diff --git a/openstack/.gitignore b/openstack/.gitignore
new file mode 100644
index 0000000..f423a9b
--- /dev/null
+++ b/openstack/.gitignore
@@ -0,0 +1,2 @@
+_cfgs/
+*.yaml
diff --git a/openstack/auth.tf b/openstack/auth.tf
new file mode 100644
index 0000000..55e2557
--- /dev/null
+++ b/openstack/auth.tf
@@ -0,0 +1,8 @@
+
+provider "openstack" {
+ auth_url = var.openstack_api
+ user_name = var.openstack_user
+ password = var.openstack_password
+ tenant_id = var.openstack_tenant_id
+ tenant_name = var.openstack_tenant_name
+}
diff --git a/openstack/common.tf b/openstack/common.tf
new file mode 100644
index 0000000..aa1f2f1
--- /dev/null
+++ b/openstack/common.tf
@@ -0,0 +1,39 @@
+
+data "openstack_identity_auth_scope_v3" "os" {
+ name = var.openstack_project
+}
+
+data "openstack_images_image_v2" "debian" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "Debian 10"
+ most_recent = true
+ visibility = "public"
+}
+
+resource "openstack_compute_keypair_v2" "keypair" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "Terraform"
+ public_key = file("~/.ssh/terraform.pub")
+}
+
+resource "openstack_images_image_v2" "talos" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "talos"
+ container_format = "bare"
+ disk_format = "raw"
+ min_disk_gb = 5
+
+ properties = {
+ hw_firmware_type = "uefi"
+ hw_disk_bus = "scsi"
+ hw_scsi_model = "virtio-scsi"
+ support_rtm = "yes"
+ }
+
+ visibility = "private"
+ # image_source_url = "https://"
+ local_file_path = "../../talos-pr/_out/disk.raw"
+}
diff --git a/openstack/instances-master.tf b/openstack/instances-master.tf
new file mode 100644
index 0000000..02c9eb1
--- /dev/null
+++ b/openstack/instances-master.tf
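Review bot: In common.tf both `public_key = file("~/.ssh/terraform.pub")` and `local_file_path = "../../talos-pr/_out/disk.raw"` bind the keypair and the Talos image to one operator's workstation layout, so a teammate or CI runner applying the same configuration will register a different key or fail on the missing disk image. Exposing them as inputs, e.g. `public_key = file(var.ssh_public_key_path)` with a declared `variable "ssh_public_key_path"`, keeps the key that gets authorized on every instance explicit and reviewable. The `debian` data source resolves by `name = "Debian 10"` with `most_recent = true`, so the image it returns silently changes whenever the region publishes a newer one under that name; if reproducible builds matter, pinning by ID or adding a comment stating that drift is accepted would help. The `os` auth-scope data source is not referenced anywhere in this diff; if it is used elsewhere a short comment would save the reader the search.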
@@ -0,0 +1,68 @@
+
+resource "openstack_networking_port_v2" "vip" {
+ count = 1
+ region = element(var.regions, count.index)
+ name = "vip"
+ network_id = data.openstack_networking_network_v2.main[count.index].id
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = openstack_networking_subnet_v2.core[count.index].id
+ ip_address = cidrhost(openstack_networking_subnet_v2.core[count.index].cidr, 10)
+ }
+}
+
+resource "openstack_networking_port_v2" "api" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "master-${count.index + 1}"
+ network_id = data.openstack_networking_network_v2.main[count.index].id
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = openstack_networking_subnet_v2.core[count.index].id
+ ip_address = cidrhost(openstack_networking_subnet_v2.core[count.index].cidr, 11 + count.index)
+ }
+}
+
+# resource "openstack_compute_instance_v2" "api" {
+# count = 1
+# name = "master-${count.index + 1}"
+# image_id = openstack_images_image_v2.talos[count.index].id
+# flavor_name = "s1-2"
+# region = element(var.regions, count.index)
+# key_pair = openstack_compute_keypair_v2.keypair[count.index].name
+# user_data = file("_cfgs/talos.yaml")
+
+# network {
+# name = data.openstack_networking_network_v2.external[count.index].name
+# access_network = true
+# }
+# network {
+# port = openstack_networking_port_v2.api[count.index].id
+# # name = data.openstack_networking_network_v2.main[count.index].name
+# }
+
+# lifecycle {
+# ignore_changes = [user_data, image_id]
+# }
+# }
+
+
+# resource "openstack_compute_instance_v2" "gw" {
+# count = 1
+# name = "gw-ovh-${count.index + 1}"
+# image_id = data.openstack_images_image_v2.debian[count.index].id
+# flavor_name = "s1-2"
+# region = element(var.regions, count.index)
+# key_pair = openstack_compute_keypair_v2.keypair[count.index].name
+
+# network {
+# name = data.openstack_networking_network_v2.external[count.index].name
+# access_network = true
+# }
+
+# lifecycle {
+# 
ignore_changes = [user_data, image_name, image_id]
+# }
+# }
diff --git a/openstack/network-secgroup.tf b/openstack/network-secgroup.tf
new file mode 100644
index 0000000..5198139
--- /dev/null
+++ b/openstack/network-secgroup.tf
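Review bot: Neither the `vip` nor the `api` port sets `security_group_ids`, so as far as I understand Neutron's behaviour they are placed in the project's default security group, whose rules this configuration does not manage; with the `controlplane` group in network-secgroup.tf still commented out, nothing in the repository states what may reach the control-plane and VIP addresses. When that group is enabled, the ports should reference it explicitly, e.g. `security_group_ids = [openstack_networking_secgroup_v2.controlplane[count.index].id]`, and the instance blocks should keep using `port =` so the rules follow the port. The `vip` port uses `count = 1` while `api` uses `length(var.regions)`, so only the first region gets a VIP; if that is intentional a comment such as `# VIP only in the primary region; secondary regions are joined over the core subnet` would stop a reader treating it as a bug. `admin_state_up = "true"` is a string where the router in network.tf passes the boolean `true`; using `true` in both files is more consistent.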
@@ -0,0 +1,103 @@
+
+
+# resource "openstack_networking_secgroup_v2" "controlplane" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# name = "api"
+# description = "Security group for allowing controlplane access"
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_icmp_access_ipv4" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv4"
+# protocol = "icmp"
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_icmp_access_ipv6" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv6"
+# protocol = "icmp"
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_ssh_access_ipv4" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv4"
+# protocol = "tcp"
+# port_range_min = 22
+# port_range_max = 22
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_talos_access_ipv4" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv4"
+# protocol = "tcp"
+# port_range_min = 50000
+# port_range_max = 50000
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_etcd_access_ipv4" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv4"
+# protocol = "tcp"
+# port_range_min = 2379
+# port_range_max = 2380
+# security_group_id = 
openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_kubernetes_access_ipv4" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv4"
+# protocol = "tcp"
+# port_range_min = 6443
+# port_range_max = 6443
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_kubernetes_access_ipv6" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv6"
+# protocol = "tcp"
+# port_range_min = 6443
+# port_range_max = 6443
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_cilium_health_access_ipv4" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv4"
+# protocol = "tcp"
+# port_range_min = 4240
+# port_range_max = 4240
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
+
+# resource "openstack_networking_secgroup_rule_v2" "controlplane_cilium_health_access_ipv6" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# direction = "ingress"
+# ethertype = "IPv6"
+# protocol = "tcp"
+# port_range_min = 4240
+# port_range_max = 4240
+# security_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id
+# }
diff --git a/openstack/network.tf b/openstack/network.tf
new file mode 100644
index 0000000..ed05c1b
--- /dev/null
+++ b/openstack/network.tf
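Review bot: None of the commented-out rules sets `remote_ip_prefix` or `remote_group_id`, so the moment this file is uncommented every ingress rule, including SSH on 22, the Talos API on 50000 and etcd on 2379-2380, accepts traffic from any source; a Neutron rule with neither attribute matches all remotes. etcd and the Cilium health port are node-to-node traffic and belong scoped to the group itself, e.g. `remote_group_id = openstack_networking_secgroup_v2.controlplane[count.index].id`, while the SSH, Talos and Kubernetes API rules should iterate over `var.whitelist_admins` and set `remote_ip_prefix` per entry. Since the whole file is dead code, a one-line header such as `# Disabled: rules are unscoped; add remote_ip_prefix/remote_group_id before enabling` would record why it is not yet applied. The group's `name = "api"` does not match the resource name `controlplane`; aligning the two makes the group easier to find in the cloud console.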
@@ -0,0 +1,76 @@
+
+# resource "openstack_networking_network_v2" "main" {
+# count = length(var.regions)
+# region = element(var.regions, count.index)
+# name = "main"
+# admin_state_up = "true"
+# }
+
+data "openstack_networking_network_v2" "main" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "main"
+ external = false
+}
+
+resource "openstack_networking_subnet_v2" "core" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "core"
+ network_id = data.openstack_networking_network_v2.main[count.index].id
+ cidr = cidrsubnet(var.vpc_main_cidr, 8, count.index * 4)
+ no_gateway = true
+ allocation_pool {
+ start = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, count.index * 4), 11)
+ end = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, count.index * 4), -7)
+ }
+ ip_version = 4
+}
+
+resource "openstack_networking_subnet_v2" "private" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "private"
+ network_id = data.openstack_networking_network_v2.main[count.index].id
+ cidr = cidrsubnet(var.vpc_main_cidr, 8, 1 + count.index * 4)
+ allocation_pool {
+ start = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, 1 + count.index * 4), 11)
+ end = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, 1 + count.index * 4), -7)
+ }
+ ip_version = 4
+}
+
+data "openstack_networking_network_v2" "external" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "Ext-Net"
+ external = true
+}
+
+resource "openstack_networking_router_v2" "gw" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "private"
+ admin_state_up = true
+ # enable_snat = true
+ external_network_id = data.openstack_networking_network_v2.external[count.index].id
+}
+
+resource "openstack_networking_port_v2" "private" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ name = "gw"
+ network_id = 
data.openstack_networking_network_v2.main[count.index].id
+ admin_state_up = "true"
+ fixed_ip {
+ subnet_id = openstack_networking_subnet_v2.private[count.index].id
+ ip_address = cidrhost(openstack_networking_subnet_v2.private[count.index].cidr, 1)
+ }
+}
+
+resource "openstack_networking_router_interface_v2" "private" {
+ count = length(var.regions)
+ region = element(var.regions, count.index)
+ router_id = openstack_networking_router_v2.gw[count.index].id
+ port_id = openstack_networking_port_v2.private[count.index].id
+}
diff --git a/openstack/variables.tf b/openstack/variables.tf
new file mode 100644
index 0000000..f03c5e3
--- /dev/null
+++ b/openstack/variables.tf
@@ -0,0 +1,61 @@
+
+variable "openstack_api" {}
+variable "openstack_user" {}
+variable "openstack_password" {}
+variable "openstack_tenant_id" {}
+variable "openstack_tenant_name" {}
+variable "openstack_project" {}
+
+variable "vpc_main_cidr" {
+ default = "172.18.0.0/16"
+}
+
+variable "regions" {
+ type = list(string)
+ description = "The id of the openstack region"
+ default = ["GRA7", "UK1"]
+}
+
+variable "controlplane" {
+ description = "Property of controlplane"
+ type = map(any)
+ default = {
+ count = 0,
+ type = ""
+ type_lb = ""
+ }
+}
+
+variable "tags" {
+ description = "Tags of resources"
+ type = map(string)
+ default = {
+ environment = "Develop"
+ }
+}
+
+variable "whitelist_admins" {
+ description = "Whitelist for administrators"
+ default = ["0.0.0.0/0", "::/0"]
+}
+
+variable "whitelist_web" {
+ description = "Whitelist for web (default Cloudflare network)"
+ default = [
+ "173.245.48.0/20",
+ "103.21.244.0/22",
+ "103.22.200.0/22",
+ "103.31.4.0/22",
+ "141.101.64.0/18",
+ "108.162.192.0/18",
+ "190.93.240.0/20",
+ "188.114.96.0/20",
+ "197.234.240.0/22",
+ "198.41.128.0/17",
+ "162.158.0.0/15",
+ "172.64.0.0/13",
+ "131.0.72.0/22",
+ "104.16.0.0/13",
+ "104.24.0.0/14",
+ ]
+}
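Review bot: The `core` subnet's allocation pool starts at host index 11, which is exactly the first address the master ports in instances-master.tf reserve (`11 + count.index`); if DHCP stays enabled on the subnet, Neutron will hand the first pool addresses to its own DHCP port or to any port created earlier, and the master port creation then fails with an address-already-allocated error. Keeping the fixed control-plane addresses outside the pool avoids the race, e.g. `start = cidrhost(cidrsubnet(var.vpc_main_cidr, 8, count.index * 4), 11 + length(var.regions))` or any start above the highest reserved master index, and a comment stating that `.10` is the VIP and `.11+` are masters would document the reservation. The expression `cidrsubnet(var.vpc_main_cidr, 8, count.index * 4)` is repeated three times per subnet; computing the per-region CIDRs once in a `locals` block would keep the core and private offsets in one place. `admin_state_up = "true"` on the `private` port is a string while the router uses the boolean `true`; both should use the boolean.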
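Review bot: `variable "openstack_password" {}` in variables.tf carries no `sensitive = true`, so the credential consumed by the provider block in auth.tf is echoed in plan output and error messages; with `required_version = ">= 1.0"` the attribute is available, and `variable "openstack_password" { type = string sensitive = true }` (split over lines) is all that is needed. `whitelist_admins` is described as a whitelist but defaults to `["0.0.0.0/0", "::/0"]`, so any rule built from it admits every source; dropping the default so callers must supply their ranges, or at least adding `# default allows all sources; override per environment` next to it, keeps the variable's name honest. The six credential variables and `whitelist_admins`/`whitelist_web` have no `type`, while `regions` and `tags` do; declaring `type = string` and `type = list(string)` makes `terraform validate` catch a misshaped tfvars file.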
diff --git a/openstack/versions.tf b/openstack/versions.tf
new file mode 100644
index 0000000..7c96629
--- /dev/null
+++ b/openstack/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.43.1"
+ }
+ }
+ required_version = ">= 1.0"
+}