From fc1e5260603ff0f6030c4aed7874c8ea3b532e5c Mon Sep 17 00:00:00 2001
From: Christopher Baines
Date: Thu, 3 May 2018 21:44:06 +0100
Subject: Improve the AWS backend

This gets the AWS backend to the point where you can deploy the backend, and then a mini environment without any actions outside of the govuk-mini-environment-admin.
---
 terraform/aws/backend/guix-daemon.service.tpl | 17 ++
 terraform/aws/backend/main.tf | 302 ++++++++++++++++++++++++++
 terraform/aws/mini_environment.tf | 138 ------------
 terraform/aws/mini_environment/main.tf | 145 +++++++++++++
 4 files changed, 464 insertions(+), 138 deletions(-)
 create mode 100644 terraform/aws/backend/guix-daemon.service.tpl
 create mode 100644 terraform/aws/backend/main.tf
 delete mode 100644 terraform/aws/mini_environment.tf
 create mode 100644 terraform/aws/mini_environment/main.tf
(limited to 'terraform')

diff --git a/terraform/aws/backend/guix-daemon.service.tpl b/terraform/aws/backend/guix-daemon.service.tpl
new file mode 100644
index 0000000..adf07a1
--- /dev/null
+++ b/terraform/aws/backend/guix-daemon.service.tpl
@@ -0,0 +1,17 @@
+[Unit]
+Description=Build daemon for GNU Guix
+
+[Service]
+ExecStart=/var/guix/profiles/per-user/root/guix-profile/bin/guix-daemon --build-users-group=guixbuild --disable-deduplication --substitute-urls="${substitute_servers}" --listen=0.0.0.0 --listen=/var/guix/daemon-socket/socket --max-jobs=16
+Environment=GUIX_LOCPATH=/root/.guix-profile/lib/locale
+RemainAfterExit=yes
+StandardOutput=syslog
+StandardError=syslog
+
+# See .
+# Some package builds (for example, go@1.8.1) may require even more than
+# 1024 tasks.
+TasksMax=8192
+
+[Install]
+WantedBy=multi-user.target
diff --git a/terraform/aws/backend/main.tf b/terraform/aws/backend/main.tf
new file mode 100644
index 0000000..56b91b9
--- /dev/null
+++ b/terraform/aws/backend/main.tf
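Review bot: `--listen=0.0.0.0` on the ExecStart line binds the daemon's TCP endpoint on every interface of the host, and the Guix manual is explicit that the TCP listener performs no client authentication, so as far as this page shows the only thing bounding who can drive the daemon is the `guix_client` security group exported from backend/main.tf. That dependency should be recorded next to the option, e.g. `# --listen=0.0.0.0: the TCP socket is unauthenticated; reachability is limited solely by the guix_client security group in main.tf.`, and a bind to the instance's private address is worth considering if the security group members are the only intended clients. The `# See .` comment has lost its URL in this rendering; the reference should be restored or the comment dropped. `${substitute_servers}` is presumably rendered from the `guix_substitute_servers` map declared in backend/main.tf, but the template_file block that does the rendering is not visible on this page.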
@@ -0,0 +1,302 @@ +terraform { + backend "http" {} +} + +variable "aws_access_key" { + type = "string" +} + +variable "aws_secret_key" { + type = "string" +} + +variable "aws_region" { + type = "string" +} + +variable "aws_vpc_id" { + type = "string" +} + +variable "aws_route_53_zone_id" { + type = "string" +} + +variable "aws_efs_file_system_id" { + type = "string" +} + +variable "ssh_public_key" { + type = "string" +} + +variable "guix_substitute_servers" { + type = "map" + default = { + "https://berlin.guixsd.org" = < temp && mv temp .bashrc" + ] + + connection { + type = "ssh" + user = "ubuntu" + } + } +} + +resource "aws_route53_record" "main" { + zone_id = "${data.aws_route53_zone.main.zone_id}" + name = "guix-daemon" + type = "A" + ttl = "60" + records = ["${aws_spot_instance_request.main.public_ip}"] +} + +# Outputs + +output "deployer_key_pair_name" { + value = "${aws_key_pair.deployer.key_name}" +} + +output "guix_client_security_group_name" { + value = "${aws_security_group.guix_client.name}" +} + +output "public_webserver_security_group_name" { + value = "${aws_security_group.public_webserver.name}" +} + +output "ssh_access_from_mini_environment_admin_security_group_name" { + value = "${aws_security_group.ssh_access_from_mini_environment_admin.name}" +} + +output "guix_daemon_private_dns" { + value = "${aws_spot_instance_request.main.private_dns}" +} diff --git a/terraform/aws/mini_environment.tf b/terraform/aws/mini_environment.tf deleted file mode 100644 index 06bc0f3..0000000 --- a/terraform/aws/mini_environment.tf +++ /dev/null 
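Review bot: `aws_route53_record.main` publishes the daemon host's public IP under the name `guix-daemon`, while the mini environment consumes the `guix_daemon_private_dns` output; since the unit file in guix-daemon.service.tpl binds the unauthenticated daemon on all interfaces, this public name gives a routable address to that service and only the instance's security groups stand between it and the internet. A comment on the record saying what the public name is for (administrative SSH, presumably) and that the daemon port must stay closed on the public side would make the intent checkable, e.g. `# Public name is for administrative SSH only; clients reach the daemon via the private DNS output.`. The backend also runs on an `aws_spot_instance_request`, so an interruption takes down the daemon that every mini environment's `GUIX_DAEMON_SOCKET` points at; if that is accepted, the trade-off deserves a note on the resource. Most of this hunk, from the `guix_substitute_servers` default through to the `.bashrc` step of the remote-exec provisioner, is missing on this page (a heredoc appears to have been swallowed in rendering), so the security group rules and the host's provisioning could not be reviewed here.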
@@ -1,138 +0,0 @@
-terraform {
- backend "http" {}
-}
-
-variable "slug" {
- type = "string"
-}
-
-variable "aws_access_key" {
- type = "string"
-}
-
-variable "aws_secret_key" {
- type = "string"
-}
-
-variable "aws_region" {
- type = "string"
-}
-
-variable "ssh_public_key" {
- type = "string"
-}
-
-variable "start_command" {
- type = "string"
-}
-
-provider "aws" {
- access_key = "${var.aws_access_key}"
- secret_key = "${var.aws_secret_key}"
- region = "${var.aws_region}"
-}
-
-resource "aws_key_pair" "deployer" {
- public_key = "${var.ssh_public_key}"
-}
-
-data "aws_security_group" "guix-client" {
- id = "sg-d8003ba3"
-}
-
-data "aws_instance" "guix-daemon" {
- instance_id = "i-010e25f85dfa73e72"
-}
-
-data "aws_route53_zone" "main" {
- zone_id = "ZD004G8DN6AQZ"
-}
-
-data "aws_efs_file_system" "main" {
- file_system_id = "fs-81e05e48"
-}
-
-data "template_file" "govuk_service" {
- template = "${file("${path.module}/mini_environment/govuk.service.tpl")}"
-
- vars {
- start_command = "${var.start_command}"
- }
-}
-
-resource "aws_spot_instance_request" "example" {
- ami = "ami-8fd760f6"
- instance_type = "t2.large"
- key_name = "${aws_key_pair.deployer.key_name}"
- security_groups = [
- "${data.aws_security_group.guix-client.name}",
- "default",
- "public-webserver"
- ]
-
- wait_for_fulfillment = true
- spot_price = "0.05"
-
- provisioner "file" {
- content = "${data.template_file.govuk_service.rendered}"
- destination = "/home/ubuntu/govuk.service"
-
- connection {
- type = "ssh"
- user = "ubuntu"
- }
- }
-
- provisioner "remote-exec" {
- inline = [
- "sudo apt-get update",
- "sudo apt-get update",
- "sudo apt-get -y install nfs-common cachefilesd",
- "sudo tune2fs -o user_xattr /dev/xvda1",
- "sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
- "sudo mkdir -p /gnu/store",
- "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.aws_efs_file_system.main.dns_name}:gnu/store /gnu/store",
- "sudo mkdir -p /var/guix",
- "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.aws_efs_file_system.main.dns_name}:var/guix /var/guix",
- "echo \"export GUIX_DAEMON_SOCKET=guix://${data.aws_instance.guix-daemon.private_dns}\" | sudo tee /etc/profile.d/guix-daemon-socket.sh",
- #"sudo systemctl restart cachefilesd",
- "sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080",
- "sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443",
- "sudo mv /home/ubuntu/govuk.service /etc/systemd/system/govuk.service",
- "sudo systemctl daemon-reload",
- "sudo systemctl enable govuk.service",
- "sudo systemctl start govuk.service"
- ]
-
- connection {
- type = "ssh"
- user = "ubuntu"
- }
- }
-}
-
-resource "aws_route53_record" "example" {
- zone_id = "${data.aws_route53_zone.main.zone_id}"
- name = "${var.slug}"
- type = "A"
- ttl = "60"
- records = ["${aws_spot_instance_request.example.public_ip}"]
-}
-
-resource "aws_route53_record" "example_wildcard" {
- zone_id = "${data.aws_route53_zone.main.zone_id}"
- name = "*.${var.slug}"
- type = "A"
- ttl = "60"
- records = ["${aws_spot_instance_request.example.public_ip}"]
-}
-
-# Outputs
-
-output "spot_bid_status" {
- value = "${aws_spot_instance_request.example.spot_bid_status}"
-}
-
-output "spot_request_status" {
- value = "${aws_spot_instance_request.example.spot_request_state}"
-}
diff --git a/terraform/aws/mini_environment/main.tf b/terraform/aws/mini_environment/main.tf
new file mode 100644
index 0000000..4f9b9c3
--- /dev/null
+++ b/terraform/aws/mini_environment/main.tf
@@ -0,0 +1,145 @@
+terraform {
+ backend "http" {}
+}
+
+variable "slug" {
+ type = "string"
+}
+
+variable "aws_access_key" {
+ type = "string"
+}
+
+variable "aws_secret_key" {
+ type = "string"
+}
+
+variable "aws_region" {
+ type = "string"
+}
+
+variable "aws_route_53_zone_id" {
+ type = "string"
+}
+
+variable "aws_efs_file_system_id" {
+ type = "string"
+}
+
+variable "start_command" {
+ type = "string"
+}
+
+variable "backend_remote_state_address" {
+ type = "string"
+}
+
+provider "aws" {
+ access_key = "${var.aws_access_key}"
+ secret_key = "${var.aws_secret_key}"
+ region = "${var.aws_region}"
+}
+
+
+data "terraform_remote_state" "backend" {
+ backend = "http"
+ config {
+ address = "${var.backend_remote_state_address}"
+ }
+}
+
+data "aws_route53_zone" "main" {
+ zone_id = "${var.aws_route_53_zone_id}"
+}
+
+data "aws_efs_file_system" "main" {
+ file_system_id = "${var.aws_efs_file_system_id}"
+}
+
+data "template_file" "govuk_service" {
+ template = "${file("${path.module}/govuk.service.tpl")}"
+
+ vars {
+ start_command = "${var.start_command}"
+ }
+}
+
+
+resource "aws_spot_instance_request" "main" {
+ ami = "ami-8fd760f6"
+ instance_type = "t2.large"
+ key_name = "${data.terraform_remote_state.backend.deployer_key_pair_name}"
+ security_groups = [
+ "${data.terraform_remote_state.backend.guix_client_security_group_name}",
+ "${data.terraform_remote_state.backend.public_webserver_security_group_name}",
+ "${data.terraform_remote_state.backend.ssh_access_from_mini_environment_admin_security_group_name}"
+ ]
+
+ wait_for_fulfillment = true
+ spot_price = "0.05"
+
+ provisioner "file" {
+ content = "${data.template_file.govuk_service.rendered}"
+ destination = "/home/ubuntu/govuk.service"
+
+ connection {
+ type = "ssh"
+ user = "ubuntu"
+ }
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "sudo apt-get update",
+ "sudo apt-get update",
+ "sudo apt-get -y install nfs-common cachefilesd",
+ "sudo tune2fs -o user_xattr /dev/xvda1",
+ "sudo sed 's/#RUN/RUN/' -i /etc/default/cachefilesd",
+ "sudo mkdir -p /gnu/store",
+ "sudo mount -t nfs4 -o ro,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,actimeo=600,fsc,nocto,retrans=2 ${data.aws_efs_file_system.main.dns_name}:gnu/store /gnu/store",
+ "sudo mkdir -p /var/guix",
+ "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${data.aws_efs_file_system.main.dns_name}:var/guix /var/guix",
+ "echo \"export GUIX_DAEMON_SOCKET=guix://${data.terraform_remote_state.backend.guix_daemon_private_dns}\" | sudo tee /etc/profile.d/guix-daemon-socket.sh",
+ #"sudo systemctl restart cachefilesd",
+ "sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080",
+ "sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443",
+ "sudo iptables -A OUTPUT -t nat -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080",
+ "sudo iptables -A OUTPUT -t nat -o lo -p tcp --dport 443 -j REDIRECT --to-port 8443",
+ "sudo mv /home/ubuntu/govuk.service /etc/systemd/system/govuk.service",
+ "sudo systemctl daemon-reload",
+ "sudo systemctl enable govuk.service",
+ "sudo systemctl start govuk.service"
+ ]
+
+ connection {
+ type = "ssh"
+ user = "ubuntu"
+ }
+ }
+}
+
+resource "aws_route53_record" "main" {
+ zone_id = "${data.aws_route53_zone.main.zone_id}"
+ name = "${var.slug}"
+ type = "A"
+ ttl = "60"
+ records = ["${aws_spot_instance_request.main.public_ip}"]
+}
+
+resource "aws_route53_record" "wildcard" {
+ zone_id = "${data.aws_route53_zone.main.zone_id}"
+ name = "*.${var.slug}"
+ type = "A"
+ ttl = "60"
+ records = ["${aws_spot_instance_request.main.public_ip}"]
+}
+
+# Outputs
+
+output "spot_bid_status" {
+ value = "${aws_spot_instance_request.main.spot_bid_status}"
+}
+
+output "spot_request_status" {
+ value = "${aws_spot_instance_request.main.spot_request_state}"
+}
-- cgit v1.2.3
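Review bot: The four `iptables -A PREROUTING`/`OUTPUT` redirects in the remote-exec provisioner exist only in the running kernel; nothing in the inline list persists them, so after a reboot port 80/443 traffic no longer reaches the govuk.service ports while the `main` and `wildcard` Route53 records still point at the host. Either persist the rules in the same step or record the limitation next to them, e.g. `# NAT redirects are not persisted; a reboot of the instance drops them.`. The first two inline lines both run `sudo apt-get update`, which is redundant. `/var/guix` is mounted read-write from EFS whereas `/gnu/store` is mounted `ro`; if the mini environment only needs to read the profiles and database there (this page does not show which), a read-only mount would stop a compromised environment from altering daemon state shared with the backend. The `terraform_remote_state` http backend is configured with only an `address`; the page does not show whether that state endpoint requires authentication, which matters because the outputs pulled from it decide which security groups this instance gets.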