From 951ec124dd38756d0b208e7fb2ad77ab136b4902 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 2 Jul 2024 15:24:35 +0200 Subject: [PATCH] Add terraform config for the ansible_controller (#68) This sets up an ec2 node with all the needed dependencies to work as an ansible control node. I am a bit uncertain if we should also add the git clone of the devops repo with ansible inside of it, or just leave that to being a manual task we do every time we need to do a deploy. For the moment I have kept it to being as simple as possible. This implements: https://github.com/ooni/devops/issues/67 --- tf/environments/prod/main.tf | 11 ++++ tf/modules/ansible_controller/main.tf | 74 ++++++++++++++++++++++ tf/modules/ansible_controller/outputs.tf | 1 + tf/modules/ansible_controller/variables.tf | 22 +++++++ 4 files changed, 108 insertions(+) create mode 100644 tf/modules/ansible_controller/main.tf create mode 100644 tf/modules/ansible_controller/outputs.tf create mode 100644 tf/modules/ansible_controller/variables.tf diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index f7d61fb2..62d2c86c 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -578,3 +578,14 @@ module "codesigning" { subnet_cidr_blocks = module.network.vpc_subnet_cloudhsm[*].cidr_block key_name = module.adm_iam_roles.oonidevops_key_name } + +## Ansible controller setup + +module "ansible_controller" { + source = "../../modules/ansible_controller" + + vpc_id = module.network.vpc_id + key_name = module.adm_iam_roles.oonidevops_key_name + + dns_zone_ooni_io = local.dns_zone_ooni_io +} diff --git a/tf/modules/ansible_controller/main.tf b/tf/modules/ansible_controller/main.tf new file mode 100644 index 00000000..74d59d98 --- /dev/null +++ b/tf/modules/ansible_controller/main.tf 
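Review bot: The new `module "ansible_controller"` call passes no `tags`, so the security group and instance it creates get the module's empty default and will carry no owner or environment tag; if this environment keeps a shared tag map, pass it here (e.g. `tags = local.tags`), otherwise at least set `tags = { Name = "ansible-controller" }`. The call also hands the module only `vpc_id`; the module takes no subnet or SSH-source input, so there is nothing at this call site that places the instance inside `module.network`'s VPC or limits who can reach it — worth adding once the module grows those variables. Note that the module also defaults `instance_type` to `t2.micro`, which this call does not override.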
@@ -0,0 +1,74 @@
+data "aws_ssm_parameter" "ubuntu_22_ami" {
+ name = "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id"
+}
+
+resource "aws_security_group" "ansible_ctrl_sg" {
+ description = "security group for ansible controller"
+ name_prefix = "ooni-ansible-ctrl"
+
+ vpc_id = var.vpc_id
+
+ ingress {
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+
+ cidr_blocks = [
+ "0.0.0.0/0",
+ ]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ tags = var.tags
+}
+
+resource "aws_instance" "ansible_controller" {
+ ami = data.aws_ssm_parameter.ubuntu_22_ami.value
+ instance_type = var.instance_type
+ key_name = var.key_name
+
+ user_data = <<-EOF
+ #!/bin/bash
+ apt-get update
+ apt-get install -y software-properties-common
+ add-apt-repository --yes --update ppa:ansible/ansible
+ apt-get install -y ansible
+ EOF
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ security_groups = [aws_security_group.ansible_ctrl_sg.id]
+
+ tags = var.tags
+}
+
+resource "aws_route53_record" "oonith_service_alias" {
+ zone_id = var.dns_zone_ooni_io
+ name = "ansible-controller"
+ type = "A"
+
+ alias {
+ name = aws_instance.ansible_controller.public_dns
+ zone_id = var.dns_zone_ooni_io
+ evaluate_target_health = true
+ }
+}
diff --git a/tf/modules/ansible_controller/outputs.tf b/tf/modules/ansible_controller/outputs.tf
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/tf/modules/ansible_controller/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/tf/modules/ansible_controller/variables.tf b/tf/modules/ansible_controller/variables.tf
new file mode 100644
index 00000000..6012cf22
--- /dev/null
+++ b/tf/modules/ansible_controller/variables.tf
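Review bot: The `ingress` rule in `aws_security_group.ansible_ctrl_sg` opens SSH to `0.0.0.0/0`, on a host whose whole purpose is to hold the inventory and credentials used to deploy the rest of the fleet; the source range should come from a variable with no default (`cidr_blocks = var.ssh_allowed_cidrs`) or SSH should be replaced by SSM Session Manager, and the instance should set `metadata_options { http_tokens = "required" }` so a compromised playbook or SSRF cannot read instance-role credentials over IMDSv1. Separately, `aws_instance.ansible_controller` uses `security_groups` (the EC2-Classic/default-VPC name list) instead of `vpc_security_group_ids` and sets no `subnet_id`, so as written the instance will not land in `var.vpc_id` and attaching the VPC security group created above is likely to fail at apply; it needs a subnet in that VPC and `vpc_security_group_ids`. The `aws_route53_record` is also unlikely to apply: an `alias` block needs an AWS alias target plus the target's own hosted zone ID, not an EC2 `public_dns` paired with the ooni.io zone — a plain A record with `ttl` and `records = [aws_instance.ansible_controller.public_ip]` (assuming the chosen subnet assigns a public IP) is what this wants, and the resource name `oonith_service_alias` looks copied from elsewhere. The rewrite below introduces `var.subnet_id` and `var.ssh_allowed_cidrs`, which would need matching entries in variables.tf.

```hcl
resource "aws_security_group" "ansible_ctrl_sg" {
  # … unchanged: description, name_prefix, vpc_id …

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = var.ssh_allowed_cidrs # admin ranges only, never 0.0.0.0/0
  }

  # … unchanged: egress blocks, lifecycle, tags …
}

resource "aws_instance" "ansible_controller" {
  # … unchanged: ami, instance_type, key_name, user_data, lifecycle …

  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.ansible_ctrl_sg.id]

  # Require IMDSv2 so a compromised run on this box cannot trivially read role credentials
  metadata_options {
    http_tokens = "required"
  }

  tags = var.tags
}

resource "aws_route53_record" "ansible_controller" {
  zone_id = var.dns_zone_ooni_io
  name    = "ansible-controller"
  type    = "A"
  ttl     = 300
  records = [aws_instance.ansible_controller.public_ip]
}
```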
@@ -0,0 +1,22 @@
+variable "vpc_id" {
+ description = "the id of the VPC to deploy the instance into"
+}
+
+variable "tags" {
+ description = "tags to apply to the resources"
+ default = {}
+ type = map(string)
+}
+
+variable "key_name" {
+ description = "Name of AWS key pair"
+}
+
+variable "instance_type" {
+ default = "t2.micro"
+}
+
+variable "dns_zone_ooni_io" {
+ description = "id of the DNS zone for ooni_io"
+}
+
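Review bot: `vpc_id`, `key_name` and `dns_zone_ooni_io` carry no `type` constraint, so a wrong value type (or a zone name passed where the hosted zone ID is expected) is only caught at apply time rather than at plan; add `type = string` to each, mirroring what `tags` already does, and give `instance_type` a `description` and `type = string` for consistency. The module also exposes no input for the SSH source range or the subnet the instance should live in, which main.tf needs in order to stop opening port 22 to the internet and to actually place the instance in `vpc_id`; a `variable "ssh_allowed_cidrs" { type = list(string) }` with no default and a `variable "subnet_id" { type = string }` would cover both.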