Diffstat (limited to 'terraform')
-rw-r--r--terraform/aws/backend/main.tf80
-rw-r--r--terraform/aws/mini_environment/main.tf12
2 files changed, 64 insertions, 28 deletions
diff --git a/terraform/aws/backend/main.tf b/terraform/aws/backend/main.tf
index 56b91b9..20b0bbe 100644
--- a/terraform/aws/backend/main.tf
+++ b/terraform/aws/backend/main.tf
@@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" {
type = "string"
}
-variable "aws_efs_file_system_id" {
- type = "string"
-}
-
variable "ssh_public_key" {
type = "string"
}
@@ -70,6 +66,10 @@ variable "mini_environment_admin_public_ip_address" {
type = "string"
}
+variable "backend_slug" {
+ type = "string"
+}
+
locals {
guix_daemon_substitute_servers = "${join(" ", keys(var.guix_substitute_servers))}"
}
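Review bot: `variable "backend_slug"` is declared without a `description`, although it now forms part of every resource name in this module and of the EFS creation token. A one-line description such as `description = "Short identifier for this backend deployment; used in resource names and the EFS creation token"` would tell callers what values are expected. Because a later hunk prepends `govuk_mini_environment_admin/` to it for the creation token, and EFS limits creation tokens to 64 characters, the acceptable slug length is bounded and is worth stating here.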
@@ -84,10 +84,6 @@ data "aws_route53_zone" "main" {
zone_id = "${var.aws_route_53_zone_id}"
}
-data "aws_efs_file_system" "main" {
- file_system_id = "${var.aws_efs_file_system_id}"
-}
-
data "template_file" "guix_daemon_service" {
template = "${file("${path.module}/guix-daemon.service.tpl")}"
@@ -96,13 +92,37 @@ data "template_file" "guix_daemon_service" {
}
}
+data "aws_availability_zones" "available" {}
+
+
+resource "aws_default_subnet" "main" {
+ count = "${length(data.aws_availability_zones.available.names)}"
+ availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+}
+
+resource "aws_efs_file_system" "main" {
+ creation_token = "govuk_mini_environment_admin/${var.backend_slug}"
+
+ tags {
+ Name = "govuk_mini_environment_admin/${var.backend_slug}"
+ }
+}
+
+resource "aws_efs_mount_target" "main" {
+ count = "${length(data.aws_availability_zones.available.names)}"
+ file_system_id = "${aws_efs_file_system.main.id}"
+ subnet_id = "${aws_default_subnet.main.*.id[count.index]}"
+
+ security_groups = ["${aws_security_group.efs_mount_target.id}"]
+}
resource "aws_key_pair" "deployer" {
+ key_name = "govuk_mini_environment_admin/${var.backend_slug}/deployer"
public_key = "${var.ssh_public_key}"
}
resource "aws_security_group" "public_webserver" {
- name = "govuk_mini_environment_admin_public_webserver"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/public_webserver"
description = "For instances running public facing web servers"
vpc_id = "${var.aws_vpc_id}"
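Review bot: `resource "aws_efs_file_system" "main"` does not set `encrypted = true`, so the file system that now holds `/gnu/store` and `/var/guix` for every instance is created with encryption at rest disabled; adding `encrypted = true` (and, since the store is expensive to rebuild, `lifecycle { prevent_destroy = true }`) is the safer default now that this module owns the file system instead of looking up an existing one by id. Separately, `aws_default_subnet` adopts the default VPC's subnets, while the security groups in the same hunk are created in `var.aws_vpc_id`; unless that variable names the default VPC, the mount target's subnet and its security group would live in different VPCs and the apply would presumably fail, so that assumption deserves a comment on the subnet resource. The `creation_token` also prepends a 29-character prefix to `var.backend_slug`, and EFS caps creation tokens at 64 characters, so long slugs will be rejected at apply time rather than at plan time.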
@@ -136,7 +156,7 @@ resource "aws_security_group" "public_webserver" {
}
resource "aws_security_group" "ssh_access_from_mini_environment_admin" {
- name = "govuk_mini_environment_admin_ssh_access_from_mini_environment_admin"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/ssh_access_from_mini_environment_admin"
description = "For instances that need SSH access for Terraform and Guix builds"
vpc_id = "${var.aws_vpc_id}"
@@ -149,7 +169,7 @@ resource "aws_security_group" "ssh_access_from_mini_environment_admin" {
}
resource "aws_security_group" "guix_client" {
- name = "govuk_mini_environment_admin_guix_client"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/guix_client"
description = "For instances with access to the guix_daemon instance"
vpc_id = "${var.aws_vpc_id}"
@@ -162,7 +182,7 @@ resource "aws_security_group" "guix_client" {
}
resource "aws_security_group" "guix_daemon" {
- name = "govuk_mini_environment_admin_guix_daemon"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/guix_daemon"
description = "For the guix_daemon instance."
vpc_id = "${var.aws_vpc_id}"
@@ -182,7 +202,7 @@ resource "aws_security_group" "guix_daemon" {
}
resource "aws_security_group" "efs_mount_target" {
- name = "govuk_mini_environment_admin_efs_mount_target"
+ name = "govuk_mini_environment_admin/${var.backend_slug}/efs_mount_target"
description = "For the EFS File System mount targets"
vpc_id = "${var.aws_vpc_id}"
@@ -210,6 +230,8 @@ resource "aws_spot_instance_request" "main" {
wait_for_fulfillment = true
spot_price = "0.05"
+ depends_on = ["aws_efs_mount_target.main"]
+
provisioner "file" {
content = "${data.template_file.guix_daemon_service.rendered}"
destination = "/home/ubuntu/guix-daemon.service"
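Review bot: `depends_on = ["aws_efs_mount_target.main"]` orders instance creation after the mount targets, but the provisioner's `sudo mount -a` in the following hunk still resolves the file system's DNS name at boot time, and AWS documents that a new mount target's DNS entry can take a short while to become resolvable, so a single `mount -a` may fail on a fresh apply. A bounded retry such as `for i in 1 2 3 4 5 6; do sudo mount -a && break; sleep 10; done` in place of the bare `sudo mount -a` would make first provisioning robust without changing the steady-state behaviour. The enclosing `aws_spot_instance_request` starts outside the hunk.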
@@ -237,10 +259,21 @@ resource "aws_spot_instance_request" "main" {
"sudo apt-get -y install nfs-common cachefilesd nscd",
"sudo tune2fs -o user_xattr /dev/xvda1",
"sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
- "echo \"${data.aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
- "echo \"${data.aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
- "echo \"${data.aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
- "sudo mkdir -p /var/guix /gnu/store /mnt/efs",
+ "sudo mkdir -p /mnt/efs",
+ "echo \"${aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
+ "sudo mount -a",
+ <<EOF
+if [ ! -d "/mnt/efs/gnu" ]; then
+ cd /mnt/efs
+ sudo wget https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz
+ sudo tar --warning=no-timestamp -xf guix-binary-0.14.0.x86_64-linux.tar.xz
+ cd -
+fi
+EOF
+ ,
+ "sudo mkdir -p /gnu/store /var/guix",
+ "echo \"${aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
+ "echo \"${aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab",
"sudo mount -a",
"sudo mv /home/ubuntu/guix-daemon.service /etc/systemd/system/guix-daemon.service",
"sudo mkdir /etc/guix",
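Review bot: The heredoc added around the `guix-binary-0.14.0` download fetches the tarball and immediately unpacks it as root into `/mnt/efs`, the store shared by every instance, without checking a digest or the signature GNU publishes next to the tarball; a tampered, substituted or truncated download would be extracted into the shared store silently. Pinning the expected SHA-256 in the configuration and refusing to extract on mismatch (or verifying the `.sig` against the Guix release key) closes that gap, and it also gives the script a failure path — as written a failed `wget` still lets `tar` and `cd -` run, and the remote-exec step continues as if bootstrap had succeeded. The surrounding `remote-exec` provisioner and resource start outside the hunk.
```hcl
      <<EOF
if [ ! -d "/mnt/efs/gnu" ]; then
  cd /mnt/efs
  sudo wget https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz || exit 1
  # Pinned digest for this release; replace the placeholder with the published value.
  echo "<SHA256_OF_GUIX_BINARY_0_14_0>  guix-binary-0.14.0.x86_64-linux.tar.xz" | sha256sum -c - || exit 1
  sudo tar --warning=no-timestamp -xf guix-binary-0.14.0.x86_64-linux.tar.xz || exit 1
  cd -
fi
EOF
```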
@@ -259,7 +292,14 @@ EOF
"sudo systemctl daemon-reload",
"sudo systemctl enable guix-daemon.service",
"sudo systemctl start guix-daemon.service",
- "ln -s /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile",
+ <<EOF
+if [ ! -d "/var/guix/profiles/per-user/ubuntu" ]; then
+ /var/guix/profiles/per-user/root/guix-profile/bin/guix package -i guile guix
+else
+ ln -s /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile
+fi
+EOF
+ ,
# This is needed for things like guix copy to work
"echo 'GUIX_PROFILE=/home/ubuntu/.guix-profile; source /home/ubuntu/.guix-profile/etc/profile' | cat - .bashrc > temp && mv temp .bashrc"
]
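Review bot: Only the `else` branch of the new heredoc creates `~/.guix-profile`; the first-boot branch runs `guix package -i guile guix` and relies on that command creating the symlink implicitly, yet the next command unconditionally appends `source /home/ubuntu/.guix-profile/etc/profile` to `.bashrc`. Creating the link explicitly after the `fi` with `ln -sfn /var/guix/profiles/per-user/ubuntu/guix-profile ~/.guix-profile` makes both paths equivalent and removes the dependency on that side effect. The `guix package` call also talks to the daemon started by the immediately preceding `systemctl start`; if the daemon is not yet accepting connections at that point the first provisioning would fail here, and the hunk does not show whether the unit waits for its socket before reporting started. The enclosing resource starts outside the hunk.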
@@ -300,3 +340,7 @@ output "ssh_access_from_mini_environment_admin_security_group_name" {
output "guix_daemon_private_dns" {
value = "${aws_spot_instance_request.main.private_dns}"
}
+
+output "efs_file_system_dns_name" {
+ value = "${aws_efs_file_system.main.dns_name}"
+}
diff --git a/terraform/aws/mini_environment/main.tf b/terraform/aws/mini_environment/main.tf
index 4f9b9c3..f5db361 100644
--- a/terraform/aws/mini_environment/main.tf
+++ b/terraform/aws/mini_environment/main.tf
@@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" {
type = "string"
}
-variable "aws_efs_file_system_id" {
- type = "string"
-}
-
variable "start_command" {
type = "string"
}
@@ -52,10 +48,6 @@ data "aws_route53_zone" "main" {
zone_id = "${var.aws_route_53_zone_id}"
}
-data "aws_efs_file_system" "main" {
- file_system_id = "${var.aws_efs_file_system_id}"
-}
-
data "template_file" "govuk_service" {
template = "${file("${path.module}/govuk.service.tpl")}"
@@ -96,9 +88,9 @@ resource "aws_spot_instance_request" "main" {
"sudo tune2fs -o user_xattr /dev/xvda1",
"sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
"sudo mkdir -p /gnu/store",
- "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.aws_efs_file_system.main.dns_name}:gnu/store /gnu/store",
+ "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:gnu/store /gnu/store",
"sudo mkdir -p /var/guix",
- "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.aws_efs_file_system.main.dns_name}:var/guix /var/guix",
+ "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:var/guix /var/guix",
"echo \"export GUIX_DAEMON_SOCKET=guix://${data.terraform_remote_state.backend.guix_daemon_private_dns}\" | sudo tee /etc/profile.d/guix-daemon-socket.sh",
#"sudo systemctl restart cachefilesd",
"sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080",
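Review bot: Both mount lines now take the EFS host from `data.terraform_remote_state.backend.efs_file_system_dns_name`, which only exists once the backend module has been applied with its new `efs_file_system_dns_name` output; running this module against an older backend state would presumably fail at plan time with a missing attribute, and if the value ever resolved empty the mount source would degrade to `:gnu/store`. A comment above the first mount such as `# Requires the backend state to export efs_file_system_dns_name; apply terraform/aws/backend first` would record that ordering for operators. The enclosing `aws_spot_instance_request` starts outside the hunk.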