
[v16] trigger instance refresh on launch_template change #47299

Merged (8 commits), Oct 7, 2024
Expand Up @@ -350,6 +350,49 @@

See the [Teleport authentication reference](../../../reference/access-controls/authentication.mdx) for more information.

### default_tags

```code
$ export TF_VAR_default_tags='{"key":"value", "env":"dev"}'
```

This value can be used to control the default tags applied to all resources,
including resources created dynamically by the AWS Auto Scaling Groups (ASG).
The default is no tags.

### enable\_auth\_asg\_instance\_refresh

```code
$ export TF_VAR_enable_auth_asg_instance_refresh="false"
```

This variable can be used to enable automatic instance refresh on the Teleport
**auth server** AWS Autoscaling Group (ASG) - the refresh is triggered by

changes to the launch template or configuration.
Enable the auth ASG instance refresh with caution - upgrading the version of
Teleport will trigger an instance refresh and **auth servers must be scaled down
to only one instance** before upgrading your Teleport cluster.

### enable\_proxy\_asg\_instance\_refresh

```code
$ export TF_VAR_enable_proxy_asg_instance_refresh="false"
```

This variable can be used to enable automatic instance refresh on the Teleport
**proxy server** AWS Autoscaling Group (ASG) - the refresh is triggered by
changes to the launch template or configuration.

### enable\_node\_asg\_instance\_refresh

```code
$ export TF_VAR_enable_node_asg_instance_refresh="false"
```

This variable can be used to enable automatic instance refresh on the Teleport
**node server** AWS Autoscaling Group (ASG) - the refresh is triggered by
changes to the launch template or configuration.

## Reference deployment defaults

### Instances
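Review bot: the three new `enable_*_asg_instance_refresh` sections use "auth server", "proxy server" and "node server" (and the bold "auth servers must be scaled down" warning), while the docs prose-style check on this file flags "auth server" and asks for "Auth Service" (or "Auth Service instance" for a specific node); please rename throughout, e.g. `instance refresh on the Teleport **Auth Service** AWS Auto Scaling Group (ASG)`. Two smaller points in the same hunk: the new headings escape underscores (`### enable\_auth\_asg\_instance\_refresh`) while `### default_tags` does not, so use one form; and the caution paragraph says an upgrade triggers a refresh but not that the auth group is refreshed with `min_healthy_percentage = 0` (see `auth_asg.tf`), i.e. every instance may be replaced at once, which is the fact a reader needs in order to decide whether to enable it.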
18 changes: 18 additions & 0 deletions examples/aws/terraform/ha-autoscale-cluster/Makefile
Expand Up @@ -71,6 +71,24 @@ TF_VAR_use_tls_routing ?= false
# Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc", or "saml"
TF_VAR_teleport_auth_type ?= "local"

# (optional) AWS tags applied to all resources.
TF_VAR_default_tags ?= {}

# (optional) Whether to trigger instance refresh rollout for Teleport Auth
# servers when the launch template or configuration changes.
# Enable this with caution - upgrading Teleport version will trigger an
# instance refresh and auth servers must be scaled down to only one instance
# before upgrading your Teleport cluster.
TF_VAR_enable_auth_asg_instance_refresh ?= false

# (optional) Whether to trigger instance refresh rollout for Teleport Proxy
# servers when the launch template or configuration changes.
TF_VAR_enable_proxy_asg_instance_refresh ?= false

# (optional) Whether to trigger instance refresh rollout for Teleport Node
# servers when the launch template or configuration changes.
TF_VAR_enable_node_asg_instance_refresh ?= false

export

# Plan launches terraform plan
30 changes: 29 additions & 1 deletion examples/aws/terraform/ha-autoscale-cluster/auth_asg.tf
Expand Up @@ -14,7 +14,7 @@ resource "aws_autoscaling_group" "auth" {

launch_template {
name = aws_launch_template.auth.name
version = "$Latest"
version = aws_launch_template.auth.latest_version
}

// These are target groups of the auth server network load balancer
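Review bot: the switch from the literal `"$Latest"` to `aws_launch_template.auth.latest_version` deserves a one-line comment, because it is the mechanism the whole PR relies on: with `$Latest` the version is resolved on the AWS side and Terraform never sees a change on the `aws_autoscaling_group`, so the new `instance_refresh` block would never fire; with the numeric `latest_version` attribute every launch template change becomes an in-place update of the ASG. Without the comment, the next person who sees `version: 3 -> 4` in a plan after a template change may mistake it for noise or pin it back to `$Latest`.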
Expand All @@ -33,6 +33,26 @@ resource "aws_autoscaling_group" "auth" {
propagate_at_launch = true
}

dynamic "tag" {
for_each = data.aws_default_tags.this.tags
content {
key = tag.key
value = tag.value
propagate_at_launch = true
}
}

dynamic "instance_refresh" {
for_each = var.enable_auth_asg_instance_refresh ? [1] : []
content {
strategy = "Rolling"
preferences {
auto_rollback = false
min_healthy_percentage = 0
}
}
}

// external autoscale algos can modify these values,
// so ignore changes to them
lifecycle {
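Review bot: `auto_rollback = false` and `min_healthy_percentage = 0` differ from the `true` / `50` used for the proxy and node groups, and nothing in the block says why; at 0% the refresh may terminate every Auth Service instance before a replacement is healthy, which is presumably the reason the docs and Makefile insist on scaling the auth group to one instance before an upgrade. Please state that intent in a comment (including that rollback is deliberately off) so the values are not later "fixed" to match the other groups. On the `dynamic "tag"` block: it is needed because `aws_autoscaling_group` does not receive provider `default_tags`, but it will produce a duplicate key if `var.default_tags` contains a key that one of the static `tag` blocks above already sets, so that restriction should be documented on the variable.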
Expand Down Expand Up @@ -99,4 +119,12 @@ resource "aws_launch_template" "auth" {
iam_instance_profile {
name = aws_iam_instance_profile.auth.name
}

dynamic "tag_specifications" {
for_each = ["instance", "volume", "network-interface"]
content {
resource_type = tag_specifications.value
tags = data.aws_default_tags.this.tags
}
}
}
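Review bot: `tag_specifications` is the right place for this, since provider `default_tags` tag the `aws_launch_template` resource itself but not the instances, volumes and network interfaces launched from it. Two requests: add a short comment saying the tags come from the provider's `default_tags` via `data.aws_default_tags.this` (the identical block is repeated in `node_asg.tf` and `proxy_asg.tf`, and a comment in one place avoids three copies of the explanation), and verify that the launch template accepts a `tag_specifications` block whose `tags` map is empty, which is what this produces when `var.default_tags` keeps its `{}` default; if not, guard the `for_each` with a `length(...) > 0` condition.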
2 changes: 2 additions & 0 deletions examples/aws/terraform/ha-autoscale-cluster/data.tf
Expand Up @@ -33,3 +33,5 @@ locals {
data "aws_kms_alias" "ssm" {
name = var.kms_alias_name
}

data "aws_default_tags" "this" {}
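Review bot: `data.aws_default_tags.this` resolves to the provider's configured `default_tags`, which `provider.tf` sets from `var.default_tags`, so the data source and the variable hold the same map. The indirection is fine (it keeps the ASG and launch template tags in sync if `default_tags` is ever configured elsewhere), but a comment saying so would stop readers from asking why `var.default_tags` is not referenced directly.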
30 changes: 29 additions & 1 deletion examples/aws/terraform/ha-autoscale-cluster/node_asg.tf
Expand Up @@ -13,7 +13,7 @@ resource "aws_autoscaling_group" "node" {

launch_template {
id = aws_launch_template.node.id
version = "$Latest"
version = aws_launch_template.node.latest_version
}

tag {
Expand All @@ -28,6 +28,26 @@ resource "aws_autoscaling_group" "node" {
propagate_at_launch = true
}

dynamic "tag" {
for_each = data.aws_default_tags.this.tags
content {
key = tag.key
value = tag.value
propagate_at_launch = true
}
}

dynamic "instance_refresh" {
for_each = var.enable_node_asg_instance_refresh ? [1] : []
content {
strategy = "Rolling"
preferences {
auto_rollback = true
min_healthy_percentage = 50
}
}
}

// external autoscale algos can modify these values,
// so ignore changes to them
lifecycle {
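Review bot: this `instance_refresh` block (`Rolling`, `auto_rollback = true`, `min_healthy_percentage = 50`) is repeated verbatim for the node, proxy and proxy_acm groups, with the auth group as the one deliberate exception; consider hoisting the shared preferences into a `locals` entry so the three copies cannot drift apart. `min_healthy_percentage` is computed from the group's desired capacity, so on a small node group 50% leaves very few instances serving during the refresh; a comment noting that would help operators size the group.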
Expand Down Expand Up @@ -83,4 +103,12 @@ resource "aws_launch_template" "node" {
iam_instance_profile {
name = aws_iam_instance_profile.node.name
}

dynamic "tag_specifications" {
for_each = ["instance", "volume", "network-interface"]
content {
resource_type = tag_specifications.value
tags = data.aws_default_tags.this.tags
}
}
}
4 changes: 4 additions & 0 deletions examples/aws/terraform/ha-autoscale-cluster/provider.tf
Expand Up @@ -10,4 +10,8 @@ terraform {

provider "aws" {
region = var.region

default_tags {
tags = var.default_tags
}
}
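Review bot: setting `default_tags` on the provider tags every tag-capable resource in this example, which is the intent, but it does not reach the `aws_autoscaling_group` resources or the instances, volumes and interfaces created from the launch templates; that is why the `dynamic "tag"` and `tag_specifications` blocks exist in the other files, and a comment here pointing at them would explain the apparent duplication. Also note that any later change to `var.default_tags` shows up as an in-place update on every tagged resource in the plan, which is worth a sentence in the `default_tags` docs section.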
52 changes: 50 additions & 2 deletions examples/aws/terraform/ha-autoscale-cluster/proxy_asg.tf
Expand Up @@ -15,7 +15,7 @@ resource "aws_autoscaling_group" "proxy" {

launch_template {
name = aws_launch_template.proxy.name
version = "$Latest"
version = aws_launch_template.proxy.latest_version
}

// Auto scaling group is associated with load balancer
Expand Down Expand Up @@ -44,6 +44,26 @@ resource "aws_autoscaling_group" "proxy" {
propagate_at_launch = true
}

dynamic "tag" {
for_each = data.aws_default_tags.this.tags
content {
key = tag.key
value = tag.value
propagate_at_launch = true
}
}

dynamic "instance_refresh" {
for_each = var.enable_proxy_asg_instance_refresh ? [1] : []
content {
strategy = "Rolling"
preferences {
auto_rollback = true
min_healthy_percentage = 50
}
}
}

// external autoscale algos can modify these values,
// so ignore changes to them
lifecycle {
Expand All @@ -68,7 +88,7 @@ resource "aws_autoscaling_group" "proxy_acm" {

launch_template {
name = aws_launch_template.proxy.name
version = "$Latest"
version = aws_launch_template.proxy.latest_version
}

// Auto scaling group is associated with load balancer
Expand Down Expand Up @@ -97,6 +117,26 @@ resource "aws_autoscaling_group" "proxy_acm" {
propagate_at_launch = true
}

dynamic "tag" {
for_each = data.aws_default_tags.this.tags
content {
key = tag.key
value = tag.value
propagate_at_launch = true
}
}

dynamic "instance_refresh" {
for_each = var.enable_proxy_asg_instance_refresh ? [1] : []
content {
strategy = "Rolling"
preferences {
auto_rollback = true
min_healthy_percentage = 50
}
}
}

// external autoscale algos can modify these values,
// so ignore changes to them
lifecycle {
Expand Down Expand Up @@ -164,4 +204,12 @@ resource "aws_launch_template" "proxy" {
iam_instance_profile {
name = aws_iam_instance_profile.proxy.id
}

dynamic "tag_specifications" {
for_each = ["instance", "volume", "network-interface"]
content {
resource_type = tag_specifications.value
tags = data.aws_default_tags.this.tags
}
}
}
30 changes: 30 additions & 0 deletions examples/aws/terraform/ha-autoscale-cluster/vars.tf
Expand Up @@ -240,3 +240,33 @@ variable "teleport_auth_type" {
type = string
default = "local"
}

// (optional) Change the default tags applied to all resources.
variable "default_tags" {
type = map(string)
default = {}
}

// Whether to trigger instance refresh rollout for Teleport Auth servers when
// servers when the launch template or configuration changes.
// Enable this with caution - upgrading Teleport version will trigger an
// instance refresh and auth servers must be scaled down to only one instance
// before upgrading your Teleport cluster.
variable "enable_auth_asg_instance_refresh" {
type = bool
default = false
}

// Whether to trigger instance refresh rollout for Teleport Proxy servers when
// servers when the launch template or configuration changes.
variable "enable_proxy_asg_instance_refresh" {
type = bool
default = false
}

// Whether to trigger instance refresh rollout for Teleport Node servers when
// servers when the launch template or configuration changes.
variable "enable_node_asg_instance_refresh" {
type = bool
default = false
}
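Review bot: the comments on all three `enable_*_asg_instance_refresh` variables repeat the phrase "servers when" across the line break ("...for Teleport Auth servers when // servers when the launch template..."); they should read "...for Teleport Auth servers when the launch template or configuration changes." Since these variables are user-facing, consider putting that text in a `description` argument rather than a `//` comment so it also appears in `terraform plan` prompts and generated docs, and keep the caution about scaling the auth group to one instance in the `enable_auth_asg_instance_refresh` description.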