEMFILE} ]; then
61 |     	echo "${LOCK_KEY_PEMFILE} in use but you don't own the private key. Won't remove."
62 |     	return 1
63 |   else 
64 |     	check_finger_print
65 |     	if [ $? -eq 1 ]; then
66 |     		echo "${LOCK_KEY_PEMFILE} exists, but doesn't match the ${LOCK_KEYNAME}'s fingerprint. Won't remove."
67 |     		return 1
68 |     	fi
69 |   fi
70 |   ${AWS_EC2_CLI} delete-key-pair --key-name ${LOCK_KEYNAME} \
71 |        && echo "Deleted ${LOCK_KEYNAME}." \
72 |        && rm -rf ${LOCK_KEY_PEMFILE} && echo "Removed ${LOCK_KEY_PEMFILE}."
73 | }
74 | 
75 | while getopts ":l:u:h" OPTION
76 | do
77 |   key=$OPTARG
78 |   case $OPTION in
79 |     l)
80 |       lock
81 |       ;;
82 |     u)
83 |       unlock
84 |       ;;
85 |     *)
86 |       echo "Usage: $(basename $0) -l|-u keyname"
87 |       exit 1
88 |       ;;
89 |   esac
90 | done


--------------------------------------------------------------------------------
/scripts/setup_vault.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | # pass -i for interactive run. Otherwise, automatically init and unseal.
 5 | interactive=${1:-'false'}
 6 | 
 7 | if [ "X$interactive" = 'X-i' ]; then
 8 |     read -p $'Running this script will initialize & unseal Vault, \nthen put your unseal keys and root token into Consul KV. \n\nIf you are sure you want to continue, type \'yes\': \n' ANSWER
 9 |   if [ "$ANSWER" != "yes" ]; then
10 |      echo
11 |      echo "Exiting without intializing & unsealing Vault, no keys or tokens were stored."
12 |      echo
13 |      exit 1
14 |    fi
15 | fi
16 | 
17 | els() { etcdctl ls /service/vault/$1; }
18 | eset() { etcdctl set /service/vault/$1  $2; }
19 | eget() { etcdctl get /service/vault/$1; }
20 | 
21 | if  ! etcdctl ls /service/vault ; then
22 |     etcdctl mkdir /service/vault
23 | fi
24 | if [ ! $(els root-token 2> /dev/null ) ]; then
25 |   echo "Initialize Vault"
26 |   vault init | tee /tmp/vault.init > /dev/null
27 | 
28 |   # Store master keys and unseal keys in etcd for operator to retrieve and remove
29 |   COUNTER=1
30 |   cat /tmp/vault.init | grep '\(Unseal Key\)' | awk '{print $4}' | for key in $(cat -); do
31 |     eset unseal-key-$COUNTER $key
32 |     COUNTER=$((COUNTER + 1))
33 |   done
34 |   export ROOT_TOKEN=$(cat /tmp/vault.init | grep '^Initial' | awk '{print $4}')
35 |   eset root-token $ROOT_TOKEN
36 | 
37 |   echo "Tempoary key files are in /tmp/vault.init. You can remove keys from disk: shred /tmp/vault.init"
38 |   #shred /tmp/vault.init
39 | else
40 |   echo "Vault has already been initialized, skipping."
41 | fi
42 | 
43 | echo "Unsealing Vault"
44 | vault unseal $(eget unseal-key-1)
45 | vault unseal $(eget unseal-key-2)
46 | vault unseal $(eget unseal-key-3)
47 | 
48 | echo "Vault setup complete."
49 | 
50 | instructions() {
51 |   cat <<EOF
52 | We use an instance of HashiCorp Vault for secrets management.
53 | It has been automatically initialized and unsealed once. Future unsealing must
54 | be done manually.
55 | The unseal keys and root token have been temporarily stored in Etcd K/V.
56 |   /service/vault/root-token /service/vault/unseal-key-{1..5}
57 | Please securely distribute and record these secrets and remove them from Consul.
58 | EOF
59 | 
60 |   exit 1
61 | }
62 | 
63 | instructions
64 | 


--------------------------------------------------------------------------------
/scripts/substitute-AWS-ACCOUNT.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Replace AWS-ACCOUNT with aws account number in *.tf and *.json files. Can be used 
 4 | # to form policy documents, resource names etc, with the aws account number as part of a string.
 5 | 
 6 | # AWS account number - getting it from an existing user resource
 7 | # 
 8 | AWS_PROFILE=${AWS_PROFILE:-coreos-cluster}
 9 | 
10 | echo "Getting AWS account number..."
11 | AWS_ACCOUNT=$(aws --profile ${AWS_PROFILE} iam get-user | jq ".User.Arn" | grep -Eo '[[:digit:]]{12}')
12 | 
13 | files=$(grep -s -l AWS-ACCOUNT -r $@)
14 | if [ "X$files" != "X" ];
15 | then
16 |   for f in $files
17 |   do
18 |     perl -p -i -e "s/AWS-ACCOUNT/$AWS_ACCOUNT/g" $f
19 |   done
20 | fi
21 | 
22 | 


--------------------------------------------------------------------------------
/scripts/substitute-CLUSTER-NAME.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Replace CLUSTER_NAME with user defined name.
 4 | 
 5 | CLUSTER_NAME=${CLUSTER_NAME:-coreos-cluster}
 6 | 
 7 | files=$(grep -s -l CLUSTER-NAME -r $@)
 8 | if [ "X$files" != "X" ];
 9 | then
10 |   for f in $files
11 |   do
12 |     perl -p -i -e "s/CLUSTER-NAME/$CLUSTER_NAME/g" $f
13 |   done
14 | fi
15 | 
16 | 


--------------------------------------------------------------------------------
/scripts/tf-apply-confirm.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Decide if we should carry out terraform apply based on if there is a change
 4 | 
 5 | TF_PLAN=${TF_PLAN:-"terraform plan -module-depth=1"}
 6 | TF_GET=${TF_GET:-"terraform get -update"}
 7 | TF_APPLY=${TF_APPLY:-"terraform apply -refresh=false"}
 8 | CONFIRM_TF_APPLY=${CONFIRM_TF_APPLY:-"YES"}
 9 | resource=$(basename $(pwd))
10 | 
11 | $TF_GET > /dev/null
12 | echo "Creating or updating $resource plan. This may take a while."
13 | if [ "X${CONFIRM_TF_APPLY}" != "XYES" ]; then
14 |   $TF_PLAN
15 |   $TF_APPLY
16 | else
17 |   $TF_PLAN -detailed-exitcode > /dev/null
18 |   if [ $? -eq 2 ];
19 |   then
20 |       $TF_PLAN
21 |       echo "CONTINUE? [Y/N]: "
22 |       read ANSWER
23 |       if [ "$ANSWER" != "Y" ];
24 |       then 
25 |           echo "Exiting."
26 |           exit 1
27 |       else
28 |   	      $TF_APPLY
29 |       fi
30 |   else
31 |      echo "Nothing to change."
32 |   fi
33 | fi  
34 | 


--------------------------------------------------------------------------------