Gallery and gateway

This commit is contained in:
Serge Logvinov
2022-05-22 18:32:41 +03:00
parent cb166a6431
commit a255c28c16
15 changed files with 355 additions and 180 deletions


@@ -1,6 +1,6 @@
data "azurerm_image" "talos" {
for_each = { for idx, name in local.regions : name => idx }
name = "talos-amd64-${each.key}"
resource_group_name = local.resource_group
}
# data "azurerm_image" "talos" {
# for_each = { for idx, name in local.regions : name => idx }
# name = "talos-amd64-${each.key}"
# resource_group_name = local.resource_group
# }
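Review bot: The replaced `data "azurerm_image" "talos"` block is kept as commented-out lines rather than deleted, and the same pattern repeats in the old images file, the controlplane `instance_image` line and the commented `diff_disk_settings` block further down; git history already preserves the previous form, so removing the lines keeps the working files readable. If the commented blocks are meant as a documented fallback path, a one-line comment saying when to re-enable them (`# fallback: managed-image lookup, for environments without a shared gallery`) would tell the next reader why they are still there.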

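--- /dev/null
+++ b/azure/images/gallery.tf
@@ -0,0 +1,103 @@
+data "azurerm_resource_group" "kubernetes" {
+name = var.project
+}
+resource "random_id" "images" {
+byte_length = 8
+}
+resource "azurerm_shared_image_gallery" "talos" {
+name = random_id.images.hex
+resource_group_name = data.azurerm_resource_group.kubernetes.name
+location = var.regions[0]
+description = "Shared talos images.\nhttps://www.talos.dev/"
+tags = merge(var.tags, { type = "infra" })
+}
+resource "azurerm_shared_image" "talos" {
+name = "talos"
+gallery_name = azurerm_shared_image_gallery.talos.name
+resource_group_name = data.azurerm_resource_group.kubernetes.name
+location = var.regions[0]
+description = "https://www.talos.dev"
+os_type = "Linux"
+hyper_v_generation = "V2"
+accelerated_network_support_enabled = true
+# specialized = true
+identifier {
+publisher = var.project
+offer = "Talos"
+sku = "1.0-dev"
+}
+}
+resource "azurerm_storage_account" "images" {
+name = random_id.images.hex
+resource_group_name = data.azurerm_resource_group.kubernetes.name
+location = var.regions[0]
+account_tier = "Standard"
+account_replication_type = "LRS"
+blob_properties {
+versioning_enabled = true
+container_delete_retention_policy {
+days = 1
+}
+delete_retention_policy {
+days = 1
+}
+}
+tags = merge(var.tags, { type = "infra" })
+}
+resource "azurerm_storage_container" "images" {
+name = lower(var.project)
+storage_account_name = azurerm_storage_account.images.name
+container_access_type = "private"
+}
+resource "azurerm_storage_blob" "talos" {
+name = "talos-amd64.vhd"
+storage_account_name = azurerm_storage_account.images.name
+storage_container_name = azurerm_storage_container.images.name
+type = "Page"
+source = "${path.module}/disk.vhd"
+}
+resource "azurerm_image" "talos" {
+location = var.regions[0]
+name = "talos-amd64"
+resource_group_name = data.azurerm_resource_group.kubernetes.name
+hyper_v_generation = "V2"
+os_disk {
+os_type = "Linux"
+os_state = "Generalized" # Specialized
+blob_uri = azurerm_storage_blob.talos.url
+caching = "ReadOnly"
+size_gb = 8
+}
+tags = merge(var.tags, { os = "talos" })
+}
+resource "azurerm_shared_image_version" "talos" {
+name = "0.0.2"
+location = var.regions[0]
+resource_group_name = data.azurerm_resource_group.kubernetes.name
+gallery_name = azurerm_shared_image.talos.gallery_name
+image_name = azurerm_shared_image.talos.name
+managed_image_id = azurerm_image.talos.id
+target_region {
+name = var.regions[0]
+regional_replica_count = 1
+storage_account_type = "Standard_LRS"
+}
+}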
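Review bot: The gallery image's `identifier` block sets `publisher = var.project`, while the two consumers added in this commit (the web scale set's `source_image_reference` and the controlplane module's gallery branch) look the image up with `publisher = "talos"`, so the reference only resolves when `var.project` happens to be "talos"; pin one value, e.g. `publisher = "talos"` here, or have the consumers take publisher/offer/sku from the gallery state. It is also worth confirming that `source_image_reference` resolves gallery images at all: that block is the Marketplace lookup, and a shared-gallery image is usually consumed through `source_image_id` on the image version. The storage account that holds the uploaded VHD sets no `min_tls_version`; adding `min_tls_version = "TLS1_2"` keeps the image upload path off legacy TLS, and the private container access type is the right choice for an image source.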


@@ -1,64 +1,64 @@
data "azurerm_resource_group" "kubernetes" {
name = var.project
}
# data "azurerm_resource_group" "kubernetes" {
# name = var.project
# }
resource "random_id" "images" {
byte_length = 8
}
# resource "random_id" "images" {
# byte_length = 8
# }
resource "azurerm_storage_account" "images" {
for_each = { for idx, name in var.regions : name => idx }
location = each.key
name = substr("${random_id.images.hex}${each.key}", 0, 24)
resource_group_name = data.azurerm_resource_group.kubernetes.name
account_tier = "Standard"
account_replication_type = "LRS"
# resource "azurerm_storage_account" "images" {
# for_each = { for idx, name in var.regions : name => idx }
# location = each.key
# name = substr("${random_id.images.hex}${each.key}", 0, 24)
# resource_group_name = data.azurerm_resource_group.kubernetes.name
# account_tier = "Standard"
# account_replication_type = "LRS"
blob_properties {
container_delete_retention_policy {
days = 1
}
delete_retention_policy {
days = 1
}
}
# blob_properties {
# container_delete_retention_policy {
# days = 1
# }
# delete_retention_policy {
# days = 1
# }
# }
tags = merge(var.tags, { type = "infra" })
}
# tags = merge(var.tags, { type = "infra" })
# }
resource "azurerm_storage_container" "images" {
for_each = { for idx, name in var.regions : name => idx }
name = lower(var.project)
storage_account_name = azurerm_storage_account.images[each.key].name
container_access_type = "private"
}
# resource "azurerm_storage_container" "images" {
# for_each = { for idx, name in var.regions : name => idx }
# name = lower(var.project)
# storage_account_name = azurerm_storage_account.images[each.key].name
# container_access_type = "private"
# }
resource "azurerm_storage_blob" "talos" {
for_each = { for idx, name in var.regions : name => idx }
name = "talos-amd64.vhd"
storage_account_name = azurerm_storage_account.images[each.key].name
storage_container_name = azurerm_storage_container.images[each.key].name
type = "Page"
source = "${path.module}/disk.vhd"
}
# resource "azurerm_storage_blob" "talos" {
# for_each = { for idx, name in var.regions : name => idx }
# name = "talos-amd64.vhd"
# storage_account_name = azurerm_storage_account.images[each.key].name
# storage_container_name = azurerm_storage_container.images[each.key].name
# type = "Page"
# source = "${path.module}/disk.vhd"
# }
resource "azurerm_image" "base" {
for_each = { for idx, name in var.regions : name => idx }
location = each.key
name = "talos-amd64-${each.key}"
resource_group_name = data.azurerm_resource_group.kubernetes.name
# resource "azurerm_image" "base" {
# for_each = { for idx, name in var.regions : name => idx }
# location = each.key
# name = "talos-amd64-${each.key}"
# resource_group_name = data.azurerm_resource_group.kubernetes.name
zone_resilient = false
hyper_v_generation = "V2"
# zone_resilient = false
# hyper_v_generation = "V2"
os_disk {
os_type = "Linux"
os_state = "Generalized"
blob_uri = azurerm_storage_blob.talos[each.key].url
caching = "ReadWrite"
size_gb = 8
}
# os_disk {
# os_type = "Linux"
# os_state = "Generalized"
# blob_uri = azurerm_storage_blob.talos[each.key].url
# caching = "ReadWrite"
# size_gb = 8
# }
tags = merge(var.tags, { os = "talos" })
}
# tags = merge(var.tags, { os = "talos" })
# }


@@ -21,9 +21,9 @@ module "controlplane" {
instance_count = lookup(try(var.controlplane[each.key], {}), "count", 0)
instance_resource_group = local.resource_group
instance_type = lookup(try(var.controlplane[each.key], {}), "instance_type", "Standard_B2s")
instance_image = data.azurerm_image.talos[each.key].id
instance_tags = merge(var.tags, { type = "infra" })
instance_secgroup = local.network_secgroup[each.key].controlplane
# instance_image = data.azurerm_image.talos[each.key].id
instance_tags = merge(var.tags, { type = "infra" })
instance_secgroup = local.network_secgroup[each.key].controlplane
instance_params = merge(var.kubernetes, {
lbv4 = local.network_public[each.key].controlplane_lb[0]
lbv6 = try(local.network_public[each.key].controlplane_lb[1], "")


@@ -49,13 +49,20 @@ resource "azurerm_linux_virtual_machine_scale_set" "web" {
public_key = file("~/.ssh/terraform.pub")
}
source_image_id = data.azurerm_image.talos[each.key].id
os_disk {
caching = "ReadOnly"
storage_account_type = "StandardSSD_LRS"
disk_size_gb = 50
}
# source_image_id = data.azurerm_image.talos[each.key].id
source_image_reference {
publisher = "talos"
offer = "Talos"
sku = "1.0-dev"
version = "latest"
}
tags = merge(var.tags, { type = "web" })
boot_diagnostics {}
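Review bot: `version = "latest"` in the new `source_image_reference` means each scale-out resolves whatever gallery version is newest at that moment, so instances of one scale set can run different images and a newly published version reaches production without a plan ever showing it; the controlplane module's gallery branch has the same setting. Pinning to the version published by gallery.tf, `version = "0.0.2"`, turns an image change into an explicit, reviewable diff. If floating on latest is intended, a comment on that line saying so would stop the next reader from "fixing" it.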


@@ -44,6 +44,14 @@
# caching = "ReadOnly"
# storage_account_type = "StandardSSD_LRS"
# disk_size_gb = 50
# dynamic "diff_disk_settings" {
# for_each = var.vm_os_ephemeral ? ["Local"] : []
# content {
# option = diff_disk_settings.value
# placement = "ResourceDisk"
# }
# }
# }
# disable_password_authentication = false


@@ -122,11 +122,11 @@ resource "azurerm_linux_virtual_machine" "controlplane" {
source_image_id = length(var.instance_image) > 0 ? var.instance_image : null
dynamic "source_image_reference" {
for_each = length(var.instance_image) == 0 ? ["debian"] : []
for_each = length(var.instance_image) == 0 ? ["gallery"] : []
content {
publisher = "Debian"
offer = "debian-11"
sku = "11-gen2"
publisher = "talos"
offer = "Talos"
sku = "1.0-dev"
version = "latest"
}
}


@@ -6,7 +6,7 @@ output "controlplane_endpoint" {
output "controlplane_endpoint_public" {
description = "Kubernetes controlplane endpoint public"
value = local.endpoint
value = try(flatten([for c in module.controlplane : c.controlplane_endpoints])[0], "")
}
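Review bot: The `try(..., "")` wraps the whole expression, so it also masks errors unrelated to an empty list — a renamed or missing `controlplane_endpoints` output on the module would surface as an empty endpoint instead of a plan error. Narrowing the fallback to the empty case keeps such errors visible: `value = element(concat(flatten([for c in module.controlplane : c.controlplane_endpoints]), [""]), 0)`. The output also only ever reports the first endpoint across all module instances, which the description "Kubernetes controlplane endpoint public" does not make explicit.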
output "web_endpoint" {

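--- /dev/null
+++ b/azure/prepare/network-gw.tf
@@ -0,0 +1,115 @@
+resource "azurerm_public_ip" "router_v4" {
+for_each = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+location = each.key
+name = "router-${lower(each.key)}-v4"
+resource_group_name = azurerm_resource_group.kubernetes.name
+ip_version = "IPv4"
+sku = azurerm_lb.controlplane[each.key].sku
+allocation_method = azurerm_lb.controlplane[each.key].sku == "Standard" ? "Static" : "Dynamic"
+tags = merge(var.tags, { type = "infra" })
+}
+resource "azurerm_public_ip" "router_v6" {
+for_each = { for idx, name in var.regions : name => idx if azurerm_lb.controlplane[name].sku == "Standard" && try(var.capabilities[name].network_gw_enable, false) }
+location = each.key
+name = "router-${lower(each.key)}-v6"
+resource_group_name = azurerm_resource_group.kubernetes.name
+ip_version = "IPv6"
+sku = azurerm_lb.controlplane[each.key].sku
+allocation_method = "Static"
+tags = merge(var.tags, { type = "infra" })
+}
+resource "azurerm_network_interface" "router" {
+for_each = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+location = each.key
+name = "router-${lower(each.key)}"
+resource_group_name = azurerm_resource_group.kubernetes.name
+enable_ip_forwarding = true
+dynamic "ip_configuration" {
+for_each = azurerm_subnet.public[each.key].address_prefixes
+content {
+name = "router-${lower(each.key)}-v${length(split(".", ip_configuration.value)) > 1 ? "4" : "6"}"
+primary = length(split(".", ip_configuration.value)) > 1
+subnet_id = azurerm_subnet.public[each.key].id
+private_ip_address = cidrhost(ip_configuration.value, -2)
+private_ip_address_version = length(split(".", ip_configuration.value)) > 1 ? "IPv4" : "IPv6"
+private_ip_address_allocation = "Static"
+public_ip_address_id = length(split(".", ip_configuration.value)) > 1 ? azurerm_public_ip.router_v4[each.key].id : try(azurerm_public_ip.router_v6[each.key].id, "")
+}
+}
+tags = merge(var.tags, { type = "infra" })
+}
+resource "azurerm_network_interface_security_group_association" "router" {
+for_each = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+network_interface_id = azurerm_network_interface.router[each.key].id
+network_security_group_id = azurerm_network_security_group.gateway[each.key].id
+}
+# resource "azurerm_network_interface" "router_2" {
+# for_each = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+# location = each.key
+# name = "router-${lower(each.key)}-private"
+# resource_group_name = azurerm_resource_group.kubernetes.name
+# dynamic "ip_configuration" {
+# for_each = azurerm_subnet.private[each.key].address_prefixes
+# content {
+# name = "router-${lower(each.key)}-v${length(split(".", ip_configuration.value)) > 1 ? "4" : "6"}"
+# primary = length(split(".", ip_configuration.value)) > 1
+# subnet_id = azurerm_subnet.private[each.key].id
+# private_ip_address = cidrhost(ip_configuration.value, -2)
+# private_ip_address_version = length(split(".", ip_configuration.value)) > 1 ? "IPv4" : "IPv6"
+# private_ip_address_allocation = "Static"
+# }
+# }
+# tags = merge(var.tags, { type = "infra" })
+# }
+resource "azurerm_linux_virtual_machine" "router" {
+for_each = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }
+location = each.key
+name = "router-${lower(each.key)}"
+computer_name = "router-${lower(each.key)}"
+resource_group_name = azurerm_resource_group.kubernetes.name
+size = lookup(try(var.capabilities[each.key], {}), "network_gw_type", "Standard_B1s")
+allow_extension_operations = false
+provision_vm_agent = false
+network_interface_ids = [azurerm_network_interface.router[each.key].id]
+os_disk {
+name = "router-${lower(each.key)}"
+caching = "ReadOnly"
+storage_account_type = "Standard_LRS"
+disk_size_gb = 32
+}
+admin_username = "debian"
+admin_ssh_key {
+username = "debian"
+public_key = file("~/.ssh/terraform.pub")
+}
+source_image_reference {
+publisher = "Debian"
+offer = "debian-11"
+sku = "11-gen2"
+version = "latest"
+}
+tags = merge(var.tags, { type = "infra" })
+boot_diagnostics {}
+lifecycle {
+ignore_changes = [admin_username, admin_ssh_key, os_disk, source_image_reference, tags]
+}
+}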
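Review bot: The router's `lifecycle.ignore_changes` lists `admin_ssh_key` and `source_image_reference`, so rotating the gateway's admin key or moving it to a patched base image in code will never be applied to an existing VM — Terraform silently keeps the key the router was created with, on a host that has a public IP and accepts SSH from the admin whitelist. Dropping those two entries, `ignore_changes = [admin_username, os_disk, tags]`, makes key rotation an ordinary apply (it may force replacement, which a stateless router can usually afford); if that is not wanted, a comment next to the list should record that key rotation on the gateways is a manual step. Separately, `public_ip_address_id` falls back to `""` when the v6 public IP does not exist; `null` is the value that leaves the attribute unset, whereas an empty string may be rejected as an invalid resource id — `try(azurerm_public_ip.router_v6[each.key].id, null)`.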


@@ -48,13 +48,20 @@ resource "azurerm_route_table" "link" {
for_each = range(0, length(var.network_cidr))
content {
name = "link-${each.value}-${route.value}"
name = "link-${each.key}-v${length(split(".", var.network_cidr[route.value])) > 1 ? "4" : "6"}"
address_prefix = var.network_cidr[route.value]
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = cidrhost(azurerm_subnet.public[each.key].address_prefixes[route.value], -2)
}
}
route {
name = "link-${each.key}-default-v6"
address_prefix = "::/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = cidrhost([for ip in azurerm_subnet.public[each.key].address_prefixes : ip if length(split(".", ip)) == 1][0], -2)
}
tags = merge(var.tags, { type = "infra" })
}
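Review bot: The new default `::/0` route indexes `[...][0]` on the public subnet's IPv6 prefixes, which is a plan error rather than a skipped route for any region whose public subnet only carries an IPv4 prefix, and the route is added unconditionally while the gateway it points at exists only where `network_gw_enable` is set (the `azurerm_route_table` resource and its `for_each` start outside the hunk, so whether that filter already applies cannot be seen here). Turning the route into a `dynamic` block over the IPv6 prefixes yields zero routes instead of a failure, as below. The renamed IPv4 route, `name = "link-${each.key}-v4"`, also collides if `var.network_cidr` ever holds two prefixes of the same family, since the index no longer appears in the name.
```hcl
  # … unchanged: per-network_cidr "link" routes …
  dynamic "route" {
    for_each = [for ip in azurerm_subnet.public[each.key].address_prefixes : ip if length(split(".", ip)) == 1]
    content {
      name                   = "link-${each.key}-default-v6"
      address_prefix         = "::/0"
      next_hop_type          = "VirtualAppliance"
      next_hop_in_ip_address = cidrhost(route.value, -2)
    }
  }
  tags = merge(var.tags, { type = "infra" })
```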


@@ -4,6 +4,11 @@ output "subscription" {
value = var.subscription_id
}
output "project" {
description = "Azure project name"
value = var.project
}
output "regions" {
description = "Azure regions"
value = var.regions


@@ -13,113 +13,3 @@ resource "azurerm_network_security_group" "common" {
tags = merge(var.tags, { type = "infra" })
}
resource "azurerm_network_security_rule" "common_icmp" {
for_each = { for idx, name in var.regions : name => idx }
resource_group_name = azurerm_resource_group.kubernetes.name
network_security_group_name = azurerm_network_security_group.common[each.key].name
name = "icmp"
priority = 1000
direction = "Inbound"
access = "Allow"
protocol = "Icmp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
resource "azurerm_network_security_rule" "common_ssh" {
for_each = { for idx, name in var.regions : name => idx }
resource_group_name = azurerm_resource_group.kubernetes.name
network_security_group_name = azurerm_network_security_group.common[each.key].name
name = "ssh"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
source_address_prefix = "*"
destination_port_range = "22"
destination_address_prefix = "*"
}
# resource "azurerm_network_security_rule" "common_kubelet_v4" {
# for_each = { for idx, name in var.regions : name => idx }
# resource_group_name = azurerm_resource_group.kubernetes.name
# network_security_group_name = azurerm_network_security_group.common[each.key].name
# name = "kubelet-v4"
# priority = 1011
# direction = "Inbound"
# access = "Allow"
# protocol = "Tcp"
# source_port_range = "*"
# source_address_prefix = var.network_cidr[0]
# destination_port_range = "10250"
# destination_address_prefix = "*"
# }
# resource "azurerm_network_security_rule" "common_kubelet_v6" {
# for_each = { for idx, name in var.regions : name => idx }
# resource_group_name = azurerm_resource_group.kubernetes.name
# network_security_group_name = azurerm_network_security_group.common[each.key].name
# name = "kubelet-v6"
# priority = 1012
# direction = "Inbound"
# access = "Allow"
# protocol = "Tcp"
# source_port_range = "*"
# source_address_prefix = var.network_cidr[1]
# destination_port_range = "10250"
# destination_address_prefix = "*"
# }
# resource "azurerm_network_security_rule" "common_cilium_health_v4" {
# for_each = { for idx, name in var.regions : name => idx }
# resource_group_name = azurerm_resource_group.kubernetes.name
# network_security_group_name = azurerm_network_security_group.common[each.key].name
# name = "cilium-health-v4"
# priority = 1021
# direction = "Inbound"
# access = "Allow"
# protocol = "Tcp"
# source_port_range = "*"
# source_address_prefix = var.network_cidr[0]
# destination_port_range = "4240"
# destination_address_prefix = "*"
# }
# resource "azurerm_network_security_rule" "common_cilium_health_v6" {
# for_each = { for idx, name in var.regions : name => idx }
# resource_group_name = azurerm_resource_group.kubernetes.name
# network_security_group_name = azurerm_network_security_group.common[each.key].name
# name = "cilium-health-v6"
# priority = 1022
# direction = "Inbound"
# access = "Allow"
# protocol = "Tcp"
# source_port_range = "*"
# source_address_prefix = var.network_cidr[1]
# destination_port_range = "4240"
# destination_address_prefix = "*"
# }
# resource "azurerm_network_security_rule" "common_cilium_vxvlan_v4" {
# for_each = { for idx, name in var.regions : name => idx }
# resource_group_name = azurerm_resource_group.kubernetes.name
# network_security_group_name = azurerm_network_security_group.common[each.key].name
# name = "cilium-vxvlan"
# priority = 1023
# direction = "Inbound"
# access = "Allow"
# protocol = "Udp"
# source_port_range = "*"
# source_address_prefix = var.network_cidr[0]
# destination_port_range = "8472"
# destination_address_prefix = "*"
# }


@@ -0,0 +1,39 @@
resource "azurerm_network_security_group" "gateway" {
for_each = { for idx, name in var.regions : name => idx }
location = each.key
name = "gateway-${each.key}"
resource_group_name = azurerm_resource_group.kubernetes.name
dynamic "security_rule" {
for_each = var.whitelist_admin
content {
name = "Icmp-${security_rule.key}"
priority = 1000 + security_rule.key
direction = "Inbound"
access = "Allow"
protocol = "Icmp"
source_port_range = "*"
source_address_prefix = security_rule.value
destination_port_range = "*"
destination_address_prefix = "*"
}
}
dynamic "security_rule" {
for_each = var.whitelist_admin
content {
name = "WhitelistAdmin-${security_rule.key}"
priority = 1500 + security_rule.key
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
source_address_prefix = security_rule.value
destination_port_ranges = ["22"]
destination_address_prefix = "*"
}
}
tags = merge(var.tags, { type = "infra" })
}
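Review bot: The gateway NSG is created for every region in `var.regions`, while the interface association that consumes it is filtered on `network_gw_enable`, so regions with the gateway disabled carry an unused security group; the same filter, `for_each = { for idx, name in var.regions : name => idx if try(var.capabilities[name].network_gw_enable, false) }`, keeps the two aligned. The rule priorities `1000 + security_rule.key` and `1500 + security_rule.key` assume `var.whitelist_admin` is a list (so keys are integers) with fewer than 500 entries; a comment stating that, or a `validation` block on the variable, would make the assumption explicit. Since this NSG fronts a host with a public IP, a comment on the ICMP/SSH rules noting that the whitelist is the only thing standing between the Internet and port 22 would help whoever later edits `var.whitelist_admin`.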


@@ -64,14 +64,14 @@ variable "capabilities" {
"uksouth" = {
network_nat_enable = false,
network_lb_type = "Basic",
network_gw_enable = true,
network_gw_enable = false,
network_gw_type = "Standard_B1s",
},
"ukwest" = {
network_nat_enable = false,
network_lb_type = "Basic",
network_gw_enable = true,
network_gw_enable = false,
network_gw_type = "Standard_B1s",
},
}


@@ -8,6 +8,7 @@ data "terraform_remote_state" "prepare" {
locals {
subscription_id = data.terraform_remote_state.prepare.outputs.subscription
project = data.terraform_remote_state.prepare.outputs.project
regions = data.terraform_remote_state.prepare.outputs.regions
resource_group = data.terraform_remote_state.prepare.outputs.resource_group