authorChristopher Baines <mail@cbaines.net>2018-06-03 13:06:30 +0100
committerChristopher Baines <mail@cbaines.net>2018-06-03 14:09:13 +0100
commit93c1c6e5b76ed712f6c5107c6a124025279996d6 (patch)
tree9744ed6a454e8d5ba69657e4ad5fdd699b726b25
parentf74331a8e6d5b0ae9c2c73a36ba19730752269aa (diff)
Change how the EFS File System is handled
For the AWS backend. Bring it into the Terraform configuration for the backend, where previously only the id was known. Also, alter the provisioning so that it can handle an empty EFS file system. This reduces the amount of manual setup required for AWS.
-rw-r--r--app/controllers/backends/terraform_aws_controller.rb1
-rw-r--r--app/models/backends/terraform_aws.rb5
-rw-r--r--app/views/backends/terraform_aws/new.html.erb28
-rw-r--r--app/views/backends/terraform_aws/show.html.erb29
-rw-r--r--db/migrate/20180603120426_remove_efs_file_system_id_from_backends_terraform_aws.rb5
-rw-r--r--db/structure.sql4
-rw-r--r--terraform/aws/backend/main.tf80
-rw-r--r--terraform/aws/mini_environment/main.tf12
-rw-r--r--test/controllers/backends/terraform_aws_controller_test.rb4
9 files changed, 73 insertions, 95 deletions
diff --git a/app/controllers/backends/terraform_aws_controller.rb b/app/controllers/backends/terraform_aws_controller.rb
index 4b49f23..6e8ed55 100644
--- a/app/controllers/backends/terraform_aws_controller.rb
+++ b/app/controllers/backends/terraform_aws_controller.rb
@@ -66,7 +66,6 @@ class Backends::TerraformAwsController < ApplicationController
:aws_region,
:vpc_id,
:route_53_zone_id,
- :efs_file_system_id,
:aws_access_key_id,
:aws_secret_access_key
)
diff --git a/app/models/backends/terraform_aws.rb b/app/models/backends/terraform_aws.rb
index e448cd8..d5abfee 100644
--- a/app/models/backends/terraform_aws.rb
+++ b/app/models/backends/terraform_aws.rb
@@ -31,7 +31,6 @@
# updated_at :datetime not null
# domain :string
# route_53_zone_id :string not null
-# efs_file_system_id :string not null
# vpc_id :string not null
#
@@ -107,6 +106,7 @@ class Backends::TerraformAws < ApplicationRecord
vars: common_terraform_variables.merge(
aws_vpc_id: vpc_id,
ssh_public_key: ssh_public_key,
+ backend_slug: label.parameterize,
mini_environment_admin_guix_public_key: guix_public_key,
mini_environment_admin_public_ip_address: public_ip_address
),
@@ -132,8 +132,7 @@ class Backends::TerraformAws < ApplicationRecord
aws_secret_key: aws_secret_access_key,
aws_region: aws_region,
ssh_public_key: ssh_public_key,
- aws_route_53_zone_id: route_53_zone_id,
- aws_efs_file_system_id: efs_file_system_id
+ aws_route_53_zone_id: route_53_zone_id
}
end
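Review bot: `backend_slug: label.parameterize` feeds a user-editable label into Terraform resource identity: in terraform/aws/backend/main.tf the EFS `creation_token`, the key pair `key_name` and every security group `name` are built from it, and those attributes force resource replacement, so changing a backend's label after the first apply would recreate the EFS file system that holds the shared Guix store. If `label` is editable through the update action (the controller tests with `old-` values suggest one exists), persist the slug once at creation instead, e.g. a dedicated column populated in a `before_create` callback, or derive it from an immutable attribute such as the record id. `parameterize` also returns an empty string for a blank label, giving a `creation_token` of `govuk_mini_environment_admin/` that every such backend would share; a presence validation on `label` closes that, if one is not already declared elsewhere in the model. The enclosing method starts outside the hunk.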
diff --git a/app/views/backends/terraform_aws/new.html.erb b/app/views/backends/terraform_aws/new.html.erb
index 04cab8a..fbd26a1 100644
--- a/app/views/backends/terraform_aws/new.html.erb
+++ b/app/views/backends/terraform_aws/new.html.erb
@@ -125,34 +125,6 @@ License along with the GOV.UK Mini Environment Admin. If not, see
</div>
<div class="form-group form-group-lg">
- <%= f.label(
- :efs_file_system_id,
- 'EFS File System ID',
- class: 'col-sm-4 control-label'
- ) %>
- <div class="col-sm-8">
- <%= f.text_field(
- :efs_file_system_id,
- class: 'form-control',
- placeholder: 'The ID of the EFS File System to use'
- ) %>
- <span class="help-block">
- <p>
- This EFS (Elastic File System) is used for the Guix
- store.
- </p>
- <p>
- It must be used by both this instance of the GOV.UK Mini
- Environment Admin, and the mini environments created
- through this backend, so that store items created
- through this service are available on the mini
- environment machines when they mount this file system.
- </p>
- </span>
- </div>
- </div>
-
- <div class="form-group form-group-lg">
<%= f.label :aws_access_key_id, 'AWS Access Key ID', class: 'col-sm-4 control-label' %>
<div class="col-sm-8">
<%= f.text_field(
diff --git a/app/views/backends/terraform_aws/show.html.erb b/app/views/backends/terraform_aws/show.html.erb
index f542cff..6204d96 100644
--- a/app/views/backends/terraform_aws/show.html.erb
+++ b/app/views/backends/terraform_aws/show.html.erb
@@ -132,35 +132,6 @@ License along with the GOV.UK Mini Environment Admin. If not, see
</div>
<div class="form-group form-group-lg">
- <%= f.label(
- :efs_file_system_id,
- 'EFS File System ID',
- class: 'col-sm-4 control-label'
- ) %>
- <div class="col-sm-8">
- <%= f.text_field(
- :efs_file_system_id,
- class: 'form-control',
- placeholder: 'The ID of the EFS File System to use',
- readonly: true
- ) %>
- <span class="help-block">
- <p>
- This EFS (Elastic File System) is used for the Guix
- store.
- </p>
- <p>
- It must be used by both this instance of the GOV.UK Mini
- Environment Admin, and the mini environments created
- through this backend, so that store items created
- through this service are available on the mini
- environment machines when they mount this file system.
- </p>
- </span>
- </div>
- </div>
-
- <div class="form-group form-group-lg">
<%= f.label :aws_access_key_id, 'AWS Access Key ID', class: 'col-sm-4 control-label' %>
<div class="col-sm-8">
<%= f.text_field(
diff --git a/db/migrate/20180603120426_remove_efs_file_system_id_from_backends_terraform_aws.rb b/db/migrate/20180603120426_remove_efs_file_system_id_from_backends_terraform_aws.rb
new file mode 100644
index 0000000..25abfb5
--- /dev/null
+++ b/db/migrate/20180603120426_remove_efs_file_system_id_from_backends_terraform_aws.rb
@@ -0,0 +1,5 @@
+class RemoveEfsFileSystemIdFromBackendsTerraformAws < ActiveRecord::Migration[5.1]
+ def change
+ remove_column :terraform_aws_backends, :efs_file_system_id, :string
+ end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 9e03d7d..36c6abb 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -256,7 +256,6 @@ CREATE TABLE public.terraform_aws_backends (
updated_at timestamp without time zone NOT NULL,
domain character varying,
route_53_zone_id character varying NOT NULL,
- efs_file_system_id character varying NOT NULL,
vpc_id character varying NOT NULL
);
@@ -660,6 +659,7 @@ INSERT INTO "schema_migrations" (version) VALUES
('20180530191341'),
('20180530192706'),
('20180601153537'),
-('20180601182655');
+('20180601182655'),
+('20180603120426');
diff --git a/terraform/aws/backend/main.tf b/terraform/aws/backend/main.tf
index 56b91b9..20b0bbe 100644
--- a/terraform/aws/backend/main.tf
+++ b/terraform/aws/backend/main.tf
@@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" {
type = "string"
}
-variable "aws_efs_file_system_id" {
- type = "string"
-}
-
variable "ssh_public_key" {
type = "string"
}
@@ -70,6 +66,10 @@ variable "mini_environment_admin_public_ip_address" {
type = "string"
}
+variable "backend_slug" {
+ type = "string"
+}
+
locals {
guix_daemon_substitute_servers = "${join(" ", keys(var.guix_substitute_servers))}"
}
@@ -84,10 +84,6 @@ data "aws_route53_zone" "main" {
zone_id = "${var.aws_route_53_zone_id}"
}
-data "aws_efs_file_system" "main" {
- file_system_id = "${var.aws_efs_file_system_id}"
-}
-
data "template_file" "guix_daemon_service" {
template = "${file("${path.module}/guix-daemon.service.tpl")}"
@@ -96,13 +92,37 @@ data "template_file" "guix_daemon_service" {
}
}
+data "aws_availability_zones" "available" {}
+
+
+resource "aws_default_subnet" "main" {
+ count = "${length(data.aws_availability_zones.available.names)}"
+ availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+}
+
+resource "aws_efs_file_system" "main" {
+ creation_token = "govuk_mini_environment_admin/${var.backend_slug}"
+
+ tags {
+ Name = "govuk_mini_environment_admin/${var.backend_slug}"
+ }
+}
+
+resource "aws_efs_mount_target" "main" {
+ count = "${length(data.aws_availability_zones.available.names)}"
+ file_system_id = "${aws_efs_file_system.main.id}"
+ subnet_id = "${aws_default_subnet.main.*.id[count.index]}"
+
+ security_groups = ["${aws_security_group.efs_mount_target.id}"]
+}
resource "aws_key_pair" "deployer" {
+ key_name = "govuk_mini_environment_admin/${var.backend_slug}/deployer"
public_key = "${var.ssh_public_key}"
}
resource "aws_security_group" "public_webserver" {
- name = "govuk_mini_environment_admin_public_webserver"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/public_webserver"
description = "For instances running public facing web servers"
vpc_id = "${var.aws_vpc_id}"
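Review bot: The new mount targets are placed in `aws_default_subnet` resources, which only exist in the account's default VPC, while `aws_security_group.efs_mount_target` (like every other security group here) is created in `var.aws_vpc_id`; if a non-default VPC id is supplied, the apply fails because a mount target's subnet and security group must belong to the same VPC, and if the default VPC is always intended, the variable is misleading. A `data "aws_subnet_ids"` lookup filtered on `var.aws_vpc_id` would keep the subnets and security groups in the same VPC. The new `aws_efs_file_system.main` also sets no `encrypted = true`, so the shared store is kept unencrypted at rest; since that argument forces replacement, it is best added before this file system is first created.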
@@ -136,7 +156,7 @@ resource "aws_security_group" "public_webserver" {
}
resource "aws_security_group" "ssh_access_from_mini_environment_admin" {
- name = "govuk_mini_environment_admin_ssh_access_from_mini_environment_admin"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/ssh_access_from_mini_environment_admin"
description = "For instances that need SSH access for Terraform and Guix builds"
vpc_id = "${var.aws_vpc_id}"
@@ -149,7 +169,7 @@ resource "aws_security_group" "ssh_access_from_mini_environment_admin" {
}
resource "aws_security_group" "guix_client" {
- name = "govuk_mini_environment_admin_guix_client"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/guix_client"
description = "For instances with access to the guix_daemon instance"
vpc_id = "${var.aws_vpc_id}"
@@ -162,7 +182,7 @@ resource "aws_security_group" "guix_client" {
}
resource "aws_security_group" "guix_daemon" {
- name = "govuk_mini_environment_admin_guix_daemon"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/guix_daemon"
description = "For the guix_daemon instance."
vpc_id = "${var.aws_vpc_id}"
@@ -182,7 +202,7 @@ resource "aws_security_group" "guix_daemon" {
}
resource "aws_security_group" "efs_mount_target" {
- name = "govuk_mini_environment_admin_efs_mount_target"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/efs_mount_target"
description = "For the EFS File System mount targets"
vpc_id = "${var.aws_vpc_id}"
@@ -210,6 +230,8 @@ resource "aws_spot_instance_request" "main" {
wait_for_fulfillment = true
spot_price = "0.05"
+ depends_on = ["aws_efs_mount_target.main"]
+
provisioner "file" {
content = "${data.template_file.guix_daemon_service.rendered}"
destination = "/home/ubuntu/guix-daemon.service"
@@ -237,10 +259,21 @@ resource "aws_spot_instance_request" "main" {
"sudo apt-get -y install nfs-common cachefilesd nscd",
"sudo tune2fs -o user_xattr /dev/xvda1",
"sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
- "echo \"${data.aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
- "echo \"${data.aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
- "echo \"${data.aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
- "sudo mkdir -p /var/guix /gnu/store /mnt/efs",
+ "sudo mkdir -p /mnt/efs",
+ "echo \"${aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
+ "sudo mount -a",
+ <<EOF
+if [ ! -d "/mnt/efs/gnu" ]; then
+ cd /mnt/efs
+ sudo wget https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz
+ sudo tar --warning=no-timestamp -xf guix-binary-0.14.0.x86_64-linux.tar.xz
+ cd -
+fi
+EOF
+ ,
+ "sudo mkdir -p /gnu/store /var/guix",
+ "echo \"${aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
+ "echo \"${aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
"sudo mount -a",
"sudo mv /home/ubuntu/guix-daemon.service /etc/systemd/system/guix-daemon.service",
"sudo mkdir /etc/guix",
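Review bot: The bootstrap heredoc fetches `guix-binary-0.14.0.x86_64-linux.tar.xz` with `wget` and unpacks it straight into `/mnt/efs` with no integrity check, and that tarball seeds the `/gnu/store` every mini environment later mounts, so whatever is served from that URL becomes the root of trust for all subsequent builds. Pin the expected digest and fail closed before extracting, e.g. `echo "<EXPECTED_SHA256>  guix-binary-0.14.0.x86_64-linux.tar.xz" | sudo sha256sum -c -` (or verify the release signature published alongside the tarball with the Guix release key). The `if` block also runs without `set -e`, so a failed download leaves an empty or partial `/mnt/efs` and the later `/gnu/store` and `/var/guix` mounts proceed against it; a `set -e` as the first line of the heredoc makes the provisioner stop instead. Whether a failing command aborts the remote-exec run depends on how the inline list is assembled into a script, so that part is inferred.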
@@ -259,7 +292,14 @@ EOF
"sudo systemctl daemon-reload",
"sudo systemctl enable guix-daemon.service",
"sudo systemctl start guix-daemon.service",
- "ln -s /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile",
+ <<EOF
+if [ ! -d "/var/guix/profiles/per-user/ubuntu" ]; then
+ /var/guix/profiles/per-user/root/guix-profile/bin/guix package -i guile guix
+else
+ ln -s /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile
+fi
+EOF
+ ,
# This is needed for things like guix copy to work
"echo 'GUIX_PROFILE=/home/ubuntu/.guix-profile; source /home/ubuntu/.guix-profile/etc/profile' | cat - .bashrc > temp && mv temp .bashrc"
]
@@ -300,3 +340,7 @@ output "ssh_access_from_mini_environment_admin_security_group_name" {
output "guix_daemon_private_dns" {
value = "${aws_spot_instance_request.main.private_dns}"
}
+
+output "efs_file_system_dns_name" {
+ value = "${aws_efs_file_system.main.dns_name}"
+}
diff --git a/terraform/aws/mini_environment/main.tf b/terraform/aws/mini_environment/main.tf
index 4f9b9c3..f5db361 100644
--- a/terraform/aws/mini_environment/main.tf
+++ b/terraform/aws/mini_environment/main.tf
@@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" {
type = "string"
}
-variable "aws_efs_file_system_id" {
- type = "string"
-}
-
variable "start_command" {
type = "string"
}
@@ -52,10 +48,6 @@ data "aws_route53_zone" "main" {
zone_id = "${var.aws_route_53_zone_id}"
}
-data "aws_efs_file_system" "main" {
- file_system_id = "${var.aws_efs_file_system_id}"
-}
-
data "template_file" "govuk_service" {
template = "${file("${path.module}/govuk.service.tpl")}"
@@ -96,9 +88,9 @@ resource "aws_spot_instance_request" "main" {
"sudo tune2fs -o user_xattr /dev/xvda1",
"sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
"sudo mkdir -p /gnu/store",
- "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.aws_efs_file_system.main.dns_name}:gnu/store /gnu/store",
+ "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:gnu/store /gnu/store",
"sudo mkdir -p /var/guix",
- "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.aws_efs_file_system.main.dns_name}:var/guix /var/guix",
+ "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:var/guix /var/guix",
"echo \"export GUIX_DAEMON_SOCKET=guix://${data.terraform_remote_state.backend.guix_daemon_private_dns}\" | sudo tee /etc/profile.d/guix-daemon-socket.sh",
#"sudo systemctl restart cachefilesd",
"sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080",
diff --git a/test/controllers/backends/terraform_aws_controller_test.rb b/test/controllers/backends/terraform_aws_controller_test.rb
index be575f1..f98890f 100644
--- a/test/controllers/backends/terraform_aws_controller_test.rb
+++ b/test/controllers/backends/terraform_aws_controller_test.rb
@@ -17,7 +17,6 @@ class Backends::TerraformAwsControllerTest < ActionDispatch::IntegrationTest
aws_access_key_id: 'test-access-key-id',
aws_secret_access_key: 'test-secret-access-key',
route_53_zone_id: 'test-route-53-zone-id',
- efs_file_system_id: 'test-efs-file-system-id',
vpc_id: 'test-vpc-id'
}
@@ -45,7 +44,6 @@ class Backends::TerraformAwsControllerTest < ActionDispatch::IntegrationTest
aws_access_key_id: 'old-test-access-key-id',
aws_secret_access_key: 'old-test-secret-access-key',
route_53_zone_id: 'old-test-route-53-zone-id',
- efs_file_system_id: 'test-efs-file-system-id',
vpc_id: 'test-vpc-id'
)
@@ -74,7 +72,6 @@ class Backends::TerraformAwsControllerTest < ActionDispatch::IntegrationTest
aws_access_key_id: 'old-test-access-key-id',
aws_secret_access_key: 'old-test-secret-access-key',
route_53_zone_id: 'old-test-route-53-zone-id',
- efs_file_system_id: 'test-efs-file-system-id',
vpc_id: 'test-vpc-id'
)
@@ -90,7 +87,6 @@ class Backends::TerraformAwsControllerTest < ActionDispatch::IntegrationTest
aws_access_key_id: 'old-test-access-key-id',
aws_secret_access_key: 'old-test-secret-access-key',
route_53_zone_id: 'old-test-route-53-zone-id',
- efs_file_system_id: 'test-efs-file-system-id',
vpc_id: 'test-vpc-id'
)