From 93c1c6e5b76ed712f6c5107c6a124025279996d6 Mon Sep 17 00:00:00 2001
From: Christopher Baines
Date: Sun, 3 Jun 2018 13:06:30 +0100
Subject: Change how the EFS File System is handled

For the AWS backend. Bring it in to the Terraform configuration for the backend, where previously only the id was known.

Also, alter the provisioning so that it can handle an empty EFS file system.

This reduces the amount of manual setup required for AWS.
---
 terraform/aws/backend/main.tf | 80 ++++++++++++++++++++++++++--------
 terraform/aws/mini_environment/main.tf | 12 +----
 2 files changed, 64 insertions(+), 28 deletions(-)

(limited to 'terraform')

diff --git a/terraform/aws/backend/main.tf b/terraform/aws/backend/main.tf
index 56b91b9..20b0bbe 100644
--- a/terraform/aws/backend/main.tf
+++ b/terraform/aws/backend/main.tf
@@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" {
   type = "string"
 }
 
-variable "aws_efs_file_system_id" {
-  type = "string"
-}
-
 variable "ssh_public_key" {
   type = "string"
 }
@@ -70,6 +66,10 @@ variable "mini_environment_admin_public_ip_address" {
   type = "string"
 }
 
+variable "backend_slug" {
+  type = "string"
+}
+
 locals {
   guix_daemon_substitute_servers = "${join(" ", keys(var.guix_substitute_servers))}"
 }
@@ -84,10 +84,6 @@ data "aws_route53_zone" "main" {
   zone_id = "${var.aws_route_53_zone_id}"
 }
 
-data "aws_efs_file_system" "main" {
-  file_system_id = "${var.aws_efs_file_system_id}"
-}
-
 data "template_file" "guix_daemon_service" {
   template = "${file("${path.module}/guix-daemon.service.tpl")}"
 
@@ -96,13 +92,37 @@ data "template_file" "guix_daemon_service" {
   }
 }
 
+data "aws_availability_zones" "available" {}
+
+
+resource "aws_default_subnet" "main" {
+  count = "${length(data.aws_availability_zones.available.names)}"
+  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+}
+
+resource "aws_efs_file_system" "main" {
+  creation_token = "govuk_mini_environment_admin/${var.backend_slug}"
+
+  tags {
+    Name = "govuk_mini_environment_admin/${var.backend_slug}"
+  }
+}
+
+resource "aws_efs_mount_target" "main" {
+  count = "${length(data.aws_availability_zones.available.names)}"
+  file_system_id = "${aws_efs_file_system.main.id}"
+  subnet_id = "${aws_default_subnet.main.*.id[count.index]}"
+
+  security_groups = ["${aws_security_group.efs_mount_target.id}"]
+}
 
 resource "aws_key_pair" "deployer" {
+  key_name = "govuk_mini_environment_admin/${var.backend_slug}/deployer"
   public_key = "${var.ssh_public_key}"
 }
 
 resource "aws_security_group" "public_webserver" {
-  name = "govuk_mini_environment_admin_public_webserver"
+  name = "govuk_mini_environment_admin/${var.backend_slug}/public_webserver"
   description = "For instances running public facing web servers"
   vpc_id = "${var.aws_vpc_id}"
 
@@ -136,7 +156,7 @@ resource "aws_security_group" "public_webserver" {
 }
 
 resource "aws_security_group" "ssh_access_from_mini_environment_admin" {
-  name = "govuk_mini_environment_admin_ssh_access_from_mini_environment_admin"
+  name = "govuk_mini_environment_admin/${var.backend_slug}/ssh_access_from_mini_environment_admin"
   description = "For instances that need SSH access for Terraform and Guix builds"
   vpc_id = "${var.aws_vpc_id}"
 
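Review bot: `aws_efs_file_system.main` is declared without `encrypted = true`, so the file system that now backs `/gnu/store` and `/var/guix` for every environment is unencrypted at rest, and nothing protects it from deletion now that it is a Terraform-managed resource rather than an externally created id passed in by variable. Encryption can only be chosen at creation (changing it later means a replacement), so set it before the first apply, and add `lifecycle { prevent_destroy = true }` so a `terraform destroy` of the backend or a change to `creation_token` cannot drop the shared store from under running mini environments. Separately, the mount targets are placed in `aws_default_subnet` (which is always the account's default VPC) while `aws_security_group.efs_mount_target` is created in `var.aws_vpc_id`; if that variable is ever anything other than the default VPC, AWS will reject the mount targets, so either derive the subnets from `var.aws_vpc_id` or document the default-VPC assumption next to the variable.
```terraform
resource "aws_efs_file_system" "main" {
  creation_token = "govuk_mini_environment_admin/${var.backend_slug}"
  # Encryption at rest can only be enabled when the file system is created.
  encrypted      = true

  # This file system holds the shared /gnu/store and /var/guix; never let a
  # destroy or a forced replacement remove it implicitly.
  lifecycle {
    prevent_destroy = true
  }

  # … unchanged: tags …
}
```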
@@ -149,7 +169,7 @@ resource "aws_security_group" "ssh_access_from_mini_environment_admin" {
 }
 
 resource "aws_security_group" "guix_client" {
-  name = "govuk_mini_environment_admin_guix_client"
+  name = "govuk_mini_environment_admin/${var.backend_slug}/guix_client"
   description = "For instances with access to the guix_daemon instance"
   vpc_id = "${var.aws_vpc_id}"
 
@@ -162,7 +182,7 @@ resource "aws_security_group" "guix_client" {
 }
 
 resource "aws_security_group" "guix_daemon" {
-  name = "govuk_mini_environment_admin_guix_daemon"
+  name = "govuk_mini_environment_admin/${var.backend_slug}/guix_daemon"
   description = "For the guix_daemon instance."
   vpc_id = "${var.aws_vpc_id}"
 
@@ -182,7 +202,7 @@ resource "aws_security_group" "guix_daemon" {
 }
 
 resource "aws_security_group" "efs_mount_target" {
-  name = "govuk_mini_environment_admin_efs_mount_target"
+  name = "govuk_mini_environment_admin/${var.backend_slug}/efs_mount_target"
   description = "For the EFS File System mount targets"
   vpc_id = "${var.aws_vpc_id}"
 
@@ -210,6 +230,8 @@ resource "aws_spot_instance_request" "main" {
   wait_for_fulfillment = true
   spot_price = "0.05"
 
+  depends_on = ["aws_efs_mount_target.main"]
+
   provisioner "file" {
     content = "${data.template_file.guix_daemon_service.rendered}"
     destination = "/home/ubuntu/guix-daemon.service"
@@ -237,10 +259,21 @@ resource "aws_spot_instance_request" "main" { "sudo apt-get -y install nfs-common cachefilesd nscd", "sudo tune2fs -o user_xattr /dev/xvda1", "sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd", - "echo \"${data.aws_efs_file_system.main.dns_name}:/var/guix /var/guix nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", - "echo \"${data.aws_efs_file_system.main.dns_name}:/gnu/store /gnu/store nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", - "echo \"${data.aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", - "sudo mkdir -p /var/guix /gnu/store /mnt/efs", + "sudo mkdir -p /mnt/efs", + "echo \"${aws_efs_file_system.main.dns_name}:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,fsc,hard,timeo=600,retrans=2 0 0\" | sudo tee -a /etc/fstab", + "sudo mount -a", + < temp && mv temp .bashrc" ] @@ -300,3 +340,7 @@ output "ssh_access_from_mini_environment_admin_security_group_name" { output "guix_daemon_private_dns" { value = "${aws_spot_instance_request.main.private_dns}" } + +output "efs_file_system_dns_name" { + value = "${aws_efs_file_system.main.dns_name}" +} diff --git a/terraform/aws/mini_environment/main.tf b/terraform/aws/mini_environment/main.tf index 4f9b9c3..f5db361 100644 --- a/terraform/aws/mini_environment/main.tf +++ b/terraform/aws/mini_environment/main.tf @@ -22,10 +22,6 @@ variable "aws_route_53_zone_id" { type = "string" } -variable "aws_efs_file_system_id" { - type = "string" -} - variable "start_command" { type = "string" } @@ -52,10 +48,6 @@ data "aws_route53_zone" "main" { zone_id = "${var.aws_route_53_zone_id}" } -data "aws_efs_file_system" "main" { - file_system_id = "${var.aws_efs_file_system_id}" -} - data "template_file" "govuk_service" { template = "${file("${path.module}/govuk.service.tpl")}" 
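Review bot: The new `"sudo mount -a"` runs immediately after the fstab entry is appended, whereas the removed lines only wrote fstab without mounting, so the apply now fails outright if the EFS DNS name of the just-created mount target is not yet resolvable from the instance; wrap it in a bounded retry such as `"for i in $(seq 1 30); do sudo mount -a && break; sleep 10; done"` and make the final attempt fail loudly if it never succeeds. The single root mount at `/mnt/efs` also carries `fsc`, while the removed `/var/guix` entry deliberately did not: if the daemon's mutable state under `/var/guix` is now reached through `/mnt/efs` and the same export is written by the mini environments, FS-Cache can serve stale reads, so keep `fsc` on the `/gnu/store` path only (for example by retaining a separate `/var/guix` mount without it). The `inline` list this hunk edits starts before the hunk, and the added lines between `"sudo mount -a"` and `< temp && mv temp .bashrc"` are missing from this rendering, so the directory setup that is meant to handle an empty file system could not be reviewed here.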
@@ -96,9 +88,9 @@ resource "aws_spot_instance_request" "main" {
       "sudo tune2fs -o user_xattr /dev/xvda1",
       "sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
       "sudo mkdir -p /gnu/store",
-      "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.aws_efs_file_system.main.dns_name}:gnu/store /gnu/store",
+      "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:gnu/store /gnu/store",
       "sudo mkdir -p /var/guix",
-      "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.aws_efs_file_system.main.dns_name}:var/guix /var/guix",
+      "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.terraform_remote_state.backend.efs_file_system_dns_name}:var/guix /var/guix",
       "echo \"export GUIX_DAEMON_SOCKET=guix://${data.terraform_remote_state.backend.guix_daemon_private_dns}\" | sudo tee /etc/profile.d/guix-daemon-socket.sh",
       #"sudo systemctl restart cachefilesd",
       "sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080",
-- 
cgit v1.2.3
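Review bot: Both mount commands now take the EFS host from `data.terraform_remote_state.backend.efs_file_system_dns_name`, an output that only exists once the backend has been applied with this change, so a mini environment planned against an older backend state will, as far as I can tell, fail with an unknown-attribute error rather than a clear message; that ordering is not documented anywhere in the hunk. Add a comment above the first mount line such as `# The EFS file system is created by the backend stack; the backend must be applied first so its efs_file_system_dns_name output exists.` The `inline` list this hunk edits starts and ends outside the hunk.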