openstack

openstack/.gitignore

@@ -0,0 +1,2 @@
+_cfgs/
+*.yaml

openstack/auth.tf

@@ -0,0 +1,8 @@
+
+provider "openstack" {
+  auth_url    = var.openstack_api
+  user_name   = var.openstack_user
+  password    = var.openstack_password
+  tenant_id   = var.openstack_tenant_id
+  tenant_name = var.openstack_tenant_name
+}

openstack/common.tf

@@ -0,0 +1,39 @@
+
+data "openstack_identity_auth_scope_v3" "os" {
+  name = var.openstack_project
+}
+
+data "openstack_images_image_v2" "debian" {
+  count       = length(var.regions)
+  region      = element(var.regions, count.index)
+  name        = "Debian 10"
+  most_recent = true
+  visibility  = "public"
+}
+
+resource "openstack_compute_keypair_v2" "keypair" {
+  count      = length(var.regions)
+  region     = element(var.regions, count.index)
+  name       = "Terraform"
+  public_key = file("~/.ssh/terraform.pub")
+}
+
+resource "openstack_images_image_v2" "talos" {
+  count            = length(var.regions)
+  region           = element(var.regions, count.index)
+  name             = "talos"
+  container_format = "bare"
+  disk_format      = "raw"
+  min_disk_gb      = 5
+
+  properties = {
+    hw_firmware_type = "uefi"
+    hw_disk_bus      = "scsi"
+    hw_scsi_model    = "virtio-scsi"
+    support_rtm      = "yes"
+  }
+
+  visibility = "private"
+  # image_source_url = "https://"
+  local_file_path = "../../talos-pr/_out/disk.raw"
+}

openstack/instances-master.tf

@@ -0,0 +1,68 @@
+
+resource "openstack_networking_port_v2" "vip" {
+  count          = 1
+  region         = element(var.regions, count.index)
+  name           = "vip"
+  network_id     = data.openstack_networking_network_v2.main[count.index].id
+  admin_state_up = "true"
+
+  fixed_ip {
+    subnet_id  = openstack_networking_subnet_v2.core[count.index].id
+    ip_address = cidrhost(openstack_networking_subnet_v2.core[count.index].cidr, 10)
+  }
+}
+
+resource "openstack_networking_port_v2" "api" {
+  count          = length(var.regions)
+  region         = element(var.regions, count.index)
+  name           = "master-${count.index + 1}"
+  network_id     = data.openstack_networking_network_v2.main[count.index].id
+  admin_state_up = "true"
+
+  fixed_ip {
+    subnet_id  = openstack_networking_subnet_v2.core[count.index].id
+    ip_address = cidrhost(openstack_networking_subnet_v2.core[count.index].cidr, 11 + count.index)
+  }
+}
+
+# resource "openstack_compute_instance_v2" "api" {
+#   count       = 1
+#   name        = "master-${count.index + 1}"
+#   image_id    = openstack_images_image_v2.talos[count.index].id
+#   flavor_name = "s1-2"
+#   region      = element(var.regions, count.index)
+#   key_pair    = openstack_compute_keypair_v2.keypair[count.index].name
+#   user_data   = file("_cfgs/talos.yaml")
+
+#   network {
+#     name           = data.openstack_networking_network_v2.external[count.index].name
+#     access_network = true
+#   }
+#   network {
+#     port = openstack_networking_port_v2.api[count.index].id
+#     # name = data.openstack_networking_network_v2.main[count.index].name
+#   }
+
+#   lifecycle {
+#     ignore_changes = [user_data, image_id]
+#   }
+# }
+
+
+# resource "openstack_compute_instance_v2" "gw" {
+#   count       = 1
+#   name        = "gw-ovh-${count.index + 1}"
+#   image_id    = data.openstack_images_image_v2.debian[count.index].id
+#   flavor_name = "s1-2"
+#   region      = element(var.regions, count.index)
+#   key_pair    = openstack_compute_keypair_v2.keypair[count.index].name
+
+#   network {
+#     name           = data.openstack_networking_network_v2.external[count.index].name
+#     access_network = true
+#   }
+
+#   lifecycle {
+#     ignore_changes = [user_data, image_name, image_id]
+#   }
+# }

openstack/network-secgroup.tf

@@ -0,0 +1,103 @@
+
+
+# resource "openstack_networking_secgroup_v2" "controlplane" {
+#   count       = length(var.regions)
+#   region      = element(var.regions, count.index)
+#   name        = "api"
+#   description = "Security group for allowing controlplane access"
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_icmp_access_ipv4" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv4"
+#   protocol          = "icmp"
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_icmp_access_ipv6" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv6"
+#   protocol          = "icmp"
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_ssh_access_ipv4" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv4"
+#   protocol          = "tcp"
+#   port_range_min    = 22
+#   port_range_max    = 22
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_talos_access_ipv4" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv4"
+#   protocol          = "tcp"
+#   port_range_min    = 50000
+#   port_range_max    = 50000
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_etcd_access_ipv4" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv4"
+#   protocol          = "tcp"
+#   port_range_min    = 2379
+#   port_range_max    = 2380
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_kubernetes_access_ipv4" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv4"
+#   protocol          = "tcp"
+#   port_range_min    = 6443
+#   port_range_max    = 6443
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_kubernetes_access_ipv6" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv6"
+#   protocol          = "tcp"
+#   port_range_min    = 6443
+#   port_range_max    = 6443
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_cilium_health_access_ipv4" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv4"
+#   protocol          = "tcp"
+#   port_range_min    = 4240
+#   port_range_max    = 4240
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_cilium_health_access_ipv6" {
+#   count             = length(var.regions)
+#   region            = element(var.regions, count.index)
+#   direction         = "ingress"
+#   ethertype         = "IPv6"
+#   protocol          = "tcp"
+#   port_range_min    = 4240
+#   port_range_max    = 4240
+#   security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }

openstack/network.tf

@@ -0,0 +1,76 @@
+
+# resource "openstack_networking_network_v2" "main" {
+#   count          = length(var.regions)
+#   region         = element(var.regions, count.index)
+#   name           = "main"
+#   admin_state_up = "true"
+# }
+
+data "openstack_networking_network_v2" "main" {
+  count    = length(var.regions)
+  region   = element(var.regions, count.index)
+  name     = "main"
+  external = false
+}
+
+resource "openstack_networking_subnet_v2" "core" {
+  count      = length(var.regions)
+  region     = element(var.regions, count.index)
+  name       = "core"
+  network_id = data.openstack_networking_network_v2.main[count.index].id
+  cidr       = cidrsubnet(var.vpc_main_cidr, 8, count.index * 4)
+  no_gateway = true
+  allocation_pool {
+    start = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, count.index * 4), 11)
+    end   = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, count.index * 4), -7)
+  }
+  ip_version = 4
+}
+
+resource "openstack_networking_subnet_v2" "private" {
+  count      = length(var.regions)
+  region     = element(var.regions, count.index)
+  name       = "private"
+  network_id = data.openstack_networking_network_v2.main[count.index].id
+  cidr       = cidrsubnet(var.vpc_main_cidr, 8, 1 + count.index * 4)
+  allocation_pool {
+    start = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, 1 + count.index * 4), 11)
+    end   = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, 1 + count.index * 4), -7)
+  }
+  ip_version = 4
+}
+
+data "openstack_networking_network_v2" "external" {
+  count    = length(var.regions)
+  region   = element(var.regions, count.index)
+  name     = "Ext-Net"
+  external = true
+}
+
+resource "openstack_networking_router_v2" "gw" {
+  count          = length(var.regions)
+  region         = element(var.regions, count.index)
+  name           = "private"
+  admin_state_up = true
+  # enable_snat    = true
+  external_network_id = data.openstack_networking_network_v2.external[count.index].id
+}
+
+resource "openstack_networking_port_v2" "private" {
+  count          = length(var.regions)
+  region         = element(var.regions, count.index)
+  name           = "gw"
+  network_id     = data.openstack_networking_network_v2.main[count.index].id
+  admin_state_up = "true"
+  fixed_ip {
+    subnet_id  = openstack_networking_subnet_v2.private[count.index].id
+    ip_address = cidrhost(openstack_networking_subnet_v2.private[count.index].cidr, 1)
+  }
+}
+
+resource "openstack_networking_router_interface_v2" "private" {
+  count     = length(var.regions)
+  region    = element(var.regions, count.index)
+  router_id = openstack_networking_router_v2.gw[count.index].id
+  port_id   = openstack_networking_port_v2.private[count.index].id
+}

openstack/variables.tf

@@ -0,0 +1,61 @@
+
+variable "openstack_api" {}
+variable "openstack_user" {}
+variable "openstack_password" {}
+variable "openstack_tenant_id" {}
+variable "openstack_tenant_name" {}
+variable "openstack_project" {}
+
+variable "vpc_main_cidr" {
+  default = "172.18.0.0/16"
+}
+
+variable "regions" {
+  type        = list(string)
+  description = "The id of the openstack region"
+  default     = ["GRA7", "UK1"]
+}
+
+variable "controlplane" {
+  description = "Property of controlplane"
+  type        = map(any)
+  default = {
+    count   = 0,
+    type    = ""
+    type_lb = ""
+  }
+}
+
+variable "tags" {
+  description = "Tags of resources"
+  type        = map(string)
+  default = {
+    environment = "Develop"
+  }
+}
+
+variable "whitelist_admins" {
+  description = "Whitelist for administrators"
+  default     = ["0.0.0.0/0", "::/0"]
+}
+
+variable "whitelist_web" {
+  description = "Whitelist for web (default Cloudflare network)"
+  default = [
+    "173.245.48.0/20",
+    "103.21.244.0/22",
+    "103.22.200.0/22",
+    "103.31.4.0/22",
+    "141.101.64.0/18",
+    "108.162.192.0/18",
+    "190.93.240.0/20",
+    "188.114.96.0/20",
+    "197.234.240.0/22",
+    "198.41.128.0/17",
+    "162.158.0.0/15",
+    "172.64.0.0/13",
+    "131.0.72.0/22",
+    "104.16.0.0/13",
+    "104.24.0.0/14",
+  ]
+}

openstack/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    openstack = {
+      source  = "terraform-provider-openstack/openstack"
+      version = "~> 1.43.1"
+    }
+  }
+  required_version = ">= 1.0"
+}