SAN-4262; Terraform (#470)

* First steps with terraform.

* Basic working VPC setup with public subnet, bastion, and nat.

* Tag formatting.

* Nearly working, just need outbound from private through nat.

* Fully working vpc base.

* Added basic readme to describe usage and scope.

* Use route resources over embedded.

* Fixed typo in docs.

* Conform to tag standards.

* Removed depends_on

* Removed nat instance options.

Author: rsandor

.gitignore

@@ -11,4 +11,6 @@ ca.srl
 ansible/roles/hipache/templates/runnable*
 ansible/certs/*
 *.retry
-
+*.tfstate*
+terraform/credentials.tfvars
+terraform/.build

ssh/config

@@ -16,6 +16,12 @@ Host epsilon*
   StrictHostKeyChecking no
   Identityfile ~/.ssh/epsilon.pem
 
+Host zeta*
+  User ubuntu
+  ForwardAgent yes
+  StrictHostKeyChecking no
+  Identityfile ~/.ssh/zeta.pem
+
 ################################################################################
 # utility
 ################################################################################
@@ -274,3 +280,10 @@ Host 127.0.0.1
   UserKnownHostsFile /dev/null
   User core
   LogLevel QUIET
+
+################################################################################
+# Zeta Environment (Terraform Infrastructure Migration)
+################################################################################
+Host zeta-bastion
+  HostName 52.24.4.209
+  Port 22

terraform/Makefile

@@ -0,0 +1,58 @@
+.DEFAULT_GOAL := help
+.PHONY: help plan apply deps
+
+TF_SOURCE := sandbox
+BUILD_DIR := .build
+BUILD_TARGET := sandbox.tf
+CREDENTIALS_FILE := credentials.tfvars
+
+help:
+	@echo "Builds Runnable AWS infrastructures with Terraform"
+	@echo ""
+	@echo "Environment Variables:"
+	@echo "  TERRAFORM_ENVIRONMENT - Name of the environment for which to apply changes"
+	@echo ""
+	@echo "Targets:"
+	@echo "  apply    Commits the plan and builds the infrastructure"
+	@echo "  deps     Ensures system requirements are met to run Terraform"
+	@echo "  env      Display the working environment (TERRAFORM_ENVIRONMENT)"
+	@echo "  help     Displays this message"
+	@echo "  plan     Builds a new Terraform plan"
+	@echo ""
+	@echo "For an indepth guide see: https://github.com/codenow/devops-scripts README"
+
+env:
+	@echo "Working environment: ${TERRAFORM_ENVIRONMENT}"
+
+deps:
+	@hash terraform > /dev/null 2>&1 || \
+		(echo "Terraform not installed (try: brew install terraform)"; exit 1)
+	@test -n "$(TERRAFORM_ENVIRONMENT)" || \
+		(echo "Variable TERRAFORM_ENVIRONMENT is missing"; exit 1)
+	@test -e "${CREDENTIALS_FILE}" || \
+		(echo "Cannot find credentials variables, ask someone for '${CREDENTIALS_FILE}'")
+
+compile:
+	@echo "Compiling .tf files from sandbox/"
+	@mkdir -p .build
+	@find ${TF_SOURCE} \
+		| grep -E '${TF_SOURCE}/.*[.]tf' \
+		| xargs cat > ${BUILD_DIR}/${BUILD_TARGET}
+
+apply: compile deps
+	terraform apply \
+		-var-file="${CREDENTIALS_FILE}" \
+		-var-file="environment/${TERRAFORM_ENVIRONMENT}.tfvars" \
+		${BUILD_DIR}/
+
+destroy: compile deps
+	terraform destroy \
+		-var-file="${CREDENTIALS_FILE}" \
+		-var-file="environment/${TERRAFORM_ENVIRONMENT}.tfvars" \
+		${BUILD_DIR}/
+
+plan: compile deps
+	terraform plan \
+		-var-file="${CREDENTIALS_FILE}" \
+		-var-file="environment/${TERRAFORM_ENVIRONMENT}.tfvars" \
+		${BUILD_DIR}/

terraform/README.md

@@ -0,0 +1,24 @@
+# devops-scripts/terraform
+
+## Overview
+The `terraform/` directory in `devops-scripts` defines our sandboxes infrastructure
+as code via [Hashicorp's Terraform Tool](https://terraform.io). To begin let's look
+at the overall directory structure:
+
+- `Makefile` - Makefile used to build, destroy, and mutate the sandboxes AWS infrastructure.
+- `environment/` - Holds variable definitions for each of the environments we maintain.
+- `sandbox/` - Contains the Terraform files (`*.tf`) that describe the sandboxes infrastructure.
+
+Take a moment to familiarize yourself with the layout of the files listed above.
+
+## How to develop
+
+1. Set the `TERRAFORM_ENVIRONMENT` environment variable to `zeta` in your shell.
+2. Get a copy of the `credentials.tfvars` file from @rsandor.
+3. Make changes to the `*.tf` files that describe your infrastructure change.
+4. Run `make plan` from the `terraform/` directory
+5. Once satisfied with the resulting diff, run `make apply` to apply changes.
+
+**Note:** currently only members of the devops team are allowed to have credentials
+that can mutate the entire infrastructure. For the foreseeable future no execeptions
+will be made.

terraform/environment/zeta.tfvars

@@ -0,0 +1,32 @@
+/**
+ * Variable definitions for the Runnable sandboxes `zeta` environment. This
+ * environment will be used to migrate from our old "by hand" infrastructure to
+ * management by terraform.
+ */
+
+environment = "zeta"
+key_name = "zeta"
+provider.region = "us-west-2"
+
+/**
+ * VPC resource configuration.
+ */
+vpc.cidr_block = "10.248.0.0/16"
+
+/**
+ * Subnet configuration.
+ */
+public-subnet.cidr_block_a = "10.248.0.0/24"
+public-subnet.cidr_block_b = "10.248.1.0/24"
+public-subnet.cidr_block_c = "10.248.2.0/24"
+public-subnet.cidr_block_reserved = "10.248.3.0/24"
+
+private-subnet.cidr_block_a = "10.248.4.0/24"
+private-subnet.cidr_block_b = "10.248.5.0/24"
+private-subnet.cidr_block_c = "10.248.6.0/24"
+private-subnet.cidr_block_reserved = "10.248.7.0/24"
+
+/**
+ * Instance level configuration.
+ */
+bastion.ssh_port = "22"

terraform/sandbox/instance/bastion.tf

@@ -0,0 +1,19 @@
+/**
+ * Bastion server for the VPC. The bastion server allows those with credentials
+ * (e.g. a signed pem file) to SSH through it and into the private subnet.
+ */
+resource "aws_instance" "bastion" {
+  tags {
+    Name = "bastion"
+    Environment = "${var.environment}"
+  }
+
+  ami = "${var.bastion.ami}"
+  associate_public_ip_address = true
+  instance_type = "${var.bastion.instance_type}"
+  key_name = "${var.key_name}"
+  security_groups = [
+    "${aws_security_group.bastion.id}"
+  ]
+  subnet_id = "${aws_subnet.public-a.id}"
+}

terraform/sandbox/instance/private-example.tf

@@ -0,0 +1,19 @@
+/**
+ * Private example server. This is to test whether or not bastion is working
+ * correctly in the vpc.
+ */
+resource "aws_instance" "private-example" {
+  tags {
+    Name = "private-example"
+    Environment = "${var.environment}"
+  }
+
+  ami = "ami-9abea4fb"
+  associate_public_ip_address = false
+  instance_type = "t2.micro"
+  key_name = "${var.key_name}"
+  security_groups = [
+    "${aws_security_group.private-example.id}"
+  ]
+  subnet_id = "${aws_subnet.private-a.id}"
+}

terraform/sandbox/provider.tf

@@ -0,0 +1,10 @@
+/*
+ * Default provider for all Runnable AWS resources.
+ * @see https://www.terraform.io/docs/providers/aws/index.html
+ * @author Ryan Sandor Richards
+ */
+provider "aws" {
+  region = "us-west-2"
+  access_key = "${var.provider.access_key}"
+  secret_key = "${var.provider.secret_key}"
+}

terraform/sandbox/security_group/bastion.tf

@@ -0,0 +1,38 @@
+/**
+ * Bastion security group. This allows trusted external sources to talk to
+ * machines within the packer VPCs private subnet.
+ */
+resource "aws_security_group" "bastion" {
+  tags {
+    Name = "bastion"
+    Environment = "${var.environment}"
+  }
+
+  vpc_id = "${aws_vpc.sandbox.id}"
+  name = "bastion"
+  description = "Ingress/Egress rules for the VPC bastion server"
+}
+
+/**
+ * Allows inbound SSH connections from the internet to the bastion server.
+ */
+resource "aws_security_group_rule" "bastion-ingress-ssh" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.bastion.id}"
+  from_port = "${var.bastion.ssh_port}"
+  to_port = "${var.bastion.ssh_port}"
+  protocol = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+/**
+ * Allows all outbound traffic from the bastion server.
+ */
+resource "aws_security_group_rule" "bastion-egress-all" {
+  type = "egress"
+  security_group_id = "${aws_security_group.bastion.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}

terraform/sandbox/security_group/private-example.tf

@@ -0,0 +1,38 @@
+/**
+ * Security group for the private-example server.
+ */
+resource "aws_security_group" "private-example" {
+  tags {
+    Name = "private-example"
+    Environment = "${var.environment}"
+  }
+
+  vpc_id = "${aws_vpc.sandbox.id}"
+  name = "private-example"
+  description = "Example private subnet security group"
+}
+
+/**
+ * Allows SSH (port 22) traffic inbound to private-example security group via
+ * the bastion security group.
+ */
+resource "aws_security_group_rule" "private-example-inbound-bastion" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.private-example.id}"
+  source_security_group_id = "${aws_security_group.bastion.id}"
+  from_port = 22
+  to_port = 22
+  protocol = "tcp"
+}
+
+/**
+ * Allows all outbound on the private-example security group.
+ */
+resource "aws_security_group_rule" "private-example-outbound-all" {
+  type = "egress"
+  security_group_id = "${aws_security_group.private-example.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}