author | Christopher Baines <mail@cbaines.net> | 2018-06-03 13:06:30 +0100 |
committer | Christopher Baines <mail@cbaines.net> | 2018-06-03 14:09:13 +0100 |
commit | 93c1c6e5b76ed712f6c5107c6a124025279996d6 (patch) | |
tree | 9744ed6a454e8d5ba69657e4ad5fdd699b726b25 /terraform/aws | |
parent | f74331a8e6d5b0ae9c2c73a36ba19730752269aa (diff) | |
Change how the EFS File System is handled
For the AWS backend.
Bring it into the Terraform configuration for the backend, where
previously only the id was known. Also, alter the provisioning so that
it can handle an empty EFS file system.
This reduces the amount of manual setup required for AWS.
Diffstat (limited to 'terraform/aws')
-rw-r--r-- | terraform/aws/backend/main.tf | 80 | ||||
-rw-r--r-- | terraform/aws/mini_environment/main.tf | 12 |
2 files changed, 64 insertions, 28 deletions
diff --git a/terraform/aws/backend/main.tf b/terraform/aws/backend/main.tf index 56b91b9..20b0bbe 100644 --- a/terraform/aws/backend/main.tf +++ b/terraform/aws/backend/main.tf @@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" { type = "string" } -variable "aws_efs_file_system_id" { - type = "string" -} - variable "ssh_public_key" { type = "string" } @@ -70,6 +66,10 @@ variable "mini_environment_admin_public_ip_address" { type = "string" } +variable "backend_slug" { + type = "string" +} + locals { guix_daemon_substitute_servers = "${join(" ", keys(var.guix_substitute_servers))}" } @@ -84,10 +84,6 @@ data "aws_route53_zone" "main" { zone_id = "${var.aws_route_53_zone_id}" } -data "aws_efs_file_system" "main" { - file_system_id = "${var.aws_efs_file_system_id}" -} - data "template_file" "guix_daemon_service" { template = "${file("${path.module}/guix-daemon.service.tpl")}" 
@@ -96,13 +92,37 @@ data "template_file" "guix_daemon_service" { } } +data "aws_availability_zones" "available" {} + + +resource "aws_default_subnet" "main" { + count = "${length(data.aws_availability_zones.available.names)}" + availability_zone = "${data.aws_availability_zones.available.names[count.index]}" +} + +resource "aws_efs_file_system" "main" { + creation_token = "govuk_mini_environment_admin/${var.backend_slug}" + + tags { + Name = "govuk_mini_environment_admin/${var.backend_slug}" + } +} + +resource "aws_efs_mount_target" "main" { + count = "${length(data.aws_availability_zones.available.names)}" + file_system_id = "${aws_efs_file_system.main.id}" + subnet_id = "${aws_default_subnet.main.*.id[count.index]}" + + security_groups = ["${aws_security_group.efs_mount_target.id}"] +} resource "aws_key_pair" "deployer" { + key_name = "govuk_mini_environment_admin/${var.backend_slug}/deployer" public_key = "${var.ssh_public_key}" } resource "aws_security_group" "public_webserver" { - name = "govuk_mini_environment_admin_public_webserver" + name = "govuk_mini_environment_admin/${var.backend_slug}/public_webserver" description = "For instances running public facing web servers" vpc_id = "${var.aws_vpc_id}" @@ -136,7 +156,7 @@ resource "aws_security_group" "public_webserver" { } resource "aws_security_group" "ssh_access_from_mini_environment_admin" { - name = "govuk_mini_environment_admin_ssh_access_from_mini_environment_admin" + name = "govuk_mini_environment_admin/${var.backend_slug}/ssh_access_from_mini_environment_admin" description = "For instances that need SSH access for Terraform and Guix builds" vpc_id = "${var.aws_vpc_id}" 
@@ -149,7 +169,7 @@ resource "aws_security_group" "ssh_access_from_mini_environment_admin" { } resource "aws_security_group" "guix_client" { - name = "govuk_mini_environment_admin_guix_client" + name = "govuk_mini_environment_admin/${var.backend_slug}/guix_client" description = "For instances with access to the guix_daemon instance" vpc_id = "${var.aws_vpc_id}" @@ -162,7 +182,7 @@ resource "aws_security_group" "guix_client" { } resource "aws_security_group" "guix_daemon" { - name = "govuk_mini_environment_admin_guix_daemon" + name = "govuk_mini_environment_admin/${var.backend_slug}/guix_daemon" description = "For the guix_daemon instance." vpc_id = "${var.aws_vpc_id}" @@ -182,7 +202,7 @@ resource "aws_security_group" "guix_daemon" { } resource "aws_security_group" "efs_mount_target" { - name = "govuk_mini_environment_admin_efs_mount_target" + name = "govuk_mini_environment_admin/${var.backend_slug}/efs_mount_target" description = "For the EFS File System mount targets" vpc_id = "${var.aws_vpc_id}" @@ -210,6 +230,8 @@ resource "aws_spot_instance_request" "main" { wait_for_fulfillment = true spot_price = "0.05" + depends_on = ["aws_efs_mount_target.main"] + provisioner "file" { content = "${data.template_file.guix_daemon_service.rendered}" destination = "/home/ubuntu/guix-daemon.service" 
@@ -237,10 +259,21 @@ resource "aws_spot_instance_request" "main" { "sudo apt-get -y install nfs-common cachefilesd nscd", "sudo tune2fs -o user_xattr /dev/xvda1", "sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd", - "echo \"${data.aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", - "echo \"${data.aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", - "echo \"${data.aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", - "sudo mkdir -p /var/guix /gnu/store /mnt/efs", + "sudo mkdir -p /mnt/efs", + "echo \"${aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", + "sudo mount -a", + <<EOF +if [ ! -d "/mnt/efs/gnu" ]; then + cd /mnt/efs + sudo wget https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz + sudo tar --warning=no-timestamp -xf guix-binary-0.14.0.x86_64-linux.tar.xz + cd - +fi +EOF + , + "sudo mkdir -p /gnu/store /var/guix", + "echo \"${aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", + "echo \"${aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", "sudo mount -a", "sudo mv /home/ubuntu/guix-daemon.service /etc/systemd/system/guix-daemon.service", "sudo mkdir /etc/guix", 
@@ -259,7 +292,14 @@ EOF "sudo systemctl daemon-reload", "sudo systemctl enable guix-daemon.service", "sudo systemctl start guix-daemon.service", - "ln -s /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile", + <<EOF +if [ ! -d "/var/guix/profiles/per-user/ubuntu" ]; then + /var/guix/profiles/per-user/root/guix-profile/bin/guix package -i guile guix +else + ln -s /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile +fi +EOF + , # This is needed for things like guix copy to work "echo 'GUIX_PROFILE=/home/ubuntu/.guix-profile; source /home/ubuntu/.guix-profile/etc/profile' | cat - .bashrc > temp && mv temp .bashrc" ] @@ -300,3 +340,7 @@ output "ssh_access_from_mini_environment_admin_security_group_name" { output "guix_daemon_private_dns" { value = "${aws_spot_instance_request.main.private_dns}" } + +output "efs_file_system_dns_name" { + value = "${aws_efs_file_system.main.dns_name}" +} diff --git a/terraform/aws/mini_environment/main.tf b/terraform/aws/mini_environment/main.tf index 4f9b9c3..f5db361 100644 --- a/terraform/aws/mini_environment/main.tf +++ b/terraform/aws/mini_environment/main.tf @@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" { type = "string" } -variable "aws_efs_file_system_id" { - type = "string" -} - variable "start_command" { type = "string" } @@ -52,10 +48,6 @@ data "aws_route53_zone" "main" { zone_id = "${var.aws_route_53_zone_id}" } -data "aws_efs_file_system" "main" { - file_system_id = "${var.aws_efs_file_system_id}" -} - data "template_file" "govuk_service" { template = "${file("${path.module}/govuk.service.tpl")}" 
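Review bot: The bootstrap heredoc added to the provisioner command list in hunk `@@ -237,10 +259,21 @@` downloads `guix-binary-0.14.0.x86_64-linux.tar.xz` and extracts it as root into `/mnt/efs`, which is the root of the EFS file system every mini environment later mounts as `/gnu/store`, without any integrity check on the archive; and because the `if` block ends with `cd -`, a failed `wget` or `tar` is masked and provisioning continues with a half-populated store. I would open the script with `set -e` and pin the archive before extracting, e.g. `echo "<sha256 of the 0.14.0 tarball — fill in>  guix-binary-0.14.0.x86_64-linux.tar.xz" | sha256sum -c -` (or verify the detached signature published alongside the tarball), so a tampered or truncated download aborts the apply rather than seeding the shared store. Separately, the new `aws_efs_file_system.main` resource in hunk `@@ -96,13 +92,37 @@` holds the store and `/var/guix` for all environments but is created without `encrypted = true`; worth adding unless unencrypted storage is a deliberate choice. The enclosing `aws_spot_instance_request.main` resource starts and ends outside the hunk.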
@@ -96,9 +88,9 @@ resource "aws_spot_instance_request" "main" { "sudo tune2fs -o user_xattr /dev/xvda1", "sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd", "sudo mkdir -p /gnu/store", - "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.aws_efs_file_system.main.dns_name}:gnu/store /gnu/store", + "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:gnu/store /gnu/store", "sudo mkdir -p /var/guix", - "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.aws_efs_file_system.main.dns_name}:var/guix /var/guix", + "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:var/guix /var/guix", "echo \"export GUIX_DAEMON_SOCKET=guix://${data.terraform_remote_state.backend.guix_daemon_private_dns}\" | sudo tee /etc/profile.d/guix-daemon-socket.sh", #"sudo systemctl restart cachefilesd", "sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080", |